With the astounding amount of new tech available to both individuals and organizations, it’s hard for industries to keep up to date with the cybersecurity demands that arise from their implementation. The Center for Internet Security Critical Security Controls (CIS CSC), is a constantly updated framework that is designed by the wider cybersecurity community that tackles this very issue.
Possibly not the best cocktail party conversation starter (they could also do well to hire a creative director), the CIS CSC, was developed in 2008 in response to a serve data loss experienced by some organizations in the US Defense Industrial Base. It was formerly called the Consensus Audit Guidelines. The compliance framework consists of 20 action points known as Critical Security Controls (CSC).
The CSC is used to block or mitigate known attacks, and are designed in such a way that automation becomes the primary means in which they are implemented, enforced, and monitored.
The critical security controls can then recommend actionable steps, in response to a breach or attack, that are easy to understand by IT and non-IT professionals.
The 20 action points have been revised over the years with the most recent revision in April 2019 (version 7.1). In this blog, we will take you through a brief description of the 20 points and a guide to using the CIS benchmark and security controls implementation as a means of CIS Certification.
The compliance mapping for CIS certification is broken down into two main elements outlined by the Center for Internet Security. These are:
- CIS Control
- CIS Benchmarks
They, rightly, state collaboration between industry, government, and professionals as key, a sentiment regarded by the wider cybersecurity community as fundamental to enhancing cybersecurity worldwide.
As a part of the CIS CSC certification, the CIS recognizes certain global frameworks is important to adhere to as a basis of compliance, these include:
Certain state legislations leverage the 20 controls (CSC) and these are:
- Ohio Data Protection Act
- California 2016 Data Breach Report
- Nevada S.B. 302
- Idaho Executive Order 2017-02
- National Governor’s Association
In the next section we will explore the first element, CIS controls.
To start CIS certification, you must have an understanding of the CIS controls and their implementation. In total there are 20 CIS Controls, known as CSC (Critical Security Controls). For ease of organization the CIS has broken down the 20 controls into three groupings, basic CIS controls, Foundational CIS controls, and finally Organizational CIS Controls.
Please note that the brief description of the controls below is exactly that: a brief description, each control could be expanded into its article. Having said that it is still important in CIS security certification to have a general knowledge of each control.
Basic CIS Controls
The first grouping of CIS controls, known as basic CIS controls, includes the first 6 key actions that your organization must take to become obtain CIS security certification. Below you will find an ordered list with a brief description of what is meant by the key action.
1. Inventory and Control of Hardware Access – in this action the organization must find and manage all hardware assets on their network. This is so all authorized hardware is granted access and all unauthorized or unmanaged assets are found and prevented access. Most home network wifi routers allow you to do this through MAC filtering, this would also be similar to what an organization’s network would do through a SIEM system (Security Information and Events Management). This is especially important for organizations that allow BYOD (Bring Your Own Devices) to work as hardware is continuously attaching and detaching from the network (which is a potential attack vector).
- Useful software: SIEM, Discovery Tools (may be included in antivirus and firewalls)
2. Inventory and Control of Software Access – Similar to the previous action point, this involves the careful analysis of all software that is installed and executed on the organization’s network. This is to ensure that only authorized software is installed and/or executed. This would stop such attacks like malware and trojans (which may be deployed through link clicking). Attackers consistently scan networks for unused software or vulnerable machines that they can install and execute unwanted software on.
- Useful Software: SIEM, Software Inventory tools (consult with RSI Security for the best tools and cybersecurity architecture)
3. Continuous Vulnerability Management – This key action involves the continuous stream of new information to assess and reorient the network to potential new threats. With this stream of information, the organization and the network can identify, remediate, and minimize (the window of opportunity) and the fallout of cyberattacks. Understanding and responding to the streams of information has become a constant activity and defenders must be prepared with software patches, threat bulletins, etc. If they wish to remain ahead of the attackers (who are prone to exploiting gaps)
- Useful Software/Tools: SIEM, Incident Response Plan (IRP), discovery, and identification tools.
4. Controlled Use of Administrative Privileges – The organization should have processes and controls in place that govern the use of admin privileges (on computers, networks, and applications). The lack in the controlled use of admin privileges can spell disaster for an organization, through this attack vector, attackers can access the entire network. With this free reign over the network, they can then add unwanted programs, restrict access to defenders, and ultimately collapse the entire or steal data.
- Useful Software/Tools: make sure that admin privileges are on a secondary account so that regular browsing is restricted. Use an ID tool to alert you when accounts are added or deleted from the admin account.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers – Indeed another mouthful from the team at CIS CSC, but an important control point none the less. In this CSC the organization must actively manage the security config on all devices mentioned above. Essentially, when any devices are bought with factory settings enabled they are not secure. This is because they are designed for ease-of-use and not security (think, open ports, non-password protected, etc.). The organization should then actively manage the security config of all devices so that attackers can not exploit any vulnerabilities. It is recognized that this is a difficult task and should be left to a dedicated security team (primarily due to, potentially, thousands of entry points from various devices).
