In the early days of technology the interwebs were similar to the Wild Wild West—anarchic, lawless, and unregulated. While the interweaving of technology and society created many benefits and conveniences, it also spawned a multibillion-dollar cybercrime industry.
In response to this growing threat, a group of volunteer security experts formed a non-profit organization they called the Center for Internet Security (CIS). Its mission: to help public and private sector entities manage their cybersecurity risks.
But how do they accomplish this? Let’s discuss.
What Is the Center for Internet Security (CIS)?
In October of 2000 the Center for Internet Security was established as a 501(c)(3) nonprofit organization. Its charter had two clearly stated goals:
- Identify, develop, validate, promote, and sustain best practice solutions for cyber defense.
- Build and lead communities to enable an environment of trust in cyberspace.
Headquartered in New York, the organization has hundreds of IT security professionals representing governmental agencies, the military, large corporations, conglomerates, and academic institutions.
Over time it has come to set a widely adopted standard for internet security and best practices, most of which are outlined in its CIS Controls and CIS Benchmarks. Participating organizations include:
- The American Institute of Certified Public Accountants (AICPA)
- The Institute of Internal Auditors (IIA)
- The International Information Systems Security Certification Consortium (ISC2)
- Systems Administrations, Networking and Security (SANS) Institute
The CIS Crowdsourcing Structure
The world of cybercrime is mercurial. It is composed of tens of thousands of individuals working autonomously, each with their own goals, methods, and strategies. In terms of security this decentralization creates a massive problem: there are too many criminals and too many potential areas of attack for any one entity to handle on its own.
To fight fire with fire, CIS eschews a top-down security control model. Instead it favors a group defense that relies heavily on crowdsourcing. Individual members of CIS are deputized, which gives them the authority to perform two primary tasks:
- Identify security liabilities
- Propose refinements to security measures
An alert or recommendation is shared with and evaluated by the community, then brought up for a vote. If it passes, the security measure is integrated.
Over the years this collaboration has helped form the framework for the CIS Critical Security Controls and Benchmarks.
The 20 CIS Critical Security Controls
The CIS Critical Security Controls are composed of 20 essential security controls, which are grouped into three tiers:
- Basic – Controls 1-6
- Foundational – Controls 7-16
- Organizational – Controls 17-20
The CIS Controls aren’t all of the security measures available to you; however, they do form a vital first line of defense against most cyberattacks.
The first 5 controls are the most critical. They’ll stop 85% of attacks. Over the years the basic controls have been added to, refined, and updated, the most recent version being V7.1. With each newly released version, the security prescriptions become more applicable and actionable.
Because the controls are regularly updated using current attack data, they are able to remain effective against today’s evolving cyber threats. Per the AHA, “CIS Controls act as a blueprint for network operators to cut through clutter of innumerable recommendations made by innumerable sources—the “Fog of More”—to improve cybersecurity by suggesting specific actions to be done in a priority order.”
So, what are the basic security controls?
- CSC 1 – Inventory and Control of Hardware Assets
  - The Threat – Hackers are always monitoring targets and waiting for new, unprotected systems to enter the network, particularly Bring-Your-Own-Device (BYOD) hardware.
  - The Response – Perform active management (inventory, track, and correct) of all your hardware devices to ensure that only authorized devices have access to your network. Unauthorized and unmanaged devices must be immediately identified and refused access.
- CSC 2 – Inventory and Control of Software Assets
  - The Threat – Hackers are constantly monitoring targets, searching for vulnerable software to exploit.
  - The Response – Perform active management (inventory, track, and correct) of all software on the network to ensure that only authorized software is installed and can execute. Unauthorized and unmanaged software must be identified and blocked from installation or execution.
- CSC 3 – Continuous Vulnerability Management
  - The Threat – Hackers look for the exposure gap between a newly identified security threat and the remediating action.
  - The Response – Continuously gather, analyze, and act upon new information (software updates, security advisories, threat bulletins, patches) to highlight exposures and minimize their threat.
- CSC 4 – Controlled Use of Administrative Privileges
  - The Threat – One of the most common ways attackers spread within a target organization is through the misuse of administrative privileges.
  - The Response – Monitor administrative privileges on computers, applications, and networks. Utilize tools to track, control, prevent, and correct administrative configurations, uses, and assignments.
- CSC 5 – Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  - The Threat – Most devices are geared for easy deployment and use but not for security. This makes them vulnerable and exploitable, particularly in their default state.
  - The Response – Perform active management (track, report on, correct) of the security configuration of devices such as workstations, laptops, and mobile phones. Employ configuration management to enhance device security beyond its default state.
- CSC 6 – Maintenance, Monitoring, and Analysis of Audit Logs
  - The Threat – Failure to properly log and analyze security events enables hackers to conceal their actions, location, or malware on machines.
  - The Response – Acquire, manage, and assess event audit logs in order to detect an attack, understand what is happening, and then respond properly.
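The following Python script is an added example (not the article's or CIS's own tooling) of the active management that CSC 1 and CSC 2 prescribe: it reconciles a discovered device list and per-host package listings against an authorized inventory and software allow-list, flagging what must be refused or blocked. All MAC addresses, asset tags, and packages are constructed.

```python
"""Added example (not the article's or CIS's own tooling): reconciling
discovered devices and software against an authorized inventory, as CSC 1
and CSC 2 prescribe. Every MAC, asset tag and package below is constructed."""

# Constructed authorized hardware inventory: MAC address -> asset tag
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "WS-0001",
    "00:11:22:33:44:02": "WS-0002",
    "00:11:22:33:44:03": "SRV-0001",
}
# Constructed software allow-list: package -> approved versions
AUTHORIZED_SOFTWARE = {
    "openssh-server": {"8.9p1", "9.3p1"},
    "chromium": {"120.0"},
}
# Constructed discovery data, e.g. from a DHCP lease table or a network scan
DISCOVERED_DEVICES = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.11"},
    {"mac": "00:11:22:33:44:03", "ip": "10.0.0.13"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.0.77"},  # unknown BYOD device
]
# Constructed per-host package listing, e.g. from an endpoint agent
DISCOVERED_SOFTWARE = {
    "WS-0001": {"openssh-server": "8.9p1", "chromium": "120.0"},
    "SRV-0001": {"openssh-server": "7.4p1", "nc": "1.10"},
}


def reconcile(devices, software):
    """Return what CSC 1/2 ask you to act on: devices not in the inventory
    (refuse access), inventoried devices that did not show up (stale records
    or offline assets), and software that is not on the allow-list or runs an
    unapproved version (block it)."""
    seen = {d["mac"] for d in devices}
    unauthorized_devices = [(d["mac"], d["ip"]) for d in devices
                            if d["mac"] not in AUTHORIZED_HARDWARE]
    missing_devices = [tag for mac, tag in AUTHORIZED_HARDWARE.items()
                       if mac not in seen]
    unauthorized_software = [
        (host, name, ver)
        for host, pkgs in software.items()
        for name, ver in pkgs.items()
        if ver not in AUTHORIZED_SOFTWARE.get(name, set())
    ]
    return {
        "unauthorized_devices": unauthorized_devices,
        "missing_devices": missing_devices,
        "unauthorized_software": unauthorized_software,
    }
```

Calling `reconcile(DISCOVERED_DEVICES, DISCOVERED_SOFTWARE)` on the constructed data flags the unknown BYOD device, notes that WS-0002 never appeared, and reports the file server's outdated OpenSSH build and the unlisted `nc` package.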
The Foundational Security Controls
Although we won’t go into detail, the foundational security controls include:
- CSC 7 – Email and Web Browser Protections
- CSC 8 – Malware Defenses
- CSC 9 – Limitation and Control of Network Ports, Protocols, and Services
- CSC 10 – Data Recovery Capabilities
- CSC 11 – Secure Configuration for Network Devices such as Firewalls, Routers, and Switches
- CSC 12 – Boundary Defense
- CSC 13 – Data Protection
- CSC 14 – Controlled Access Based on the Need to Know
- CSC 15 – Wireless Access Control
- CSC 16 – Account Monitoring and Control
The Organizational Security Controls
Similarly, the four remaining controls are:
- CSC 17 – Implement a Security Awareness and Training Program
- CSC 18 – Application Software Security
- CSC 19 – Incident Response and Management
- CSC 20 – Penetration Tests and Red Team Exercises
Control Companion Guides
In addition to the general security controls, the Center for Internet Security provides members with companion guides that are tailored to specific devices or platforms. They include:
- Internet of Things (IoT) Security Companion Guide – The integration of smart devices—tablets, phones, laptops, wearables—represents new security gaps that hackers are looking to expose. This guide applies the CIS Controls to both current and future IoT.
- CIS Controls Cloud Companion Guide – Certain operational environments, specifically the cloud, present unique security challenges. Although many of the core security concerns are addressed by the standard CIS Controls, it can be difficult to apply the prescriptions universally, because different cloud systems operate under different security protocols and divisions of responsibility. The guide applies to:
  - Infrastructure as a Service (IaaS)
  - Platform as a Service (PaaS)
  - Software as a Service (SaaS)
  - Function as a Service (FaaS)
  - On-premises private cloud
  - Third-party hosted private cloud
  - Community cloud
  - Public cloud
- Mobile Security Companion Guide – The percentage of mobile devices being used for work purposes continues to increase. In response, organizations are building or porting applications to mobile platforms. This guide helps businesses address security concerns specific to BYOD policies and integration.
- Privacy Impact Assessment Companion – There are dozens of laws, regulations, and guidelines meant to enforce and protect individuals’ privacy. This companion piece focuses on applying the Fair Information Practice principles (FIPs) as well as Privacy by Design.
The Center for Internet Security has also created CIS Benchmarks. These are best practices for ensuring a secure configuration of a specific technology system. While there are over 100 benchmarks covering more than 14 technology groups, notable benchmarks include:
- Operating Systems
  - Amazon Linux
  - Amazon Web Services
  - Apple OS
  - Microsoft Windows Desktop
- Server Software
  - Apache Cassandra
  - Microsoft IIS
  - Oracle Database
- Cloud Providers
  - Amazon Web Services
  - Google Cloud Computing Platform
  - Microsoft Azure
- Mobile Devices
  - Apple iOS
  - Google Android
- Network Devices
  - Palo Alto Networks
- Desktop Software
  - Google Chrome
  - Microsoft Office
  - Microsoft Web Browser
  - Mozilla Firefox
  - Safari Browser
Each one of these benchmarks can be downloaded for free from the CIS website.
How the Benchmarks are Developed
To build the benchmarks a group of experts, community members, and technology vendors work in conjunction with the CIS Benchmark Development team. Benchmarks start as a working draft, which focuses on defining the scope. Once completed they are discussed, developed, and tested. After consensus has been reached, the final benchmark is published to the community.
Typically, a CIS Benchmark is categorized into one of two profile levels:
- Level 1 Profile – The basic security protocols and prescriptions. These are designed to lower your organization’s attack surface without impacting the machine’s usability and functionality.
- Level 2 Profile – Defense-in-depth profiles created for the utmost security. They can adversely impact a machine’s usability and functionality, particularly if they’re not implemented by IT professionals.
CIS Program Areas and Communities
The Center for Internet Security provides its members with various other program areas and communities, including:
- The Multi-State Information Sharing & Analysis Center (MS-ISAC) – MS-ISAC was created to help improve overall security levels and the response to cyberthreats. It works with the country’s federal, state, local, and tribal governments to improve their prevention, protection, response, and recovery efforts. Services include:
  - 24/7 security operations center
  - Incident response services
  - Cybersecurity advisories and alerts
  - Secure communication and document sharing portals
  - A cyber alert map
  - Malicious code analysis platform (MCAP)
- CIS SecureSuite – Member organizations receive access to a variety of cybersecurity resources, tools, and best practice guidelines. It includes:
  - Automated system reviews
  - Automatic compliance tracking
  - Customizable benchmarks
  - Easily configurable system implementation
  - Technical support
  - Access to a network of cybersecurity professionals
- CIS-CAT Pro – A program available to all members, it rapidly compares the configuration of your systems to the CIS Benchmark recommendations. You receive a conformance report based on a scale of 0-100. This allows you to:
  - Regularly assess your system configurations
  - Review assessments, reports, and dashboards
  - Create standard configuration images
  - Increase security awareness
- CIS WorkBench – A virtual group workbench where IT experts the world over can develop, assess, edit, and maintain the secure configuration recommendations within the CIS Benchmarks. This collaborative space allows the Center for Internet Security to stay ahead of hackers and evolving cybersecurity threats. With it you can:
  - Tailor benchmarks to your organization’s needs
  - Discuss technical cybersecurity concepts
  - Download CIS resources
- CIS Hardened Images – CIS provides secure, pre-configured virtual images hardened according to CIS Benchmarks. These provide you with on-demand computing capabilities that are scalable and secure. Available cloud computing platforms include:
  - Google Cloud Platform
  - Oracle Cloud
CIS Benchmark-hardened images help your business stay secure and reduce cost.
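As an added example (not CIS-CAT Pro and not a published CIS Benchmark), the following Python assessor shows the mechanics described in the profile-level section above and in the CIS-CAT Pro entry: benchmark-style checks tagged Level 1 or Level 2 are run against a configuration file and summarized as a 0-100 conformance score, with a Level 2 run including the Level 1 checks. The check list and the sshd_config-style sample are constructed for illustration.

```python
"""Added example (not CIS-CAT Pro and not a published CIS Benchmark): a minimal
benchmark-style assessor with nested Level 1 / Level 2 profiles that reports a
0-100 conformance score. Checks and config text are constructed."""
import re

# Constructed checks in the spirit of a benchmark: profile level, the
# configuration keyword to inspect, and the value the recommendation expects.
CHECKS = [
    {"id": "1.1", "level": 1, "key": "PermitRootLogin", "expect": "no"},
    {"id": "1.2", "level": 1, "key": "PasswordAuthentication", "expect": "no"},
    {"id": "1.3", "level": 1, "key": "X11Forwarding", "expect": "no"},
    {"id": "2.1", "level": 2, "key": "MaxAuthTries", "expect": "3"},
    {"id": "2.2", "level": 2, "key": "AllowTcpForwarding", "expect": "no"},
]

def parse_config(text):
    """Effective settings of an sshd_config-style file: comments dropped, keywords
    case-insensitive, first occurrence wins (as sshd resolves duplicates)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if m and m.group(1).lower() not in settings:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def assess(text, level):
    """Run every check at or below `level` (Level 2 includes the Level 1 checks,
    since the profiles nest); score = passed checks / applicable checks * 100."""
    settings = parse_config(text)
    findings = []
    for c in CHECKS:
        if c["level"] > level:
            continue
        actual = settings.get(c["key"].lower(), "<default>")
        findings.append((c["id"], c["key"], actual, actual == c["expect"]))
    passed = sum(1 for f in findings if f[3])
    score = round(100 * passed / len(findings)) if findings else 0
    return {"score": score, "findings": findings}

# Constructed sample: a server that was hardened only partially
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
PermitRootLogin no
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
MaxAuthTries 3   # ignored: sshd keeps the first value
"""
```

On the constructed sample, `assess(SAMPLE_CONFIG, 1)` scores 67 (two of three Level 1 checks pass) while `assess(SAMPLE_CONFIG, 2)` drops to 40, because the stricter profile also counts the duplicated `MaxAuthTries` (first value wins) and the unset `AllowTcpForwarding` as failures.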
Applying CIS Controls and Benchmarks to Your Organization
Your business is under constant threat of cyberattacks, and that threat continues to evolve.
The Center for Internet Security was created to help businesses, both big and small, protect their data and networks. By banding together and collaborating, security experts can stay ahead of hackers.
Even if you don’t become a member of CIS, it’s essential that you apply its security controls and benchmarks to thwart the vast majority of cyber-intrusions.
Looking for a flexible and knowledgeable IT partner? Then you’re in good hands.
At RSI Security our team of experts focuses on compliance, managed network security services, penetration testing, and cloud computing security services. We help you ensure that your organization is properly applying the CIS Controls and CIS Benchmarks from the top down. Ready to get started? Reach out today to speak with our trusted experts.