There is a shared sense of satisfaction we all get when unboxing the latest phone or gadget. The same sensation can be felt even on organizational levels for the latest systems upgrade, but we seldom think of the security issues following a purchase of “off the shelf” software and devices.
When an individual purchases a new network active device, application, or software, it is generally configured for ease of use and not security in mind (open ports, non-password protected, etc.).
These phenomena have led to an increase in cyberattacks over the last decade. Enter the Center for Internet Security (CIS) and their security configurations framework. The organization has been in operation since early 2000 and has banded together with the IT and Information Security community at large to devise a framework of best practices for cybersecurity worldwide.
The CIS has developed 20 control points that organizations should implement for the best cyberdefense. These controls are known as the Center for Internet Security Critical Security Controls (CIS CSC). The CIS critical security controls are broken down into three groups: basic, foundational, and organizational, with the latest revision in 2019 being version 7.1.
In this article we will explore the six basic controls in detail outlining what they are, why they are important, and the implementation groups.
Overview of the Basic Controls
The basic CIS critical security controls are coined by the organization as “cyber hygiene.” These are the basic measures all organizations should implement as a means of basic cyberdefense.
By just implementing the CIS top 5 security controls, an organization can mitigate the risk of cyberattacks by 84 percent. Implementing all 20 controls, an organization can mitigate attacks by 96 percent.
Whether a nascent business or a seasoned organization with high resources, the basic CIS security controls are a must for any cyber-conscious individual, organization, or government.
Assess your cybersecurity
Implementation Groups
The implementation groups are a recent addition to the CIS CSC framework. Over the years of operation CIS received feedback to the somewhat restricting requirements imposed on smaller organizations.
The CIS reviewed the controls and broke them down into sub-controls that could be partially implemented by organizations with varying cybersecurity resources. They are as follows:
Implementation Group 1: An organization with limited cybersecurity resources and expertise. May have low data sensitivity in general and expected technical expertise of staff is low.
-
- Family Run Business
- SMEs and Start-Ups
Implementation Group 2: An organization with moderate cybersecurity resources and expertise. May deal in sensitive data, technical expertise of staff is varied
-
- Established Organizations that may not be in IT sector (regional)
- Manufacturing Industry (Medium to Large Factories)
Implementation Group 3: A mature organization with large cybersecurity resources and expertise. Deals with highly sensitive data, and expected technical expertise of staff is very knowledgeable.
-
- Multi-nationals with large budgets and global reach
- Pseudo-government organizations with wide reach
The implementation groups will make more sense as we explore the six basic CIS security controls as each control has separate sub-controls that each implementation group should be able to implement.
The 6 Basic CIS Security Controls
This section of the blog will explore and expand the six basic CIS security controls, what they are, why they are important, and what is expected from each of the different implementation groups.
1. Inventory and Control of Hardware Assets
What is it?: This CIS security control involves the active management and inventory of all hardware devices attached to your organization’s network. The hardware devices include but are not limited to:
- Laptops
- Mobile devices (phones)
- Office computers (desktops)
- Servers
This is so that only authorized devices are granted access to the network, and unauthorized devices are quickly discovered and booted or blocked from access.
Why is it important?: Would-be attackers are constantly looking for the next attack vector, and hardware assets could be one of them. New hardware that is installed on a network may not be patched with a security update till a later time, and attackers can take advantage of that fact. Often, hardware is connecting and disconnecting from the network, such as employees taking their laptops to work. Again attackers can take advantage. If this security control is not implemented, the organization can not tell who is who.
This control is especially important if the network is running test systems or demonstrations that are temporarily attached to the network. These should also be actively managed and isolated to limit the time attackers may have.
It may seem difficult for a large organization to implement such a control especially in such a fast-paced and changing environment. However, attackers have taken the time to inventory and manage these assets on a large scale waiting for an opportunity, so the organization should take the time and resources to do the same.
