What are the CIS Controls for Effective Cyber Defense?

The CIS Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principle benefit of the CIS Controls are that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.

While initially developed by the SANS Institute and known as the SANS Critical Controls, the CIS Controls are now managed by the Center for Internet Security and developed by a community of experts who apply their experience as CISOs and security professionals, creating globally accepted security best practices. These experts come from a wide range of sectors including retail, manufacturing, healthcare, education, government agencies and defense.

Table of contents

  1. Why are the CIS Controls important?
  2. Why do the CIS Controls work?
  3. What are the five critical tenets of effective cyber defense?
  4. What are the 20 CIS Controls?
  5. How UpGuard can improve your organization’s cybersecurity

1. Why are the CIS Controls important?

The CIS Controls are important because they minimize the risk of data breaches, data leaks, theft of intellectual property, corporate espionage, identity theft, privacy loss, denial of service and other cyber threats.

As security professionals, we have access to an array of security tools and technologies, security standards, training, certifications, vulnerability databases, best practices, security controls, checklists, benchmarks and recommendations.

To help us understand threats, we’ve seen the introduction of security ratings, third-party security ratings, data leak detection and the NIST Cybersecurity Framework. Not to mention, we’re surrounded by regulatory requirements like GDPR, LGPD, CCPA, FISMA, CPS 234, GLBA, PCI DSS and PIPEDAthat require clear third-party risk management frameworks, vendor risk management and robust risk assessment methodologies.

With businesses growing, dependencies expanding, threats evolving and customers expecting more, robust cybersecurity has never been more important.

The CIS Controls help us answer questions like:

  • What are the most critical areas to establish a risk management program?
  • Which defensive steps provide the greatest value?
  • How can we track our risk management program maturity?
  • How can we share our insights into attacks and attackers and identify root causes?
  • Which tools are best used to solve which problems?
  • Which CIS controls map to my organization’s regulatory and compliance frameworks?

2. Why do the CIS Controls work?

The CIS Controls work because they are:

  • Informed by common attacks and effective defenses
  • Reflect the knowledge of experts from companies, government and individuals, as well as sectors (government, power, defense, finance, transportation, academia, consulting, security, IT)
  • From every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.)

The defense identified in the CIS controls deal with reducing the initial attack surface by hardening servers, identifying compromised machines, disrupting command-and-control or malicious software and establishing adaptive, continuous defenses that are continually improved.

Additionally, the CIS benchmarks acknowledge the reality that most organization face, in that resources are limited and priorities must be set.

As such, CIS separates controls into three categories, basic, foundational and organizational, regardless of industry. These categories and the prioritization of controls is what makes CIS Controls work so well.

3. What are the five critical tenets of effective cyber defense?

The five critical tenets of an effective cyber defense system are:

  1. Offense informs defense: Use actual cyber attacks that have compromised systems to provide the foundations to learn from and to build effective, practical defenses. Avoid defense that haven’t been shown to stop real-world attacks.
  2. Prioritization:Invest in controls that provide the greatest risk reduction and protection from the most dangerous attacks that can be feasibility implemented.
  3. Measurements and metrics: Use common metrics to provide a shared language for executives, security professionals, auditors and employees to measure the effectiveness of security measures within your organization.
  4. Continuous diagnostics and mitigation: Continuously monitor your security posture to test and validate the effectiveness of security controls and to help drive next steps.
  5. Automation:Automate defenses to reliably scale and continuously monitor for adherence to controls. Consider extending this to your third-party vendors and their vendors by continuously monitoring third-party and fourth-party security postures.

4. What are the 20 Critical Security Controls?

The 20 Critical Security Controls for effective cyber defense (sometimes called the SANS Top 20) are split into three groups:

  1. Basic CIS Controls (1–6) are the starting point for any organization’s cybersecurity
  2. Foundational CIS Controls (7–16)
  3. Organizational CIS Controls (17–20)

You can download the entire CIS Controls white paper from https://www.cisecurity.org/controls/.

