7/28/2011 01:28 PM
Security Best Practices A Big FAIL In Most Organizations

Enterprises, government agencies mostly missing the boat in proper security practices

New data released today reveals how enterprises and government agencies are failing to adopt best practices for security: nearly all of the 420 organizations that participated in the survey were at some risk in security or compliance.

The Echelon One/Venafi-sponsored survey, 2011 IT Security Best Practices Assessment, was based on 12 best security practices defined by Echelon One.

Here's how the organizations fared in the top five best practices:

Some 77 percent don't conduct quarterly security and compliance training; 64 percent don't encrypt all of their cloud data and cloud transactions; 82 percent don't rotate their SSH keys every 12 months; 55 percent don't have a process in place for a certificate authority compromise; and 10 percent don't use encryption throughout their organizations.

"Training once a year is not enough. It has to be done on a regular basis, and quarterly is best," says Bob West, founder and CEO of Echelon One, who says he was shocked by the high rate of failure in the survey. "But 77 percent are not doing this."

Jeff Hudson, CEO of Venafi, says the good news from the survey is the widespread use of encryption. "But it's incredibly poorly managed. SSH keys are a mess," he says.

"Very few are thinking about encrypting data as it goes in the cloud. Ninety percent say they use encryption throughout the organization, but that number falls off drastically when data goes into the cloud," Hudson says. "As apps and data move into the cloud … there's not a well-developed thought process on how to protect data under your direct control."

"People are not planning for compromises, and the biggest ones were when people were caught flat-footed, especially with a CA room compromise, and the Comodo RA compromise," for example, he says.

Among the other findings from the survey: 40 percent of the respondents didn't know whether their organizations encrypted their data in Google Apps, Salesforce.com, or Dropbox, and 41 percent didn't know how often their SSH keys were rotated. Around 10 percent aren't using encryption in authentication.
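The survey's SSH finding is really an inventory problem: an authorized_keys file carries no issue date, so "rotated within 12 months" can only be checked against a record of when each key was issued. The script below is an added illustration, not code from the article, Venafi or Echelon One. It computes the same SHA256 fingerprint that ssh-keygen -lf prints for each authorized_keys entry, looks the fingerprint up in a hypothetical key inventory (owner and issue date), and flags keys older than 365 days or absent from the inventory. The sample keys, the inventory and the date are constructed for the example.

```python
import base64
import hashlib
import struct
from datetime import date

MAX_KEY_AGE_DAYS = 365  # the 12-month rotation benchmark the survey measured against


def fingerprint(authorized_keys_line):
    """SHA256 fingerprint of one authorized_keys line, in the form ssh-keygen -lf prints.

    Leading options (no-pty, from=..., command=...) are skipped. Options whose quoted
    value contains a space are not handled by this simple whitespace split.
    """
    fields = authorized_keys_line.split()
    i = 0
    while i < len(fields) and not fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
        i += 1
    if i + 1 >= len(fields):
        raise ValueError("no key blob found in line: " + authorized_keys_line)
    blob = base64.b64decode(fields[i + 1])
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the base64 digest without '=' padding
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def audit(authorized_keys_text, inventory, today):
    """Flag keys past the rotation window or missing from the inventory.

    inventory maps fingerprint -> {"owner": str, "issued": date} (assumed format).
    Returns a list of (fingerprint, status, detail), status "stale" or "unknown".
    """
    findings = []
    for raw in authorized_keys_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fp = fingerprint(line)
        record = inventory.get(fp)
        if record is None:
            findings.append((fp, "unknown", "not in inventory; issue date cannot be established"))
            continue
        age_days = (today - record["issued"]).days
        if age_days > MAX_KEY_AGE_DAYS:
            findings.append((fp, "stale", f"{record['owner']}: issued {age_days} days ago"))
    return findings


# ---- constructed sample data; these are not real keys ----
def _fake_ed25519_line(fill_byte, comment, options=""):
    """Build a syntactically valid ssh-ed25519 authorized_keys line whose 32-byte
    public key is a repeated byte. Unusable as a key; for demonstration only."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes([fill_byte]) * 32)
    prefix = options + " " if options else ""
    return f"{prefix}ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


TODAY = date(2011, 7, 28)  # date of the article
KEY_FRESH = _fake_ed25519_line(0x01, "alice@deploy")
KEY_STALE = _fake_ed25519_line(0x02, "backup@db01",
                               options='no-pty,command="/usr/local/bin/backup"')
KEY_UNKNOWN = _fake_ed25519_line(0x03, "contractor@laptop")

SAMPLE_AUTHORIZED_KEYS = "\n".join(["# deploy host", KEY_FRESH, KEY_STALE, KEY_UNKNOWN])

# Hypothetical key inventory: what an organisation would need in order to answer
# "how often are our SSH keys rotated" at all.
INVENTORY = {
    fingerprint(KEY_FRESH): {"owner": "alice", "issued": date(2011, 5, 1)},
    fingerprint(KEY_STALE): {"owner": "backup-svc", "issued": date(2009, 11, 15)},
}


def run_sample():
    return audit(SAMPLE_AUTHORIZED_KEYS, INVENTORY, TODAY)


if __name__ == "__main__":
    for fp, status, detail in run_sample():
        print(f"{status:8} {fp}  {detail}")
```

The "unknown" status is the one worth acting on first: a key nobody can account for is the 41 percent case from the survey in miniature, and no rotation policy can be enforced on it until it is either recorded or removed.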

Venafi and Echelon One are now offering a free self-assessment survey for organizations to measure their best-practices status, as well as a copy of the full report.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
