6 ways companies fail at security fundamentals

A new report suggests many organizations are failing at basic cyber hygiene and leaving themselves exposed to attackers.


Back to basics

While advanced cyber attacks grab the attention in headlines, often companies are undone by failing to adhere to the basics of cyber security best practices. Tripwire recently released its State of Cyber Hygiene report, which looks at how well organizations are deploying the basic security controls the Center for Internet Security (CIS) refers to as “cyber hygiene.” These include monitoring, benchmarking, patching, configuring and remediating.

The study, based on a survey of 306 IT security professionals, suggests many organizations are failing at the security fundamentals that harden an organization’s defenses and reduce the chances of a successful attack.

1. Taking too long to remove unauthorized devices from a network

New devices on the network may be harmless: new users or guests simply connecting their personal phones. However, an unknown device could also be an attacker trying to access your network.

Sixty-two percent of organizations reported that it took them hours at best to detect new devices on the network, and hours on top of that to remove any unauthorized devices. All it takes is one malicious attacker to be connected for a few minutes to start potentially causing damage.

Best practice: Organizations need an accurate inventory of authorized devices and network-level authentication to prevent unauthorized connections.
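The inventory check described above, as an added example that is not part of the article or the Tripwire report: observed lease records (constructed, in a hypothetical "timestamp MAC IP hostname" format) are reconciled against an authorized-device list, and each unknown device is reported with how long it has been on the segment, which is the detection-latency figure the survey measures in hours.

```python
"""Added example: reconcile observed devices against an authorized inventory
and report how long each unauthorized device has been present."""
from datetime import datetime, timedelta, timezone

# Constructed authorized inventory: MAC address -> asset tag (hypothetical values).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": "LAPTOP-FIN-014",
    "aa:bb:cc:00:00:02": "PRINTER-2F",
}

# Constructed lease observations: "<ISO timestamp> <MAC> <IP> <hostname>".
OBSERVED = """\
2024-05-01T08:00:00Z aa:bb:cc:00:00:01 10.0.5.21 laptop-fin-014
2024-05-01T08:02:10Z aa:bb:cc:00:00:02 10.0.5.40 printer-2f
2024-05-01T08:05:33Z de:ad:be:ef:00:07 10.0.5.77 android-3f1c
2024-05-01T09:15:00Z de:ad:be:ef:00:07 10.0.5.77 android-3f1c
"""

# Constructed time at which the review is run.
NOW = datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc)


def parse_leases(text):
    """Return {mac: (first_seen, ip, hostname)}, keeping the earliest sighting per MAC."""
    first_seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, host = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        mac = mac.lower()
        if mac not in first_seen or when < first_seen[mac][0]:
            first_seen[mac] = (when, ip, host)
    return first_seen


def unauthorized_devices(text, authorized, now):
    """List (mac, ip, hostname, minutes_present) for every MAC absent from the inventory."""
    findings = []
    for mac, (seen, ip, host) in sorted(parse_leases(text).items()):
        if mac not in authorized:
            minutes = (now - seen) / timedelta(minutes=1)
            findings.append((mac, ip, host, round(minutes)))
    return findings


if __name__ == "__main__":
    for mac, ip, host, minutes in unauthorized_devices(OBSERVED, AUTHORIZED, NOW):
        print(f"UNAUTHORIZED {mac} {ip} ({host}) present for {minutes} min")
```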

2. Failure to police software running on a network

We may live in an age of self-service, but shadow applications still pose a danger to networks. Verifying the legitimacy of applications, and reducing the chance of malware entering or corporate data leaking out, is much easier if you actually know what software is running on your networks.

Thirty percent of organizations have less than half of the software on their network tracked in an asset inventory. Over 80 percent of organizations take hours or longer to detect and remove unauthorized software from their network.

Best practice: Application whitelisting ensures only authorized software runs on the network and reduces the chances of malicious apps and software entering your organization.

3. Infrequent scanning for vulnerabilities and slow patching

While the most advanced attacks will be able to avoid detection, most attacks exploit known, and therefore detectable, vulnerabilities. While the vast majority of companies do run vulnerability scans, 41 percent scan only monthly or less often. Among organizations that have implemented DevOps, 46 percent aren’t scanning for vulnerabilities throughout the continuous integration and deployment (CI/CD) pipeline.

When it comes to patching, the sooner it’s done, the sooner you’ve closed a hole in your defenses. Unfortunately, 44 percent of companies say it takes weeks to apply security patches, with nearly 30 percent taking a month or more.

Best practice: Vulnerability scans should be supported with patch management systems that cover both the operating system and third-party applications in order to achieve automatic and ongoing installation of updates.

4. Failure to change default passwords

If you don’t closely guard access to administrative accounts, you may as well not be defending your sensitive data. Fewer than half of organizations use dedicated workstations for administrative activities, more than half don’t use multifactor authentication for accessing administrative accounts, and 43 percent don’t require unique passwords for different systems. All of these potentially leave powerful user accounts open for abuse by attackers. Nearly a third reported they didn't change default passwords.

Best practice: Mandate the changing of default passwords, deploy multifactor authentication, and use dedicated and segmented workstations for administrative activities wherever possible. Ensure users have no more privilege than is necessary for their role.

5. Taking too long to detect configuration changes on a network

Misconfigurations are a common component in many successful breaches, while improper configuration can cause internal disruption. Over a third of companies admit that they struggle to enforce configuration settings. As a result, over half of organizations take at least days to detect configuration changes, and just under 40 percent take days or longer to remediate any detected changes.

Best practice: Deploy system configuration management tools to automatically enforce and redeploy configuration settings – both for on-premises and cloud environments.

6. Poor log monitoring

Log monitoring is one of the best ways to notice suspicious or unusual activity that could be a sign of intrusion. However, most organizations aren’t pushing logs from critical systems into a centralized location, so logs are often reviewed only weekly or monthly. Nearly three-quarters of the respondents said they reviewed their logs only weekly. A quarter of organizations review logs only when responding to an alert from a SIEM.

Best practice: Collect and monitor as many logs as possible, and push them into a central system where they can be more easily aggregated, filtered and reviewed.