The central problem facing IT security professionals across the industry today is that threats evolve as fast as technology does. Technology is vital to business, especially as more employees work outside the standard office environment, and that creates additional exposure. The CIS 20 Critical Security Controls framework is so widely used that it is referenced under several different names:
- CIS CSC
- CIS 20
- CCS CSC
- SANS Top 20
- CAG 20
The key to mitigating risk is having a solid security foundation on which to build industry- or business-specific security protocols. The CIS 20 Critical Security Controls (CSC) are that foundation.
What are the CIS 20 Critical Security Controls?
The CSC are a security foundation of actionable best practices developed by the Center for Internet Security (CIS) and the SANS Institute. Knowledge is garnered from a wide array of security professionals, condensed and clarified by industry experts, and presented in a format that can be adapted by any organization to counter the leading forms of cyber attack and protect data assets.
These basic principles allow IT professionals to respond swiftly and effectively to growing security concerns, which in turn reduces the organization's cybersecurity risk.
How do the CIS 20 apply to your organization?
All organizations must navigate the deep and complex waters that are risk and compliance. Industry standards often define how deep an organization has to dive into those murky depths, but they rarely indicate how to get there. The CIS Critical Security Controls are a set of best practices that recommend how to combat the most common cybersecurity threats, and they are applicable to all organizations.
The CSC are broken into three implementation groups, each group building on the previous one according to an organization’s resources and needs:
- Basic implementation is applying controls 1 – 6, and is advised for all organizations. These six controls can be implemented with conservative resources, and will provide a basic level of protection that even the smallest of organizations can utilize.
- Foundational implementation is applying the basic controls and controls 7 – 16, and is advised for mid-level organizations that have more resources and cybersecurity professionals to implement security measures.
- Organizational implementation is applying all 20 security controls, and is intended for developed organizations that have rich resources and robust cybersecurity expertise.
By segmenting the controls into resource- and expertise-specific groups, an organization is given the option of choosing the best fit for its infrastructure.
Why use CIS Controls for Security and Compliance?
The CIS Top 20 Critical Security Controls distill worldwide knowledge from IT professionals who are arm-deep in security each and every day. The results of using the CSC are phenomenal; studies have shown that 85% of cyberattacks can be thwarted by using just the basic implementation of the CSC, and the organizational implementation of all 20 Critical Security Controls has a staggering 97% success rate. By using these outlined best practices, an organization gains a strong security base that has already proven its worth, one on which any additional industry-specific security requirements can be built.
How do the CIS Critical Security Controls work with other standards?
The CSC are cross-compatible because they are effective best practices that cover a broad range of threats. Industry-specific standards and security framework ideologies grow and evolve with technology, and the CSC help organizations keep up with the ever-changing security environment.
For example, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) require organizations to maintain reasonable security to protect consumers’ private data. In addition, the IoT Cybersecurity Act requires connected devices to meet a minimum level of cybersecurity. Using the CIS Top 20 Critical Security Controls allows an organization to meet these thresholds.
Also, the CSC map well to other well-known security standards:
- National Institute of Standards and Technology (NIST)
- International Organization for Standardization (ISO)
- Payment Card Industry Data Security Standard (PCI-DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- Control Objectives for Information and Related Technologies (COBIT)
- Federal Information Security Modernization Act of 2014 (FISMA)
- NERC Critical Infrastructure Protection Standards (NERC CIP)
- Federal Financial Institutions Examinations Council (FFIEC)
- Department of Homeland Security Continuous Diagnostics and Mitigation (DHS CDM)
- National Security Agency Manageable Network Plan Guide (NSA MNP)
- Data Security and Protection Toolkit Standard (NHS DSP Toolkit)
The CSC are beneficial aids for organizations that need to meet these complex industry standards or regulations.
An overview of the CIS Controls
Basic CIS Controls
The basic level of implementation is applying controls 1 – 6, and is considered the minimum amount of security that all organizations should use to be ready against cyber attacks.
Control 1: Inventory and Control of Hardware Assets
Knowing who and what is using the network is key to preventing unauthorized access. This includes maintaining a detailed inventory via both active and passive discovery and using access controls. An in-depth view of all the devices that use an organization’s network provides a first line of defense.
Control 2: Inventory and Control of Software Assets
Software needs to be inventoried and monitored in a way that allows the organization to see what’s been installed, who installed it, and what the software is doing. Implementing authorization lists, installation rights, and integrity management is a must. Just like hardware assets, software can be used as a vulnerable point of entry into the protected network.
