Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

7/28/2011
01:28 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Security Best Practices A Big FAIL In Most Organizations

Enterprises, government agencies mostly missing the boat in proper security practices

New data released today reveals how enterprises and government agencies are failing to adopt best practices for security: nearly all of the 420 organizations that participated in the survey were at some risk in security or compliance.

The Echelon One/Venafi-sponsored survey, 2011 IT Security Best Practices Assessment, was based on 12 best security practices defined by Echelon One.

Here's how the organizations fared in the top five best practices:

Some 77 percent don't perform quarterly security and training compliance training; 64 percent don't encrypt all of their cloud data and cloud transactions; 82 percent don't rotate their SSH keys every 12 months; 55 percent don't have a process in place in the event of a certificate authority compromise; and 10 percent don't use encryption throughout their organizations.

"Training once a year is not enough. It has to be done on a regular basis, and quarterly is best," says Bob West, founder and CEO of Echelon One, who says he was shocked by the high rate of failure in the survey. "But 77 percent are not doing this."

Jeff Hudson, CEO of Venafi, says the good news from the survey is the widespread use of encryption. "But it's incredibly poorly managed. SSH keys are a mess," he says.

"Very few are thinking about encrypting data as it goes in the cloud. Ninety percent say they use encryption throughout the organization, but that number falls off drastically when data goes into the cloud," Hudson says. "As apps and data move into the cloud … there's not a well-developed thought process on how to protect data under your direct control."

"People are not planning for compromises, and the biggest ones were when people were caught flat-footed, especially with a CA room compromise, and the Comodo RA compromise," for example, he says.

Among some of the other findings from the survey: 40 percent of the respondents didn't know whether their organizations encrypted their data in Google Apps, Salesforce.com, or Dropbox, and 41 percent didn't know how often their SSH keys were rotated. Around 10 percent aren't using encryption in authentication.

Venafi and Echelon One are now offering a free self-assessment survey for organization to measure their best practices status here, as well as to obtain copy of the full report.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Look Beyond the 'Big 5' in Cyberattacks
Robert Lemos, Contributing Writer,  11/25/2020
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: I think the boss is bing watching '70s TV shows again!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5423
PUBLISHED: 2020-12-02
CAPI (Cloud Controller) versions prior to 1.101.0 are vulnerable to a denial-of-service attack in which an unauthenticated malicious attacker can send specially-crafted YAML files to certain endpoints, causing the YAML parser to consume excessive CPU and RAM.
CVE-2020-29454
PUBLISHED: 2020-12-02
Editors/LogViewerController.cs in Umbraco through 8.9.1 allows a user to visit a logviewer endpoint even if they lack Applications.Settings access.
CVE-2020-7199
PUBLISHED: 2020-12-02
A security vulnerability has been identified in the HPE Edgeline Infrastructure Manager, also known as HPE Edgeline Infrastructure Management Software. The vulnerability could be remotely exploited to bypass remote authentication leading to execution of arbitrary commands, gaining privileged access,...
CVE-2020-14260
PUBLISHED: 2020-12-02
HCL Domino is susceptible to a Buffer Overflow vulnerability in DXL due to improper validation of user input. A successful exploit could enable an attacker to crash Domino or execute attacker-controlled code on the server system.
CVE-2020-14305
PUBLISHED: 2020-12-02
An out-of-bounds memory write flaw was found in how the Linux kernel’s Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat ...