The 20 CIS Controls

This is going to be probably one of the, if not the most, driest blog posts I've written. But I'm a huge fan of CIS benchmarks and controls - and these 20 controls are a great starting point in terms of compliance and general hardening of your organizations security. 

Update: I made a new post regarding CIS benchmarks and how to run an automatic assessment.

Source: invema group ltd.

First of all: What and/or who is CIS?

The Center for Internet Security (CIS) is a non-profit organization, focusing on a strong cyber security network and answers from both private and private environments, with a compliance based platform. They provide in-depth, essentially step-by-step, best practice guides for hardening various platforms. These guides are called benchmarks. CIS benchmarks are configuration baselines and best practices for securely configuring a system. 

Because of their reputation, these benchmarks are recommended as industry accepted system hardening procedures and are used by organizations in meeting various compliance requirements such as PCI and HIPAA. DISA is the only other agency that provides a subset of the benchmark. Aside from that, there are a few vendors that provide security documentation in benchmark for band, such as VMware, which provides VMware vSphere hunting guide to secure release for deployments. 

The difference between CIS Benchmarks and that CIS Controls are a general set of recommended practices for securing a wide range of systems and devices, whereas CIS Benchmarks are guidelines for hardening specific operating systems, middleware, software applications, and network devices.


1. Device inventory, both authorized and unauthorized

Organizations must actively manage all network hardware devices to ensure that only authorized devices have access and that unauthorized devices are quickly identified and disconnected from the network before causing damage.

What is the significance of this control?

Attackers scan a company's address range on a regular basis, waiting for new, unprotected devices to connect to the network. This control is especially important for businesses pursuing a BYOD strategy, because hackers are looking for devices that go online and offline frequently.


2. Software Inventory (Authorized and Unauthorized)

Only authorized software can be installed if organizations actively manage all software resources on the network. Unauthorized software can be quickly identified and prevented using security measures such as whitelisting specific applications.

What is the significance of this control?

Attackers are looking for vulnerable software versions that can be remotely exploited. They can, for example, infiltrate websites with malicious code, media files, and other content, or use zero-day attacks to exploit previously unknown vulnerabilities. To ensure data security and protection, you should be aware of the software that has been installed in your organization.


3. Hardware and software configurations that are secure

Security configurations for laptops, servers, and workstations must be defined, implemented, and managed by organizations. To prevent attackers from exploiting service and setting vulnerabilities, they must follow strict configuration management and implement change control processes.

What is the significance of this control?

Standard configurations for operating systems and applications are provided by manufacturers and distributors and are simple to install and use, but they are not designed for high security. Attacks can be launched against open services and ports, as well as default accounts and passwords. To ensure maximum security, configuration settings must be defined.


4. Vulnerability assessment and remediation on a continuous basis

New information and resources must be constantly retrieved, evaluated, and appropriate action taken (e.B software updates, patches, security advisories and reports on new threats). This enables them to find and fix vulnerabilities that could allow attackers to gain network access.

What is the significance of this control?

As soon as new vulnerabilities are discovered, a race between all parties involved begins: hackers attempt to exploit the flaw in order to launch an attack, manufacturers issue patches or updates, and security experts conduct risk analysis or regression testing. Because attackers have access to the same information as everyone else, they can take advantage of the time between when a vulnerability is discovered and when it is fixed.


5. Administrator rights are used in a controlled manner.

To prevent unauthorized access to critical systems, organizations must use automated tools to monitor user behavior, as well as the granting and use of administrative privileges.

What is the significance of this control?

Abusing administrative rights is a common way for attackers to gain access to a company's network. Use phishing methods, crack or guess the password of a user with administrator privileges, or extend a normal user account with administrator privileges to obtain administrator credentials. Attackers have an easy time gaining control of systems if companies do not have the resources to monitor the activities in their IT environment.


6. Audit logs are managed, monitored, and analyzed.

To detect unusual activity and investigate security incidents, organizations must collect, manage, and analyze event logs.

