What is CIS?
I want to start this article by introducing you to our good friends at the Center for Internet Security, better known as CIS. CIS is a forward-thinking nonprofit organization that harnesses the power of a global IT community to protect public and private organizations against cyber threats.
CIS provides us, free of charge, with many resources, among them:
- CIS Benchmarks: more than 100 configuration guides covering more than 25 vendor product families, for hardening systems against the threats we face every day.
- CIS Controls: a prioritized set of actions to protect your organization and its data from known attack vectors.
- A range of tools, memberships and services to help organizations around the world get started and stay secure.
In this article we will focus specifically on the 20 CIS Critical Security Controls for effective cyber defense. The numbering and grouping below follow version 7 of the controls; version 8, published in 2021, consolidated the same material into 18 controls and dropped the basic/foundational/organizational grouping.
The main benefit of these controls is prioritization: a small number of actions delivers most of the result. They are effective because they are derived from the most common attack patterns highlighted in the major threat reports and vetted by a broad community of practitioners.
Why are CIS controls important?
Minimize the risk of:
- Data breaches
- Data leakage
- Theft of intellectual property
- Corporate espionage
- Identity Theft
- Loss of privacy
- Denial of service and other cyber threats.
CIS controls help us answer questions such as:
- What are the most critical areas for establishing a risk management program?
- Which defensive measures provide the greatest value?
- How can we track the maturity of our risk management program?
- How can we share our information about attacks and attackers and identify root causes?
- Which tools are best used to solve which problems?
- Which CIS controls map to my organization's regulatory and compliance frameworks?
20 CIS controls
CIS separates the controls into three categories, regardless of industry: basic, foundational and organizational. This grouping, together with the prioritized order of the controls, is what makes them work so well.
Basic controls (6)
- Inventory and control of hardware assets: actively manage (inventory, track and correct) every hardware device on the network, so that only authorized devices are given access and unauthorized or unmanaged devices are found and kept out of sensitive areas.
- Inventory and control of software assets: without adequate knowledge and control of the software deployed in the organization, defenders cannot protect their assets, and the result is breaches and exposure of sensitive data.
- Continuous vulnerability management: defenders must continually take in new information (software updates, patches, security advisories, threat bulletins) and act on it, so that vulnerabilities are found and remediated before attackers exploit them.
- Controlled use of administrative privileges: the principle of least privilege and related access-control methods provide the processes and tools to track, control, prevent and correct the use, assignment and configuration of administrative privileges on computers, networks and applications.
- Secure configuration of hardware and software on devices: default configurations for operating systems and applications are generally geared towards ease of deployment and use rather than security; correcting them is a priority, and the CIS Benchmarks are the reference for doing so.
- Maintenance, monitoring and analysis of audit logs: weaknesses in security logging and analysis let attackers hide their location, the malware they install and their activity on the victim's machine.
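As an added example (not part of the original article, and not CIS's own tooling), here is a small Python script that implements the reconciliation step of the hardware inventory control: it parses DHCP lease records observed on the network, normalizes the MAC addresses, and compares them with an authorized asset register, reporting both unknown devices and authorized devices that have not been seen. The lease lines are constructed sample data in the dnsmasq lease-file format, and the `AUTHORIZED` mapping is an assumed, simplified format for an asset register.

```python
"""Control 1 check: reconcile devices seen on the network with the authorized inventory.

Added example, not code from the CIS page. All input data below is constructed.
"""
import re

# Constructed sample in the dnsmasq lease-file format:
# "<expiry epoch> <mac> <ip> <hostname> <client-id>"
# Note the mixed MAC spellings: uppercase and dash-separated forms both appear in the wild.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 10.0.1.10 fin-laptop-01 01:aa:bb:cc:dd:ee:01
1700000000 AA:BB:CC:DD:EE:02 10.0.1.11 dev-ws-07 *
1700000000 aa:bb:cc:dd:ee:99 10.0.1.50 android-3f2a *
1700000000 aa-bb-cc-dd-ee-03 10.0.1.12 printer-2f 01:aa:bb:cc:dd:ee:03
"""

# Constructed authorized inventory (assumed format): MAC -> (owner, asset tag)
AUTHORIZED = {
    "aa:bb:cc:dd:ee:01": ("finance", "FIN-0001"),
    "aa:bb:cc:dd:ee:02": ("engineering", "ENG-0007"),
    "aa:bb:cc:dd:ee:03": ("facilities", "PRT-0002"),
    "aa:bb:cc:dd:ee:04": ("finance", "FIN-0004"),  # on the register but never seen on the wire
}

LEASE_RE = re.compile(
    r"^(?P<exp>\d+)\s+(?P<mac>[0-9a-fA-F:\-]{17})\s+(?P<ip>\S+)\s+(?P<host>\S+)"
)


def normalize_mac(mac):
    """Canonical form: lowercase, colon-separated. Rejects anything that is not 12 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_leases(text):
    """Return {normalized_mac: {"ip": ..., "host": ...}} for every well-formed lease line."""
    devices = {}
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines rather than failing the whole run
        devices[normalize_mac(m.group("mac"))] = {"ip": m.group("ip"), "host": m.group("host")}
    return devices


def reconcile(seen, authorized):
    """Compare observed devices with the register in both directions.

    UNAUTHORIZED_DEVICE: seen on the network, absent from the register (investigate / quarantine).
    AUTHORIZED_NOT_SEEN: on the register, not observed (stale entry, or a device that is offline
    or on a segment this lease source does not cover).
    """
    findings = []
    for mac, info in sorted(seen.items()):
        if mac not in authorized:
            findings.append(("UNAUTHORIZED_DEVICE", mac, info["ip"], info["host"]))
    for mac, (owner, tag) in sorted(authorized.items()):
        if mac not in seen:
            findings.append(("AUTHORIZED_NOT_SEEN", mac, owner, tag))
    return findings


if __name__ == "__main__":
    for finding in reconcile(parse_leases(SAMPLE_LEASES), AUTHORIZED):
        print(*finding)
```

In a real deployment the lease file (or the switch MAC tables, or a passive sensor feed) is the "seen" side, the CMDB export is the "authorized" side, and the script runs on a schedule; the two finding types map directly to the active discovery and reconciliation sub-controls of Control 1. Normalizing MACs before comparison matters, because the same device will show up with different spellings in different sources.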
Foundational controls (10)
- Email and web browser protections: This control can minimize the attack surface and opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
- Malware defenses: Organizations must control the installation, propagation and execution of malicious code, while optimizing the use of automation to enable rapid defense updates, data collection and corrective action.
- Limiting and controlling network ports, protocols and services: This control should manage the ongoing operational use of ports, protocols and services on networked devices to minimize the windows of vulnerability available to attackers.
- Data recovery capabilities: the processes and tools to back up critical information, with a proven methodology for timely recovery. When a compromise is discovered, the organization must be able to remove every trace of the attacker from the affected machines, and a clean, tested backup is what makes restoring them to a trusted state possible.
- Secure configuration for network devices: Organizations must establish, implement and actively manage the security configuration of network infrastructure devices through configuration management and change control processes to prevent attackers from exploiting vulnerable services and configurations.
- Boundary defense (perimeter security): detect, prevent and correct the flow of information between networks of different trust levels, focusing on data that could harm security.
- Data Protection: Data protection controls are processes and tools designed to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of confidential information.
- Controlled access based on the need to know: track, control, prevent and correct secure access to critical assets (information, resources, systems) according to a formal determination of which people, computers and applications have a need and a right to access them. Limiting access this way reduces the impact of a breach before it happens.
- Wireless access control: the processes and tools to track, control, prevent and correct the secure use of wireless LANs, access points and wireless client systems.
- Account monitoring and control: This control requires active management throughout the lifecycle of application and system accounts (their creation, use, inactivity and deletion) to minimize opportunities for attackers.
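For the ports, protocols and services control, here is an added example (again, not from the article or from CIS) that checks what a host is actually listening on against a per-host allowlist. It parses constructed lines in the output format of `ss -H -tulnp` on Linux and flags two things: services that are not on the allowlist at all, and allowed services that are bound to all interfaces when the allowlist says they must be loopback-only. The allowlist format is an assumption of this example.

```python
"""Control 9 check: compare a host's listening services with an allowlist.

Added example, not code from the CIS page. The `ss` output and allowlist are constructed.
"""
import re

# Constructed sample in the column layout of `ss -H -tulnp`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process
SAMPLE_SS = """\
tcp   LISTEN 0      128        0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511      127.0.0.1:5432      0.0.0.0:*    users:(("postgres",pid=1201,fd=6))
tcp   LISTEN 0      128           [::]:8080         [::]:*    users:(("java",pid=2210,fd=45))
udp   UNCONN 0      0          0.0.0.0:161       0.0.0.0:*    users:(("snmpd",pid=990,fd=7))
tcp   LISTEN 0      128        0.0.0.0:3306      0.0.0.0:*    users:(("mysqld",pid=1410,fd=21))
"""

# Assumed allowlist format: (proto, port, process) -> "any" (reachable from the network)
# or "local" (must be bound to a loopback address only).
ALLOWLIST = {
    ("tcp", 22, "sshd"): "any",
    ("tcp", 5432, "postgres"): "local",
    ("tcp", 3306, "mysqld"): "local",
}

LOOPBACK = {"127.0.0.1", "[::1]"}

SS_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss(text):
    """Return a list of (proto, bind_address, port, process) for each listening socket."""
    services = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue  # header lines, sockets without a process, or anything unparseable
        # rpartition handles IPv6 literals such as "[::]:8080" and "[::1]:5432" correctly
        addr, _, port = m.group("local").rpartition(":")
        services.append((m.group("proto"), addr, int(port), m.group("proc")))
    return services


def check_services(services, allowlist):
    """Produce findings for anything outside the allowlist.

    NOT_ALLOWED: the (proto, port, process) triple is not approved on this host.
    EXPOSED_BEYOND_LOOPBACK: approved as loopback-only, but bound to a non-loopback
    address (0.0.0.0, [::] or a specific interface), so it is reachable from the network.
    """
    findings = []
    for proto, addr, port, proc in services:
        scope = allowlist.get((proto, port, proc))
        if scope is None:
            findings.append(("NOT_ALLOWED", proto, port, proc, addr))
        elif scope == "local" and addr not in LOOPBACK:
            findings.append(("EXPOSED_BEYOND_LOOPBACK", proto, port, proc, addr))
    return findings


if __name__ == "__main__":
    for finding in check_services(parse_ss(SAMPLE_SS), ALLOWLIST):
        print(*finding)
```

Keying the allowlist on the process name as well as the port is deliberate: a port that is "allowed" for one daemon should still raise a finding when a different binary is the one listening on it. The loopback check catches the common misconfiguration where a database or management service is approved for local use but ends up bound to all interfaces.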
Organizational controls (4)
- Implement a security awareness and training program: for every functional role in the organization, identify the knowledge, skills and behaviours needed to support the defence of the enterprise, and train for them.
- Application software security: manage the security lifecycle of all in-house developed and acquired software to prevent, detect and correct weaknesses. In practice this starts with validating input, encoding output and not exposing internal error details to users.
- Incident response and management: Quickly discovering attacks, containing the damage, eradicating attacker access and restoring integrity is critical in every organization.
- Penetration tests and red team exercises: test the organization's overall defences by simulating the objectives and actions of an attacker.
Now that you are aware of the existing controls and risks… What do I do?
The objective of this article is to provide you with the necessary tools for the implementation of these controls.
[table id=”2″ /]
[table id=”3″ /]
[table id=”4″ /]
Security controls are a simple yet powerful tool that lets organizations prevent the cyber-attacks that can be so damaging to their infrastructure.