Recently, the Center for Internet Security (CIS) released its next revision of the Top 20 Security Controls.
Initially developed by the SANS Institute, these controls have been used by organizations both large and small. By adopting these sets of controls, organizations can prevent the majority of attacks.
A study of the previous release found that adopting just the first five controls prevents 85 percent of attacks, and adopting all 20 controls prevents upwards of 97 percent of attacks.
With this release, one of the main goals was a consistent workflow across every control. Even controls whose content changed little saw their requirements reordered. Each control now follows an abstract pattern of assess, baseline, remediate, and automate.
Additionally, the language has been cleaned up considerably from previous revisions. The wording is now very concise and sits at a higher level of abstraction than earlier releases, which lets the set of controls fit a wider range of platforms and attacks.
However, it leaves how to actually implement the controls up to the organization and the tools at its disposal. This may be challenging for organizations going it alone, so enterprises should work with their security vendors, who can provide guidance on the “in the weeds” details of the various controls.
Many of the existing controls have stayed the same, albeit with some consolidation to remove duplicate requirements or simplify some wording.
The top five basic controls remain the same (with some ordering changes), which makes sense since they can block the majority of the attacks.
Over the next few weeks, I will be providing a review of each individual control, offering my thoughts on each of its requirements.
Read more about the 20 CIS Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
Control 1 – Inventory and Control of Hardware Assets