Implementation Groups:
| Sub Group | Security Function | Control Title | Group
1 2 3 |
||
| 1.1 | Identify | Utilize an active discovery tool | ✔ | ✔ | |
| 1.2 | Identify | Use a passive asset discovery tool | ✔ | ||
| 1.3 | Identify | Use DHCP Logging to Update Asset Inventory | ✔ | ✔ | |
| 1.4 | Identify | Maintain Detailed Asset Inventory | ✔ | ✔ | ✔ |
| 1.5 | Identify | Maintain Asset Inventory Information | ✔ | ✔ | |
| 1.6 | Respond | Address Unauthorized Assets | ✔ | ✔ | ✔ |
| 1.7 | Protect | Deploy Port Level Access Control | ✔ | ✔ | |
| 1.8 | Protect | Utilize Client Certificates to Authn. Hardware Assets | ✔ | ||
Tools and Procedures:
The organization should employ active asset scanning tools that can sweep the network and identify any type of hardware that currently has access. In addition to inventory scanning tools, the organization should have passive tools that listen on networks and announce the connection of hardware devices. Any device that has an IP address virtual or otherwise should be added to the inventory. The following employee protocols should be monitored:
- Transmission Control Protocol (TCP)
- Synchronize Packets (SYN)
- Acknowledge Packets (ACK)
- Media Access Control, management protocol (MAC)
2. Inventory and Control of Software Assets
What is it?: Similar to the first CIS Security Control, this involves the active management and inventory of software assets connected to the organization’s network. This is so only authorized software is installed and executed on the network, and that all unauthorized software is blocked from installing and/or executing.
Why is it important?: Again much like the first control, attackers continuously look for new attack vectors and software is no different. There may be vulnerable software that has not been patched, and attackers could take advantage of any security flaw in the older versions. Attackers may also create media files, websites, document files, etc., where unsuspecting victims may fall prey. They may access these traps from unsecured web browsers or applications. When this happens, an attacker can create a backdoor and have long-term access to the system.
Oftentimes devices attached to organizational networks are running unneeded software that can create opportunities for attackers to exploit. All it takes is for one machine to be compromised with some kind of malware for the attacker to eventually have access to the entire network. The planned inventory of both software and hardware assets can also aid in the backup recovery in the event of a breach.
Implementation Groups:
| Sub Group | Security Function | Control Title | Group
1 2 3 |
||
| 2.1 | Identify | Maintain Inventory of Authorized Software | ✔ | ✔ | ✔ |
| 2.2 | Identify | Ensure Software Is Supported by Vendor | ✔ | ✔ | ✔ |
| 2.3 | Identify | Utilize Software Inventory Tools | ✔ | ✔ | |
| 2.4 | Identify | Track Software Inventory Information | ✔ | ✔ | |
| 2.5 | Identify | Integrate Software and Hardware Asset Inventories | ✔ | ||
| 2.6 | Respond | Address Unapproved Software | ✔ | ✔ | ✔ |
| 2.7 | Protect | Utilize Application Whitelisting | ✔ | ||
| 2.8 | Protect | Implement Application Whitelisting of Libraries | ✔ | ||
| 2.9 | Protect | Implement Application Whitelisting of Scripts | ✔ | ||
| 2.10 | Protect | Physically or Logically Segregate High Risk Applications | ✔ | ||
Tools and Procedures
The organization should employ whitelisting tools along with company policies and an application executing tools that have antivirus built-in. It is also best to use popular operating systems that have strong service support, this way any vulnerabilities can be quickly patched.
There is a wide range of enterprise inventory tools that can scan for 100’s of commercially used applications. Useful tools include:
- Intrusion Detection Systems (IDS)
- Intrusion Prevention Systems (IPS)
- Antivirus
- Antimalware
- Antispyware
3. Continuous Vulnerability Management
What is it?: This CIS security control involves the continuous assessment of new information that may identify vulnerabilities in the network. It also requires that organizations remediate, delete, and make additions to that new information. This operation will minimize the opportunities attackers have over system vulnerabilities.
