Cybercrime is a significant problem for businesses across the country, one that’s not going away any time soon. In fact, it’s only getting worse. In 2018 “the average cost of cybercrime for an organization has increased $1.4 million over the past year, to $13.0 million, and the average number of security breaches in the last year rose by 11 percent from 130 to 145.”
Fortunately, there’s a way you can protect your business from 97 percent of cyberattacks. How?
By implementing the 20 CIS critical security controls framework.
To help aid you in this process let’s run through each one and then discuss how to properly implement them at your business, company, or organization.
How to Implement the CIS CSC at your Business
The Center for Internet Security Critical Security controls are fondly referred to as the 20 Commandments of cybersecurity. Although there’s no cis security certification process or legal requirments for a company to apply them, if you follow the contorls, your organization’s cybersecurity will be strengthened.
CIS organized them into three tiers by order of importance:
- Basic – Critical Controls 1-6
- Foundational – Critical Controls 7-16
- Organizational – Critical Controls 17-20
So how do you start implementing them in your business?
You begin with the basic controls, which cover the vast majority of common cyberthreats. The remaining gaps in your cyberdefenses can then be mitigated by the foundational and organizational controls. It takes a concerted and coordinated organizational effort, but by rigorously applying all twenty, you can fully secure your business.
Note: Entire chapters have been written on each of these controls. For the sake of brevity, we’ll focus on the six most important measures cybersecurity measures your business can take. The remaining we’ll review, but in less detail.
Implementing the Basic Critical Security Controls 1-6
The first six critical controls are the most important security protocols. They’ll shield you from basic cyberattacks. By embracing controls 1-6 on a continuous, evolving basis, you can dramatically reduce your cyber risk.
CSC 1 – Inventory and Control of Hardware Assets
One of the primary ways hackers breach an organization is through unprotected hardware assets, mostly Bring-Your-Own-Devices (BYOD) connecting to the network. All it takes is one insecure device for them to latch onto your system and establish a staging point for further intrusions.
You can thwart that threat through active management of all hardware devices. Active management is defined as “inventory, tracking, and correcting.” Inventory and control ensures that only approved devices are able to gain entry to your network.
How to implement CSC 1:
- Equip both active and passive discovery tools to identify devices and update the hardware asset inventory.
- Implement Dynamic Host Configuration Protocol (DHCP) logging to update your hardware asset inventory.
- Maintain a detailed asset inventory and catalogue, including those that aren’t connected to your organization’s network, so that it clearly links each device to an approved employee.
- Address unauthorized assets by either removing or quarantining them, or updating inventory.
- Deploy port level access controls to perform device authentication for authorized use before hardware can connect to the network.
- Utilize client certificates to authenticate hardware assets.
This step typically involves a worthwhile investment in a service such as Microsoft System Center Configuration Manager (SCCM). With these digital tools even small IT teams can make an instant impact on your security.
CSC 2 – Inventory and Control of Software Assets
Do you know what software is running on your system and network?
Hackers often attempt to gain access through software security exploits. Or, they send malware, which unsuspecting employees click on. When that happens the entire system can be held hostage.
To counter software vulnerabilities perform active management on all software on your network. Software must be authorized before it’s installed and executed.
How to implement CSC 2:
- Limit local administrator access and install rights to a few key employees.
- Manage and maintain an up-to-date catalogue of authorized inventory software.
- Only install software on vendor-approved applications and operating systems.
- Utilize software inventory tools that automate software cataloguing.
- Keep track of software inventory information—name, publisher, version, and install date.
- Implement application whitelisting and blacklisting of scripts and libraries.
- Segregate high risk applications.
By managing your inventory you make it easier and quicker to respond to an incident. Inventory management simplifies policy development, implementation, and enforcement. Also, it will help you out with controls seven, eight, and thirteen.
CS3 – Continuous Vulnerability Management
The cyberthreats your organization faces are constantly evolving. Each time there’s an update, fix, or protocol, attackers seek a new point of entry.
You need to be able to instantly identify and then respond to a threat. But that requires a constant flow of information.
How to implement CSC 3:
- Run automated vulnerability scanning tools to highlight security exposures.
- Conduct authenticated vulnerability scanning locally or remote on each system.
- Utilize and safeguard a dedicated assessment account that’s used solely for authentication vulnerability scanning.
- Deploy automated software and operating system patch management tools to ensure that all systems are up-to-date.
- Review back-to-back vulnerability scans to ensure that security gaps have been plugged.
- Rate and address vulnerabilities according to their level of risk.
CS4 – Controlled Use of Administrative Privileges
Hackers typically gain administrative access in one of two ways:
- A privileged user clicks on malware, loads a malicious website or surfs on unprotected webcontent.
- Hacker guesses admin’s password then gains entry into the system.
To prevent this it’s important that your organization diligently monitor administrative privileges on all computers, networks, and applications. Correct administrative configurations, uses, and assignments need to be tracked and controlled.
How to implement CSC 4:
- Maintain an automated inventory of administrative accounts to ensure that only authorized users have access or elevated privileges.
- Always change default passwords to unique passwords that are 14 characters or more.
- Set up dedicated administrative accounts.
- Use dedicated workstations and multi-factor authentication for all accounts with administrative access.
By limiting and controlling admin access you reduce risk and simplify operations.
CS5 – Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Most manufacturers are focused on ease-of-deployment and functionality over security. Recently acquired devices come in their default mode, which is easily exploitable.
You can mitigate this threat by actively managing the security configurations on all organizational assets including mobile devices, tablets, laptops, and desktops.