- Useful Software/Tools: A documented account of the standard security config for all authorized devices. Security Content Automation Protocol (SCAP) compliant config that can monitor and verify security config elements.
6. Maintenance, Monitoring, and Analysis of Audit Logs – This control point involves the logging of data, particularly from security events. If the organization does not maintain detailed logs of events they may remain blind to future and current attacks. Even if it is known that an event is occurring without a detailed account, the organization may not know the location (within the network), the types of malware being installed, and in some cases logged details are the only evidence that an attack ever took place.
- Useful Software/Tools: Ensure that local logging is taking place on all devices and that details are being sent to a central log management system.
That wraps us the basic control points in the CIS CSC framework, in the next section we will explore the foundational CIS controls
Foundational CIS Controls
The foundational CIS controls compromise points 7-15, they are a bit more detailed and involved than the basic controls.
7. Email and Web Browser Protection – In this CSC organization should minimize the attack vectors and opportunities for bad actors to manipulate human behavior through their interactions on the web. Both email and web activity are commonplace for would-be attackers to gain unauthorized access to networks and systems. Oftentimes they use social engineering and content crafting to trick users into compromising the system. This environment is the main means where users interact with untrusted applications.
- Useful Software/Tools: it is best that only authorized and fully supported web browsers and email clients can be executed on the network. Ensure that they are fully up to date with the latest patches installed to minimize vulnerabilities. Implement Domain-based Message Authentication, DMARC policy and verification, etc.
8. Malware Defense – Utilize rapid updating to combat the execution of malicious code on the network. Malware is a deadly string of code, that when activated on a network can cause serious or even irreparable damage. Systems must utilize the appropriate technology to combat their effects.
- Useful Software/Tools: Centralized anti-malware management system that can detect and combat malware in dynamic environments, Data Execution Prevention (DEP).
9. Limitation and Control of Network Ports, Protocols, and Services – This involves the tracking and monitoring of network ports, which are the points of entry where devices will then attach themselves to the network. In factory settings most ports are open and as described in CSC 5 you should configure all devices with security enabled. Poorly configured DNS (domain name servers), web servers, and email servers are a prime vulnerability that can be exploited by attackers.
- Useful Software/Tools: Perform, as often as possible, a port scan to ensure that only business devices are connected to authorized ports and that no unauthorized port is active.
10. Data Recovery Capability – What capabilities does the organization have in place for the timely recovery of lost data? In this control point, there must be a process and tools in place that allow for the recovery of data in the event of a breach or loss. This CSC is for the aftermath of an attack, it can be tricky to find what has happened and there is a need for tools and processes to detect what has occurred.
- Useful Software/Tools: Make sure that data is backed up regularly, uses processes like imaging to have a complete backup of the system in case there is a complete shutdown.
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches – Much like other out of the factory devices, the devices mentioned in this control point as designed for ease of deployment, not security. It should be on the onus of the organization to make sure all of the network devices are reconfigured to meet the needs of security, this also includes firewalls which are often not just a plug and play solution for cybersecurity.
- Useful Software/Tools: compare all the security configs of your devices against approved standards of security configurations for respective devices. Manage network devices with multi-factor authentication.
12. Boundary Defense – This control has an emphasis on the detection and correction of the flow of sensitive information between devices on a network, of varying trust levels. Attackers often use perimeter systems to exploit weaknesses, these perimeter systems are becoming more blurred as the businesses become more interconnected. This could result in attackers not only gaining access to your organizational system but to others that may be in contact with yours.
- Useful software/Tools: Make sure only trusted IP’s are connected to the network, use of Firewalls and IDS (Intrusion Detection Systems) that are tailored to boundary detection.
13. Data Protection – Organizations must ensure the protection, privacy, and integrity of sensitive information. Employing techniques of data protection can be an involved process but it begins with the identification of the most sensitive data and where it is stored. After, the encryption of the data and other processes that might involve maintaining the integrity and privacy of the data can be applied. It is important to note that sensitive data may not only include things such as personally identifiable information, but also information on how certain management processes work, or information on the internal workings of an organization’s network system (which attackers could easily exploit).
- Useful Software/Tools: Automated tools that can detect the unauthorized transfer of sensitive data while blocking said transfer.
14. Controlled Access Based on a Need To Know – This control involves restricting access to critical assets and information based on the rights and privileges of individuals within the organization. It may not be necessary for all departments to know the HR data of employees, but it is in the interest of the HR department, therefore the organization’s data practices and policies must restrict access to that data to only the HR department. Most data losses occur due to poor data practices and policy not from theft and/or espionage, this is why this control point is important, getting a good grasp of what each individual/department needs access to fulfill their needs means fewer vectors or leakage for the organization as a whole.
