With the cost of a data breach at an all-time high of $4.35 million and regulations worldwide imposing steeper penalties for compliance failures, organizations must ensure that they have all necessary security controls in place to keep their data safe. Implementing the CIS Controls provides a sound foundation for effective defense against cyber threats
First developed in 2008, the CIS Controls are updated periodically in response to the evolution of both technologies and the threat landscape. The controls are based on the latest information about common attacks and reflect the combined knowledge of commercial forensics experts, individual penetration testers and contributors from U.S. government agencies.
This article details the 18 controls in CIS version 8. These guidelines take into account the rise of remote work and the resulting increase in access points and need for perimeter-less security.
Control 01. Inventory and Control of Enterprise Assets
The first step in developing and implementing a comprehensive cybersecurity strategy is to understand your company’s assets, who controls them and the roles they play. This includes establishing and maintaining an accurate, updated and detailed list of all hardware connected to your infrastructure, including assets that aren’t under your control, such as employees’ personal cell phones. Portable user devices will periodically join a network and then disappear, making the inventory of currently available assets very dynamic.
Why is this critical? Without this information, you can’t be sure you’ve secured all possible attack surfaces. Keeping an inventory of all assets connecting to your network and removing unauthorized devices can dramatically reduce your risk.
Control 02. Inventory and Control of Software Assets
Control 2 addresses threats from the dizzying array of software that modern companies use for business operations. It includes the following key practices:
- Identify and document all software assets, and remove any that are outdated or vulnerable.
- Prevent the installation and use of unauthorized software by creating an authorized software allowlist.
- Use automated software tracking tools to monitor and manage software application
Why is this critical? Unpatched software continues to be a primary vector for ransomware attacks. A comprehensive software inventory helps you ensure that all of your software is updated and any known vulnerabilities have been patched or mitigated. This is particularly critical for software that contains open-source components since their vulnerabilities are public knowledge.
Control 03. Data Protection
In version 7 of the CIS Controls, data protection was Control 13.
Your data is one of your company’s most valuable assets. CIS Control 3 outlines a method of protecting your data by detailing processes and technical controls to identify, classify, securely handle, retain and dispose of data. Be sure to include provisions for:
- Data inventory
- Data access controls
- Data retention
- Data disposal
- Data encryption in all phases and on removable media
- Data classification
- Data flow maps
- Segmenting data processing and storage based on sensitivity
- Data loss prevention
- Logging access and activity around sensitive data
Why is this critical? Although many data leaks are the result of deliberate theft, data loss and damage can also occur because of human error or poor security practices. Solutions that detect data exfiltration can minimize these risks and mitigate the effects of data compromise.
Control 04. Secure Configuration of Enterprise Assets and Software
This safeguard merges controls 5 and 11 of version 7. It details best practices to establish and maintain secure configurations on hardware and software assets.
Why is this critical? Even one configuration error can open up security risks and disrupt business operations. Using automated software simplifies the process of hardening and monitoring your IT assets; for example, Netwrix Change Tracker provides CIS-certified build templates that help you quickly establish strong baseline configurations and alerts you to unexpected changes in real time so you can promptly take action to minimize risk.
Control 05. Account Management
Account management was Control 16 in CIS Controls version 7.
Securely managing user, administrator and service accounts is vital to preventing their exploitation by attackers. Control 5 includes six steps for avoiding security problems caused by vulnerable accounts:
- Create and maintain an inventory of all accounts.
- Use unique passwords.
- Disable accounts that haven’t been used for 45 days.
- Restrict use of privileged accounts.
- Create and maintain an inventory of service accounts.
- Centralize all account management.
Why is this critical? Privileged and unused accounts provide an avenue for attackers to target your network. Minimizing and controlling these accounts will help protect your data and network from unauthorized access.
Control 06. Access Control Management
This safeguard merges controls 4 and 14 of version 7 of the CIS Controls.
Control 6 concerns controlling user privileges. Its best practices include establishing an access granting and revoking process, using multifactor authentication, and maintaining an inventory of systems for access control.
