
WHAT ARE THE 20 CIS CRITICAL SECURITY CONTROLS?

Basic CIS Controls

The first group of CIS critical security controls is known as the basic controls. The wider cybersecurity community often refers to these controls as “cyber hygiene” as it is something that should be done continuously and as a practice of maintaining the organization’s cyber-health.

  • 1. Inventory and Control of Hardware Assets
  • 2. Inventory and Control of Software Assets
  • 3. Continuous Vulnerability Management
  • 4. Controlled Use of Administrative Privileges
  • 5. Secure Configuration for Hardware and Software
  • 6. Maintenance, Monitoring, and Analysis of Audit Logs
  • 7. Email and Web Browser Protections
  • 8. Malware Defense
  • 9. Limitation and Control of Network Ports, Protocols, and Services
  • 10. Data Recovery Capability
  • 11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  • 12. Boundary Defense
  • 13. Data Protection
  • 14. Controlled Access Based on a Need To Know
  • 15. Wireless Access Control
  • 16. Account Monitoring and Control
  • 17. Implement a Security Awareness and Training Program
  • 18. Application Software Security
  • 19. Incident Response and Management
  • 20. Penetration Tests and Red Team Exercises

1. Inventory and Control of Hardware Assets

What is it?:

This CIS critical security control requires active management of all authorized hardware devices with network access to prevent unauthorized devices from gaining access. Active management requires accurate inventory records, updated tracking of hardware devices, and the correction of any problems that arise.

Why is it important?:

Without an accurate inventory, it is impossible to control and maintain the security of an organization’s hardware assets. Security updates and patches require system-wide coverage to be effective, and that coverage is especially hard to achieve where personnel are permitted to Bring Your Own Device (BYOD) to work or to connect remotely to the organization’s network. BYOD devices may already be compromised when they join the network, a problem that applies to any hardware device that does not yet appear on the organization’s official inventory.

Tools and Procedures:

  • Discovery tools (Internet Control Message Protocol, ICMP)
  • Transmission Control Protocol (TCP)
  • Synchronize or Acknowledge Packets (SYN, ACK)
  • Asset discovery tools
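As an added illustration of the inventory reconciliation this control calls for (example code, not from the original page), the script below parses a constructed discovery-sweep listing and compares it with a constructed authorized inventory, flagging devices that are not on the inventory, known devices whose hostname differs from the record, and inventory entries the sweep did not see:

```python
"""Reconcile a discovery sweep with the authorized hardware inventory (added example)."""
from dataclasses import dataclass

# Constructed sweep output in the shape "ip mac hostname" ("-" if no name resolved),
# as an ICMP / TCP SYN-ACK discovery tool might report it.
SCAN_OUTPUT = """\
10.0.1.10 00:11:22:33:44:01 fileserver01
10.0.1.11 00:11:22:33:44:02 printer-2f
10.0.1.57 aa:bb:cc:dd:ee:99 android-7c3f
10.0.1.58 AA:BB:CC:DD:EE:42 -
"""

# Constructed authorized inventory keyed by MAC: owner and expected hostname.
AUTHORIZED = {
    "00:11:22:33:44:01": ("IT", "fileserver01"),
    "00:11:22:33:44:02": ("Facilities", "printer-2f"),
    "00:11:22:33:44:03": ("IT", "switch-core"),  # listed, but not seen in this sweep
}

@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    hostname: str

def parse_scan(text):
    """Turn sweep lines into Device records; MACs are lower-cased for comparison."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ip, mac, host = parts[0], parts[1].lower(), parts[2]
        devices.append(Device(ip, mac, "" if host == "-" else host))
    return devices

def reconcile(devices, authorized):
    """Return (unauthorized devices, hostname mismatches, inventory MACs not seen)."""
    seen = set()
    unauthorized, mismatched = [], []
    for dev in devices:
        seen.add(dev.mac)
        if dev.mac not in authorized:
            unauthorized.append(dev)          # on the network, not in the inventory
        elif authorized[dev.mac][1] != dev.hostname:
            mismatched.append(dev)            # known MAC, unexpected name: investigate
    missing = sorted(set(authorized) - seen)  # inventory record is stale or host is down
    return unauthorized, mismatched, missing

if __name__ == "__main__":
    unauth, mism, miss = reconcile(parse_scan(SCAN_OUTPUT), AUTHORIZED)
    for dev in unauth:
        print(f"UNAUTHORIZED {dev.ip} {dev.mac} {dev.hostname or '(no name)'}")
    for dev in mism:
        print(f"MISMATCH     {dev.ip} {dev.mac} expected {AUTHORIZED[dev.mac][1]}")
    for mac in miss:
        print(f"NOT SEEN     {mac} {AUTHORIZED[mac][1]}")
```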

2. Inventory and Control of Software Assets

What is it?:

This CIS critical security control, similar to the first, requires the organization to inventory (track, analyze, correct, and delete) all software that is installed on the network. This is to ensure that unauthorized software is not installed or executed.

Why is it important?:

As with the first CIS critical security control, attackers are constantly scanning networks for vulnerabilities, and software is no exception. Attackers will often plant applications or clickable links on the organization’s network to bait victims into executing them. The result of such actions can be unauthorized software being installed or executed, with a knock-on effect throughout the network.

Tools and Procedures:

  • Security Information and Event Management (SIEM) software
  • Software Inventory Tools (whitelisting tools and policies)
  • Intrusion Detection Systems (IDS)
  • Anti-malware, Anti-virus, Anti-spyware (many have built-in inventory tools).

3. Continuous Vulnerability Management

What is it?:

Managing security vulnerabilities has one main objective: to stop attackers from gaining access to the organization’s network. In reality this requires the continuous identification of weaknesses and security vulnerabilities and their effective remediation. The focus in CIS critical security control 3 is on information, specifically the gaining of current information and the active response to new information about cybersecurity vulnerabilities.

Why is it important?:

Cyber threats and emergent security vulnerabilities are a daily occurrence and organizations are required to show proactive measures that minimize their exposure to risk and attacks — both for their shareholders and regulatory compliance. Bad actors within and outside the organization have the same access to information about security vulnerabilities, sometimes even before the organization itself.

Tools and Procedures:

  • Incident response plans (IRP)
  • SIEM
  • Discovery and Identification Tools

4. Controlled Use of Administrative Privileges

What is it?:

This CIS critical security control requires that the organization tracks and manages (analyzes, corrects, remediates, or deletes) who holds administrative privileges (admin privileges). Admin privileges essentially give a user the power to make any change on the network, from granting other users access to installing or executing programs.

Why is it important?:

Controlling the use and distribution of admin privileges is necessary because abuse of admin privileges can have long-lasting detrimental effects. Attackers who have somehow acquired admin privileges, possibly through social engineering or spoofing, can lock any user out of the network and install whatever they please (such as malware, spyware, or keyloggers). Without proper safeguards, admin privileges essentially give them complete control over the entire system.

Tools and Procedures:

  • Operating systems with built-in tools for listing administrative accounts.
  • Admin accounts should have restricted browsing capabilities.
  • A detection system that can report when an administrative privilege has been added or removed.
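An added example (not from the original page) of the last bullet: the script parses constructed auth.log lines modelled on the messages usermod and gpasswd write, and reports every change to membership of a privileged group so that it can be alerted on. The group list and log lines are assumptions for the illustration.

```python
"""Report changes to privileged group membership from auth.log lines (added example)."""
import re
from collections import namedtuple

# Groups whose membership grants administrative power; extend to match local policy.
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "docker"}

# Constructed sample lines modelled on the messages shadow-utils (usermod, gpasswd)
# write to auth.log; they were not captured from a real host.
SAMPLE_LOG = """\
Mar  3 09:12:01 web01 usermod[2310]: add 'alice' to group 'sudo'
Mar  3 09:12:01 web01 usermod[2310]: add 'alice' to shadow group 'sudo'
Mar  3 09:15:44 web01 gpasswd[2399]: user bob added by root to group docker
Mar  3 09:20:10 web01 usermod[2450]: add 'carol' to group 'audio'
Mar  3 11:02:33 web01 gpasswd[3101]: user alice removed by root from group sudo
Mar  3 11:05:00 web01 sshd[3200]: Accepted publickey for dave from 10.0.0.5 port 51000 ssh2
"""

Event = namedtuple("Event", "timestamp host user group action")

PREFIX_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ")
# usermod logs "add 'user' to group 'grp'" (its "shadow group" twin is skipped on purpose)
USERMOD_RE = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
# gpasswd logs "user X added by Y to group Z" / "user X removed by Y from group Z"
GPASSWD_RE = re.compile(
    r"gpasswd\[\d+\]: user (\S+) (added|removed) by \S+ (?:to|from) group (\S+)"
)

def parse_events(text):
    """Extract group-membership changes; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        prefix = PREFIX_RE.match(line)
        if not prefix:
            continue
        stamp, host = prefix.groups()
        m = USERMOD_RE.search(line)
        if m:
            events.append(Event(stamp, host, m.group(1), m.group(2), "added"))
            continue
        m = GPASSWD_RE.search(line)
        if m:
            events.append(Event(stamp, host, m.group(1), m.group(3), m.group(2)))
    return events

def privileged_changes(events, privileged=PRIVILEGED_GROUPS):
    """Keep only changes that touch a privileged group; these deserve an alert."""
    return [e for e in events if e.group in privileged]

if __name__ == "__main__":
    for e in privileged_changes(parse_events(SAMPLE_LOG)):
        print(f"{e.timestamp} {e.host}: {e.user} {e.action} {e.group}")
```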

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

What is it?:

This control manages cybersecurity through stringent change-management and configuration protocols for hardware and software. It specifies the rigorous tracking, reporting, and correction of the security configuration of all hardware and software on mobile devices, laptops, workstations, and servers.

Why is it important?:

Out of the box, hardware and software are usually configured to make installation and initial operation easy for the user. In practice, this means that security settings are at their weakest, and bad actors and attackers exploit these well-known vulnerabilities. Integrating new hardware and software into an organization’s systems is a process that requires high-level security configuration expertise.

Tools and Procedures:

  • A documented policy defining the standard security configuration for all authorized devices.
  • Security Content Automation Protocol (SCAP)

6. Maintenance, Monitoring, and Analysis of Audit Logs

What is it?:

This control is relatively straightforward: it requires organizations to maintain a detailed record of all events that happen on the network. This record is invaluable in the event of a breach, since analysis of the logs can identify where a breach started and the extent to which a system has been compromised.

Why is it important?:

If the organization does not maintain even basic logs, an attacker can remain undetected on the network indefinitely. Undetected attackers can deploy a whole host of undesirables such as malware, viruses, and scripts. In some cases, logs are the only evidence that a breach occurred at all.

Tools and Procedures:

  • Firewalls and anti-spyware/anti-malware with built-in logging capabilities
  • Logging should be active wherever possible, with active analysis and management.
  • SIEM software

Foundational CIS Controls

The foundational CIS critical security controls are numbered 7 to 15. These controls are more technical than the basic controls and involve more specific measures.

7. Email and Web Browser Protections

What is it?:

CIS critical security control 7 requires enhanced protection for email and web browser activity to minimize the risk of manipulation of personnel by attackers.

Why is it important?:

Social engineering through direct contact with users is one of the most common points of entry for bad actors seeking to exploit an organization’s security vulnerabilities. Another very common exploit is the injection or activation of malicious code delivered through clickable links or malicious websites.

Tools and Procedures:

  • Only authorized and fully supported web browsers are permitted.
  • Implement a Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification.
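An added example (not part of the original page) of checking the second bullet: it parses constructed records in DMARC syntax and reports whether the policy actually enforces (p=quarantine or p=reject applied to 100% of failing mail) and whether aggregate reporting (rua=) is configured. A live check would look up the _dmarc.<domain> TXT record in DNS; the domains below are placeholders.

```python
"""Assess whether a DMARC record enforces policy and collects reports (added example)."""

# Constructed records in DMARC syntax; example.com is a placeholder, not a real lookup.
RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "enforced-no-reports": "v=DMARC1; p=reject",
    "not-dmarc": "v=spf1 -all",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return a verdict dict: valid, enforcing, policy, and human-readable findings."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"valid": False, "enforcing": False, "policy": None,
                "findings": ["not a DMARC record (missing v=DMARC1)"]}
    findings = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not numeric; treating the policy as not applied")
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is filed as spam, not refused")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains remain spoofable")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"valid": True, "enforcing": enforcing, "policy": policy, "findings": findings}

if __name__ == "__main__":
    for name, record in RECORDS.items():
        verdict = assess_dmarc(record)
        print(f"{name}: enforcing={verdict['enforcing']}", *verdict["findings"], sep="\n  ")
```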

8. Malware Defense

What is it?:

The organization should control and manage the spread and execution of malware by using protection wherever applicable. The use of automated processes that actively scan, remove threats, and correct or update defenses is encouraged.

Why is it important?:

This is another CIS critical security control that is pretty straightforward: any network is best when malware-free. Malware is a favorite tool of the attacker because it is relatively easy to deploy on unsecured networks and runs autonomously. In essence, it is a fire-and-forget missile that can create massive disruption.

Tools and Procedures:

  • Anti-malware software
  • Anti-spyware software
  • Anti-virus software
  • Intrusion Detection Systems (IDS)

10. Data Recovery Capability

What is it?:

This CIS critical security control requires that the organization has a process and proven methodology in place for the timely back-up and recovery of critical information.

Why is it important?:

When attackers successfully infiltrate a system, they will most likely make changes to the system’s configuration, software, or data. These changes, subtle or significant, jeopardize the organization’s effectiveness. Without an effective backup and recovery tool, it can be very difficult for an organization to restore itself to adequate working order.

Tools and Procedures:

  • Utilizing imaging software for complete system backup
  • Regularly run backup processes

11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

What is it?:

CSC 11 pertains to the protection of network infrastructure devices through the active management of their security configuration via the tracking and reporting of vulnerabilities and their effective correction.

Why is it important?:

Any compromise to the security of the network’s infrastructure is a serious issue since it allows attackers to access sensitive data, redirect traffic flows, and even undermine many other systems through long-term undetected access to the network.

Tools and Procedures:

  • Compare device security configurations against approved standards
  • Employ multi-factor authentication for managed network devices
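As an added example for the first bullet here, and for the documented standard configuration under control 5 (not code from the original page), the script compares a constructed running-config excerpt with a constructed baseline of required and forbidden settings. The CLI syntax is illustrative and the baseline is an assumption, not a vendor or CIS benchmark reference.

```python
"""Check a device configuration against an approved baseline (added example)."""

# Constructed baseline. Lines are compared after whitespace normalization;
# the CLI syntax is illustrative and not taken from any vendor's reference.
BASELINE = {
    "required": [                      # must appear verbatim in the running config
        "service password-encryption",
        "no ip http server",
        "ip ssh version 2",
        "logging host 10.0.0.50",
        "aaa new-model",
    ],
    "forbidden_prefixes": [            # any line starting with these is a violation
        "snmp-server community public",
        "snmp-server community private",
        "enable password ",             # cleartext enable password; use a hashed secret
    ],
}

# Constructed running-config excerpt for a router that drifted from the baseline.
SAMPLE_CONFIG = """\
! constructed excerpt, not a real device
hostname   edge-rtr-01
service password-encryption
enable password weakpass
ip http server
ip ssh version 2
snmp-server community public RO
logging host 10.0.0.50
"""

def normalize(config_text):
    """Drop comments and blank lines, collapse runs of whitespace."""
    lines = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            lines.append(line)
    return lines

def check_config(config_text, baseline):
    """Return missing required lines, forbidden lines found, and an overall verdict."""
    lines = normalize(config_text)
    present = set(lines)
    missing = [req for req in baseline["required"] if req not in present]
    violations = [line for line in lines
                  if any(line.startswith(p) for p in baseline["forbidden_prefixes"])]
    return {"missing": missing, "violations": violations,
            "compliant": not missing and not violations}

if __name__ == "__main__":
    result = check_config(SAMPLE_CONFIG, BASELINE)
    for line in result["missing"]:
        print("MISSING   ", line)
    for line in result["violations"]:
        print("FORBIDDEN ", line)
    print("compliant:", result["compliant"])
```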

12. Boundary Defense

What is it?:

This CIS critical security control requires the detection, prevention, and correction of sensitive information flows between networks of differing trust levels.

Why is it important?:

Attackers will try to exploit a weakness in any part of the network, and perimeter systems are a potential attack vector. As businesses become more interconnected, the perimeter between networks becomes blurred. A perimeter attack could compromise not only your network but possibly that of a business partner or sister network as well. These are referred to as extranet networks: any device that is connected to your network creates an extranet environment, including the wider business network.

Tools and Procedures:

  • Build upon the controls outlined in CSC 9.
  • Create internal network segmentation to limit an intruder’s access.
  • Deploy packet sniffers at boundary points.
  • An IDS tailored to boundary defense.

13. Data Protection

What is it?:

The protection of data, especially sensitive data, requires processes and tools designed specifically for that purpose. Data should be categorized according to its level of sensitivity and the corresponding level of protection applied, including encryption to minimize the impact where data has been exfiltrated.

Why is it important?:

Organizations often apply the same level of protection to all their data, regardless of its importance or sensitivity. This is an obvious vulnerability, especially when dealing with bad actors already inside the network or organization. An easy way to understand the need for categorizing and better protecting sensitive data is to ask a simple question: what would the impact be of a breach (or loss) of this specific information?

Tools and Procedures:

  • Automated tools that can detect the transfer of sensitive data.

14. Controlled Access Based on a Need To Know

What is it?:

This CIS critical security control requires organizations to restrict access to critical assets and information to personnel based on the trust level of individuals within the organization (approved classification), so that only those who need access to a given asset or piece of information have it.

Why is it important?:

If assets and information within an organization are encrypted with the idea that only valid personnel have access to it, then in an event of a breach it is rendered useless to the attacker. Access becomes virtually impossible (or at the least impractical).

Tools and Procedures:

  • Commercial/Enterprise tools that can support organizational encryption (multi-level)
  • Define life cycle of process and roles of key management as a part of security policy

15. Wireless Access Control

What is it?:

Wireless local area networks (WLANs), wireless client systems, and access points must be actively managed through processes and procedures which track, control, detect and prevent malicious activity.

Why is it important?:

By their nature, wireless devices allow remote access and provide an attractive entry point for attackers and bad actors. The ability of an organization’s mobile devices to connect to unsecured, publicly accessible Wi-Fi is a major security issue and one that highlights the need for actively managed wireless access controls.

Tools and Procedures:

  • Utilize Advanced Encryption Standard (AES) to encrypt data packets over the wireless connection

16. Account Monitoring and Control

What is it?:

This control outlines the need for systematic management of account life cycles: inactive accounts are deleted or marked dormant, and the creation of new accounts is closely monitored and tracked.

Why is it important?:

As with many of the other critical security controls, the concern is that attackers are always scanning for potential attack vectors. Mismanagement of account life cycles can allow attackers to exploit inactive or dormant accounts and gain access to critical information, which can then lead to full system access. Having taken over an inactive account, the attacker can impersonate a legitimate user and trick other users into giving up data or critical information.

Tools and Procedures:

  • Ensure that contractor accounts/terminated employee accounts are properly deleted.
  • Employ a policy for accounts management and lifecycle.
  • Employ multi-factor authentication for all accounts on the network.
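An added example (not from the original page) of the account life-cycle review this control describes: it walks a constructed account export and flags terminated owners, contractor accounts past their contract end, accounts that have never logged in, and accounts dormant for more than 90 days. The 90-day threshold, the reference date and the export format are assumptions for the illustration.

```python
"""Flag accounts whose life cycle has lapsed: terminated, expired, unused, dormant (added example)."""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)            # fixed reference date so the output is reproducible
DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold for disabling an idle account

# Constructed account export, as an IAM or directory dump might provide it.
ACCOUNTS = [
    {"user": "alice", "kind": "employee", "last_login": "2024-05-28", "terminated": False},
    {"user": "bob.contractor", "kind": "contractor", "last_login": "2024-01-15",
     "terminated": False, "contract_end": "2024-02-29"},
    {"user": "carol", "kind": "employee", "last_login": "2023-11-02", "terminated": True},
    {"user": "svc-backup", "kind": "service", "last_login": None, "terminated": False},
    {"user": "dave", "kind": "employee", "last_login": "2024-02-10", "terminated": False},
]

def review_accounts(accounts, today=TODAY, dormant_after=DORMANT_AFTER):
    """Return (user, recommendation) pairs; accounts with no finding are omitted."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if acct["terminated"]:
            findings.append((user, "disable: owner terminated"))
            continue
        end = acct.get("contract_end")
        if end and date.fromisoformat(end) < today:
            findings.append((user, "disable: contract ended"))
            continue
        if acct["last_login"] is None:
            findings.append((user, "review: never logged in"))
            continue
        idle = today - date.fromisoformat(acct["last_login"])
        if idle > dormant_after:
            findings.append((user, f"disable: dormant {idle.days} days"))
    return findings

if __name__ == "__main__":
    for user, action in review_accounts(ACCOUNTS):
        print(f"{user:16} {action}")
```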

Organizational Controls

The organizational controls consist of the last four CIS critical security controls. This group is focused on the strategic implementation of cybersecurity by design, intended to create a culture of cybersecurity within the organization.

17. Implement a Security Awareness and Training Program

What is it?:

CSC 17 addresses the often overlooked role of personnel in improving organizational security through ongoing awareness of security issues and training in security vulnerabilities. This is especially relevant for business-critical roles and for personnel in technical roles with root-level or development access.

Why is it important?:

Organizations often label cybersecurity as an ‘IT’ issue and this creates a significant lack of awareness and understanding of the threats posed to critical infrastructure and the effective functioning of the organization, including regulatory compliance.

Tools and Procedures:

  • Skill gap analysis (identify the overall skill of the workforce).
  • Employ staff training in cyber awareness.

18. Application Software Security

What is it?:

This control point requires that organizations actively manage the security standards of in-house developments and acquired software. This is so the organization can correct, prevent, and track security weaknesses.

Why is it important?:

Without a security standard, such as a security-conscious coding ethic or policy, attackers can exploit weaknesses in in-house developments. Badly written code, coding mistakes, and logic errors can all be exploited by attackers. Missing input limits, poor memory management, and failure to test for unexpected input strings are some examples of errors that could be exploited.

Tools and Procedures:

  • Foster secure coding practice for in-house developments (through policy and training).
  • Use analytical tools that can verify security practices are being implemented properly.

19. Incident Response and Management

What is it?:

Reputation and data protection are addressed in CSC 19 through the development and implementation of an effective incident response infrastructure which includes all the elements needed to quickly and efficiently detect, respond to, mitigate and eliminate attacks.

Why is it important?:

Most data protection regulation requires the organization to have incident response infrastructure in place in preparation for an inevitable attack. Shareholders also expect brand protection through reputation management, and data breaches, especially those arising from poor or lax cybersecurity standards, tend to draw much negative publicity.

Tools and Procedures:

  • Have a written document outlining the process (response and recovery).

20. Penetration Tests and Red Team Exercises

What is it?:

The final CSC is the practical testing of all previous 19 CIS critical security controls. With penetration testing (pen testing) the organization can simulate an attack on the network. This way they can see if there are still vulnerabilities that can be exploited.

Why is it important?:

A pen test is like submerging an inflatable in a bathtub of water: if there are any holes, bubbles will start to form at the puncture point. A pen test shows the organization where the holes, in this case vulnerabilities, are. This control point also tests the overall resilience of the organization’s cybersecurity architecture.

Tools and Procedures:

  • It is best to ensure all previous controls are implemented before conducting a pen test.
  • Utilize testbeds, like a sandbox, to deploy potentially hazardous programs in a safe environment.