CIS Controls v.8 – Proven To Reduce Your Cyber-Risk
Cyber security frameworks are great tools to measure the effectiveness of your company’s cyber security posture. There are several well-respected cyber security frameworks organizations can adopt. One such reputable framework is The Center for Internet Security’s (CIS) Critical Security Controls.
CIS recently released version 8 of the CIS Controls. The number of controls has been reduced from 20 down to 18. The CIS team re-assessed their current controls and how they matched up against the modern threat landscape. As a result, the controls have been updated and incorporate cloud and mobile technologies. This post summarizes the importance of each control.
CIS Controls
1. Inventory and Control of Enterprise Assets
It is vital to know what assets your organization has and what company information is on those assets. That includes on-premise, mobile, IoT, and cloud. You cannot protect what you do not know exists. Having confidence in your inventory and your ability to manage it will help in other areas of your security program, such as incident response, software management, and malware defences, to name a few.
2. Inventory and Control of Software Assets
Having an inventory of the software running on your assets is imperative to increasing your security posture. This control is about having the necessary visibility and control over all software running on your company’s systems. It allows you to know what vulnerable software and operating systems are running in your organization so you can act accordingly. Without controls 1 and 2, you are going in blind.
3. Data Protection
Classifying and protecting your company information is a top priority and should be considered an enterprise-level risk. Company information can include, but is not limited to, customer information, intellectual property, financial data, and employee information. This data is valuable to an organization. It is equally valuable to a criminal. Your data must be protected from theft, loss, inappropriate access, ransomware and other types of attacks. Encryption at rest and in transit is one technique to reduce the risk of an attack. However, there is also a data privacy component to data protection. How your company manages this data is as important as the security controls. This is especially true for personally identifiable information.
4. Secure Configuration of Enterprise Assets and Software
Having a secure and standardized configuration of your company’s system assets and software significantly reduces the management overhead of those systems. Complexity is the enemy of security. Take the time upfront to build a secure configuration for similar types of assets. Knowing that your hardware assets and software are configured using a standard configuration brings a higher level of confidence that they are secured in a consistent way across your organization.
5. Account (Identity) Management
Identity is the new perimeter. Criminals know this and have shifted a lot of their focus to compromising accounts. They know accounts have access to company data or have elevated access in a company’s environment. This is especially true of administrative accounts. Treat accounts as you would computer assets. Inventory and know your administrative-level accounts vs service accounts vs regular accounts. Monitor and alert on unusual behavior from those accounts.
6. Access Control Management
Ensuring accounts only have access to the information needed to perform their role is paramount. This can be a tedious task when done manually. Having a process which grants and revokes access to data based on role is best practice. An Identity and Access Management solution provides the foundation for access management. Another control to consider is implementing MFA for high-privilege accounts.
7. Continuous Vulnerability Management
This is an ongoing game of cat and mouse for security practitioners. Cyber criminals are constantly looking for vulnerabilities in systems which will help them infiltrate the network. They need to exploit only one vulnerability to be successful. Therefore, it is important that security practitioners have timely access to relevant threat intelligence to know what vulnerabilities exist in their environment. In addition, a vulnerability scanner or endpoint security tool can help identify which systems are vulnerable and how to remediate the vulnerability. Do not take vulnerability management lightly.
8. Audit Log Management
Without proper logging in place, it is very difficult to detect a security compromise or an attack in the network. Having the right logs also helps investigators determine what occurred during an investigation. This is a necessity when conducting Incident Response.
9. Email and Web Browsing Protections
Email and web browsing protections must be in place, as these are the tools used to interact on hostile networks like the internet. Browsers must always be up to date. Browser plugins should be disabled; otherwise, ensure they are up to date. Implement URL filtering. Add a spam filter on the email clients. These are just a few recommendations to protect your email and web browsing tools.
10. Malware Defences
The endpoint – laptop, desktop, and mobile device – directly connects to a hostile network: the internet. There are cyber criminals trying to entice your team to click on links or open an attachment that contains malware. Having appropriate malware defences reduces the risk of the malware being effective when on a target system.
11. Data Recovery
Being able to recover data is important in a security incident or disaster recovery situation. Trusting the integrity of your backups can only be done by testing the restores. With the rise of ransomware infections, it is more critical than ever to be able to recover to a pre-incident state. Data recovery does not mean just backups. Being able to recover data can be accomplished in different ways. Examples include, but are not limited to, mirroring a system, cloning a virtual machine, using containers, and replicating data to a warm/cold standby.
12. Network Infrastructure Management
The network infrastructure is responsible for sending your company’s information to and from its destination. Protecting this information means ensuring there is proper visibility into the network. Visibility can begin by including your network infrastructure in the organization’s vulnerability management program to ensure vulnerabilities are detected and subsequently remediated. Using standardized secure configurations for the network infrastructure is also important, as that brings down the management overhead and simplifies the security.
13. Network Monitoring and Defence
Being able to monitor for attacks on the network or criminals moving laterally reduces the chances of a breach occurring. Tools such as an Intrusion Prevention System (IPS), network segmentation, traffic flow telemetry, and centralized logging, to name a few, will reduce the impact of an attack or suspected attack.
14. Security Awareness and Skills Training
Criminals have had some of their greatest success infiltrating a network or stealing data when exploiting human emotion. Phishing emails continue to be a successful attack method. Criminals entice an individual to click on a link or open an attachment. Conducting relevant and ongoing security training can reduce the risk of these social engineering attacks being successful.
15. Service Provider Management
Criminals are targeting organizations’ third-party service providers in an attempt to get into their target’s organization. Too often, we read about a third party whose accounts were compromised, with criminals using those accounts to send phishing emails to the target organization. The target organization may feel it is a legitimate email because it came from a trusted partner and click on a link or open an attachment. Assessing a service provider’s security is important as it has direct consequences for your organization. Start by sending the service provider a list of security-related questions. Review their responses with the service provider to remove any ambiguity in the responses.
16. Application Software Security
As with infrastructure, applications also need to be developed with security in mind. Whether the application is built in-house or is a 3rd-party cloud-based application, security and functionality must be top of mind. The risk is even more heightened if the application is exposed to the internet. Have your developers trained on secure application development and ensure the training is ongoing. Secondly, incorporate the application in your vulnerability management program to report on and remediate any vulnerabilities discovered.
17. Incident Response Management
The ability to prepare for, detect, and respond to an attack can be the difference between containing a small security incident and an all-out public breach. Build an Incident Response program to help manage security incidents. NIST has an industry-recognized framework to use for Incident Response.
18. Penetration Testing
A penetration test assesses how vulnerable a network, system or application is to being compromised by an attacker. A tester simulates a real-world criminal attacking an organization’s asset. This provides a company with insight into where an attacker will target its attacks and what the organization can do to remediate what the tester discovered.