Why is this critical? Granting overly broad privileges for the sake of expediency opens an avenue of attack. By limiting each user’s access rights to only what’s required to do their job, you’ll limit your attack surface.
Control 07. Continuous Vulnerability Management
In version 7 of the CIS Controls, continuous vulnerability management was covered by Control 3.
This control covers identifying, prioritizing, documenting and remediating each security vulnerability in your network. Examples include open services and network ports, and default accounts and passwords.
Why is this critical? Organizations that don’t proactively identify infrastructure vulnerabilities and take remediation measures are likely to have their assets compromised or suffer business disruptions.
Control 08. Audit Log Management
This topic was covered under Control 6 in CIS Controls version 7.
Audit log management involves controls related to collecting, storing, retaining, time synchronizing and reviewing audit logs.
Why is this critical? Security logging and analysis helps prevent attackers from hiding their location and activities. Even if you know which systems were compromised in a security incident, if you don’t have complete logs, you’ll have a hard time understanding what an attacker has done so far and responding effectively. Logs will also be needed for follow-up investigations and determining the origin of attacks that remained undetected for a long time.
Control 09. Email and Web Browser Protections
This safeguard was Control 7 in CIS Controls version 7.
Email and web browsers are common vectors of attack. The primary technical controls for securing email servers and web browsers include blocking malicious URLs and file types. For more comprehensive protection against such attacks, you must also provide organization-wide training on best security practices.
Why is this critical? Using techniques like spoofing and social engineering, attackers can trick users into taking actions that can spread malware or provide access to confidential data.
Control 10. Malware Defenses
This topic was covered under Control 8 in CIS Controls version 7.
Organizations wielding ransomware and other malware have become as professional as mainstream businesses. This control describes safeguards to prevent or control the installation, execution and spread of malicious software. Centrally managing both behavior-based anti-malware and signature-based tools with automatic updates provides the most robust protection against malware.
Why is this critical? Malware can come in the form of trojan horses, viruses and worms that steal, encrypt or destroy your data. Ransomware is big business, with a global price tag expected to reach $265 billion by 2031. Following the practices outlined in Control 9 will help protect your organization against an expensive and damaging malware infection.
Control 11. Data Recovery
Data recovery was Control 10 in CIS Controls version 7.
Control 11 describes five safeguards for ensuring your data is backed up. They includes the following elements:
- Data recovery process
- Automated backups
- Protecting backup data
- Isolating backup data
- Testing data recovery protocols
Why is this critical? Ensuring you have a current backup of your data in a protected and isolated location may prevent you from having to give in to expensive extortion to regain access to your data after a ransomware attack. Moreover, effective data backup and recovery is also necessary to protect your organization from threats like accidental deletion and file corruption.
Control 12. Network Infrastructure Management
Network infrastructure management is a new control for version 8. It requires you to actively manage all your network devices to mitigate the risks of attacks aimed at compromised network services and access points.
Why is this critical? Network security is a foundational element in defending against attacks. Businesses must constantly evaluate and update configurations, access control and traffic flows to harden their network infrastructure. Fully documenting all aspects of your network infrastructure and monitoring it for unauthorized modifications can alert you to security risks.
Control 13. Network Monitoring and Defense
Control 13 is also a new addition to the CIS Controls. It focuses on using processes and tools to monitor and defend against security threats across your network infrastructure and user base. The 11 safeguards in this control cover how to collect and analyze the data required to detect intrusions, filter traffic, manage access control, collect traffic flow logs and issue alerts about security events.
Why is this critical? Combining automated technology and a team trained to implement processes to detect, analyze and mitigate network threats can help protect against cybersecurity attacks.
Control 14. Security Awareness and Skills Training
This topic was covered under Control 17 in CIS Controls version 7.
Control 14 concerns implementing an educational program to improve cybersecurity awareness and skills among all your users. This training program should:
- Train people to recognize social engineering attacks.
- Cover authentication best practices.
- Cover data handling best practices, including the dangers of transmitting data over insecure networks.
- Explain the causes of unintentional data exposure.
- Train users to recognize and report security incidents and .
- Explain how to identify and report missing security updates.
