Cleaning up cyber hygiene
By Caroline Mohan
Aug 16, 2018
Effective cyber hygiene is crucial to both system and data security, and government agencies generally practice better cyber hygiene than most industry sectors, a new survey found.
Tripwire's State of Cyber Hygiene survey asked IT security managers how closely they follow the Center for Internet Security’s (CIS) top six Critical Security Controls, a set of practices that ensures good cyber hygiene.
Though government was found to have better cyber hygiene than most industry sectors, the overall results were lackluster. About 50 percent of respondents said they were running authenticated scans and were able to patch vulnerabilities within a week of detection. Almost half use dedicated workstations and networks for administrative activities, but over 40 percent do not use multifactor authentication or don’t require unique passwords for each system.
“The federal government might just be slightly ahead of the private sector on the cyber hygiene curve,” said Keren Cummins, Tripwire’s federal director. Cummins credited the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which raised the frequency of vulnerability scans to every 72 hours and pushed agencies toward more effective cybersecurity.
Nevertheless, IT managers should scan their systems every day to detect new devices. “Discovering and responding to these devices represents a new challenge,” Cummins said, “especially if the agency is dealing with these manually or is using different security solutions to manage these new classes of devices.”
The report recommended using hardened benchmarks from CIS or the Defense Information Systems Agency to establish a secure baseline for cyber practices and hold stakeholders accountable for improving cyber hygiene.
Government agencies are also pushing to consolidate all audit logs into one security management system, but Cummins noted that, while this may be effective, “the best place to detect a problem is usually right where that problem is taking place.” Agencies must review their logs as efficiently as possible, she said, “not just assume that any problems will be detected at the departmental level.”