How to implement CSC 5:
- Set a secure configuration standard for all authorized OS and software.
- Keep secure images and templates for all systems.
- Establish system configuration management tools to automatically impose configuration standards.
- Use an automated Security Content Automation Protocol (SCAP) to confirm that the system config remains in place. If it is changed, that system can then alert you.
Remember that configuration changes are continuous. Staying atop vulnerabilities that come from patches, updates, or new software deployment is the only way to ensure your continued security.
CS6 – Maintenance, Monitoring, and Analysis of Audit Logs
Audit logs are a vital part of security compliance. With them you can find the details of an attack and see what actions attackers take. When audit logs are deficient, you lack the visibility to locate possible threats or root out attacks that have successfully penetrated the system.
How to implement CSC 6:
- Ensure that log timestamps are accurate by using multiple synchronized time sources via Network Time Protocol (NTP) configuration.
- Activate local audit logging on all systems and network devices.
- Allow the system to perform detailed logging of events.
- Make sure that you have the storage space needed to save the logs.
- Deploy a central log management system that analyzes and reviews all logs.
- Embrace Security Information and Event Management (SIEM) tools to analyze logs and keep that system tuned up.
- Regularly perform manual reviews of logs.
Applying the Foundational Critical Controls 7-16
The foundational security controls add further protections to the basic security perimeter. These technical best practices are directed towards specific security exposure gaps. They include:
CS7 – Email and Web Browser Protections – To minimize the risk that email clients and web browsers pose focus on email and browser safety.
- Implement content filtering
- Embrace a Sender Policy Framework (SPF)
- Disable browser plugins
- Only allow authorized scripting language for unvetted software
CS8 – Malware Defenses – To prevent malware implement protections at the system, network, and organizational levels.
- Use centrally managed anti-virus and anti-malware software, and keep it up-to-date
- Centralize anti-malware logs to monitor incidents and track them over time
- Ensure that each device on your network uses antivirus tech
- Enable DNS query logging and command-line audit logging
CS9 – Limitations and Control of Network Ports, Protocols, and Services – By understanding what’s running on your network and eliminating redundant or unnecessary channels you can significantly lower your attack surface.
- Conduct port scans using a vulnerability scanner
- Limit system communication between servers via host-based firewalls
- Station application firewalls before essential servers
- Scan servers to ensure that only authorized traffic gains access
CS10 – Data Recovery Capabilities – If attackers compromise a machine, they can make significant changes to both the software and the system configurations. All critical information must be properly backed up and easily recoverable so that you can revert to an undamaged system.
- Automatically back the system at least once per week
- Ensure backup policies are compliant with regulatory and official requirements
- Conduct regular data restoration tests
- Protect backups via encryption and physical security
- Make sure that all backups have at least one backup destination that’s removed from the operating system.
CS11 – Secure Configuration for Network Devices such as Firewalls, Routers, and Switches – To reduce a cyberattack’s efficacy critical network devices have to be hardened against compromise.
- Compare security configurations against standard protocols
- Set up change management and change detection
- Use Two-factor authentication and encryption
- Update security regularly
- Limit administrative access
CS12 – Boundary Defense – System exploits on network boundaries can be minimized by controlling the flow of network traffic through your network borders with protection and detection techniques.
- Keep an up-to-date inventory of network boundaries
- Segment network and control flow
- Deploy intrusion detection systems (IDS) and intrusion prevention systems (IPS) throughout the network
- Track and monitor firewall logs
- Restrict access for remote login access
- Require remote logins to use multi-factor authentication
CS13 – Data Protection – Data exfiltration represents a significant privacy concern for your customers. This data can be protected via:
- Managerial controls such as data inventory and tracking
- Procedural controls like performing scans or developing data protection configurations
- Technical controls can include data loss prevention tools (DLP), privileged account management (PAM) tools, and account control lists (ACL)
CS14 – Controlled Access Based on the Need to Know – Define which employees, devices, and applications have a need and a right to access critical assets.
- Create an expansive data classification policy for all IT systems based on level of sensitivity
- Segment your network using your classification policy
- Utilize ACLs on every system
- Encrypt data that’s resting and in transit
- Remove and archive old data sets
CS15 – Wireless Access Control – Defend your wireless network from data theft by active management of wireless local area networks (WLANs)
- Keep your network name (SSID) private
- Apply protocols like extensible authentication protocol-transport layer security (EAP/TLS) certificates
- Restrict your radio broadcast levels to your building
- Create a guest network
- Actively monitor who’s connected to your network
CS16 – Account Monitoring and Control – Actively manage accounts of employees and contractors (both current and past) to prevent them from being exploited or impersonated.
- Perform regular account lifecycle management
- Review the various types of accounts and deactivate those out of use
- Change configuration settings to automatically log users off
- Set lock screens on all devices
- Require two-factor authentication
The Organizational Security Controls
Similarly, the four remaining controls cover active steps your business can take to ensure your cybersecurity defense is strong. They include:
- Implementing a security awareness and training program
- Embracing application software security
- Instilling incident response and management
- Conducting penetration testing and red team exercises.
Implementing CIS CSC at Your Business
The cyberthreats your business faces are constantly changing. Fortunately, most of them can be minimized or wholly elminatined by active management and implementation of the CIS critical security controls, including:
- Basic controls
- Foundational controls
- Organizational controls
Ready to get started? RSI Security can help you apply the CIS controls throughout your business. As cybersecurity experts we specialize in compliance, penetration testing, cloud computing security services, and managed network security services. Reach out now to communicate with our dexterous staff and start fortifying your cyberdefenses!