As cybersecurity threats continue to proliferate, it’s important for organizations to understand what best practice looks like when it comes to designing, implementing, and maintaining a robust security system.
To better support the industry, the Center for Internet Security (CIS) maintains a set of critical security controls that organizations should implement to defend themselves from known threats. These controls were commonly known as the CIS Top 20, but after the recent publication of Version 8 in May 2021, they are now referred to more simply as the CIS Controls.
The controls outline a series of priorities that IT professionals and Managed Security Service Providers (MSSPs) should focus on to best protect their organizations and clients. With the most recent publication of Version 8, there are now 18 controls. These controls are not exhaustive, but they do offer rigorous, structured guidance on the actions organizations should take to improve their security.
The controls are updated on a regular basis to reflect new developments in the IT and cybersecurity world. The most recent update focused on increasing security for cloud and mobile solutions amidst the surge in remote work. Here, we break down the most recent CIS Controls and explore what the controls mean for organizations and cybersecurity professionals:
Control 1: Inventory and Control of Enterprise Assets
It’s important organizations monitor and manage all the devices on their network, including computer, network, peripheral, and removable media assets. Only authorized devices should be able to access the network; any unauthorized devices should be quickly identified and removed, and analysis should be conducted to determine the reasons for their presence.
Control 2: Inventory and Control of Software Assets
Similar to hardware assets, it’s also crucial organizations monitor software assets. Only authorized software should be installed and able to execute; any unauthorized software represents a vulnerability that can be exploited by attackers. Clear guidelines outlining approved software should be provided to employees to minimize confusion.
Control 3: Data Protection
Data no longer lives solely within the perimeter of an organizational network; it exists on a variety of end user devices, in the cloud, and within partners’ networks.
It’s important to take steps to appropriately manage and safeguard this data. Data privacy is a hot button topic, and firms who handle certain types of controlled data are subject to all kinds of regulation. There are often severe ramifications for data privacy failings. Mismanagement of important data could expose the organization to legal, financial, or reputational damages.
Control 4: Secure Configuration of Enterprise Assets and Software
The majority of enterprise assets and software platforms are primarily configured for ease of use – not for security. Organizations should take steps to develop a secure configuration for all devices and software used in their organization. This configuration should be updated on a regular basis. This ensures any vulnerabilities are addressed and new enterprise assets and software are appropriately deployed.
Control 5: Account Management
Often, the easiest way for bad actors to gain access to an organization is through valid user credentials obtained via methods such as social engineering or malware. Highly privileged administrator accounts tend to be the most prominent target for this type of attack.
Organizations should closely control access to administrator and service accounts, conduct regular account management audits, and implement measures such as frequent employee password changes. Together, these can help to strengthen defenses against attacks.
Control 6: Access Control Management
Whereas Control 5 focuses on account management, Control 6 focuses on managing the access that these accounts have. Every employee’s account should only have access to the systems, assets, and data required for their role.
Access to particularly sensitive assets and data should be closely monitored. These access control standards should be centrally defined and consistently applied across the organization.
Control 7: Continuous Vulnerability Management
Organizations should conduct regular vulnerability assessments in order to identify and remedy any weaknesses present in their network.
This is both an internal and an external process. Organizations should perform analysis on their own systems, but they should also keep up-to-date with newly discovered vulnerabilities reported by service providers, researchers, or the wider cybersecurity community.
Control 8: Audit Log Management
It’s crucial that organizations have the ability to quickly access and conduct analysis of audit logs. This enables organizations to detect malicious activity quickly, better diagnose the issue, and form a plan for remediation.
Log analysis often falls by the wayside, but attackers are increasingly leveraging weaknesses in audit log management practices to hide sophisticated attacks on large-scale networks, so it’s important to stay on top of this.
Control 9: Email and Web Browser Protections
It’s often the case that the systems and network are not the focal point of an attack; rather, it’s the organization’s people. In particular, web browsers and email clients represent common routes of entry for attackers, who gain access by spoofing legitimate-looking communications that unwitting employees engage with.
It’s important for organizations to mandate periodic security awareness training to ensure that their people form a human firewall against potential attackers.
Control 10: Malware Defenses
Many attackers weaponize malicious software to breach organizations. Malware can enter organizations from many routes, but most frequently leverages insecure behavior from end users.
To remain secure, organizations should deploy sophisticated malware detection software, conduct routine vulnerability management programs, and ensure employees are educated on common malware threats.
Control 11: Data Recovery
Data is now integral to the functioning of virtually all organizations. In the event of an attack, organizations must have the ability to quickly and completely recover any lost data assets. This has become particularly important with the rise in ransomware attacks in recent years.
Control 12: Network Infrastructure Management
All devices in a network can represent vulnerabilities, and it’s important for organizations to actively manage the infrastructure of their network in order to define and safeguard vulnerable access points.
One pivotal element of network infrastructure management is the security architecture of the organization. This should be updated on a regular basis to reflect any new vulnerabilities or external threats.
Control 13: Network Monitoring and Defense
Secure networks, no matter how well they are designed and implemented, are rarely completely impenetrable. Adversaries are constantly evolving and adopting new technologies. Organizations should proactively and continuously monitor for security threats throughout their entire network and user base.
Control 14: Security Awareness and Skills Training
An organization’s employees are the first line of defense when it comes to cybersecurity threats. A robust security awareness training program is an important investment, and helps employees to spot potential threats and respond appropriately.
Control 15: Service Provider Management
Many organizations work extensively with Managed Security Service Providers (MSSPs). These third-party vendors manage sensitive data and are responsible for critical elements of an organization’s IT infrastructure.
Outsourcing these processes has many benefits, but organizations should vet and monitor third-party providers to ensure that they, and the services they provide, do not compromise security.
Control 16: Application Software Security
Modern organizations make use of a wide variety of applications. Given the high level of access applications tend to have to sensitive data, it’s crucial organizations monitor and manage the security posture of any applications used in their system. One example of this is Microsoft 365 Security.
Control 17: Incident Response Management
If a security incident occurs, organizations need a framework to refer to in order to quickly discover, diagnose, and respond to an attack. Without a documented procedure, organizations cannot respond effectively to attacks, manage recovery, and address vulnerabilities to minimize ongoing exposure. The best approach focuses on a holistic managed detection and response strategy.
Control 18: Penetration Testing
Any sophisticated cybersecurity infrastructure should be stress tested on a regular basis. This is typically achieved through penetration testing, where a team of ethical hackers attempts to breach the organization’s network. If any vulnerabilities are detected through this penetration testing, they should be immediately addressed.
Managing the CIS Controls in Your Organization
Building the infrastructure to design, implement, and manage all of these controls on an ongoing basis is far from easy, particularly for small and midsized organizations. In truth, effectively building and maintaining a security posture that adheres to all the CIS Controls requires a network of cybersecurity experts, deep technical expertise, and a suite of sophisticated solutions.
Here at TechHeads, we have the right blend of expertise and experience to help manage CIS controls in your organization. With over 25 years of experience providing cybersecurity solutions to the Pacific Northwest’s top companies, a deep technical bench of specialist consultants, and a variety of resources, we stand ready to help any organization.