It’s a well-known fact that most successful cyber attacks are easily preventable. That’s because the majority are neither highly sophisticated nor carefully customized.
Instead, they are of the “spray and pray” sort. They try to exploit known vulnerabilities for which patches are available, or to take advantage of weak configuration settings that IT departments could have handily and quickly hardened.
One recent and infamous example was the WannaCry ransomware, which infected 300,000-plus systems and disrupted critical operations globally in May. It spread using the EternalBlue exploit for a Windows vulnerability Microsoft had patched in March.
So why do many businesses, non-profit organizations and government agencies — including those with substantial cybersecurity resources and knowledge — continue falling prey to these largely unrefined and easy to deflect strikes?
In most cases, the main reason can be traced back to hygiene — of the cybersecurity type, of course. Just as personal hygiene practices reduce the risk of getting sick, applying cybersecurity hygiene principles goes a long way towards preventing security incidents.
That was the key message Qualys Product Management Director Tim White and SANS Institute Analyst John Pescatore delivered during the recent webcast “Automating CIS Critical Security Controls for Threat Remediation and Enhanced Compliance.”