Why is it important?: Cyber defense has become a continuous activity, attackers are continuously looking for vulnerabilities in the system. This means that the defenders must now operate on a constant stream of information looking for weaknesses and patching where necessary, advising staff of potential threats, updating software, and posting threat bulletins for the wider community.
If defenders are not conducting gap analysis regularly, they increase their likelihood of an attacker successfully infiltrating their network.
Implementation Groups:
| Sub Group | Security Function | Control Title | Group
1 2 3 |
||
| 3.1 | Detect | Run Automated Vulnerability Scanning Tools | ✔ | ✔ | |
| 3.2 | Detect | Perform Authenticated Vulnerability Scanning | ✔ | ✔ | |
| 3.3 | Protect | Protect Dedicated Assessment Accounts | ✔ | ✔ | |
| 3.4 | Protect | Deploy Auto. Operating System Patch Management Tools | ✔ | ✔ | ✔ |
| 3.5 | Protect | Deploy Automated Software Patch Management Tools | ✔ | ✔ | ✔ |
| 3.6 | Respond | Compare Back-to-Back Vulnerability Scans | ✔ | ✔ | |
| 3.7 | Respond | Utilize a Risk-Rating Process | ✔ | ✔ | |
Tools and Procedures
Some useful tools to aid in implementing this control is a Security Incident and Event Management (SIEM) software. Other vulnerability scanning tools are also recommended. Various free and paid tools assess the various security configurations of local machines and devices.
Any sort of tool or policy/procedure that can feed information to a central security hub can be infinitely useful in combating potential attacks. Knowledge and understanding of what is happening within the business information system is most of the battle.
4. Controlled Use of Administrative Privileges
What is it?: This CIS security control has the organization track the use of admin privileges across the network. The organization should correct, prevent, and control the use and distribution of admin privileges on the system, to mitigate the chance of cyberattack.
Why is it important?: Misuse of admin is extremely dangerous for any system. Usually, admin privileges involve super control over all aspects of a network. This means if an attacker can get access to a terminal or user with admin privileges they can quickly lock out all users and make changes to the system that the organization may not be aware of. With access to admin privileges, the attackers can then install keyloggers, sniffers, and remote access software to the computer or device and later gain control of the whole system.
Implementation Groups:
| Sub Group | Security Function | Control Title | Group
1 2 3 |
||
| 4.1 | Detect | Maintain Inventory of Administrative Accounts | ✔ | ✔ | |
| 4.2 | Protect | Change Default Passwords | ✔ | ✔ | ✔ |
| 4.3 | Protect | Ensure the Use of Dedicated Administrative Accounts | ✔ | ✔ | ✔ |
| 4.4 | Protect | Use Unique Passwords | ✔ | ✔ | |
| 4.5 | Protect | Use Multi-Factor Authentication for All Administrative Access | ✔ | ✔ | |
| 4.6 | Protect | Use Dedicated Workstations For All Administrative Tasks | ✔ | ✔ | |
| 4.7 | Protect | Limit Access to Scripting Tools | ✔ | ||
| 4.8 | Detect | Log and Alert on Changes to Administrative Group Membership | ✔ | ✔ | |
| 4.9 | Detect | Log and Alert on Unsuccessful Administrative Account Login | ✔ | ✔ | |
Tools and Procedures:
Most modern operating systems have built-in applications that can pull up a list of users that have “superuser” privileges. Utilize such software to ensure that the users are meant to have admin privileges and that they are not using machines with admin privileges for day-to-day activities such as browsing or email reading.
Implemented scripts or manual checks that only authorized applications are running on admin accounts (i.e., no web browsing or email reading). On occasion, it may be required for administrators to run applications that should not be allowed, but be sure that this is only in the short term and that any long-term activities like this would be violating policy.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
What is it?: A bit of a mouthful, this CIS security control is arguably one of the most important of the 6 basic controls. This is primarily due to the nature of new devices that are purchased “off the shelf.” This type of hardware or software is often configured for ease of use and not security.
