In 2008 the United States defense industry suffered a severe data loss, which galvanized the industry to create one of the most robust cybersecurity frameworks for business, government, and institutions worldwide. The framework was later taken over by the Center for Internet Security (CIS), which created 20 controls known as the Critical Security Controls (CSC). The CIS top 20 is a guide to what every organization should do to defend itself against cyber-threats.
This post will focus on the 6 “Basic” controls. A study of the previous version of the CIS Controls found that 85% of cyber incidents can be prevented by implementing just the Basics.
Control 1 – Inventory and Control of Hardware Assets – Active management of all authorized hardware devices with network access prevents unauthorized devices from gaining access. Meeting this control requires accurate inventory records, updated tracking of hardware devices, and the correction of any problems that arise.
Why is it important? Without an accurate inventory, you can’t control and maintain assets. Security updates and patches require system-wide coverage to be effective. This is especially difficult when users are permitted to Bring Your Own Device (BYOD) to work or remotely connect to the organization’s network.
Control 2 – Inventory and Control of Software Assets – Inventory (track, analyze, correct, and delete) all software that is installed on the network to ensure that unauthorized software is not installed or executed.
Why is it important? As with the first CIS critical security control, attackers constantly scan networks for vulnerabilities, and software is no exception. Attackers will often plant applications or clickable links on the organization’s network, resulting in unauthorized software being installed or executed and data being exposed.
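Controls 1 and 2 come down to the same operation: compare what is approved against what is actually present, then act on the differences. The Python below is an added example written for this post, not code from CIS or the original article. It assumes a hardware register of approved MAC addresses checked against DHCP leases, and a software register of approved package versions checked against an endpoint agent's report; every address, lease line and package in it is constructed sample data. The software check goes slightly beyond a plain set comparison by separating "never approved" from "approved package, wrong version", since the two call for different follow-up.

```python
"""Inventory reconciliation for CIS Controls 1 and 2.
All addresses, leases and package lists below are constructed sample data."""
import re

# --- Control 1: hardware --------------------------------------------------
# Approved MAC addresses from the asset register (constructed).
AUTHORIZED_HW = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed excerpt in the style of an ISC dhcpd leases file.
LEASE_TEXT = """\
lease 10.0.0.12 { hardware ethernet 00:11:22:33:44:01; }
lease 10.0.0.13 { hardware ethernet 00:11:22:33:44:02; }
lease 10.0.0.77 { hardware ethernet de:ad:be:ef:00:99; }
"""
MAC_RE = re.compile(r"hardware ethernet ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)


def observed_macs(lease_text: str) -> set:
    """Extract the MAC of every device that currently holds a lease."""
    return {m.lower() for m in MAC_RE.findall(lease_text)}


def reconcile_hardware(authorized: set, observed: set) -> dict:
    """Devices on the wire that nobody approved, and approved devices not seen
    (retired, or just offline) that the register should still account for."""
    return {"unauthorized": observed - authorized, "missing": authorized - observed}


# --- Control 2: software --------------------------------------------------
# Approved (package, version) pairs and what an endpoint agent reported as
# installed (constructed values).
AUTHORIZED_SW = {("openssh-server", "9.3"), ("nginx", "1.24")}
OBSERVED_SW = {("openssh-server", "9.3"), ("nginx", "1.25"), ("torrent-client", "3.1")}


def reconcile_software(authorized: set, observed: set) -> dict:
    """Three buckets: packages never approved, approved packages running an
    unapproved version (drift), and approved packages no longer present."""
    approved = dict(authorized)          # name -> approved version
    unauthorized, drift = set(), {}
    for name, version in observed:
        if name not in approved:
            unauthorized.add((name, version))
        elif approved[name] != version:
            drift[name] = {"approved": approved[name], "installed": version}
    missing = set(approved) - {name for name, _ in observed}
    return {"unauthorized": unauthorized, "drift": drift, "missing": missing}


def hardware_report() -> dict:
    return reconcile_hardware(AUTHORIZED_HW, observed_macs(LEASE_TEXT))


def software_report() -> dict:
    return reconcile_software(AUTHORIZED_SW, OBSERVED_SW)


if __name__ == "__main__":
    print("hardware:", hardware_report())
    print("software:", software_report())
```

In practice the "observed" side would be fed from several sources (DHCP, switch MAC tables, the EDR agent, a package manager) so that a device or package which evades one source still shows up in another; the reconciliation logic stays the same.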
Control 3 – Continuous Vulnerability Management – Continuous identification of weaknesses and security vulnerabilities for remediation. The focus of control 3 is to be aware of current cybersecurity vulnerabilities to address them promptly.
Why is it important? Organizations are required to show proactive measures that minimize their exposure to risk and attacks, both for their shareholders and for regulatory compliance, because known vulnerabilities are commonly used by attackers to gain access to the network.
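"Continuous" vulnerability management means more than running a scanner: each finding has to be matched against what is actually installed and given a remediation deadline that reflects its severity. The following Python is an added example for this post, not code from CIS or the original article. It assumes a per-host list of installed package versions and a list of advisories with a "fixed in" version and a CVSS score; the advisory identifiers, versions and scores are constructed placeholders, not real advisories.

```python
"""Match installed software against advisories and assign remediation
deadlines by severity (CIS Control 3). All data below is constructed."""
from datetime import date, timedelta

# Constructed advisories; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "nginx", "fixed_in": "1.25.1", "cvss": 9.8},
    {"id": "ADV-EXAMPLE-002", "package": "openssh-server", "fixed_in": "9.4", "cvss": 5.3},
    {"id": "ADV-EXAMPLE-003", "package": "curl", "fixed_in": "8.4.0", "cvss": 7.5},
]

# Constructed inventory: host -> {package: installed version}.
INSTALLED = {
    "web-01": {"nginx": "1.24.0", "curl": "8.4.0"},
    "bastion-01": {"openssh-server": "9.3", "curl": "8.2.1"},
}

# Remediation SLA (days) by minimum CVSS score; a constructed policy.
SLA_DAYS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]


def parse_version(v: str) -> tuple:
    """Dotted numeric version -> tuple so that 1.24.0 < 1.25.1 compares correctly."""
    return tuple(int(part) for part in v.split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def remediation_days(cvss: float) -> int:
    for threshold, days in SLA_DAYS:
        if cvss >= threshold:
            return days
    return SLA_DAYS[-1][1]


def findings(today: date = date(2024, 1, 1)) -> list:
    """One record per (host, advisory) pair that still needs patching,
    highest severity first, each with a due date derived from the SLA."""
    out = []
    for host, packages in INSTALLED.items():
        for adv in ADVISORIES:
            version = packages.get(adv["package"])
            if version and is_vulnerable(version, adv["fixed_in"]):
                out.append({
                    "host": host, "advisory": adv["id"], "package": adv["package"],
                    "installed": version, "fixed_in": adv["fixed_in"],
                    "cvss": adv["cvss"],
                    "due": today + timedelta(days=remediation_days(adv["cvss"])),
                })
    out.sort(key=lambda f: (-f["cvss"], f["host"]))
    return out


if __name__ == "__main__":
    for f in findings():
        print(f"{f['host']:<12} {f['advisory']:<16} {f['package']} {f['installed']} "
              f"-> {f['fixed_in']}  cvss={f['cvss']}  due={f['due']}")
```

Running the report on a schedule and diffing it against the previous run is what turns a one-off scan into the continuous process the control asks for: new rows are new exposure, rows that disappear are confirmed remediation, and rows past their due date are the ones to escalate.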
Control 4 – Controlled Use of Administrative Privileges – Track and manage (review and confirm or remove) who holds administrative privileges, i.e. the privileges that allow a user to grant other users access to the network, install or execute programs, and so on.
Why is it important? Incorrect use or abuse of admin privileges can allow unauthorized access to sensitive data. Attackers that obtain admin privileges through social engineering can lock any user out of the network, install malware, spyware, or keyloggers.
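The recurring review that Control 4 calls for is easy to script once the directory can be exported. The Python below is an added example for this post, not code from CIS or the original article. It assumes an approved administrator roster kept by the security team and a snapshot of the admin group with each member's last login, MFA status and whether the account is shared; all names and dates are constructed.

```python
"""Periodic review of administrative accounts (CIS Control 4).
The roster and directory snapshot below are constructed sample data."""
from datetime import date

# Names the security team has formally approved for admin rights (constructed).
APPROVED_ADMINS = {"alice", "bob"}

# Constructed snapshot of the directory's admin group.
ADMIN_GROUP = [
    {"user": "alice", "last_login": "2024-05-01", "mfa": True, "shared": False},
    {"user": "bob", "last_login": "2023-11-20", "mfa": True, "shared": False},
    {"user": "svc-backup", "last_login": "2024-05-02", "mfa": False, "shared": True},
    {"user": "carol", "last_login": "2024-04-30", "mfa": False, "shared": False},
]


def review(entries: list, approved: set, today: date, stale_days: int = 90) -> dict:
    """Return {user: [issues]} for every admin account that fails a check.
    An empty dict means the group matches policy."""
    problems = {}
    for entry in entries:
        issues = []
        if entry["user"] not in approved:
            issues.append("not on approved roster")      # privilege creep / leftover
        if not entry["mfa"]:
            issues.append("no MFA")                        # phishing of a password is enough
        if entry["shared"]:
            issues.append("shared account")                # no individual accountability
        age = (today - date.fromisoformat(entry["last_login"])).days
        if age > stale_days:
            issues.append(f"stale ({age} days since last login)")
        if issues:
            problems[entry["user"]] = issues
    return problems


def admin_review(today: date = date(2024, 5, 3)) -> dict:
    return review(ADMIN_GROUP, APPROVED_ADMINS, today)


if __name__ == "__main__":
    for user, issues in admin_review().items():
        print(f"{user}: {', '.join(issues)}")
```

Each issue maps to a concrete action: remove the account from the group, enforce MFA, replace the shared account with named ones, or disable the stale one. Keeping the roster in version control gives the review an audit trail of who approved each admin and when.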
Control 5 – Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers – Tracking, reporting, and correction of the security configurations for all hardware and software on mobile devices, workstations, and servers.
Why is it important? Hardware and software are typically configured for ease of installation with standard admin login credentials and no security settings deployed. The integration of new hardware and software requires a review of the controls to ensure the implementation meets any compliance requirements and cybersecurity best practices.
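A configuration baseline is only useful if something checks systems against it. The Python below is an added example for this post, not code from CIS or the original article. It audits an SSH server configuration against a small baseline, showing the ease-of-installation style file beside its hardened counterpart; the option names are real sshd_config keywords, but the baseline values and both sample files are constructed for illustration, and a missing option is treated as a deviation because the daemon's default then applies silently.

```python
"""Baseline check for a service configuration (CIS Control 5).
The baseline and both config samples are constructed for this example."""

# Expected settings (constructed policy). A key absent from a config falls
# back to the daemon's default, which the audit reports as a deviation so
# the value gets set explicitly.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Configured for ease of installation: remote root, passwords, defaults (constructed).
WEAK_CONFIG = """\
# sshd_config as shipped
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
MaxAuthTries 6
"""

# The same file after applying the baseline (constructed).
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""


def parse_config(text: str) -> dict:
    """Keyword/value lines; comments and blanks are ignored. The first
    occurrence of a keyword wins, matching sshd's own first-match rule."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings.setdefault(key, value.strip())
    return settings


def audit(text: str, baseline: dict = BASELINE) -> list:
    """Return (key, expected, actual) for every baseline item not satisfied."""
    actual = parse_config(text)
    return [(key, expected, actual.get(key, "<unset: daemon default applies>"))
            for key, expected in baseline.items() if actual.get(key) != expected]


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        deviations = audit(cfg)
        print(f"{name}: {len(deviations)} deviation(s)")
        for key, expected, actual in deviations:
            print(f"  {key}: expected {expected!r}, found {actual!r}")
```

The same shape (baseline as data, parser for the format, list of deviations) carries over to other platforms; the point of Control 5 is that the audit runs against every newly integrated system and again whenever the baseline changes, not once at deployment.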
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs – Maintaining a detailed account of all events that occur on a network. Analysis of logs can help identify where a breach may have started and the extent to which a system has been compromised.
Why is it important? Undetected attackers can remain on the network long enough to deploy malware, viruses, and scripts and to obtain copies of data to blackmail the organization and/or sell on the Dark Web. Suppose logs are not available to prove that data has not been accessed during an incident. In that case, you must assume that it has, resulting in requirements to report the incident and additional remediation steps.
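Collecting logs satisfies the "maintenance" half of Control 6; the "analysis" half is where the undetected attacker gets noticed. The Python below is an added example for this post, not code from CIS or the original article. It runs two simple detections over a handful of constructed sshd log lines (the hosts, users and addresses are made up; the IPs come from documentation ranges): a burst of failed logins from one source inside a short window, and a successful login from a source that had just been failing, which is the pattern that matters most during an incident review.

```python
"""Detection over authentication logs (CIS Control 6).
The log excerpt below is constructed sample data in sshd's syslog format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
Jan 10 08:00:01 bastion sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Jan 10 08:00:03 bastion sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Jan 10 08:00:05 bastion sshd[2003]: Failed password for root from 203.0.113.5 port 50124 ssh2
Jan 10 08:00:07 bastion sshd[2004]: Failed password for root from 203.0.113.5 port 50125 ssh2
Jan 10 08:00:09 bastion sshd[2005]: Failed password for root from 203.0.113.5 port 50126 ssh2
Jan 10 08:00:12 bastion sshd[2006]: Accepted password for deploy from 203.0.113.5 port 50127 ssh2
Jan 10 08:15:00 bastion sshd[2010]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Jan 10 08:20:00 bastion sshd[2011]: Failed password for alice from 198.51.100.7 port 40001 ssh2
"""

# timestamp, outcome, user (with the "invalid user" prefix dropped), source address
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) \S+ for "
    r"(?:invalid user )?(\S+) from (\S+)"
)


def parse(log_text: str) -> list:
    """Return (timestamp, outcome, user, src) tuples in time order.
    Syslog lines carry no year, so strptime defaults it; deltas still work."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return sorted(events)


def analyze(log_text: str, threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> list:
    """Two detections: >= threshold failures from one source within the window
    (password guessing), and a success from a source with recent failures."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged, alerts = set(), []
    for ts, outcome, user, src in parse(log_text):
        # keep only failures inside the sliding window for this source
        failures[src] = [t for t in failures[src] if ts - t <= window]
        if outcome == "Failed":
            failures[src].append(ts)
            if len(failures[src]) >= threshold and src not in flagged:
                alerts.append(f"brute-force: {len(failures[src])} failures from {src} "
                              f"within {window.seconds}s")
                flagged.add(src)
        elif failures[src]:
            alerts.append(f"success-after-failures: {user} from {src} accepted after "
                          f"{len(failures[src])} failed attempts")
    return alerts


def sample_alerts() -> list:
    return analyze(LOG)


if __name__ == "__main__":
    for alert in sample_alerts():
        print(alert)
```

The single failure from 198.51.100.7 produces nothing, which is the point of thresholds: the goal is a short list an analyst will actually read. Retention matters as much as detection here; if the log for the window in question has already rolled over, the organization is back to assuming the data was accessed.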
While the Basic controls don’t change, every customer’s environment differs in the data that needs to be protected, the controls and processes already in place, and risk tolerance. An assessment using the CIS 20 can provide invaluable insight into how to implement these controls effectively and reduce risk.