Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

7/28/2011
01:28 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Security Best Practices A Big FAIL In Most Organizations

Enterprises, government agencies mostly missing the boat in proper security practices

New data released today reveals how enterprises and government agencies are failing to adopt best practices for security: nearly all of the 420 organizations that participated in the survey were at some risk in security or compliance.

The Echelon One/Venafi-sponsored survey, 2011 IT Security Best Practices Assessment, was based on 12 best security practices defined by Echelon One.

Here's how the organizations fared in the top five best practices:

Some 77 percent don't perform quarterly security and training compliance training; 64 percent don't encrypt all of their cloud data and cloud transactions; 82 percent don't rotate their SSH keys every 12 months; 55 percent don't have a process in place in the event of a certificate authority compromise; and 10 percent don't use encryption throughout their organizations.

"Training once a year is not enough. It has to be done on a regular basis, and quarterly is best," says Bob West, founder and CEO of Echelon One, who says he was shocked by the high rate of failure in the survey. "But 77 percent are not doing this."

Jeff Hudson, CEO of Venafi, says the good news from the survey is the widespread use of encryption. "But it's incredibly poorly managed. SSH keys are a mess," he says.

"Very few are thinking about encrypting data as it goes in the cloud. Ninety percent say they use encryption throughout the organization, but that number falls off drastically when data goes into the cloud," Hudson says. "As apps and data move into the cloud … there's not a well-developed thought process on how to protect data under your direct control."

"People are not planning for compromises, and the biggest ones were when people were caught flat-footed, especially with a CA room compromise, and the Comodo RA compromise," for example, he says.

Among some of the other findings from the survey: 40 percent of the respondents didn't know whether their organizations encrypted their data in Google Apps, Salesforce.com, or Dropbox, and 41 percent didn't know how often their SSH keys were rotated. Around 10 percent aren't using encryption in authentication.

Venafi and Echelon One are now offering a free self-assessment survey for organization to measure their best practices status here, as well as to obtain copy of the full report.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 5/22/2020
How an Industry Consortium Can Reinvent Security Solution Testing
Henry Harrison, Co-founder & Chief Technology Officer, Garrison,  5/21/2020
Is Zero Trust the Best Answer to the COVID-19 Lockdown?
Dan Blum, Cybersecurity & Risk Management Strategist,  5/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13616
PUBLISHED: 2020-05-26
The boost ASIO wrapper in net/asio.cpp in Pichi before 1.3.0 lacks TLS hostname verification.
CVE-2020-13614
PUBLISHED: 2020-05-26
An issue was discovered in ssl.c in Axel before 2.17.8. The TLS implementation lacks hostname verification.
CVE-2020-13615
PUBLISHED: 2020-05-26
lib/QoreSocket.cpp in Qore before 0.9.4.2 lacks hostname verification for X.509 certificates.
CVE-2020-9046
PUBLISHED: 2020-05-26
A vulnerability in all versions of Kantech EntraPass Editions could potentially allow an authorized low-privileged user to gain full system-level privileges by replacing critical files with specifically crafted files.
CVE-2020-12388
PUBLISHED: 2020-05-26
The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. *Note: this issue only affects Firefox on Windows operating systems.*. This vulnerability affects Firefox ESR < 68.8 and Firefox < 76.