- Useful software/Tools: Segment levels of the network creating a tier system for authorized access, encrypt all sensitive data on transit.
15. Wireless Access Controls – This control involves the process and tools that track the use/access and the prevention/control of the security use wireless local area networks (WLANs). It is important to employ security controls on wireless access points as attackers can access the network from outside the physical building or location.
- Useful Software/Tools: Utilized AES (advanced encryption standard) to encrypt data packets (over wireless networks) in transit.
16. Account Monitoring and Control – The organization must monitor the life cycle of systems and application accounts. This involves ensuring that the creation of systems accounts, the dormancy, and the deletion of inactive ones are closely tracked. This control point ensures that attackers can not exploit inactive/unused accounts to impersonate a potential employee, or otherwise, to spoof the defenders.
- Useful Software/Tools: employ multi-factor authentication for all accounts on the network, disable accounts that are not associated with the business or business owner.
The final three controls in the CIS CSC framework, the organizational controls, involve the strategic implementation of cybersecurity by design. Whilst the first 16 controls are more to do with the technical implementation, they will only take you so far with compliance and overall cybersecurity coverage. The strategic implementation will ensure the continued growth of the cybersecurity environment within the organization, and will drastically reduce the risk of a cyberattack.
17.Implement a Security Awareness and Training Program – It is often thought that cybersecurity is a purely technical implementation, but ask any cybersecurity professional and they will tell you a different story. The human element in an overall business information system is as critical as the technical side, and in some cases even more so. From developers who may have little security awareness at the root level, to everyday staff who may be more susceptible to social engineering and phishing attacks, it is paramount that the organization has the policy, training, and tools in place to foster a security-conscious environment at all levels of the organization big or small.
- Useful Software/Processes: Skills gap analysis that can identify where the workforce is falling short in their overall security awareness and adherence to policy. Staff training can be administered by a trusted third party or in house.
18. Application Software Security – In this control point, the organization should actively manage the security lifecycle of in house developed and acquired software. The active management should include using the correct coding language that is up to standard with inbuilt security principles. This could avoid exploitation from errors in coding and logic patterns.
- Useful Software/Processes: Foster a secure coding practice for in house developments and ensure its security through the use of analytical tools that verify that the security practices are being adhered to.
19. Incident Response and Management – Cyberattacks are becoming more frequent that the question of organizations’ minds is not “if” but “when” will an attack occur. This has prompted governments and organizations to prepare a readiness plan in the event of a breach. These are formally known as Incident Response Plans (IRP). The organization should have a plan in place to let members and personnel know about their roles and responsibilities in the event of a cyberattack or data breach so that the fallout damage can be minimized.
- Useful Software/Processes: There are no direct software or tools that can aid in this control other than having a written document outlining the process. Although it is highly recommended that you maintain a third party team that can aid in the event of an incident.
20. Penetration Tests and Red Team Exercises – Having all previous controls implemented is an ideal position to be in, but without testing the organization can not know for sure the rigidity of the system overall. In the final control point organization should be simulating the event of an attack to test how well their cybersecurity architecture can handle it. The pen test should also test the response time in the event of a breach or attack. Like many of the other points, there is a lot involved in pen testing that you can find on our blog.
- Useful Software/Processes: Implement a program that can dish out a wide array of simulated attacks, from wireless to client-based, to phishing attempts. Use testbeds (like a sandbox) that can mimic or execute certain attacks in a safe environment.
That finishes the section on CIS controls, the first step toward CIS certification is having a basic understanding of the CIS controls and their implementation. Once implemented the next step would be to use the CIS benchmarks to test the overall effectiveness of the security configuration of devices, operating systems, etc. that interface the organization’s network.
CIS benchmarks are a consensus-based security configuration for various “out of the box” devices, software, operating systems, applications, etc. If you can recall in some of the previous control points a lot of software and devices bought out of the factory are configured for ease of use and not security in mind.
What the CIS benchmarks do is, many members of the cybersecurity community, in partnership with CIS, come together on a consensus-based committee to agree on the best security configurations for all the things mentioned above.
Once agreed on by the consensus model, the organization can either download the PDF file from the CIS website and implement said security configurations to that device, operating system, etc. The second way is to join the secure suite where CIS has a full range of automated tools to assist in the security configuration implementation.
Although it is not necessary to join the CIS Secure suite to have CIS certification, they do make it easier to benchmark using the CIS-CAT Pro platform.
Although full CIS certification includes all the CSC controls outlined above, it is important to understand the needs of your business. A small enterprise would still be required to implement most, if not all of the controls, but not to the same degree as a large organization. Even with just implementing the first five controls most organizations can eliminate 84% of their cyber vulnerabilities.
RSI Security understands the needs of organizations both small and large. Consult with our team today to assess your cybersecurity resilience and requirements.