What is the significance of this control?

Inadequate security protocols and analytics allow attackers to hide their location and network activities. Even if the affected company is aware of which systems have been compromised, without complete logging, it is difficult to determine what steps an attacker has already taken. This also makes responding to a security breach more difficult.


7. Email systems and web browsers are protected.

Organizations must ensure that only fully supported web browsers and email clients are used to reduce their attack surface.

What is the significance of this control?

Because of their technical complexity and flexibility, hackers frequently use web browsers and email clients to gain network access. Attackers can use spoofed emails and web pages to trick users into taking actions that spread malware and lead to the loss of valuable data.


8. Anti-malware protection measures

Organizations must ensure that malware cannot be installed or executed at various points throughout the organization. It is recommended that automated tools with anti-virus, anti-spyware, personal firewalls, and host-based IPS functions be used for continuous monitoring of workstations, servers, and mobile devices for this purpose.

What is the significance of this control?

Modern malware is capable of rapidly spreading and exploiting new vulnerabilities. It can be added to the network in a variety of ways. Malware protection solutions must be able to keep up with these changing needs, for example, through comprehensive automation, updating, and integration into processes like incident response.


9. Restricting and controlling network ports, protocols, and services

To reduce the attack surface, organizations must monitor and manage the use of ports, protocols, and services on network devices.

What is the significance of this control?

Attackers are looking for network services that they can remotely access and exploit. Inadequately configured Web servers, e-mail servers, file and print services, and DNS servers, all of which are installed by default on a variety of devices, are typical examples. As a result, it's critical to make sure that each system only runs the ports, protocols, and services that are actually required for business.


10. Data recovery is a possibility

Critical systems and data must be backed up at least once a week by businesses. You'll also need a best practice for quickly recovering data.

What is the significance of this control?

Data, configurations, and software are frequently altered by attackers. It is difficult to resume system operations after an attack without a reliable backup and restore.


11. Network device configurations that are secure

The security configuration of network infrastructure devices such as routers, firewalls, and switches must be defined, implemented, and actively managed by organizations.

What is the significance of this control?

The default configurations of network infrastructure devices, like those of operating systems and applications (see Control 3), are designed for ease of deployment but not for high security. Furthermore, the security of network device configurations is frequently compromised over time. Attackers can gain access to networks by exploiting these configuration flaws, or they can use a compromised system to pose as a trusted system.


12. At the network's edge, there are security precautions to be taken.

Companies must be able to recognize and redirect information flow between networks with varying levels of trust. Data that could jeopardize security is given special attention. Technologies that provide comprehensive visibility and control over the flow of data throughout the environment, such as intrusion detection and defense systems, are the best defense method.

What is the significance of this control?

To gain access to an organization's network for the first time, attackers frequently exploit vulnerabilities in the configuration and architecture of perimeter systems, network devices, and client systems with Internet access.


13. Data protection

Organizations must mitigate the risk of data exfiltration and ensure the integrity of sensitive data by using the right processes and tools. The best method for achieving high data security is to use a combination of encryption, integrity protection, and data loss prevention methods.

What is the significance of this control?

While many data leaks are the result of deliberate data theft, data loss or corruption can also be the result of poor security or human error. Organizations must implement solutions that detect data exfiltration attempts and mitigate the impact of a data breach to mitigate these risks.


14. Controlled access to only the data and systems that are actually required

Businesses must be able to monitor, control, and secure access to their critical resources. It must also be simple to determine which individuals, computers, or applications have access to these resources.

What is the significance of this check?

Many businesses overlook the importance of carefully identifying their critical resources and separating them from less sensitive data. As a result, users have access to far more sensitive data than they require for their jobs. As a result, Insiders can take control of a user account, access important information quickly, and disrupt the system's operation.


15. Controlling unrestricted access

Businesses require processes and tools that allow them to monitor and control the use of local area networks (LANs), access points, and drahtless client systems. You must check the network for flaws and ensure that all drahtless devices connected to the network have an authorized configuration and security profile.

