A recent survey conducted by Tripwire revealed that organizations are not fully adopting security controls from key benchmarks, such as those of the Center for Internet Security (CIS).
CIS established the “top 20” set of critical security controls to help organizations prioritize their defenses and protect their organization and data from known cyber attack vectors.
The survey was sent out to 306 IT security pros in July 2018 and showed some surprising results, including:
- Two-thirds of organizations do not use hardening standards/benchmarks (e.g., CIS or Defense Information Systems Agency (DISA)) for secure baselines of systems.
- More than half of respondents said it takes weeks, months or longer to detect new devices on their network.
- Forty percent of organizations are not scanning for vulnerabilities on a weekly or more frequent schedule.
- Half of organizations aren’t running authenticated scans.
- Over half of organizations said they aren’t collecting and centrally storing security logs from critical systems.
- Forty-one percent of organizations don’t use multi-factor authentication for privileged access.
Some security experts even say that adoption of just the first five controls (listed below) could have prevented or reduced the risk of 85% of cyber attacks.
The first five CIS controls:
- Control 1 – Inventory and Control of Hardware Assets
- Control 2 – Inventory and Control of Software Assets
- Control 3 – Continuous Vulnerability Management
- Control 4 – Controlled Use of Administrative Privileges
- Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
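Control 1 is where the survey's "weeks or months to detect a new device" finding bites, and it is also the easiest control to automate. The script below is an added illustration written for this post, not Tripwire's or CIS's own tooling: it reconciles an authorized hardware inventory against a freshly observed device list (the kind of data you get from DHCP leases or a network sweep) and reports devices that are not in the inventory, plus inventoried devices that were not seen. Both data sets and all MAC addresses are constructed for the example; in practice the `OBSERVED_DEVICES` list would be fed from whatever discovery source the organization already has.

```python
"""
Constructed example of automated hardware-asset reconciliation (CIS Control 1).
Unknown devices are the interesting output: each one is either an asset that
was never inventoried or something that should not be on the network at all.
"""
import re

# Authorized inventory, keyed by MAC address. Note the mixed separators and
# casing: inventories maintained by hand are rarely consistent, so we normalize.
AUTHORIZED_INVENTORY = {
    "AA-BB-CC-00-00-01": {"hostname": "ws-001", "owner": "finance"},
    "aa:bb:cc:00:00:02": {"hostname": "ws-002", "owner": "hr"},
    "aa:bb:cc:00:00:03": {"hostname": "srv-db-01", "owner": "it"},
}

# Constructed "observed" list, as if parsed from DHCP leases or an ARP sweep.
OBSERVED_DEVICES = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10"},
    {"mac": "AA:BB:CC:00:00:03", "ip": "10.0.1.50"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.1.77"},  # not in the inventory
]


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so 'AA-BB-CC-DD-EE-FF' and 'aa:bb:cc:dd:ee:ff' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory: dict, observed: list) -> dict:
    """Return {'unknown': [...], 'missing': [...]} after normalizing both sides.

    unknown: observed on the network but absent from the inventory (investigate).
    missing: in the inventory but not observed (stale record, or a device that
             was removed without updating the inventory).
    """
    known = {normalize_mac(mac): meta for mac, meta in inventory.items()}
    seen = {normalize_mac(dev["mac"]): dev for dev in observed}

    unknown = [
        {"mac": mac, "ip": seen[mac]["ip"]}
        for mac in sorted(seen.keys() - known.keys())
    ]
    missing = [
        {"mac": mac, "hostname": known[mac]["hostname"], "owner": known[mac]["owner"]}
        for mac in sorted(known.keys() - seen.keys())
    ]
    return {"unknown": unknown, "missing": missing}


if __name__ == "__main__":
    report = reconcile(AUTHORIZED_INVENTORY, OBSERVED_DEVICES)
    for dev in report["unknown"]:
        print(f"UNKNOWN  {dev['mac']}  seen at {dev['ip']}  -> open a ticket")
    for dev in report["missing"]:
        print(f"MISSING  {dev['mac']}  {dev['hostname']} ({dev['owner']})  -> verify inventory")
```

Run on a schedule (daily is a reasonable starting cadence for the "weeks or months" problem), the `unknown` list becomes the trigger for a ticket or an alert, and the `missing` list keeps the inventory honest. Keying on MAC address is a simplification: MACs can be spoofed and some environments randomize them, so a production implementation would usually correlate with a second identifier such as a 802.1X identity or an endpoint-agent ID.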
Also check out the SANS CIS Security Controls download and its mappings to other security frameworks and regulatory obligations.
IT organizations should look for solutions and processes that integrate with the CIS security controls automatically.