The CIS sets out ten foundational cybersecurity controls that will help protect your organization against increasingly sophisticated hackers.
George Orwell’s book “1984” may have predicted it best. He said, “Big Brother is watching you.” And indeed, the growing shift of organizations across the globe into the digital realm has given rise to another dangerous industry: cybercrime. Hence the subsequent development and implementation of critical security controls.
Cybercriminals have become very astute at identifying and exploiting security vulnerabilities, which is why organizations must take deliberate measures to secure and protect their information assets by implementing critical security controls. In mounting an appropriate defense, these critical security controls are necessary to guarantee that all bases, no matter how seemingly insignificant, are covered.
The Rise of Cybercrime and the Industry’s Response via Critical Security Controls
The first recorded cyber-attack took place in 1988, when Cornell University graduate student Robert Tappan Morris, perhaps unwittingly, developed a program meant to assess how big the Internet was. He created the Morris Worm, a program that was supposed to tally how many users and devices were connected to the network, until the task became too tremendous for the control server to handle, triggering a distributed denial of service (DDoS) attack.
Since then, the cybercrime industry has become one of the largest and most pervasive criminal activities across the globe, taking advantage of the data being shared by over 20 billion devices of different types, ranging from fitness trackers and mobile devices to large-scale data centers. A study conducted by Cybersecurity Ventures has reported that cybercrimes will cost companies around the world some $6 trillion per year by 2021, from only $3 trillion in 2015.
To help companies formulate their IT safety and security plans, the Center for Internet Security (CIS) developed 20 CIS critical security controls that are intended to protect organizations from about 85% of cyber-attacks, and to help them further refine and improve their systems management and cybersecurity strategies.
With these protocols, regarded as industry best practices across the US, UK, and the EU, organizations will not be starting from scratch, but will instead be utilizing the combined expertise of public and private IT safety and security professionals. Furthermore, these can be used either independently, or in tandem with other IT safety and security frameworks and regulations, including the NIST Cybersecurity Framework, ISO 27000 series, NERC CIP, and GDPR, among others.
Technological advancements also mean that cybercriminals are constantly upgrading their skills. As such, the CIS critical security controls are also updated to keep pace with new cybersecurity threats and countermeasures. Version 7 of the CIS critical security controls was released in March 2018 and is divided into three specific groups: basic, foundational, and organizational.
Understanding the 10 Foundational Critical Security Controls
The CIS has identified the following 10 best practices that organizations are advised to follow in order to handle potential cybersecurity threats effectively.
Email and Web Browser Protections
Email systems are perhaps the platform most targeted by cybercriminals because they are so widely used by individuals and organizations as an accepted mode of communication. Attackers use this heavy usage as an opening to penetrate vulnerable systems, access confidential company information, or even hold the organization’s IT infrastructure hostage in exchange for large sums of money.
Common email threats include the following:
- Unwarranted use of email by company employees: There can be instances where employees take advantage of their freedom to use company email to send sensitive personal data or even confidential company information. Such acts may unintentionally expose vulnerabilities in the company’s IT systems, and may even serve as a vehicle for email spoofing, in which tainted information is sent by someone pretending to be part of the organization’s network.
- Spam emails, malware and phishing: Deliberately sending large volumes of unsolicited messages, or spam, to a targeted email system may allow malicious software, or malware, to penetrate a company’s email system, apart from overextending its IT resources. Malware, which includes worms, viruses, and spyware, can enable cybercriminals to monitor users’ online activity and wrongfully control connected devices and servers. Once an email system is compromised, it can be used to distribute phishing messages, which are meant to trick recipients into turning over sensitive information such as usernames, passwords, and financial details.
To protect the organization from these attacks, this CIS critical security control recommends using only fully supported email clients and web browsers such as Google Chrome, Mozilla Firefox, and Apple Safari.
Malware Defenses
Just like cybercriminals, malware is dynamic: it evolves and becomes harder to detect over time.
Because malware can seriously compromise a company’s privacy and integrity, this CIS critical security control suggests that organizations invest in automated tools to protect their systems from it. This includes the installation and/or use of:
- Software patches, with automatic updates enabled so that security issues and vulnerabilities are fixed as soon as fixes become available.
- Anti-virus software that includes anti-spyware tools, which recognizes malware and other potential threats on sight and prevents them from penetrating devices and systems. It is important to update anti-virus software regularly so that it remains effective at detecting even the newest viruses and malware.
- Firewalls, which are designed to monitor incoming and outgoing network traffic and provide an effective barrier that blocks unauthorized access from viruses and malware. Firewalls guard traffic at a computer’s ports, where information is exchanged with external sources. Firewalls can be either hardware or software, but companies may do best to have both, as they provide different layers of protection.
Limitation and Control of Network Ports, Protocols, and Services
The coronavirus pandemic has increased the need for remote access to company network services, with most employees mandated to work from home. These access points, which include web and mail servers, can be used by cybercriminals to illicitly access your organization’s information network, especially when poorly configured.
While the firewall can help prevent this unauthorized access, it remains highly advisable for an organization’s IT Security Officer to inventory all existing remote access ports for regular monitoring and comparison against an available list of commonly abused ports. Closing unnecessary ports is also recommended by this CIS critical security control, as leaving ports open, especially multiple ones, multiplies pockets of vulnerability and is comparable to sending a siren call to cybercriminals.
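One way to carry out the port review described above, as an added example that is not from the article or from CIS: a Python script that parses listening sockets in the format printed by Linux `ss -tlnp` and flags anything outside an approved baseline. The sample output, the baseline, and the rule that the database must stay on localhost are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -tlnp` output: a header line and four listeners.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1201,fd=6))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*     users:(("postgres",pid=950,fd=5))
LISTEN 0      50           0.0.0.0:23        0.0.0.0:*     users:(("telnetd",pid=1337,fd=4))
"""

# Assumed approved baseline: port -> (expected process, may bind all interfaces).
# Anything not listed here is an unnecessary listener that should be closed.
APPROVED: Dict[int, Tuple[str, bool]] = {
    22: ("sshd", True),
    443: ("nginx", True),
    5432: ("postgres", False),  # database must stay on localhost only
}

# Matches: state, queues, local addr:port, peer addr:port, first process name.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

PUBLIC_BINDS = {"0.0.0.0", "*", "::", "[::]"}


def parse_listeners(ss_output: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, process) for every LISTEN line."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def audit(listeners: List[Tuple[str, int, str]]) -> List[str]:
    """Compare listeners with the baseline; an empty list means compliant."""
    findings = []
    for addr, port, proc in listeners:
        if port not in APPROVED:
            findings.append(f"port {port}/{proc}: not in approved baseline")
            continue
        expected_proc, may_be_public = APPROVED[port]
        if proc != expected_proc:
            findings.append(f"port {port}: expected {expected_proc}, found {proc}")
        if addr in PUBLIC_BINDS and not may_be_public:
            findings.append(
                f"port {port}/{proc}: bound to all interfaces, expected localhost")
    return findings
```

Running `audit(parse_listeners(SAMPLE_SS_OUTPUT))` flags only the telnet listener; rebinding the database to all interfaces adds a second finding.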
Data Recovery Capability
The CIS states that the primary component of this specific security control is “the processes and tools used to properly back up critical information with a proven methodology for its timely recovery”. Moreover, this CIS critical security control lists four foundational requirements that focus on system backups and testing.
- Systems should be backed up on a weekly basis, or more often for those that store highly confidential or sensitive data. The backup should include even the operating system and application software, and must comply with official regulatory requirements. Moreover, an organization must keep multiple backup generations so that, in the event of a malware incident, data can be restored from a version that precedes the infection.
- Check the integrity of the backup data by regularly performing a data restoration.
- Data backups, including remote and cloud backups, must be protected by either physical security or encryption when they are stored, as well as when they are moved within the organization’s network.
- Important systems must have at least one backup destination that is not consistently accessible by operating system calls. This can help prevent malevolent attacks that can cause damage to addressable data shares, which includes backup destinations.
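The four requirements above lend themselves to an automated check. The following added example, which is not the article’s or CIS’s own tooling, verifies a backup catalog for weekly cadence, an offline copy, encryption and hash integrity, and picks the newest clean backup that precedes a given infection date. The catalog entries, archive bytes and the 7-day cadence are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed archive contents, standing in for the files in the backup store.
ARCHIVES = {
    "sys-2024-03-01.tar.gpg": b"encrypted-archive-1",
    "sys-2024-03-08.tar.gpg": b"encrypted-archive-2",
    "sys-2024-03-15.tar.gpg": b"encrypted-archive-3",
}

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed catalog. The 03-08 entry carries a stale hash on purpose to show a
# failed integrity check; "offline" marks a copy that OS calls cannot reach.
CATALOG = [
    {"name": "sys-2024-03-01.tar.gpg", "taken": datetime(2024, 3, 1), "encrypted": True,
     "offline": True, "sha256": sha256(ARCHIVES["sys-2024-03-01.tar.gpg"])},
    {"name": "sys-2024-03-08.tar.gpg", "taken": datetime(2024, 3, 8), "encrypted": True,
     "offline": False, "sha256": "0" * 64},
    {"name": "sys-2024-03-15.tar.gpg", "taken": datetime(2024, 3, 15), "encrypted": True,
     "offline": False, "sha256": sha256(ARCHIVES["sys-2024-03-15.tar.gpg"])},
]

def verify_integrity(entry, store):
    """Re-hash the stored archive and compare with the catalog record."""
    data = store.get(entry["name"])
    return data is not None and sha256(data) == entry["sha256"]

def catalog_findings(catalog, store, now_iso, max_age_days=7):
    """Policy violations found in the catalog; an empty list means compliant."""
    now = datetime.fromisoformat(now_iso)
    findings = []
    if now - max(e["taken"] for e in catalog) > timedelta(days=max_age_days):
        findings.append("newest backup is older than the weekly cadence")
    if not any(e["offline"] for e in catalog):
        findings.append("no backup on a destination isolated from OS calls")
    for e in catalog:
        if not e["encrypted"]:
            findings.append(f"{e['name']}: stored unencrypted")
        if not verify_integrity(e, store):
            findings.append(f"{e['name']}: hash mismatch, restore would fail")
    return findings

def last_clean_backup(catalog, store, infected_iso):
    """Newest backup taken before the infection that still passes integrity."""
    infected_at = datetime.fromisoformat(infected_iso)
    clean = [e for e in catalog
             if e["taken"] < infected_at and verify_integrity(e, store)]
    return max(clean, key=lambda e: e["taken"])["name"] if clean else None
```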
Secure Configuration for Network Devices
Large-scale organizations and conglomerates are equipped with IT infrastructure systems that are built to be deployed quickly, so that they can transmit and store massive amounts of mission-critical data efficiently. However, there can be instances where security takes a backseat to operational agility, and attackers are well aware of this. They use these loopholes to weaken defenses, access or disrupt networks, and even intercept information while it is being transmitted.
This CIS critical security control advises organizations to thoroughly check all network device configurations, and see if these abide by approved security configurations. Any gaps and inconsistencies must immediately be flagged and rectified to prevent potential security breaches. Furthermore, it is recommended that network devices employ measures such as encrypted sessions and multi-factor authentication for additional security.
Boundary Defense
Cybercriminals are always on the lookout for weaknesses and vulnerabilities in organizations’ information assets, whether in the internal network or in external systems. Should the internal network seem impenetrable, they look for chinks in the system’s so-called armor and use these architectural vulnerabilities to weaken its external systems. Because of the increased use of wireless devices, as well as the growing interconnectivity within and between organizations, the boundaries between internal and external systems are being eroded.
This CIS critical security control finds it imperative for companies to understand and manage the flow of information between networks so that the most valuable data can be duly protected. They must also equip their information systems with Intrusion Detection Systems (IDS) to scan for unusual attack patterns at each of their network boundaries.
Data Protection
Increasingly, organizations understand the intrinsic need to secure and protect their information networks from external forces, without taking into account that sensitive data can also be exfiltrated, whether deliberately or accidentally, by their very own team members.
Companies must understand that they should store sensitive assets separately from less crucial data to reduce the risk of data exfiltration. As such, this CIS critical security control prescribes that internal and external network perimeters be fitted with automated tools that can monitor, signal, and block the unauthorized transfer of information.
Moreover, should the use of USB storage devices be permitted, enterprise software must be used to configure the systems that will accept them.
Controlled Access Based on the Need to Know
Giving everyone in the organization, regardless of rank or role, access to every piece of information that it owns and manages is like giving attackers or malicious insiders a free pass to cripple your information systems, or to use confidential information for their own benefit and the company’s disadvantage.
This CIS critical security control proposes that companies group their information assets and assign the specific job functions, devices, and applications that will be able to view each group, so as to prevent needless access. Sensitive information must be stored in separate Virtual Local Area Networks (VLANs) to allow for its due partition and isolation.
Wireless Access and Control
As mentioned earlier, the use of wireless devices, even for professional purposes, has become so popular, to the extent that keeping track of all the devices accessing an organization’s information network can be very tedious.
However, cyber attackers consider wireless devices as easy ways to access vulnerable networks, since an individual would normally have access to his office email and work-related files from his mobile phone or tablet. All it takes is for this person to access the internet via an unsecured public network, and these attackers can potentially be one step closer to infiltrating the company’s data systems.
It will help immensely if the company performs vulnerability scanning on its wireless network to check whether or not its networks are penetrable. In addition, this CIS critical security control declares that organizations must ensure that only official devices are allowed to access their networks remotely, and that these are fitted with verification systems as an extra layer of security.
Account Monitoring and Control
Guaranteeing information security includes overseeing the end-to-end process of account creation, management, and deletion. Regularly auditing user accounts will allow the organization to weed out and disable dormant and inactive accounts, effectively diminishing the opportunity for cyber attackers to use these assets for their malicious activities.
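An added example, not from the article, of the dormant-account audit just described: it reviews a constructed account inventory and reports which enabled accounts should be disabled, using assumed policy thresholds of 45 days without a login and a 14-day onboarding grace period for accounts that have never been used.

```python
from datetime import datetime, timedelta

# Constructed account inventory: creation date, last interactive login (None if
# never), and whether the account is currently enabled.
ACCOUNTS = {
    "alice": {"created": datetime(2023, 1, 10), "last_login": datetime(2024, 3, 18), "enabled": True},
    "bob": {"created": datetime(2022, 6, 1), "last_login": datetime(2023, 11, 2), "enabled": True},
    "contractor7": {"created": datetime(2023, 9, 5), "last_login": None, "enabled": True},
    "newhire": {"created": datetime(2024, 3, 12), "last_login": None, "enabled": True},
    "oldadmin": {"created": datetime(2021, 2, 1), "last_login": datetime(2022, 1, 1), "enabled": False},
}

DORMANT_DAYS = 45   # assumed policy: no login for this long means dormant
GRACE_DAYS = 14     # assumed policy: a new account may stay unused this long


def review_reason(rec, now):
    """Why this account should be disabled, or None if it looks healthy."""
    if not rec["enabled"]:
        return None  # already disabled; the deletion workflow takes over
    last = rec["last_login"]
    if last is None:
        # Never used: tolerate it only inside the onboarding grace period.
        if now - rec["created"] > timedelta(days=GRACE_DAYS):
            return "never logged in after onboarding grace period"
        return None
    idle = (now - last).days
    if idle > DORMANT_DAYS:
        return f"dormant for {idle} days"
    return None


def accounts_to_disable(accounts, now_iso):
    """Map each flagged username to the reason it should be disabled."""
    now = datetime.fromisoformat(now_iso)
    flagged = {}
    for name, rec in accounts.items():
        reason = review_reason(rec, now)
        if reason:
            flagged[name] = reason
    return flagged
```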
RSI Security Provides CIS Critical Security Controls at a Reasonable Cost
The above-mentioned CIS critical security controls provide simple yet clear-cut measures for how companies can effectively protect themselves from malicious and costly cyber attacks. While these CIS critical security controls may sound expensive to deploy, there are agencies that can provide professional services that abide by these controls at a reasonable cost.
To safeguard your organization’s valuable information assets and systems, it is imperative that you develop and maintain a strong and impenetrable line of defense, in order to deter cybercriminals from even attempting to access your networks. Working with a team that is well-versed in the implementation and management of CIS critical security controls, such as RSI Security, will help your company achieve utmost IT safety and security, and give you the assurance that your IT assets are duly protected and managed 24/7.