- Provide role-specific security awareness and skills training.
Why is this critical? Many data breaches are caused by human error, phishing attacks and poor password policies. Training your employees in security awareness can prevent costly data breaches, identity theft, compliance penalties and other damage.
Control 15. Service Provider Management
Control 15 is the last new control in version 8. It deals with data, processes and systems handled by third parties. It includes guidelines for creating an inventory of service providers, managing and classifying service providers, including security requirements in your contracts, and assessing, monitoring and securely dismissing service providers.
Why is this critical? Even when you outsource a service, you’re ultimately responsible for the security of your data and could be held liable for any breaches. Although using service providers can simplify your business operations, you can run into complications quickly if you don’t have a detailed process for ensuring that data managed by third parties is secure.
Control 16. Application Software Security
This safeguard was Control 18 in the 7th version of CIS Controls.
Managing the security lifecycle of your software is essential to detecting and correcting security weaknesses. You should regularly check that you’re using only the most current versions of each application and that all the relevant patches are installed promptly.
Why is this critical? Attackers often take advantage of vulnerabilities in web-based applications and other software. Exploitation methods such as buffer overflows, SQL injection attacks, cross-site scripting and click-jacking of code can enable them to compromise your data without having to bypass network security controls and sensors.
Control 17. Incident Response Management
Incident response management was Control 19 in the 7th version of CIS Controls.
Proper incident response can be the difference between a nuisance and a catastrophe. It includes planning, role definition, training, management oversight and other measures required to help discover attacks and contain damage more effectively.
Why is this critical? Sadly, in most cases, the chance of a successful cyberattack is not “if” but “when.” Without an incident response plan, you may not discover an attack until it inflicts serious harm. With a robust incidence response plan, you may be able to eradicate the attacker’s presence and restore the integrity of the network and systems with little downtime.
Control 18. Penetration Testing
This topic was covered by Control 20 in the 7th version of CIS Controls.
This control requires you to assess the strength of your defenses by conducting regular external and internal penetration tests. Implementation of this control will enable you to identify vulnerabilities in your technology, processes and people that attackers could use to enter your network and do damage.
Why is this critical? Attackers are eager to exploit gaps in your processes, such delays in patch installation. In a complex environment where technology is constantly evolving, it is especially vital to periodically test your defenses to identify gaps and fix them before an attacker takes advantage of them.
Implementing the Controls: A Pragmatic Approach
Getting value from the CIS Critical Security Controls does not necessarily mean implementing all 18 controls simultaneously. Few organizations have the budget, human resources and time required to simultaneously implement the entire group of controls.
The following steps provide a practical guide for getting started:
- Discover your information assets and estimate their value. Perform risk assessment and think through potential attacks against your systems and data, including initial entry points, spread and damage. Develop a risk management program to guide the implementation of controls.
- Compare your current security controls to the CIS Controls. Make note of each area where no security capabilities exist or additional work is needed.
- Develop a plan for adopting the most valuable new security controls and improving the operational effectiveness of your existing controls.
- Obtain management buy-in for the plan and form line-of-business commitments for necessary financial and personnel support.
- Implement the controls. Keep an eye on trends that could introduce new risks to your organization. Measure progress in risk reduction, and communicate your findings.
Want to know more about the 18 Critical Security Controls? Visit the official website of the CIS Center for Internet Security: https://www.cisecurity.org/controls/
FAQ
What are CIS Controls?
CIS Controls are guidelines that provide organizations with a list of effective, high-priority tasks for defending against the most common and devastating cybersecurity attacks. They provide a starting point for any organization to improve its cybersecurity.
How many CIS Controls are there?
In the latest version (version 8), there are 18 CIS Controls.
Who created the CIS Controls?
The CIS Controls were created by a group of international volunteers, including cybersecurity professionals and policy makers from both government agencies and the private sector.
Why should an organization implement the CIS Controls?
One of the biggest benefits of CIS Controls is the inherent prioritization in the 18 action steps. Cybersecurity is a broad area that can be overwhelming for organizations beginning to set up a strategy. The CIS Controls list the most high-value actions you can take to protect your systems and data.
