The Center for Internet Security (CIS) is a nonprofit organization devoted to improving security and safety for all internet users. Among the various services and tools the CIS provides, it is best known for the Critical Security Controls (CSC).
The CIS controls were curated to help protect businesses and other organizations from cybercrime, especially hacking. As a whole the controls protect against all types of hacking, but it’s a complex list with various specifications dedicated to certain kinds of attacks.
This guide will break down everything you need to know about the kinds of attacks the CIS CSC framework protects against, and how.
Center for Internet Security Controls Framework
The CIS CSC framework is the product of collaboration between cybersecurity experts with experience from a wide variety of fields, including education, government, technology, and various private sector commercial industries. The CIS Controls are based upon these experts’ shared set of principles, which guide the entire framework.
Per the CIS, the five tenets of cyber defense that drive and inform the controls are:
- Offense informs defense
- Measurements and metrics
- Continuous diagnostics and mitigation
The controls are informed by data from actual previous attacks rather than hypotheticals or simulations. They create safeguards against the most common types of hacking and attacks, including:
- Man-in-the-middle attacks
- Denial-of-service attacks
- SQL Injection
- Zero-day exploits
- DNS Tunneling
To mitigate risk and cover the most ground, the CIS CSC prioritizes broad-swath cybersecurity protections. And while the tenets of the controls apply to defense against all kinds of hacks, the main differentiation between various kinds of attacks occurs across the tiers of controls, implementation groups, and sub-controls.
Tiers of Controls, Sub-Controls, and Implementation Groups
The 20 controls are best practices that all organizations should implement, ideally.
Each organization is unique and has different needs and means. So, the controls list breaks down into three tiers that correlate to general priority, from highest to lowest:
- Basic (controls 1-6)
- Foundational (controls 7-16)
- Organizational (controls 17-20)
The controls within these tiers are general principles that guide particular actions. Most controls apply to all organizations but with a few exceptions.
Within these tiers and their respective controls each segment breaks down into various sub-controls. Sub-controls dictate specific actions—such as protecting or detecting—along with specific ways of applying these actions. But sub-controls don’t apply equally to all organizations.
Beyond different tiers the CIS also establishes three distinct Implementation Groups (IGs):
- Implementation Group 1 (IG1)
- Implementation Group 2 (IG2)
- Implementation Group 3 (IG3)
While the tiers and IGs are both groups of three they don’t map onto each other (Basic tier controls aren’t only for IG1). Instead, each IG corresponds to a different level of size and overall risk profile of an organization, with IG1 being the smallest and IG3 being the largest. In practice each control’s various sub-controls are recommended for one, two, or all three IGs.
Herein lies the main difference between various types of hacks the CIS controls prevent.
All controls and sub-controls have wide applications and prevent all kinds of attacks. The differences in hacks prevented depend on who should adopt which controls and how.
Various Protections Within Individual Controls
Each control in the list offers a wide range of protections that are applicable to numerous kinds of attacks. However, the various sub-controls within a control are applicable to different types, levels, and frequencies of hacks.
For example, CSC 1: Inventory and Control of Hardware Assets is a Basic Control (Tier 1). It recommends that you keep accurate inventory of all hardware on the organization’s network, like laptops and cellular devices. This ensures that “only authorized devices are given access” and “unmanaged devices are found and prevented from gaining access.”
These precautions protect against any kind of hack.
However, distinctions in the sub-controls for control 1 address different kinds of risks:
- Low-level, low-volume threats – Of the eight sub-controls, only two apply to IG1. Both are general, base-level safety precautions that prevent most kinds of low-level, low-intensity attacks, including non-targeted hacks:
  - Sub-Control 1.4: Maintain a Detailed Asset Inventory
  - Sub-Control 1.6: Address Unauthorized Assets
- High-level, high-volume threats – Of the eight sub-controls, two apply only to IG3. These are far more specific and require tools to safeguard against frequent, robust, and targeted threats:
  - Sub-Control 1.2: Use a Passive Asset Discovery Tool
  - Sub-Control 1.8: Utilize Client Certificates to Authenticate Hardware Assets
The first control is designed to prevent various different types of hacks, from less serious threats to more dangerous ones. The type of hack prevented depends on which sub-controls are being implemented, which in turn depends on which IG an organization belongs to.
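As an added illustration of what Sub-Controls 1.4 and 1.6 look like in practice (this is example code written for this article, not code from CIS or the CIS Controls publication), the script below reconciles an authorized hardware inventory against devices observed on the network. The inventory entries, the DHCP-style lease lines and their `DHCPACK <ip> <mac> <hostname>` format are all constructed assumptions for the example; a real deployment would read the inventory from the organization's asset system and the sightings from a DHCP server, switch MAC tables, or a passive discovery tool (Sub-Control 1.2).

```python
"""Reconcile an authorized hardware inventory (Sub-Control 1.4) against
observed devices and surface unauthorized assets (Sub-Control 1.6).

All inventory records and lease lines below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Asset:
    mac: str
    hostname: str
    owner: str
    asset_type: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated MAC, so that 'AA-BB-..' and
    'aa:bb:..' compare equal. Raises ValueError on anything that is not a MAC."""
    hexdigits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed authorized inventory: the record the organization maintains.
AUTHORIZED_INVENTORY: Dict[str, Asset] = {
    normalize_mac(a.mac): a for a in [
        Asset("AA-BB-CC-00-00-01", "fin-laptop-01", "finance", "laptop"),
        Asset("aa:bb:cc:00:00:02", "ops-printer-01", "operations", "printer"),
        Asset("aa:bb:cc:00:00:03", "hr-desktop-02", "hr", "desktop"),
        Asset("aa:bb:cc:00:00:04", "srv-backup-01", "it", "server"),
    ]
}

# Constructed DHCP-style lease lines. The line format is an assumption for
# this example:  <timestamp> DHCPACK <ip> <mac> <hostname>
OBSERVED_LEASES = """\
2024-01-10T09:12:01 DHCPACK 10.0.1.21 aa:bb:cc:00:00:01 fin-laptop-01
2024-01-10T09:14:37 DHCPACK 10.0.1.22 AA:BB:CC:00:00:02 ops-printer-01
2024-01-10T09:20:05 DHCPACK 10.0.1.40 de:ad:be:ef:00:99 android-7f3a
2024-01-10T09:21:11 DHCPACK 10.0.1.23 aa:bb:cc:00:00:01 fin-laptop-01
2024-01-10T09:25:48 DHCPACK 10.0.1.24 aa:bb:cc:00:00:03 unknown-host
garbage line that should be ignored
"""


def parse_leases(text: str) -> Dict[str, dict]:
    """Return {mac: {'ip', 'hostname', 'last_seen'}}, keeping the latest
    sighting per MAC and skipping malformed lines."""
    seen: Dict[str, dict] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[1] != "DHCPACK":
            continue
        ts, _, ip, mac, hostname = parts
        try:
            mac = normalize_mac(mac)
        except ValueError:
            continue
        seen[mac] = {"ip": ip, "hostname": hostname, "last_seen": ts}
    return seen


def reconcile(authorized: Dict[str, Asset], observed: Dict[str, dict]) -> Dict[str, list]:
    """Three findings a Sub-Control 1.6 process would act on:
    unauthorized - seen on the network but absent from the inventory
    missing      - in the inventory but not seen (stale record or offline asset)
    mismatch     - seen, but reporting a hostname that differs from the record"""
    report: Dict[str, list] = {"unauthorized": [], "missing": [], "mismatch": []}
    for mac, sighting in sorted(observed.items()):
        asset = authorized.get(mac)
        if asset is None:
            report["unauthorized"].append({"mac": mac, **sighting})
        elif asset.hostname != sighting["hostname"]:
            report["mismatch"].append({
                "mac": mac, "expected": asset.hostname,
                "observed": sighting["hostname"], "ip": sighting["ip"],
            })
    for mac, asset in sorted(authorized.items()):
        if mac not in observed:
            report["missing"].append({"mac": mac, "hostname": asset.hostname, "owner": asset.owner})
    return report


if __name__ == "__main__":
    findings = reconcile(AUTHORIZED_INVENTORY, parse_leases(OBSERVED_LEASES))
    for category, items in findings.items():
        print(f"{category}: {len(items)}")
        for item in items:
            print("   ", item)
```

The three finding types map to the IG1 sub-controls directly: "unauthorized" is the list Sub-Control 1.6 asks you to act on (remove, quarantine, or add to the inventory), "missing" flags inventory records that Sub-Control 1.4 says should be kept accurate, and the "mismatch" case shows why a MAC alone is a weak identifier, which is the gap the IG3 certificate-based authentication in Sub-Control 1.8 closes.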
Below, all three IGs, their various risk profiles, and the corresponding types of hacks protected against will be broken down in more detail.
But first let’s briefly review all the controls, tier by tier.
Critical Security Controls
This section highlights the three tiers and their distinguishing features. For further reading the CIS Critical Security Controls are detailed in full in the CIS’s publication, CIS Controls, which is now in version 7.1.
The publication CIS Controls V7.1 is not directly accessible via the internet, but can be downloaded for free following email confirmation. The controls are also explained individually, in digest-form, through links collected on the CIS page The 20 CIS Controls & Resources.
Language in the numbered list below is adapted from CIS Controls V7.1.
The first tier, “Basic,” governs the bare minimum security efforts that all organizations must cover. They’re designed to provide baseline coverage for all kinds of attacks, and all of them include sub-controls recommended for the three IGs.
The first six controls are:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring, and Analysis of Audit Logs
These controls cover inventory maintenance for the cybertools of the trade, regardless of industry. The next step up involves similar tasks spread out over not just tools, but cyber-infrastructure (networks) and stock (data).
The second tier, “Foundational,” includes measures that go beyond the most basic level of security for all organizations. Like tier 1 each Foundational Control includes sub-controls for all three IGs.
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
These controls extend the kinds of monitoring and protection from the Basic tier into the various other cyber objects and platforms that any organization encounters. The next and last tier, however, moves from maintenance of objects to control over individuals.
The final tier, “Organizational,” differs from the first two tiers in that it has less to do with specific software protocols and more to do with the behavior and attitudes of personnel within the organization.
The final four controls are:
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Another unique quality of the Organizational tier is that it includes the only two controls without any specific sub-controls recommended for IG1: CSC 18 and CSC 20. That said, many IG1 organizations may find these (and all) controls useful or necessary for their specific cybersecurity needs.
Let’s move on to what the IGs mean and the different kinds of risks each faces.
Organizations in the real world come in all shapes and sizes. This wide range of businesses also means that their cybersecurity concerns and needs may vary dramatically.
CIS divides all organizations into three IGs based on the following criteria:
- Data sensitivity and criticality of services offered by the organization
- Expected level of technical expertise exhibited by staff or on contract
- Resources available and dedicated toward cybersecurity activities
The IGs are a way to think about companies themselves. Typically, smaller businesses with fewer employees fall under IG1, medium-sized companies are in IG2, and large, mature companies are in IG3. However, a small company that handles sensitive data—such as medical records—should adopt IG3 sub-controls.
The IGs are also a way to think about the priority of each control’s sub-controls. Organizations should scale up, beginning with implementing all IG1 sub-controls, then all IG2 sub-controls, then all IG3 sub-controls. In many cases IG1 sub-controls are prerequisites for IG2 and IG3.
Let’s get into each IG in more detail:
Implementation Group 1
The CIS also refers to IG1 as “Cyber Hygiene.” That’s because most IG1 sub-controls are the most fundamental measures any and all companies should take.
Organizations that fall into IG1 are typically small, including businesses like:
- Family-owned restaurants
- Small retail operations
- Sole proprietorships, partnerships, and LLCs
More important than size, however, is their available resources, especially for IT. An IG1 organization typically has little to no budget dedicated toward IT personnel and assets.
The main prioritized threat to the business is downtime, which compromises slim profit margins. That’s because the data these organizations process is low-volume or low-risk: information pertinent to just the business and its employees.
Likewise, the types of hacks IG1 organizations risk facing are often general attacks that cybercriminals invest fewer resources into, since the potential rewards are not as great. These include general phishing and other non-targeted attacks.
Implementation Group 2
Organizations in IG2 are typically medium to large in size, often with multiple divisions each facing different risk profiles. These organizations do employ individuals and sometimes entire departments dedicated to cybersecurity and broader IT concerns.
Unlike IG1s, these organizations can typically withstand periods of downtime. They house or process large quantities of sensitive data of both internal personnel and external clientele. Their major risk profiles relate to this data which they’re entrusted to protect.
A cybersecurity breach could cause a data leak, which cybercriminals could then use as is or leverage as collateral. Common attacks IG2-level sub-controls protect against are larger and more dangerous in scope, including targeted hacks designed specifically to harm an individual company.
Implementation Group 3
Finally, all IG3-level organizations are well-equipped with vast resources and expertise devoted to cybersecurity. They’re mostly large organizations or those in fields such as:
These organizations have extraordinarily high-stake security needs due to vast amounts of extremely sensitive data they host, manage, and process.
Threats to these organizations carry potentially serious consequences not only for the organizations themselves, but for the public at large. These organizations are subject to the largest volume of targeted attacks, launched by the most sophisticated cybercriminals in the world. In addition to highly complex and long-term schemes, these organizations face zero-day exploits, or attacks launched the same day a vulnerability is discovered.
All sub-controls recommended for IG3-level adoption utilize the most up-to-date, detailed, and extensive measures to track, defend against, and learn from attacks.
Sub-Controls and Implementation
Once you understand which IG your organization belongs to, you know that you’ll need to implement the proper sub-controls for that group. The groups scale up cumulatively, so it follows that:
- All organizations in IG3 should implement all sub-controls in IG1, IG2, and IG3.
- All organizations in IG2 should implement all IG1 and IG2 sub-controls.
- An organization may fit most squarely into IG1 but still need to cover some sub-controls germane to IG2 or IG3.
It’s important to practice flexibility.
Implementation Group distinction is a guideline, not a rule. And, under ideal conditions, all organizations would implement all sub-controls.
In a perfect world we wouldn’t need cybersecurity at all! But in our real one enlisting the assistance of professional cybersecurity experts is the best way to keep your organization safe.
Protect Yourself With Professional Cybersecurity
The CIS CSC framework is a great way to start understanding what your organization needs to do to create a safeguard against any kind of cyberattack. However, understanding these needs is only the beginning. You must constantly assess your cybersecurity risks and address any loopholes that present themselves as your organization grows.
The kinds of attacks you’re subject to depends not only on your business, but also on the evolving technology you rely on every day. From adoption of CIS to compliance with legally required protocols like HIPAA, professional cybersecurity can be the difference between failing and thriving in this digital landscape.
For help implementing what we addressed in this article, RSI Security is here. Contact RSI Security today!