Top 20 Critical Security Controls for Effective Cyber Defense

With data breaches increasing, organizations must ensure more than ever that they have all necessary security controls in place to keep their data safe. In response to growing security threats, the SANS Institute, together with the Center for Internet Security (CIS) and other organizations, developed the 20 Critical Security Controls (CSC) for Effective Cyber Defense. The CIS CSC provides IT pros with a prioritized, focused set of actions to help them stop the most dangerous cyber attacks and ensure data security.

This blog post explains the 20 controls in the CIS CSC and why each of them is critical, and then offers 5 steps for implementing the controls in a pragmatic way.

The complete list of CIS Critical Security Controls, version 6.1

The CIS CSC is a set of 20 controls (sometimes called the SANS Top 20) designed to help organizations safeguard their systems and data from known attack vectors. It can also be an effective guide for companies that do not yet have a coherent security program. Although the CIS Controls are not a replacement for any existing compliance scheme, the controls map to several major compliance frameworks (e.g., the NIST Cybersecurity Framework) and regulations (e.g., PCI DSS and HIPAA).

The 20 controls are based on the latest information about common attacks and reflect the combined knowledge of commercial forensics experts, individual penetration testers and contributors from U.S. government agencies.

#1. Inventory of Authorized and Unauthorized Devices.

Organizations must actively manage all the hardware devices on the network, so that only authorized devices are given access and unauthorized devices can be quickly identified and disconnected before they inflict any harm.

Why is this critical? Attackers are continuously scanning the address space of organizations, waiting for new and unprotected systems to be attached to the network. This control is especially critical for organizations that allow BYOD, since hackers are specifically looking for devices that come and go from the enterprise’s network.
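The reconciliation this control calls for, as an added example that is not part of the original post: devices observed on the network are compared against the authorized inventory. The inventory, the observations and the function names are constructed for illustration; the MAC normalization matters because inventories and network gear rarely agree on notation.

```python
import re

# Constructed authorized inventory (MAC -> asset name); not real data.
AUTHORIZED = {
    "00:1A:2B:3C:4D:5E": "finance-laptop-01",
    "00-1a-2b-3c-4d-5f": "print-server",
    "001a.2b3c.4d60": "core-switch-uplink",
}

# Constructed observations, e.g. merged from DHCP leases and switch ARP tables.
OBSERVED = [
    {"mac": "00:1a:2b:3c:4d:5e", "ip": "10.0.4.21"},
    {"mac": "001A.2B3C.4D5F", "ip": "10.0.4.9"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.4.77"},
    {"mac": "DE-AD-BE-EF-00-01", "ip": "10.0.4.78"},
    {"mac": "not-a-mac", "ip": "10.0.4.90"},
]


def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def reconcile(authorized, observed):
    """Return (unauthorized MAC -> IPs, authorized assets not seen, bad records)."""
    known = {normalize_mac(m): name for m, name in authorized.items()}
    unauthorized, unparsed, present = {}, [], set()
    for rec in observed:
        mac = normalize_mac(rec["mac"])
        if mac is None:
            unparsed.append(rec)  # never silently drop a record we cannot read
        elif mac in known:
            present.add(mac)
        else:
            # Group by MAC so a device that changes IP is one finding, not several.
            unauthorized.setdefault(mac, []).append(rec["ip"])
    missing = sorted(name for mac, name in known.items() if mac not in present)
    return unauthorized, missing, unparsed


if __name__ == "__main__":
    print(reconcile(AUTHORIZED, OBSERVED))
```

Authorized assets that were not observed are reported as well, since an inventory entry that never appears on the network is itself a sign the inventory is out of date.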

#2. Inventory of Authorized and Unauthorized Software.

Organizations must actively manage all software on the network, so only authorized software is installed. Security measures like application whitelisting can enable organizations to quickly find unauthorized software before it has been installed.

Why is this critical? Attackers look for vulnerable versions of software that can be remotely exploited. They can distribute hostile web pages, media files and other content, or use zero-day exploits that take advantage of unknown vulnerabilities. Therefore, proper knowledge of what software has been deployed in your organization is essential for data security and privacy.

#3. Secure Configurations for Hardware and Software.

Companies need to establish, implement and manage the security configuration of laptops, servers and workstations. Companies have to follow strict configuration management and implement change control processes to prevent attackers from exploiting vulnerable services and settings.

Why is this critical? Manufacturers and resellers design the default configurations of operating systems and applications for ease of deployment and use, not strong security. Open services and ports, as well as default accounts or passwords, can be exploitable in their default state, so companies have to develop configuration settings with good security properties.

#4. Continuous Vulnerability Assessment and Remediation.

Organizations need to continuously acquire, assess and take action on new information (e.g., software updates, patches, security advisories and threat bulletins) to identify and remediate vulnerabilities attackers could otherwise use to penetrate their networks.

Why is this critical? As soon as researchers report new vulnerabilities, a race starts among all relevant parties: culprits strive to use the vulnerability for an attack, vendors deploy patches or updates, and defenders start performing risk assessments or regression testing. Attackers have access to the same information as everyone else, and can take advantage of gaps between the appearance of new knowledge and remediation.

#5. Controlled Use of Administrative Privileges.

This control requires companies to use automated tools to monitor user behavior and keep track of how administrative privileges are assigned and used in order to prevent unauthorized access to critical systems.

Why is this critical? The misuse of administrative privileges is a primary method for attackers to spread inside an enterprise. To gain administrative credentials, they can use phishing techniques, crack or guess the password for an administrative user, or elevate the privileges of a normal user account into an administrative account. If organizations do not have resources to monitor what’s going on in their IT environments, it is easier for attackers to gain full control of their systems.

#6. Maintenance, Monitoring, and Analysis of Audit Logs.

Organizations need to collect, manage and analyze event logs to detect aberrant activities and investigate security incidents.

Why is this critical? Lack of security logging and analysis enables attackers to hide their location and activities in the network. Even if the victim organization knows which systems have been compromised, without complete logging records, it will be difficult for them to understand what an attacker has done so far and respond effectively to the security incident.

#7. Email and Web Browser Protections.

Organizations need to ensure that only fully supported web browsers and email clients are used in the organization in order to minimize their attack surface.

Why is this critical? Web browsers and email clients are very common points of entry for hackers because of their high technical complexity and flexibility. They can create content and spoof users into taking actions that can introduce malicious code and lead to loss of valuable data.

#8. Malware Defenses.

Organizations need to make sure they can control the installation and execution of malicious code at multiple points in the enterprise. This control recommends using automated tools to continuously monitor workstations, servers and mobile devices with anti-virus, anti-spyware, personal firewalls and host-based IPS functionality.

Why is this critical? Modern malware can be fast-moving and fast-changing, and it can enter through any number of points. Therefore, malware defenses must be able to operate in this dynamic environment through large-scale automation, updating and integration with processes like incident response.

#9. Limitation and Control of Network Ports, Protocols, and Services.

Organizations must track and manage the use of ports, protocols and services on network devices to minimize the windows of vulnerability available to attackers.

Why is this critical? Attackers search for remotely accessible network services that are vulnerable to exploitation. Common examples include poorly configured web servers, mail servers, and file and print services, as well as domain name system (DNS) servers that are installed by default on a variety of devices. Therefore, it is critical to make sure that only ports, protocols, and services with a validated business need are running on each system.
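One way to check a host against the "validated business need" rule above, as an added example that is not part of the original post: it parses listening TCP sockets in the format printed by `ss -H -tln` and flags every port missing from an allowlist. The sample output, the allowlist and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `ss -H -tln` output for one host (not captured from a real system).
SS_OUTPUT = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  0.0.0.0:443       0.0.0.0:*
LISTEN 0 5    127.0.0.1:631     0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 50   *:8080            *:*
LISTEN 0 64   [::1]:5432        [::]:*
LISTEN 0 32   10.0.4.15:21      0.0.0.0:*
"""

# Hypothetical allowlist: port -> documented business need.
APPROVED = {22: "SSH administration", 443: "customer web portal"}


def parse_listeners(text):
    """Yield (local address, port) for each listening TCP socket."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        yield addr.strip("[]"), int(port)


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:  # "*" (wildcard bind) is not an IP literal
        return False


def audit(text, approved):
    """Map each unapproved listening port to its worst exposure level."""
    findings = {}
    for addr, port in parse_listeners(text):
        if port in approved:
            continue
        level = "local-only" if is_loopback(addr) else "network-exposed"
        # A port bound on several addresses keeps the worst level seen.
        if findings.get(port) != "network-exposed":
            findings[port] = level
    return findings


if __name__ == "__main__":
    print(sorted(audit(SS_OUTPUT, APPROVED).items()))
```

Loopback-only listeners are reported separately rather than ignored: they are not remotely reachable, but they still need an owner and a reason to exist.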

#10. Data Recovery Capability.

Companies need to ensure that critical systems and data are properly backed up on at least a weekly basis. They also need to have a proven methodology for timely data recovery.

Why is this critical? Attackers often make significant changes to data, configurations and software. Without reliable backup and recovery, it is difficult for organizations to recover from an attack.

#11. Secure Configurations for Network Devices.

Organizations must establish, implement and actively manage the security configuration of network infrastructure devices, such as routers, firewalls and switches.

Why is this critical? Just as with operating systems and applications (see Critical Security Control 3), the default configurations for network infrastructure devices are geared for ease of deployment, not security. In addition, network devices often become less securely configured over time. Attackers exploit these configuration flaws to gain access to networks or use a compromised machine to pose as a trusted system.

#12. Boundary Defense.

Organizations need to detect and correct the flow of information between networks of different trust levels, with a focus on data that could damage security. The best defense is technologies that provide deep visibility and control over data flow across the environment, such as intrusion detection and intrusion prevention systems.

Why is this critical? Culprits often use configuration and architectural weaknesses on perimeter systems, network devices and internet-accessing client machines to gain initial access into an organization’s network.

#13. Data Protection.

Organizations must use appropriate processes and tools to mitigate the risk of data exfiltration and ensure the integrity of sensitive information. Data protection is best achieved through the combination of encryption, integrity protection and data loss prevention techniques.

Why is this critical? While many data leaks are deliberate theft, other instances of data loss or damage are the result of poor security practices or human errors. To minimize these risks, organizations need to implement solutions that can help detect data exfiltration and mitigate the effects of data compromise.

#14. Controlled Access Based on the Need to Know.

Organizations need to be able to track, control and secure access to their critical assets, and easily determine which people, computers or applications have a right to access these assets.

Why is this critical? Some organizations do not carefully identify and separate their most critical assets from less sensitive data, and users have access to more sensitive data than they need to do their jobs. As a result, it is easier for a malicious insider (or an attacker or malware that takes over their account) to steal important information or disrupt operations.

#15. Wireless Access Control.

Organizations need to have processes and tools in place to track and control the use of wireless local area networks (LANs), access points and wireless client systems. They need to use network vulnerability scanning tools and ensure that all wireless devices connected to the network match an authorized configuration and security profile.

Why is this critical? Wireless devices are a convenient vector for attackers to maintain long-term access into the IT environment, since they do not require direct physical connection. For example, wireless clients used by employees as they travel are infected on a regular basis and later used as back doors when they are reconnected to the organization’s network.

#16. Account Monitoring and Control.

It is critical for organizations to actively manage the lifecycle of user accounts (creation, use and deletion) to minimize opportunities for attackers to leverage them. All system accounts need to be regularly reviewed, and accounts of former contractors and employees should be disabled as soon as the person leaves the company.

Why is this critical? Attackers frequently exploit inactive user accounts to gain legitimate access to an organization’s systems and data, which makes detection of the attack more difficult.

#17. Security Skills Assessment and Appropriate Training to Fill Gaps.

Organizations have to identify the specific knowledge and skills they need to strengthen security. This requires developing and executing a plan to identify gaps and fix them through policy, planning and training programs.

Why is this critical? It is tempting to think of cyber defense as primarily a technical challenge. However, employee actions are also critical to the success of a security program. Attackers often use the human factor to plan exploitations, for example, by carefully crafting phishing messages that look like normal emails, or working within the time window of patching or log review.

#18. Application Software Security.

Organizations must manage the security lifecycle of all software they use in order to detect and correct security weaknesses. In particular, they must regularly check that they use only the most current versions of each application and that all the relevant patches are installed promptly.

Why is this critical? Attackers often take advantage of vulnerabilities in web-based applications and other software. They can inject specific exploits, including buffer overflows, SQL injection attacks, cross-site scripting and click-jacking of code, to gain control over vulnerable machines.

#19. Incident Response and Management.

Organizations need to develop and implement proper incident response, which includes plans, defined roles, training, management oversight and other measures that will help them discover attacks and contain damage more effectively.

Why is this critical? Security incidents are now a normal part of our daily life. Even large and well-funded enterprises struggle to keep up with the evolving cyber threat landscape. Sadly, in most cases, a successful cyber attack is a question not of “if” but of “when.” Without an incident response plan, an organization may not discover an attack until it inflicts serious harm, and may not be able to eradicate the attacker’s presence and restore the integrity of the network and systems.

#20. Penetration Tests and Red Team Exercises.

The final control requires organizations to assess the overall strength of their defenses (the technology, the processes and the people) by conducting regular external and internal penetration tests. This will enable them to identify vulnerabilities and attack vectors that can be used to exploit systems.

Why is this critical? Attackers can exploit the gap between good defensive intentions and their implementation, such as the time window between the announcement of a vulnerability, the availability of a vendor patch and patch installation. In a complex environment where technology is constantly evolving, organizations should periodically test their defenses to identify gaps and fix them before an attack occurs.

Implementing the Controls: A Pragmatic Approach

Getting value from the CIS Critical Security Controls does not necessarily mean implementing all 20 controls at once. Few organizations have the budget, human resources and time required to implement the entire set of controls simultaneously. A more pragmatic approach to implementing the controls includes the following steps:

  1. Discover your information assets and estimate their value. Perform risk assessment and think through potential attacks against your systems and data (including initial entry points, spread and damage). Prioritize the CIS Controls around your riskiest assets.
  2. Compare your current security controls to the CIS Controls. Make note of each area where no security capabilities exist or where additional work is needed.
  3. Develop a plan for adopting the most valuable new security controls and improving the operational effectiveness of your existing controls.
  4. Obtain management buy-in for the plan and form line-of-business commitments for necessary financial and personnel support.
  5. Implement the controls. Keep an eye on trends that could introduce new risks to your organization. Measure progress and risk reduction, and communicate your findings.

Want to know more about the 20 Critical Security Controls? Visit the official website of the Center for Internet Security (CIS):