In 2008 the United States defense industry suffered a series of severe data losses. The response galvanized government and industry practitioners to draft a prioritized list of defensive measures that has since become one of the most widely adopted cybersecurity frameworks for businesses, governments and institutions worldwide. Stewardship of the framework eventually passed to the Center for Internet Security (CIS), which publishes it as the 20 CIS Controls, also known as the Critical Security Controls (CSC). The CIS top 20 gives a detailed account of what an organization should do to defend itself against cyber threats.
In this article we give a brief introduction to the 20 CIS critical security controls. Keep in mind that this is only a basic look at the 20 controls; if you wish to implement a robust cybersecurity architecture, consult RSI Security for help today!
Implementation Groups
Before delving deeper into the CIS top 20, it is necessary to understand what the implementation groups are.
In the most recent revision of the framework (CIS Controls version 7.1), CIS recognized that cybersecurity resources are not the same across industries or businesses. To account for this, it established three tiered implementation groups, IG1 through IG3, based on an organization's size, the sensitivity of its data and the security expertise available to it.
Each group is expected to implement only a subset of each control, which is broken down into sub-controls. The groups are cumulative: IG2 includes everything in IG1, and an IG3 organization is expected to implement all sub-controls.
While reading over the 20 controls, consult the official CIS document to see which sub-controls apply to the implementation group your business falls under.
Basic CIS Controls
The first group of CIS critical security controls is known as the basic controls. The wider cybersecurity community often refers to these controls as “cyber hygiene” because they must be performed continuously, as a routine practice of maintaining the organization’s cyber-health.
1. Inventory and Control of Hardware Assets
What is it?: This CIS critical security control requires active management of all authorized hardware devices with network access to prevent unauthorized devices from gaining access. Active management requires accurate inventory records, updated tracking of hardware devices, and the correction of any problems that arise.
Why is it important?: Without an accurate inventory, it is impossible to control and maintain the security of an organization’s hardware assets. Security updates and patches only work when they reach every system, and that coverage is hard to guarantee where personnel are permitted to bring their own devices (BYOD) to work or to connect remotely to the organization’s network. A BYOD device may already be compromised at the moment it joins the network, a problem shared by any device that does not yet appear on the organization’s official inventory.
Tools and Procedures:
- Active discovery tools that probe the network, for example ICMP echo (ping) sweeps and TCP SYN/ACK scans, to find every device that responds
- Passive discovery tools that watch network traffic and DHCP server logs, so that devices which were never scanned still show up
- Asset inventory tools that record each device’s address, owner and approval status, and a process to quarantine or approve devices that are found but not listed
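Passive discovery and inventory reconciliation as an added worked example (this code is not part of the original article): the Python below parses constructed ISC dhcpd DHCPACK log lines, keeps the latest lease per MAC address, and compares what was seen on the wire against a hypothetical authorized inventory. Anything seen but not approved is an unauthorized device to quarantine or approve; anything approved but never seen is a stale record to verify. The log lines, MAC addresses, hostnames and inventory are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample DHCP server log in ISC dhcpd syslog format (not from a real network).
# DHCPACK lines tell us which MAC was handed which address; a DHCPDISCOVER alone is not a lease.
DHCP_LOG = """\
Mar  3 08:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.21 to 00:1a:2b:3c:4d:01 (ws-finance-01) via eth0
Mar  3 08:12:09 dhcp1 dhcpd: DHCPACK on 10.0.1.22 to 00:1a:2b:3c:4d:02 (ws-finance-02) via eth0
Mar  3 08:15:44 dhcp1 dhcpd: DHCPACK on 10.0.1.57 to 8c:16:45:aa:bb:cc (android-7f3e) via eth0
Mar  3 08:16:10 dhcp1 dhcpd: DHCPDISCOVER from 3c:52:82:11:22:33 via eth0
Mar  3 08:20:33 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:1a:2b:3c:4d:01 (ws-finance-01) via eth0
"""

# Constructed authorized hardware inventory keyed by MAC address (hypothetical records).
AUTHORIZED: Dict[str, dict] = {
    "00:1a:2b:3c:4d:01": {"name": "ws-finance-01", "owner": "finance", "approved": True},
    "00:1a:2b:3c:4d:02": {"name": "ws-finance-02", "owner": "finance", "approved": True},
    "00:1a:2b:3c:4d:03": {"name": "ws-finance-03", "owner": "finance", "approved": True},
}

ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class SeenDevice:
    mac: str
    ip: str
    hostname: str


def parse_dhcp_acks(log_text: str) -> Dict[str, SeenDevice]:
    """Passive discovery from DHCP logs: one record per MAC, keeping the most recent lease."""
    seen: Dict[str, SeenDevice] = {}
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            mac = m.group("mac").lower()
            seen[mac] = SeenDevice(mac, m.group("ip"), m.group("host") or "")
    return seen


def reconcile(seen: Dict[str, SeenDevice],
              authorized: Dict[str, dict]) -> Tuple[List[SeenDevice], List[str]]:
    """Return (devices on the network that are not approved, approved devices not observed)."""
    unauthorized = [dev for mac, dev in seen.items()
                    if not authorized.get(mac, {}).get("approved", False)]
    missing = sorted(mac for mac in authorized if mac not in seen)
    return unauthorized, missing


if __name__ == "__main__":
    devices = parse_dhcp_acks(DHCP_LOG)
    rogue, absent = reconcile(devices, AUTHORIZED)
    for dev in rogue:
        print(f"UNAUTHORIZED {dev.mac} {dev.ip} {dev.hostname!r}: quarantine or approve")
    for mac in absent:
        print(f"NOT SEEN {mac} ({AUTHORIZED[mac]['name']}): verify it still exists")
```

Keying the inventory on MAC rather than IP matters because DHCP reassigns addresses (the sample shows ws-finance-01 moving from 10.0.1.21 to 10.0.1.23); MACs can be spoofed, so the approved list is a starting point for investigation, not proof of identity.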
2. Inventory and Control of Software Assets
What is it?: This CIS critical security control, similar to the first, requires the organization to inventory (track, analyze, correct, and delete) all software that is installed on the network. This is to ensure that unauthorized software is not installed or executed.
Why is it important?: As with the first CIS critical security control, attackers constantly scan networks for vulnerabilities, and software is not exempt. They will often plant applications or clickable links on the organization’s network to bait victims into executing them; the result is unauthorized software being installed or executed, which can have a knock-on effect throughout the network.
Tools and Procedures:
- Security Information and Event Management (SIEM) software
- Software inventory tools and application whitelisting (allow-listing) tools and policies, so that only authorized software can execute
- Intrusion Detection Systems (IDS)
- Anti-malware, anti-virus and anti-spyware products (many have built-in inventory features)
3. Continuous Vulnerability Management
What is it?: Vulnerability management has one main objective: to stop attackers from exploiting known weaknesses to gain access to the organization’s network. In practice this requires the continuous identification of security vulnerabilities and their effective remediation. CIS critical security control 3 focuses on information: obtaining current intelligence about newly disclosed vulnerabilities and responding to it actively.
Why is it important?: Cyber threats and new security vulnerabilities emerge daily, and organizations are required to show proactive measures that minimize their exposure to risk and attacks, both for their shareholders and for regulatory compliance. Bad actors inside and outside the organization have the same access to vulnerability information, and sometimes act on it before the organization itself does.
Tools and Procedures:
- Automated vulnerability scanning tools, run in authenticated mode so that they see what is installed, not just what is exposed
- Automated patch management tools for operating systems and applications
- SIEM to correlate scan findings with other events
- Incident response plans (IRP) for vulnerabilities that are being actively exploited
4. Controlled Use of Administrative Privileges
What is it?: This CIS critical security control requires the organization to track and manage (analyze, correct, remediate or delete) who holds administrative privileges. Admin privileges give a user the power to make any change on a system: granting other users access to the network, installing or executing programs, changing security settings, and so on.
Why is it important?: Controlling the use and distribution of admin privileges is necessary because abuse of those privileges can have long-lasting detrimental effects. Attackers who acquire admin privileges, for example through phishing, stolen or guessed passwords, or privilege escalation, can lock legitimate users out of the network and install whatever they please, such as malware, spyware or keyloggers. Without proper safeguards it gives them complete control over the entire system.
Tools and Procedures:
- Maintain an inventory of all administrative accounts; use the operating system’s built-in tools to list them and verify the list regularly.
- Use dedicated accounts for administration and dedicated, network-isolated workstations for administrative tasks; admin accounts should not browse the web or read email.
- Require multi-factor authentication and unique passwords for all administrative access.
- Log and alert whenever an account is added to or removed from an administrative group.
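An added example (not from the article) of the last bullet: alerting on changes to privileged group membership from Windows Security events, and comparing a snapshot of the local Administrators group against an approved list. The event IDs used (4728/4732/4756 for additions to global, local and universal security groups; 4729/4733/4757 for removals) are real Windows Security event IDs. The event records, group names, account names and `net localgroup` output below are constructed, and the privileged-group list is an assumption to adapt per environment.

```python
from typing import Iterable, List, Tuple

# Windows Security event IDs for membership changes to security-enabled groups.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Groups whose membership changes always warrant an alert (assumed list; extend per environment).
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample events (not a real log). Field names follow the event XML:
# TargetUserName is the group, MemberName the account added or removed, SubjectUserName the actor.
SAMPLE_EVENTS = [
    {"EventID": 4732, "TargetUserName": "Administrators", "MemberName": "CORP\\jdoe",
     "SubjectUserName": "svc-deploy", "Computer": "FS01", "Time": "2024-03-03T08:41:10Z"},
    {"EventID": 4728, "TargetUserName": "Domain Admins", "MemberName": "CORP\\tmp-admin",
     "SubjectUserName": "jdoe", "Computer": "DC01", "Time": "2024-03-03T08:42:55Z"},
    {"EventID": 4732, "TargetUserName": "Remote Desktop Users", "MemberName": "CORP\\asmith",
     "SubjectUserName": "helpdesk1", "Computer": "WS17", "Time": "2024-03-03T09:02:03Z"},
    {"EventID": 4733, "TargetUserName": "Administrators", "MemberName": "CORP\\tmp-admin",
     "SubjectUserName": "tmp-admin", "Computer": "FS01", "Time": "2024-03-03T09:30:00Z"},
]

# Constructed output of `net localgroup Administrators` on a member server.
NET_LOCALGROUP_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
CORP\\jdoe
CORP\\ops-admin
The command completed successfully.
"""


def alerts_from_events(events: Iterable[dict]) -> List[dict]:
    """Emit one alert per add/remove event that touches a privileged group."""
    alerts = []
    for ev in events:
        eid = ev["EventID"]
        if eid in GROUP_ADD_EVENTS:
            action, severity = "added to", "high"
        elif eid in GROUP_REMOVE_EVENTS:
            action, severity = "removed from", "medium"
        else:
            continue
        group = ev["TargetUserName"]
        if group not in PRIVILEGED_GROUPS:
            continue
        alerts.append({
            "time": ev["Time"], "computer": ev["Computer"], "severity": severity,
            "member": ev["MemberName"], "action": action, "group": group,
            "actor": ev["SubjectUserName"], "event_id": eid,
        })
    return alerts


def parse_net_localgroup(output: str) -> List[str]:
    """Extract member names from `net localgroup <group>` output: the lines after the dashed rule."""
    members, in_members = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if in_members and line.strip() and not line.startswith("The command completed"):
            members.append(line.strip())
    return members


def diff_admin_membership(approved: Iterable[str],
                          current: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare a membership snapshot against the approved list: (unexpected, missing)."""
    approved_set, current_set = set(approved), set(current)
    return sorted(current_set - approved_set), sorted(approved_set - current_set)


if __name__ == "__main__":
    for a in alerts_from_events(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['computer']}: {a['member']} {a['action']} "
              f"{a['group']} by {a['actor']} (event {a['event_id']})")
    approved = ["Administrator", "CORP\\Domain Admins", "CORP\\ops-admin"]
    unexpected, missing = diff_admin_membership(
        approved, parse_net_localgroup(NET_LOCALGROUP_OUTPUT))
    print("unexpected local admins:", unexpected, "missing:", missing)
```

The two checks complement each other: the event-based alert catches a change as it happens (including the quick add-then-remove pattern in the sample, where tmp-admin is granted Domain Admins and later removed), while the snapshot diff catches anything that happened while logging was off or that was added through a path that did not generate an event.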
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
What is it?: CIS CSC 5 requires the organization to establish, implement and actively manage secure configurations for laptops, servers, workstations and mobile devices, using rigorous configuration and change management to keep attackers from exploiting vulnerable settings. The control specifies the tracking, reporting and correction of the security configuration of all hardware and software on these devices.
Why is it important?: Out of the box, hardware and software are usually configured to make installation and initial operation easy for the user. In practice this means security settings are at their weakest: default passwords, unnecessary services and open ports that attackers know about and exploit. Bringing new hardware and software into an organization’s environment securely requires configuration expertise.
Tools and Procedures:
- Documented standard security configurations (hardened images or benchmark baselines) for all authorized device types
- Security Content Automation Protocol (SCAP) compliant configuration scanning tools to verify systems against the standard and report drift
6. Maintenance, Monitoring, and Analysis of Audit Logs
What is it?: This control is relatively straightforward: it requires organizations to collect, manage and analyze audit logs of the events that happen on their systems and network. Logs are what make it possible to detect, understand and recover from an attack. Analysis of the logs can show where a breach started and the extent to which a system has been compromised.
Why is it important?: If the organization does not maintain even basic logs, an attacker can remain undetected on the network indefinitely. Undetected attackers can deploy a whole host of undesirables such as malware, viruses, and scripts. In some cases maintaining logs is the only evidence a breach even occurred.
Tools and Procedures:
- Firewalls, proxies and anti-malware tools with built-in logging capabilities
- Enable logging on every system where possible, with synchronized clocks, sufficient retention and active review
- SIEM software to collect logs centrally and correlate events across systems
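Log analysis as an added example (this is not code from the article): a small detector run over constructed sshd authentication lines. It keeps a sliding window of failed logins per source address, flags a brute-force attempt when the threshold is crossed and, more importantly, flags a successful login that arrives while failures are still in the window, which is what a credential-guessing attack looks like when it works. The log lines, addresses and thresholds are constructed for the example; syslog timestamps carry no year, so one is assumed.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sshd entries in syslog format (not from a real host). The year is absent from
# syslog timestamps, so LOG_YEAR is assumed; only the time differences matter here.
LOG_YEAR = 2024
AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 52214 ssh2
Mar  3 02:14:03 web1 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 52215 ssh2
Mar  3 02:14:05 web1 sshd[2212]: Failed password for root from 203.0.113.45 port 52216 ssh2
Mar  3 02:14:06 web1 sshd[2214]: Failed password for root from 203.0.113.45 port 52217 ssh2
Mar  3 02:14:08 web1 sshd[2216]: Failed password for root from 203.0.113.45 port 52218 ssh2
Mar  3 02:14:09 web1 sshd[2218]: Accepted password for root from 203.0.113.45 port 52219 ssh2
Mar  3 02:20:11 web1 sshd[2301]: Failed password for alice from 198.51.100.7 port 40122 ssh2
Mar  3 02:21:40 web1 sshd[2305]: Accepted publickey for alice from 198.51.100.7 port 40130 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    src: str


def parse_auth_line(line: str) -> Optional[AuthEvent]:
    """Parse one sshd line; return None for lines that are not login attempts."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return AuthEvent(ts, m.group("outcome"), m.group("user"), m.group("src"))


def detect_ssh_abuse(log_text: str, threshold: int = 5,
                     window_s: int = 60) -> List[Tuple[str, str, int]]:
    """Sliding-window detection per source address.

    Returns (source, finding, failure_count) tuples:
      "brute_force"            -> `threshold` failures within `window_s` seconds
      "success_after_failures" -> a successful login preceded by failures inside the window
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: List[Tuple[str, str, int]] = []
    for line in log_text.splitlines():
        ev = parse_auth_line(line)
        if ev is None:
            continue
        q = recent[ev.src]
        while q and (ev.ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop failures older than the window
        if ev.outcome == "Failed":
            q.append(ev.ts)
            if len(q) == threshold:          # fire once when the threshold is crossed
                findings.append((ev.src, "brute_force", len(q)))
        elif q:                              # Accepted with failures still in the window
            findings.append((ev.src, "success_after_failures", len(q)))
            q.clear()
    return findings


if __name__ == "__main__":
    for src, finding, count in detect_ssh_abuse(AUTH_LOG):
        print(f"{finding:24} {src:16} failures_in_window={count}")
```

In the sample, alice mistypes once and then logs in with a key 89 seconds later, which falls outside the 60-second window and produces no finding; the root login from 203.0.113.45 after five failures in eight seconds is the one worth paging on.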
Foundational CIS Controls
The foundational CIS critical security controls are numbers 7 to 15. These controls are more technical than the basic controls and involve more specific measures.
7. Email and Web Browser Protections
What is it?: CIS critical security control 7 requires enhanced protection for email and web browser activity to minimize the risk of manipulation of personnel by attackers.
Why is it important?: Social engineering through direct contact with users is one of the most common points of entry for bad actors seeking to exploit an organization’s security vulnerabilities. Another very common vector is malicious code delivered through clickable links, email attachments or malicious websites.
Tools and Procedures:
- Permit only authorized, fully supported and patched web browsers and email clients, and block unnecessary browser plug-ins.
- Implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting with the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
- Filter URLs and block known-malicious domains with DNS filtering.
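As an added example (not from the article), here is the check a practitioner would run on a DMARC policy, which is published as a TXT record at `_dmarc.<domain>`: parse the tags and report the settings that still leave spoofed mail deliverable. The sample records are constructed; the tag semantics (p, sp, pct, rua) follow RFC 7489.

```python
from typing import Dict, List

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return a list of weaknesses in the record; an empty list means the policy is enforcing."""
    # RFC 7489 requires v=DMARC1 to be the first tag; anything else is not a DMARC record.
    if not record.strip().lower().startswith("v=dmarc1"):
        return ["not a DMARC record: the first tag must be v=DMARC1"]
    tags = parse_dmarc(record)
    findings: List[str] = []

    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("missing or invalid p= tag; receivers treat the record as unusable")
    elif policy == "none":
        findings.append("p=none only monitors: mail failing DMARC is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail is filtered to spam rather than rejected")

    pct = tags.get("pct", "100")           # default is 100 when the tag is absent
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only that percentage of failing mail")

    sub_policy = tags.get("sp", policy).lower()   # subdomains inherit p= unless sp= overrides it
    if (policy in POLICY_RANK and sub_policy in POLICY_RANK
            and POLICY_RANK[sub_policy] < POLICY_RANK[policy]):
        findings.append(f"sp={sub_policy}: subdomains get a weaker policy than the domain itself")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are needed to see who sends as your domain")
    return findings


if __name__ == "__main__":
    # Constructed records, from the weakest monitoring-only policy to a fully enforcing one.
    for sample in (
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@example.com",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com",
    ):
        print(sample, "->", assess_dmarc(sample) or ["OK: enforcing"])
```

To check a real domain, fetch the record with `dig TXT _dmarc.example.com +short` and pass the quoted string to `assess_dmarc`. A record that scores clean here still does nothing until SPF and DKIM produce aligned, passing results for the domain's legitimate senders, which is why CIS has you deploy those two first and why the `rua` reports matter: they show which senders would be rejected before you move from `p=none` to `p=reject`.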
8. Malware Defense
What is it?: The organization should control and manage the spread or execution of malware by using protection where applicable. Utilizing autonomous processes that can actively scan, remove threats, and correct or update defense are encouraged.
Why is it important?: This is another CIS critical security control that is pretty straightforward. Any network is best when malware-free. Malware is a favorite tool of the attacker because it is relatively easy to deploy on unsecured networks and runs autonomously. In essence it is a fire-and-forget weapon that can create massive disruption.
Tools and Procedures:
- Anti-malware software
- Anti-spyware software
- Anti-virus software
- Intrusion Detection Systems (IDS)
9. Limitation and Control of Network Ports, Protocols, and Services
What is it?: As with all CIS CSC controls requiring management, CSC 9 specifies active management of the ports, protocols and services in use on networked devices. These must be tracked and controlled, and corrected where necessary, to minimize the windows of vulnerability available to attackers.
Why is it important?: Attackers will exploit remotely accessible entry points into an organization’s network and these often appear in the form of pre-installed software, fully open ports, and badly configured domain name servers.
Tools and Procedures:
- Perform port scans regularly and compare the results against a baseline of approved ports, protocols and services for each host; investigate and close anything not on the baseline.
- Apply host-based firewalls or port-filtering tools with a default-deny rule, so that only the approved services are reachable.
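An added example (not from the article) of the regular port-scan procedure: parse nmap's grepable output (`-oG`) and diff each host's open ports against a baseline of approved ports, protocols and services. The scan output, addresses and baseline are constructed; with real data, anything reported as unexpected is a service either to justify and add to the baseline or to shut down, and a host missing from the baseline is an inventory gap (control 1) as much as a port problem.

```python
import re
from typing import Dict, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed nmap grepable (-oG) output for an internal subnet (not a real scan).
# Fields on a Host line are tab-separated; port entries are port/state/proto/owner/service/rpc/version/.
GNMAP = """\
# Nmap scan initiated as: nmap -sS -p- -oG scan.gnmap 10.0.1.0/24
Host: 10.0.1.5 (web1)\tStatus: Up
Host: 10.0.1.5 (web1)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 3306/open/tcp//mysql///\tIgnored State: closed (65531)
Host: 10.0.1.9 (db1)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 6379/open/tcp//redis///
Host: 10.0.1.77 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
# Nmap done
"""

# Constructed baseline of approved listening services per host (hypothetical).
BASELINE: Dict[str, Set[Port]] = {
    "10.0.1.5": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "10.0.1.9": {("tcp", 22), ("tcp", 5432)},
}

HOST_RE = re.compile(r"^Host: (?P<ip>\S+)")
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>[^/]+)/(?P<proto>tcp|udp)/")


def parse_gnmap(text: str) -> Dict[str, Set[Port]]:
    """Map each scanned host to the set of ports nmap reported as open."""
    open_ports: Dict[str, Set[Port]] = {}
    for line in text.splitlines():
        host = HOST_RE.match(line)
        if not host:
            continue
        ports_field = next((f for f in line.split("\t") if f.startswith("Ports:")), None)
        if ports_field is None:
            continue                       # "Status: Up" lines carry no port data
        found = open_ports.setdefault(host.group("ip"), set())
        for m in PORT_RE.finditer(ports_field):
            if m.group("state") == "open":
                found.add((m.group("proto"), int(m.group("port"))))
    return open_ports


def compare_to_baseline(scan: Dict[str, Set[Port]],
                        baseline: Dict[str, Set[Port]]) -> Dict[str, dict]:
    """Report hosts whose open ports differ from the baseline, or that are not in it at all."""
    report: Dict[str, dict] = {}
    for ip, ports in scan.items():
        approved = baseline.get(ip)
        if approved is None:
            report[ip] = {"unknown_host": True, "unexpected": set(ports), "missing": set()}
            continue
        unexpected, missing = ports - approved, approved - ports
        if unexpected or missing:
            report[ip] = {"unknown_host": False, "unexpected": unexpected, "missing": missing}
    return report


if __name__ == "__main__":
    for ip, r in compare_to_baseline(parse_gnmap(GNMAP), BASELINE).items():
        tag = "NOT IN INVENTORY" if r["unknown_host"] else "DRIFT"
        print(f"{tag:17} {ip}: unexpected={sorted(r['unexpected'])} missing={sorted(r['missing'])}")
```

Reporting "missing" ports as well as unexpected ones is deliberate: an approved service that has stopped listening is sometimes an outage, and sometimes a sign that a host was rebuilt or replaced without going through change management.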
10. Data Recovery Capability
What is it?: This CIS critical security control requires that the organization has a process and proven methodology in place for the timely back-up and recovery of critical information.
Why is it important?: When attackers successfully infiltrate a system, they will most likely make changes to the systems configuration, software, or data. These changes, subtle or significant, will jeopardize the organization’s effectiveness. Without an effective back-up or recovery tool, it can be very difficult for an organization to restore itself to adequate functioning capabilities.
Tools and Procedures:
- Use imaging software for complete system backups, covering data, configurations and the software needed to restore them
- Run backup processes regularly and automatically
- Protect backups from tampering (offline or access-controlled storage) and test restoration periodically, since an untested backup is not a recovery capability
11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
What is it?: CSC 11 pertains to the protection of network infrastructure devices through the active management of their security configuration via the tracking and reporting of vulnerabilities and their effective correction.
Why is it important?: Any compromise to the security of the network’s infrastructure is a serious issue since it allows attackers to access sensitive data, redirect traffic flows, and even undermine many other systems through long-term undetected access to the network.
Tools and Procedures:
- Compare security configs of devices against approved standards
- Employ multi-factor authentication and encrypted sessions for all administrative access to network devices
12. Boundary Defense
What is it?: This CIS critical security control requires detecting, preventing and correcting the flow of information between networks of differing trust levels, with a focus on traffic that could damage security.
Why is it important?: Attackers will try to exploit a weakness in any part of the network, and perimeter systems are a prime attack vector. As businesses become more interconnected, the perimeter between networks becomes less defined. A successful perimeter attack could compromise not only your network but also that of a business partner or sister company connected to it through an extranet, and any device connected to your network extends that trust boundary.
Tools and Procedures:
- Build upon the controls outlined in CSC 9.
- Segment the internal network to limit how far an intruder can move once inside.
- Capture and analyze packets at boundary points.
- Deploy network-based IDS/IPS sensors tailored to boundary defense.
13. Data Protection
What is it?: The protection of data, especially sensitive data requires processes and tools specifically designed for its protection. Data should be categorized according to its level of sensitivity and relevant levels of protection applied accordingly, including encryption to minimize risk where data has been exfiltrated.
Why is it important?: Organizations often apply the same level of protection to all their data, regardless of its importance or sensitivity. This is an obvious weakness, especially when dealing with bad actors already inside the network or organization. An easy way to understand the need for categorizing and better protecting sensitive data is to ask a simple question: what would the impact be of a breach (or loss) of this specific information?
Tools and Procedures:
- Automated data loss prevention tools that detect the transfer of sensitive data across the network boundary or to removable media
- Encryption of sensitive data at rest and in transit
14. Controlled Access Based on a Need To Know
What is it?: This CIS critical security control requires organizations to restrict access to critical assets and information to personnel and staff based on the trust level of individuals within the organization (approved classification). This is so only those within the organization that need access to that information or asset have access.
Why is it important?: If access to assets and information is restricted to those who need it, a compromised account exposes only what that account could legitimately reach. Where sensitive data at rest is also encrypted with keys the account does not hold, copies stolen in a breach are useless to the attacker; access becomes virtually impossible, or at the least impractical.
Tools and Procedures:
- Commercial/Enterprise tools that can support organizational encryption (multi-level)
- Define life cycle of process and roles of key management as a part of security policy
15. Wireless Access Control
What is it?: Wireless local area networks (WLANs), wireless client systems, and access points must be actively managed through processes and procedures which track, control, detect and prevent malicious activity.
Why is it important?: By their nature, wireless devices allow remote access and provide an attractive entry point for attackers and bad actors. The ability of an organization’s mobile devices to connect to unsecured, publicly accessible Wi-Fi is a major security issue and one which highlights the need for actively managed wireless access controls.
Tools and Procedures:
- Use WPA2 or later with Advanced Encryption Standard (AES) encryption for all wireless traffic
- Scan for and disable unauthorized (rogue) access points
- Put personal and untrusted devices on a separate wireless network from the corporate one
16. Account Monitoring and Control
What is it?: This control outlines the need for systematic management of the account lifecycle: inactive accounts are disabled or deleted, and the creation of new accounts is closely monitored and tracked.
Why is it important?: Like many of the other critical security controls, this one exists because attackers are always scanning for potential attack vectors. Mismanagement of the account lifecycle means attackers can exploit inactive or dormant accounts to gain access to critical information, which can then lead to full system access. Using a legitimate but forgotten account, an attacker can impersonate a real user and trick others into giving up data or credentials.
Tools and Procedures:
- Ensure that contractor accounts and terminated employees’ accounts are disabled promptly and deleted once no longer needed.
- Employ a policy for account management and lifecycle, and disable dormant accounts automatically after a defined period of inactivity.
- Employ multi-factor authentication for all accounts on the network.
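An added example (not from the article) of the lifecycle review behind these bullets: given a constructed export of accounts with creation, last-logon and contract-end dates, report the enabled accounts that are dormant, have never been used, or belong to contractors whose engagement has ended. The field names, account names and the 45-day dormancy threshold are assumptions to adapt to the organization’s own directory and policy.

```python
import csv
import io
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Constructed account export (hypothetical fields; a real one comes from the directory service).
ACCOUNTS_CSV = """\
username,type,enabled,created,last_logon,contract_end
alice,employee,true,2022-01-10,2024-03-01,
bob,employee,true,2021-06-15,2023-11-20,
carol,contractor,true,2023-09-01,2024-02-28,2024-01-31
dave,contractor,true,2023-12-01,2024-02-25,2024-06-30
svc-backup,service,true,2020-03-03,2024-03-02,
eve,employee,false,2019-04-04,2022-01-01,
newhire,employee,true,2024-01-01,,
"""

DORMANT_DAYS = 45  # assumed policy value; set it to the organization's own threshold


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def review_accounts(csv_text: str, as_of: date,
                    dormant_days: int = DORMANT_DAYS) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that violate the lifecycle policy."""
    cutoff = as_of - timedelta(days=dormant_days)
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue                                   # disabled accounts are already handled
        name = row["username"]
        created = _parse_date(row["created"])
        last_logon = _parse_date(row["last_logon"])
        contract_end = _parse_date(row["contract_end"])

        # Contractor whose engagement ended but whose account is still enabled (even if in use).
        if row["type"] == "contractor" and contract_end and contract_end < as_of:
            findings.append((name, f"contractor account still enabled after contract end {contract_end}"))

        # Dormancy: never used since creation, or no logon inside the threshold.
        if last_logon is None:
            if created and created < cutoff:
                findings.append((name, "never logged on and older than the dormancy threshold"))
        elif last_logon < cutoff:
            findings.append((name, f"dormant: last logon {last_logon}"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS_CSV, as_of=date.today()):
        print(f"{user:12} {finding}")
```

Passing `as_of` explicitly rather than reading the clock inside the function keeps the review reproducible, which matters when the output is evidence for an audit. Note that carol is flagged even though she logged on last week: an account that is actively used after its contract ended is the more urgent finding, not the less.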
Organizational Controls
The organizational controls consist of the last four CIS critical security controls. This group is focused on the strategic implementation of cybersecurity by design, intended to create a culture of cybersecurity within the organization.
17. Implement a Security Awareness and Training Program
What is it?: CSC 17 addresses the often overlooked role of personnel in organizational security: their ongoing awareness of security issues and training in how attacks work. This is especially relevant for business-critical roles and for personnel in technical roles with root-level or development access.
Why is it important?: Organizations often label cybersecurity as an ‘IT’ issue and this creates a significant lack of awareness and understanding of the threats posed to critical infrastructure and the effective functioning of the organization, including regulatory compliance.
Tools and Procedures:
- Skill gap analysis (identify the overall skill of the workforce).
- Employ staff training in cyber awareness.
18. Application Software Security
What is it?: This control point requires that organizations actively manage the security standards of in-house developments and acquired software. This is so the organization can correct, prevent, and track security weaknesses.
Why is it important?: Without a secure coding standard and a policy that enforces it, attackers can exploit weaknesses in in-house developments. Badly written code, coding mistakes and logic errors can all be exploited. Missing input validation, poor memory management and failure to reject unexpected input are examples of errors that attackers routinely exploit.
Tools and Procedures:
- Foster secure coding practice for in-house developments (through policy and training).
- Use static and dynamic code analysis tools to verify that secure coding practices are actually being followed.
- Keep third-party components and frameworks patched, and use only vendor-supported versions.
19. Incident Response and Management
What is it?: Reputation and data protection are addressed in CSC 19 through the development and implementation of an effective incident response infrastructure which includes all the elements needed to quickly and efficiently detect, respond to, mitigate and eliminate attacks.
Why is it important?: Most data protection regulation requires the organization to have incident response infrastructure in place in preparation for an inevitable attack. Shareholders also expect the brand to be protected, and data breaches, especially those that result from poor or lax cybersecurity standards, tend to draw much negative publicity.
Tools and Procedures:
- Have a written document outlining the process (response and recovery).
20. Penetration Tests and Red Team Exercises
What is it?: The final CSC is the practical testing of the previous 19 CIS critical security controls. Through penetration testing (pen testing) the organization simulates an attack on its network to find out whether exploitable vulnerabilities remain; red team exercises go further and test whether the organization detects and responds to a realistic adversary.
Why is it important?: A pen test is like submerging an inflatable in a bathtub of water: if there are any holes, bubbles start to form at the puncture points. A pen test shows the organization where the holes, in this case vulnerabilities, are. This control also tests the resilience of the organization’s cybersecurity architecture as a whole.
Tools and Procedures:
- It is best to ensure all previous controls are implemented before conducting a pen test.
- Utilize testbeds, like a sandbox, to deploy potentially hazardous programs in a safe environment.
Closing Remarks
Cybersecurity best practice models can only truly work if the community comes together to share information. We have a duty to foster a safe and secure cyber environment both as individuals and organizations. The CIS emphasizes this need and here at RSI Security, we want to bring you the best possible cybersecurity service. Book a free consultation today, and let’s build your cyber resilience together.