The organization must actively track, manage, and correct the security configurations of all hardware and software that is operating on the network.
Why is it important?: As mentioned above, most devices and software out of the box are configured with default settings. Most of the time default settings are not secure. They are designed for ease of use. This means that they could have open network ports, are non-password protected, may have pre-installed/unnecessary software, and outdated protocols among other things. This becomes prime “hunting grounds” for would-be attackers, who could exploit nonsecure devices and software to gain access to the network.
Implementation Groups:
| Sub Group | Security Function | Control Title | Group
1 2 3 |
||
| 5.1 | Protect | Establish Secure Configurations | ✔ | ✔ | ✔ |
| 5.2 | Protect | Maintain Secure Images | ✔ | ✔ | |
| 5.3 | Protect | Securely Store Master Images | ✔ | ✔ | |
| 5.4 | Protect | Deploy System Configuration Management Tools | ✔ | ✔ | |
| 5.5 | Detect | Implement Automated Configuration Monitoring Systems | ✔ | ✔ | |
Tools and Procedures:
Developing a robust security configuration can be a challenging task, especially for larger organizations, and should not be undertaken by an individual. The complex task of developing the right policy and configuration settings takes a dedicated team, which is why it is best to adopt the public frameworks developed by either the CIS Benchmarks, or one which is also recommended by the CIS, such as the NIST National Checklist Program.
6. Maintenance, Monitoring, and Analysis of Audit Logs
What is it?: The final of the basic CIS security controls, point 6 requires that organizations maintain logs of all events on the network. The collection, analysis, and management of the audit logs can help the organization in case of a breach with the recovery of the system.
Why is it important?: Failing to keep adequate logs of any sort of event occurring on your organization’s network can allow attackers to remain undetected on a network. While remaining undetected attackers can deploy all sorts of malware, keyloggers, etc. In many cases logging is the only evidence showing that an attack even occurred, which can then be used by digital forensics.
Implementation Groups:
| Sub Group | Security Function | Control Title | Group
1 2 3 |
||
| 6.1 | Detect | Utilize Three Synchronized Time Sources | ✔ | ✔ | |
| 6.2 | Detect | Activate Audit Logging | ✔ | ✔ | ✔ |
| 6.3 | Detect | Enable Detailed Logging | ✔ | ✔ | |
| 6.4 | Detect | Ensure Adequate Storage for Logs | ✔ | ✔ | |
| 6.5 | Detect | Central Log Management | ✔ | ✔ | |
| 6.6 | Detect | Deploy SIEM or Log Analytic Tools | ✔ | ✔ | |
| 6.7 | Detect | Regularly Review Logs | ✔ | ✔ | |
| 6.8 | Detect | Regularly Tune SIEM | ✔ | ||
Tools and Procedures:
Most operating systems and tools of the trade (firewalls, proxies, network services) have built-in logging capabilities. All logging capabilities should be activated where appropriate and continuous management and tracking of the logs should be implemented.
Closing Remarks
Implementing the six basic controls has been reported to decrease the chance of suffering a cyberattack by 84 percent. As mentioned at the beginning of the article these controls are known by the wider cybersecurity community as “cyber-hygiene.”
These controls should be second nature to any organization that takes its security seriously. Think of it like brushing your teeth in the morning! If you wish to learn more about CIS and get a deeper understanding of the sub-controls of each CIS security control, be sure to check out the CIS website.
We hope you have a better understanding of the basic controls and how your organization can implement them. If you have any concerns, questions, or want a check-up on your cybersecurity health, contact us today. RSI Security lives and breathes cybersecurity and is always happy to help. Book a free consultation here!
Speak with a Cybersecurity expert today – Schedule a Free Consultation