Recently, the Center for Internet Security (CIS) released its next revision of the Top 20 Security Controls.
Initially developed by the SANS Institute and known as the SANS Critical Controls, these best practices are indispensable to organizations both large and small. By adopting these sets of controls, organizations can prevent the majority of cyberattacks.
20 Critical Security Controls for Effective Cyber Defense
A study of the previous release found that by adopting just the first five controls, 85 percent of attacks can be prevented. Adopting all 20 controls will prevent upwards of 97 percent of attacks. With this release, one of the main goals was to be consistent with the workflow of each set of controls. Even existing controls that did not change much in terms of content saw a shuffling of the order of requirements. For each control, we will now see an abstract version of assess, baseline, remediate, and automate.
Additionally, the language has been cleaned up considerably from previous revisions. Now we see very concise wording, which has a higher abstraction than previous releases. This will be great in terms of allowing the set of controls to fit a wider range of platforms and attacks.
However, it leaves it up to the organization and the tools at their disposal on how to actually implement the controls. This may be challenging for organizations going at it alone, so enterprises should work with their security vendors, as they can provide guidance on the “in the weeds” details of various controls.
Many of the existing controls have stayed the same, albeit with some consolidation to remove duplicate requirements or simplify some wording.
A Quick Overview of Each CIS 20 Critical Control
The top five basic controls remain the same (with some ordering changes), which makes sense since they can block the majority of the attacks. Here is a rundown of the basic requirements of each of the version 7 controls:
CIS Control 1: Inventory and Control of Hardware Assets
A comprehensive view of the devices on your network is the first step in reducing your organization’s attack surface. Use both active and passive asset discovery solutions on an ongoing basis to monitor your inventory and make sure all hardware is accounted for.
CIS Control 2: Inventory and Control of Software Assets
Another one of the top controls also deals with asset discovery, making network inventorying the single most critical step you can take to harden your system. After all, you can’t keep track of assets that you don’t know you have on your network.
CIS Control 3: Continuous Vulnerability Management
Scanning your network for vulnerabilities at regular intervals will reveal security risks before they result in an actual compromise of your data. It’s important to run automated and authenticated scans of your entire environment.
CIS Control 4: Controlled Use of Administrative Privileges
Administrative credentials are a prime target for cybercriminals. Luckily, there are several steps you can take to safeguard them, such as keeping a detailed inventory of admin accounts and changing default passwords.
CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Leverage file integrity monitoring (FIM) to keep track of configuration files, master images, and more. This control speaks to the need for automating of configuration monitoring systems so that departures from known baselines trigger security alerts.
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
System logs provide an accurate account of all activity on your network. This means that in the event of a cybersecurity incident, proper log management practices will give you all the data you need about the who, what, where, when, and how of the event in question.
CIS Control 7: Email and Web Browser Protections
There are more security threats in email and web browsers than phishing alone. Even a single pixel in an email image can give cybercriminals the information they need in order to carry out an attack.
CIS Control 8: Malware Defenses
Make sure your antivirus tools integrate well with the rest of your security toolchain. Implementing this control completely also means keeping accurate logs of command-line audits and DNS queries.
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 9 implementation will help you reduce your attack surface by way of tactics like automated port scanning and application firewalls.
CIS Control 10: Data Recovery Capabilities
Are you performing regular, automated backups? Ensuring proper data recovery capabilities will protect you from threats like ransomware.
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Network devices can be secured using multi-factor authentication and encryption—just two of the many steps covered in control 11 benchmarks.
CIS Control 12: Boundary Defense
This control deals with the way you control communications across your network boundaries. Implementing it requires using network-based IDS sensors and intrusion prevention systems.
CIS Control 13: Data Protection
Control 13, despite its simple name, is one of the more complex and difficult to put into practice thanks to ongoing processes like inventorying sensitive information.
CIS Control 14: Controlled Access Based on the Need to Know
By encrypting information in transit and disabling communication between workstations, you can start to limit potential security incidents that can occur when data privileges are overly lax.
CIS Control 15: Wireless Access Control
The first step in implementing this control is inventorying your network’s wireless access points. From there, the control takes a deep dive into mitigating all types of wireless access risks.
CIS Control 16: Account Monitoring and Control
In order to keep valid credentials out of hackers’ hands, you must have a system in place to control authentication mechanisms.
CIS Control 17: Implement a Security Awareness and Training Program
Security training should be a bigger priority at most organizations, due in part to the widening cybersecurity skills gap. This control also emphasizes the need for ongoing security training rather than one-time engagements.
CIS Control 18: Application Software Security
Code developed in-house needs security assessments through processes like static and dynamic security analysis to uncover hidden vulnerabilities.
CIS Control 19: Incident Response and Management
This control helps you put strategies in place to plan and test for cybersecurity incidents so you’re not left scrambling when they occur.
CIS Control 20: Penetration Tests and Red Team Exercises
Regular penetration testing helps you identify vulnerabilities and attack vectors that would otherwise go unknown until discovered by malicious actors.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.