Are you troubled about the security of your organisation’s data and systems? Cyber threats are becoming more sophisticated daily, and a robust cyber security posture is more important than ever. The consequences of cyber attacks can be disastrous, from data breaches to financial losses and damage to your organisation’s reputation. The good news is that a proven framework, the CIS Critical Security Controls, can help you protect your organisation against these threats.
This framework provides a set of prioritised actions organisations can take to improve their security posture and reduce their risk of cyber attacks. So, keep reading to learn more about this essential framework and how it can benefit your organisation’s data and systems against cyber threats.
What is CIS?
The CIS Critical Security Controls are prioritised security measures designed to improve an organisation’s cyber security posture and protect against cyber attacks. The controls were developed by the Center for Internet Security (CIS), a nonprofit organisation that specialises in cyber security best practices and solutions.
The CIS Critical Security Controls are based on real-world threats and attacks and are continuously updated to reflect changes in the threat landscape. The controls cover a range of security measures, from basic cyber hygiene practices to advanced threat detection and response capabilities.
The CIS security controls are divided into three categories:
- Basic Controls
- Foundational Controls
- Organisational Controls
a) Basic CIS Controls
The initial group of CIS critical security controls is the basic controls. The broader cyber security community also calls these controls cyber hygiene, because they are practices that must be carried out continuously to maintain an organisation’s cyber health. They include the following:
1. Inventory and Control of Enterprise Assets
This control requires active management of all authorised enterprise devices (end-user devices such as mobile devices, network devices, servers and IoT devices) connected to an organisation’s infrastructure physically, virtually, remotely and within cloud environments. Its protection requirements include preventing unauthorised devices from gaining access and proactive asset management: accurate inventory records, up-to-date hardware device tracking, and correction of any discrepancies that arise.
Why Is It Important?
It is impossible to manage and maintain the security of an organisation’s enterprise assets without an accurate inventory. Security updates and patches require system-wide coverage to be successful, which is notably compromised when employees are authorised to Bring Your Own Device (BYOD) to work or remotely connect to the organisation’s network.
When they join the network, BYODs may already be compromised, a problem that affects hardware devices that do not yet appear on an organisation’s official inventory.
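The reconciliation this control asks for, as an added example rather than code from the original post: a discovery scan (what is actually on the network) is compared against the authorised inventory, producing the three lists an asset owner has to act on. The inventory, the scan results and the 90-day re-verification window are all constructed assumptions; a real run would pull the two sides from the CMDB and from DHCP leases or an ARP sweep.

```python
"""Reconcile a network discovery scan against the authorised asset inventory.

Added example, not from the original post. The inventory and scan results
below are constructed samples standing in for a CMDB export and a DHCP
lease / ARP sweep; the 90-day re-verification window is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date


# Constructed authorised inventory: MAC address -> (asset name, last verified)
AUTHORISED = {
    "aa:bb:cc:00:00:01": ("finance-laptop-07", date(2024, 5, 1)),
    "aa:bb:cc:00:00:02": ("srv-db-01", date(2024, 4, 20)),
    "aa:bb:cc:00:00:03": ("printer-floor2", date(2023, 11, 3)),
}

# Constructed discovery results: MAC address -> IP address seen on the network
DISCOVERED = {
    "aa:bb:cc:00:00:01": "10.0.1.15",
    "aa:bb:cc:00:00:02": "10.0.2.5",
    "aa:bb:cc:00:00:99": "10.0.1.77",  # on the wire, absent from the inventory (a BYOD, perhaps)
}


@dataclass
class Findings:
    unauthorised: list = field(default_factory=list)  # on the network, not in inventory
    missing: list = field(default_factory=list)       # in inventory, not seen on the network
    stale: list = field(default_factory=list)         # inventory record overdue for re-verification


def reconcile(inventory, discovered, today, max_age_days=90):
    """Return the three classes of discrepancy the control asks us to correct."""
    findings = Findings()
    for mac in sorted(discovered):
        if mac not in inventory:
            findings.unauthorised.append(mac)
    for mac in sorted(inventory):
        _name, last_verified = inventory[mac]
        if mac not in discovered:
            findings.missing.append(mac)
        if (today - last_verified).days > max_age_days:
            findings.stale.append(mac)
    return findings


if __name__ == "__main__":
    result = reconcile(AUTHORISED, DISCOVERED, date(2024, 5, 15))
    for label, macs in vars(result).items():
        print(f"{label}: {macs}")
```

Each list maps to a different corrective action: an unauthorised device is blocked or enrolled, a missing one is investigated (lost, stolen, or simply offline), and a stale record is re-verified before it is trusted for patch coverage.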
2. Inventory and Control of Software Assets
Like the first control, this one requires the organisation to inventory (track, analyse, correct, and delete) all software installed on the network. This ensures that no unauthorised software is executed or installed.
Why Is It Important?
As with the first control, attackers constantly scan networks for vulnerabilities, and software is no exception. Attackers often place programs or clickable links on the organisation’s network to trick victims into running them. As a result, unauthorised software may be installed or executed, causing havoc throughout the network.
3. Data Protection
Although this is one of the CIS controls that sounds easy, it is one of the most difficult for an organisation to achieve. This control requires organisations to implement technical controls and develop robust processes for the identification, classification, handling, retention, and disposal of data. Key means of achieving these elements include risk management processes, core information security policies and strong encryption.
Why Is It Important?
Companies often apply the same level of protection to all of their data, regardless of its relevance or sensitivity. This is an obvious weakness, especially when dealing with threat actors already inside the network or organisation. Asking what the impact of a breach (or loss) of a specific piece of information would be is a straightforward way of understanding the need for categorisation and stronger protection of sensitive data.
4. Secure Configuration of Enterprise Assets and Software
Businesses must establish, implement, and monitor the security configuration of laptops, servers, and workstations. Organisations must employ strong configuration management and change control processes to prevent attackers from exploiting weak services and settings.
Why Is It Important?
Manufacturers and resellers provide default configurations of operating systems and apps for ease of deployment and usage, not for high security. Since open services, ports, and default accounts and passwords can be exploited in their default state, businesses must establish configuration settings with good security characteristics.
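A configuration baseline check is the mechanical part of this control. The added example below, which is not code from the original post, parses sshd_config-style directives and compares them against a hardened baseline, showing a vendor-style configuration next to a corrected one. The baseline values and the "shipped default" column are assumptions standing in for the organisation’s own benchmark; the point they illustrate is that a directive which is simply not set still has an effective value, and that value is the vendor’s, not yours.

```python
"""Check a service configuration against a hardened baseline.

Added example, not from the original post. It uses sshd_config-style
"Directive value" lines because the format is simple. The required values
and the shipped defaults are assumptions standing in for the organisation's
own benchmark; check them against the software you actually run.
"""

# Constructed baseline: required value per directive, plus the value the
# software applies when the directive is absent from the file.
BASELINE = {
    "PermitRootLogin":        {"required": "no", "default": "prohibit-password"},
    "PasswordAuthentication": {"required": "no", "default": "yes"},
    "X11Forwarding":          {"required": "no", "default": "no"},
    "MaxAuthTries":           {"required": "4",  "default": "6"},
}

# Constructed "as shipped" configuration: ease of deployment, not security.
VENDOR_DEFAULT_CONFIG = """\
# vendor-supplied sample
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed corrected configuration that meets the baseline.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""


def parse_config(text):
    """Return {directive: first value}; the first occurrence of a directive wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out directive: it has no effect
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0], parts[1].strip())
    return settings


def check_baseline(text, baseline=BASELINE):
    """List every directive whose effective value differs from the required one.

    A directive that is not set is evaluated at its shipped default, so an
    unsafe default is reported even though the file never mentions it.
    """
    settings = parse_config(text)
    deviations = []
    for key, rule in baseline.items():
        explicit = key in settings
        effective = settings[key] if explicit else rule["default"]
        if effective != rule["required"]:
            deviations.append({
                "directive": key,
                "effective": effective,
                "required": rule["required"],
                "source": "explicit" if explicit else "shipped default",
            })
    return deviations


if __name__ == "__main__":
    for name, cfg in (("vendor", VENDOR_DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_baseline(cfg) or "meets baseline")
```

In the vendor sample, PermitRootLogin is only present as a comment, so the check reports it at its shipped default; that is exactly the class of weakness the control targets, and one a simple "grep for bad values" would miss.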
5. Account Management
This control specifies the need for account life cycle management systems. Inactive accounts are deleted or made dormant, and the establishment of new accounts is closely monitored and tracked. This includes administrator and service accounts, controlling the assignment and management of authorisation controls for these accounts to enterprise assets and software.
Why Is It Important?
As with the other critical security controls, attackers constantly scan for potential attack vectors. Poor management of account lifecycles may allow attackers to exploit inactive or dormant accounts and obtain access to critical information, potentially leading to complete system access. After taking over an inactive account, attackers can impersonate legitimate users to trick other users into revealing data or essential information.
6. Access Control Management
This security control requires organisations to limit personnel and staff access to critical assets and information depending on the trust level of persons inside the organisation (approved classification). Specifically, tailored processes and technological controls should be implemented to create, assign, manage and revoke access credentials and other privileges for personnel and staff roles.
Why Is It Important?
It is essential because, when assets and information are protected on the principle that only authorised personnel can gain access, and that principle is backed by strict access rules, an attacker who does gain a foothold will find this route into the organisation of little use.
b) Foundational CIS Controls
These CIS security controls are more technical than basic controls and involve more specific measures.
7. Continuous Vulnerability Management
The main objective of managing security vulnerabilities is preventing attackers from gaining access to an organisation’s network. So, you must continuously identify security vulnerabilities and weaknesses and ensure their effective remediation. The main focus of this security control is information: keeping current information about cyber security vulnerabilities and responding actively as new information emerges.
Why Is It Important?
This CIS control is essential since cyber threats and newly disclosed security vulnerabilities are daily occurrences. Taking proactive measures minimises exposure to risk and attacks, which matters both to shareholders and for regulatory compliance.
8. Audit Log Management
Organisations must collect, manage, and analyse event logs to detect anomalous activity and investigate security breaches.
Why Is It Important?
Inadequate security logging and analysis allow attackers to hide their location and network activities. Even if the target business knows which systems have been infiltrated, understanding what an attacker has done thus far and responding effectively to the security issue would be difficult without accurate logging records.
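The “analyse event logs to detect anomalous activity” step, as an added example that is not code from the original post: a small parser for sshd-style syslog lines followed by a detector that groups authentication outcomes per source address. The log excerpt is constructed (documentation-range addresses), and the failure threshold of three is an assumption. The pattern it singles out, a run of failures from one source followed by a success, is the one worth escalating first, because it may indicate a guessed credential rather than a lockout.

```python
"""Detect password-guessing followed by a successful login in SSH auth logs.

Added example, not from the original post. The log lines are constructed
samples in the common sshd syslog format; the threshold is an assumption.
"""
import re
from collections import defaultdict

# Constructed log excerpt (addresses from the documentation ranges)
SAMPLE_LOG = """\
May 15 10:01:02 srv1 sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
May 15 10:01:05 srv1 sshd[2313]: Failed password for root from 203.0.113.9 port 51002 ssh2
May 15 10:01:08 srv1 sshd[2315]: Failed password for alice from 203.0.113.9 port 51004 ssh2
May 15 10:01:11 srv1 sshd[2317]: Failed password for alice from 203.0.113.9 port 51006 ssh2
May 15 10:01:20 srv1 sshd[2330]: Accepted password for alice from 203.0.113.9 port 51010 ssh2
May 15 10:03:00 srv1 sshd[2380]: Failed password for bob from 198.51.100.7 port 40001 ssh2
May 15 10:03:04 srv1 sshd[2382]: Accepted password for bob from 198.51.100.7 port 40002 ssh2
May 15 10:05:00 srv1 sshd[2400]: Accepted publickey for bob from 10.0.0.5 port 40000 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)


def parse_auth_events(text):
    """Yield (outcome, user, source_ip) in log order; lines that do not match are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("user"), m.group("src")


def detect_guessing(text, min_failures=3):
    """Per source IP, count failures and note whether a success followed them.

    Returns {src: {"failures": n, "success_after": user or None}} for every
    source with at least min_failures failed attempts. A success after a run
    of failures is the highest-priority finding.
    """
    failures = defaultdict(int)
    success_after = {}
    for outcome, user, src in parse_auth_events(text):
        if outcome == "Failed":
            failures[src] += 1
        elif failures[src] >= min_failures and src not in success_after:
            success_after[src] = user  # first success once the threshold was already crossed
    return {
        src: {"failures": n, "success_after": success_after.get(src)}
        for src, n in failures.items() if n >= min_failures
    }


if __name__ == "__main__":
    for src, finding in detect_guessing(SAMPLE_LOG).items():
        print(src, finding)
```

The single failure from 198.51.100.7 followed by a success is the ordinary typo-then-login case and stays below the threshold; tuning that threshold against your own baseline of benign failures is where most of the real work in this control lies.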
9. Email and Browser Protections
This control requires enhanced protection for email and web browser activity to minimise the risk of attackers manipulating personnel.
Why Is It Important?
Social engineering is among the most common entry points for bad actors looking to exploit organisations’ security vulnerabilities. Another common exploit is the activation or injection of malicious code delivered through malicious websites or clickable links.
10. Malware Defences
An organisation should use protection where applicable to control and manage the distribution and execution of malware. It is recommended that autonomous processes that can actively detect and remove threats and rectify or update defences be used.
Why Is It Important?
This is a straightforward CIS control, where any network is better when it is malware-free. Attackers prefer malware because it is simple to install on insecure networks and runs autonomously. In short, it is a fire-and-forget missile capable of causing massive disturbances.
11. Data Recovery Capabilities
This CIS control needs any organisation to have a process and a proven method for timely backup and recovery of critical information.
Why Is It Important?
Attackers who successfully breach a system will most likely change its configuration, software, or data. These subtle or significant changes will threaten the organisation’s performance. Without an adequate backup or recovery mechanism, it can be challenging for a business to restore itself to sufficient operational effectiveness.
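A backup is only “proven” once a restore from it has been checked against what was backed up. The added example below (not code from the original post) builds an archive together with a manifest of SHA-256 digests, then restores it in memory and verifies every file against the manifest, reporting anything missing, altered or unlisted. The files are constructed in-memory samples; a real job would read from disk and store the archive and manifest in separate, access-controlled locations so that an attacker who changes data cannot quietly change the digests too.

```python
"""Create a backup with an integrity manifest and prove it restores.

Added example, not from the original post. The files are constructed
in-memory samples; a real job would read from disk and write the archive
and manifest to separate, access-controlled storage.
"""
import hashlib
import io
import tarfile

# Constructed set of files to protect: path -> contents
SAMPLE_FILES = {
    "config/app.yaml": b"db_host: db01\n",
    "data/records.csv": b"id,name\n1,alice\n2,bob\n",
}


def create_backup(files):
    """Return (gzip-compressed tar bytes, manifest of path -> SHA-256 hex digest)."""
    buf = io.BytesIO()
    manifest = {}
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
            manifest[path] = hashlib.sha256(data).hexdigest()
    return buf.getvalue(), manifest


def restore_and_verify(archive, manifest):
    """Extract the archive in memory and compare every file against the manifest.

    Returns (restored files, list of problems). A problem is a manifest entry
    whose restored content is missing or has a different digest, or a file in
    the archive that the manifest never listed.
    """
    restored = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                restored[member.name] = tar.extractfile(member).read()
    problems = []
    for path, digest in manifest.items():
        if path not in restored:
            problems.append(f"missing: {path}")
        elif hashlib.sha256(restored[path]).hexdigest() != digest:
            problems.append(f"digest mismatch: {path}")
    problems.extend(f"unlisted: {p}" for p in restored if p not in manifest)
    return restored, problems


if __name__ == "__main__":
    archive, manifest = create_backup(SAMPLE_FILES)
    _files, problems = restore_and_verify(archive, manifest)
    print("restore verified" if not problems else problems)
```

Running the restore on every backup cycle, not only after an incident, is what turns “we have backups” into a recovery capability; the manifest comparison is also the fastest way to spot that a backup taken after a breach already contains the attacker’s changes.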
12. Network Infrastructure Management
As with all CIS critical security controls that need management, this one specifies the need to actively manage network devices after they have been securely established and implemented into an organisation’s network infrastructure. Furthermore, organisations must establish, install, and actively maintain secure configurations for all network assets. They must be actively tracked and controlled, and necessary corrections should be made to minimise vulnerabilities arising from vulnerable network services and access points that attackers can exploit.
Why Is It Important?
Attackers frequently exploit the remotely accessible entry points into an organisation’s network. Examples include pre-installed software, fully open ports, and poorly configured domain name servers. The default configurations for network infrastructure devices, like those for operating systems and applications, are designed for ease of deployment rather than security. Furthermore, network devices frequently become less securely configured over time. Attackers use these configuration weaknesses to obtain network access or to pass off a compromised machine as a trusted system.
13. Network Monitoring and Defence
This control requires the detection, prevention and correction of sensitive information flows between networks of different trust levels.
Why Is It Important?
Attackers will try to exploit a vulnerability in any part of the network, including perimeter systems. The boundaries between networks, known as extranet networks, become less defined as businesses become more integrated. A perimeter attack could damage your network, a business partner’s network, or a sister network. Any device connected to your network, including the wider business network and extranet environment, forms part of that perimeter.
14. Security Awareness Training Programme
This CIS critical security control addresses the overlooked role of personnel in providing enhanced organisational security through an ongoing awareness of security issues and training in security vulnerabilities. This is mainly relevant for the business-critical tasks and personnel involved in technical roles at the root or development level.
Why Is It Important?
Organisations often call cyber security an IT problem, creating a significant lack of awareness and understanding of the threats to critical infrastructure and the organisation’s effective functioning, including regulatory compliance.
15. Service Provider Management
Many organisations rely on third-party vendors and service providers to manage data and/or provide services to their critical or important business functions. It is important that organisations truly understand their business needs and risks and implement standards and core processes to grade and manage the various service providers they propose and actively use. Furthermore, several service providers may be held to different regulations and protection standards, so understanding these and upholding them is critical to business continuity.
Why Is It Important?
An organisation’s service providers can fall anywhere within its supply chain. Ensuring that service providers adhere to security best practices, and that your organisation acknowledges and supports them in achieving good cyber security in line with relevant regulations, legislation, and standards, is critical to achieving their business goals. Service providers should be managed under overarching organisational policies that ensure they are classified by criticality to the organisation, that their contracts include security requirements, and that their security capabilities are regularly assessed.
16. Application Software Security
This control requires business organisations to manage the entire Software Development Life Cycle proactively and effectively, from start to finish. This ensures that only “clean source code” is eventually used for all software programs. This is necessary so that an organisation can correct, prevent, and track security weaknesses.
Why Is It Important?
Attackers can exploit the weaknesses of in-house developments that lack a security standard, such as a security-conscious coding policy. Attackers make use of poorly written code, coding errors, and logic flaws. Exploitable mistakes include missing input limits, poor memory management, failure to check string handling, and others.
Tools and Procedures
- Foster secure coding practices for in-house developments through policy and training
- Use analysis tools that can verify security practices are being implemented properly
c) Organisational Controls
The organisational controls are the final two CIS critical security controls. This group of CIS controls focuses on the strategic implementation of cyber security by design and intends to create a culture of cyber security within an organisation.
17. Incident Response Management
The only way your brand can recover within hours after being hit with a cyber attack is by having the appropriate incident response and management plan in place. This control also mandates that some items should be included in your incident response and management plan, including:
- Risk mitigation procedures
- The appropriate mechanism for reporting anything out of the ordinary
- How data and forensics should be collected
- Responsibilities of upper management
- Legal protocols that need to be undertaken
- The communications strategy
18. Penetration Tests and Red Team Exercises
The final CIS critical security control is the practical testing of the 19 CIS controls. With penetration testing, an organisation can simulate an attack on the network, which allows it to see if it can still identify vulnerabilities that can be exploited.
Why Is It Important?
Penetration tests will indicate to an organisation where the vulnerabilities are, and this control can test the resilience of the organisation’s cyber security architecture overall.
Conclusion on CIS Top 18
In conclusion, implementing the CIS Top 18 Critical Security Controls is an innovative and effective way to protect your organisation against cyber threats. By following this framework, you can reduce your risk of a cyber attack, safeguard your critical assets and data, and improve your overall security posture.
Remember, the threat landscape constantly evolves, so staying up-to-date with the latest security measures and best practices is essential. Using the CIS Top 18 Critical Security Controls, you can be confident that you’re taking the proper steps to protect your organisation’s systems and data from harm.
To find out how we can help, contact us.