Control 3: Continuous Vulnerability Management
Security risks need to be identified before they result in an actual breach. The network should be scanned regularly for weak points, which can then be quickly remediated. For the scanning to be most effective, stay current on newly published vulnerabilities.
Control 4: Controlled Use of Administrative Privileges
An inventory of service accounts and administrative credentials, together with adequate password requirements, must be fundamental. Administrative accounts must be safeguarded to prevent attackers from using them.
Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Replace default configurations and automate the processes that manage them. Configuration management is necessary to lock down unnecessary exposure that attackers can exploit.
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Logging gives an organization visibility into all activity on the network and provides pertinent details in the event of a breach. It also enables alerting.
Foundational CIS Controls
The foundational level of implementation adds controls 7 – 16 to the basic controls, and is considered appropriate for mid-level organizations that need to protect systems beyond basic needs.
Control 7: Email and Web Browser Protections
Numerous threats are directly related to email systems and web browsers. If they aren’t safe, the network isn’t either.
Control 8: Malware Defenses
Malware is used for everything from identity theft to corporate espionage. Antivirus software and malware prevention mitigate the risk to users and the organization.
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Firewalls, port scans, and separation of critical services can reduce the available avenues open to attackers. Sharp focus here can prevent unauthorized access.
Control 10: Data Recovery Capabilities
Some forms of cyber attack, like ransomware, directly target data. Backups prevent losing data and give a benchmark for data comparison if data integrity is in question after a security breach.
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Encryption and advanced authentication methods are good starting points. Shielding network devices from improper access shields the network and its data.
Control 12: Boundary Defense
An organization must control flow through the boundary using monitoring and analysis. Tight management of perimeter defenses keeps out unauthorized users and keeps in sensitive data.
Control 13: Data Protection
Data protection is complex and requires a multi-pronged focus. Use managerial controls, procedures, and technology to ensure data is accessed only where authorized, is controlled, and maintains its integrity.
Control 14: Controlled Access Based on the Need to Know
Classify data, segment based on that classification, and control the access based on what users/systems need to use that level of data. This prevents both internal and external unauthorized access to data.
Control 15: Wireless Access Control
Wireless access is a common area of risk for many organizations, and controls are necessary to mitigate as much risk as possible. Implementing protocols around SSID and broadcasting levels, guest networks, and monitoring the wireless network are ways to combat attacks.
Control 16: Account Monitoring and Control
Attackers’ use of valid credentials is a concern that must be addressed. Two-factor authentication and managing the account life cycle are common recommendations.
Organizational CIS Controls
The organizational level of implementation is applying all 20 CIS controls. It is considered appropriate for well-developed organizations that have more complex security needs and have the necessary resources/capabilities required for implementation.
Control 17: Implement a Security Awareness and Training Program
Users are an important piece of the cybersecurity puzzle. Refreshing users about security practices and new attacks to be wary of can be key to preventing breaches.
Control 18: Application Software Security
Keep applications current, use only trusted components, and harden applications where possible to prevent vulnerabilities. In-house applications should be assessed for security and kept under active maintenance. Do not allow applications to provide a backdoor into the system.
Control 19: Incident Response and Management
Always be prepared by planning for possible incidents and testing where possible. Don’t leave the response measures unplanned until something actually happens.
Control 20: Penetration Tests and Red Team Exercises
Identify points of breach and remediate as they are found. Keep testing and remediations evolving as the attack vectors change.
How to implement CIS Controls
The CIS Top 20 Critical Security Controls are actionable best practices that organizations can use to protect themselves in an ever-changing technology environment. In order to successfully implement the CSC, organizations have to act against security risks by taking proper steps to protect organizational devices, networks, and data.
This includes taking steps to implement proper discovery methods and ensuring the correct classifications of all devices on an organization’s network. In addition, an organization needs to continuously track device behavior and segment vulnerable devices. Risk assessment should be performed, as well, to ensure that security standards are being met.
The Ordr Systems Control Engine (SCE) gives organizations the power to enable visibility and security of their network-connected devices, with a simple and powerful solution to identify, classify, profile the behavior and risk, and automate action for every network-connected device in the enterprise.
One distinguishing capability of Ordr SCE is that security and IT teams have access to dynamically generated segmentation policies that allow only sanctioned communications for every class of device. To learn more about how Ordr can enable an effective network-connected device security strategy for your organization, request a demo.