What is the significance of this control?

Because wireless devices do not require a direct physical connection, they are a convenient way for attackers to gain long-term access to the IT environment. Wireless clients used by employees on the go, for example, are frequently infected, allowing attackers to gain access through the back door once they are reconnected to the corporate network.


16. User account monitoring and control

To prevent attackers from exploiting user accounts, organizations must actively manage their lifecycle (creation, use, and deletion). All system accounts should be reviewed on a regular basis, and former employees and contractors should have their accounts deactivated as soon as they leave the company.

What is the significance of this control?

Inactive user accounts are frequently used by attackers to gain legal access to a company's systems and data. As a result, detecting such attacks is difficult in the first place.


17. Identifying security skills and filling knowledge gaps with appropriate training

To improve security, businesses must define what knowledge and skills they require. This entails creating and implementing a strategy for identifying and closing gaps through appropriate policies, planning, and training programs.

What is the significance of this control?

The temptation to view cyber-attack defense solely as a technical challenge is obvious. Employee actions, on the other hand, are just as important for the success of a safety program. When planning attacks, hackers frequently take advantage of human behavior, such as phishing messages that look like regular emails or exploiting the window of opportunity to patch or review logs.


18. Security of Application Software

To identify and fix security vulnerabilities in a timely manner, organizations must manage the security lifecycle of all software programs they use. They must, in particular, ensure that only the most recent version of an application is used and that all relevant patches are installed as soon as possible.

What is the significance of this control?

Vulnerabilities in web-based applications and other software programs are frequently exploited by attackers. You can use it to cause buffer overflows, inject SQL commands, and take control of vulnerable systems using cross-site scripting and code clickjacking, for example.


19. Security incidents are managed and countermeasures are taken.

To respond to security incidents, organizations must develop and implement appropriate measures. This includes plans, defined roles, training, management control, and other measures to effectively detect attacks and limit damage.

What is the significance of this control?

In both small and large businesses, security incidents have long been a part of life. Even with a sufficient budget, keeping up with the development of ever new cyber threats is difficult. Unfortunately, in the vast majority of cases, the question isn't whether a cyber attack will succeed, but rather when. An attack may not be detected until it has already caused significant damage if there are no well-defined measures in place to respond to security incidents, or it may not be possible to completely isolate the attacker and thus restore the network's and systems' integrity.


20. Red-team exercises and penetration tests

The final check entails evaluating the defensive measures' overall effectiveness (technology, processes and people). External and internal penetration tests are conducted on a regular basis for this purpose. Vulnerabilities and attack methods that allow unauthorized access to systems can be identified this way.

What is the significance of this control?

Attackers can take advantage of the lag between carefully planning and implementing defenses, such as the time between a vulnerability's announcement, the availability of a vendor patch, and the patch's installation. Organizations should regularly test their defenses to uncover and address gaps before an attack occurs in a complex environment where the technologies used are constantly evolving.


Last of all: Summing up CIS Controls implementation - a practical approach

You don't have to implement all 20 S Critical Security Controls at the same time to reap the benefits. Only a few companies have the necessary budget, personnel, and time to implement multiple projects at the same time. The steps below are part of a more practical approach:

Determine the value of your information resources by identifying them and estimating their value to your company. Conduct a risk assessment and think about how potential attacks on your systems and data could happen (including entry points, propagation, and damage). Prioritize CIS controls by concentrating on the resources that pose the greatest risk.

Compare your current security controls to those recommended by the CIS. Make a note of any areas where no safety precautions are in place or where extra precautions are required.

Create a strategy for implementing new security controls that will benefit your organization while also enhancing the effectiveness of existing controls.

Obtain management approval for the plan and commitments from each business unit to provide the required budget and personnel.

Put the controls in place. Keep an eye out for emerging trends that could expose your company to new dangers. Analyze the success and scope of risk mitigation and report on the findings.