1. Inventory and Control of Hardware Assets

Attackers are continuously scanning for new and possibly vulnerable systems to be attached to a target’s network. They are particularly interested in devices that come and go from the enterprise network, such as laptops or Bring-Your-Own-Devices (BYOD), that don’t install security updates or may already be compromised.

Once detected, attackers can take advantage of this hardware and gain access to an organization or use it to launch additional cyber attacks.

This control requires organizations to manage hardware devices on their network to ensure only authorized devices have access to sensitive areas. Managed control of all devices also plays a critical role in planning and executing system backup, incident response and recovery.

2. Inventory and Control of Software Assets

A good example is EternalBlue, a vulnerability in old versions of the Windows operating system that was used to launch the WannaCry ransomware computer worm.

When a victim accesses the content on an exploitable machine, attackers can gain access and install unauthorized software or different types of malware.

Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets leading to data breaches and exposure of sensitive data. Compromised machines within a network can then be used to launch additional cyber attacks.

This control mitigates this risk by requiring organizations to actively manage all software on the network so only authorized software is installed and can execute.

3. Continuous Vulnerability Management

Vulnerability management and vulnerability assessment requires cyber defenders to take in a constant stream of new information, software updates, patches, security advisories, etc.

Attackers will use this same information to take advantage of gaps between the appearance of new vulnerabilities and their remediation to attack targets.

To minimize this risk, this control requires organizations to continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate them and minimize the window of opportunity.

Without scanning for vulnerabilities and proactively addressing issues, organizations face the significant risk of compromise.

4. Controlled Use of Administrative Privileges

This helps to reduce the abuse of administrative privileges, which is a common method of attack to spread inside an organization.

If the victim has administrative privileges, the attacker can take over the victim’s machine installing malware, spyware or stealing sensitive data.

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Default configurations for operating systems and applications are generally geared towards ease of deployment and use, rather than security. Basic controls, open services and ports, default passwords and outdated protocols can be exploited when left in the default state.

To minimize this risk, organizations must establish, implement and actively manage the security configuration of mobile devices, laptops, servers and workstations using configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings.

6. Maintenance, Monitoring and Analysis of Audit Logs

Deficiencies in security logging and analysis allows attackers to hide their location, the installation of malicious software and their activity on a victim’s machine.

To mitigate this, organizations must collect, manage and analyze audit logs of events to help the detection, identification and recover from attacks.

7. Email and Web Browser Protections

Web browsers and email clients are common points of attack because of their technical complexity, flexibility and high use. Content can be crafted to entice or spoof users into taking action, allowing the theft of valuable data or the introduction of malicious code.

This control can minimize the attack surface and opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

8. Malware Defenses

Malicious software is designed to attack your systems, devices and data. It can enter through end-user devices, email attachments, web pages, cloud services, user actions and removable media. Sophisticated threats are even designed to circumvent, avoid and disable defenses.

Organizations must control the installation, spread and execution of malicious code, while optimizing the use of automation to enable rapid updating of defense, data gathering and corrective action.

9. Limitation and Control of Network Ports, Protocols and Services

Attackers remotely search for accessible network services that are vulnerable for exploitation. Common examples include poorly configured web servers, mail servers, file and print services and DNS servers installed by default.

This control must manage the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.

10. Data Recovery Capabilities

When attackers gain access to a machine, they can make significant changes to configuration and software. In some situations, they make subtle alterations to data stored potentially damaging the organization’s ability to operate. When an attacker is discovered, organizations need to be able to remove all aspects of the attacker’s presence from the machine.

This is why organizations must use processes and tools to properly backup critical information with a proven methodology for timely recovery of it.

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

Default configurations of network infrastructure are designed for ease of deployment and use rather than security. Open services and ports, default passwords, support for older protocols and pre-installed software may be exploitable in default states.

Organizations must establish, implement and actively manage the security configuration of network infrastructure devices by using configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings.

This is a continuous process as hardware and software configuration is not a one-time event, attackers can take advantage of slipping configuration over time as users demand exceptions for legitimate business needs. These exceptions can be left open when the business need is no longer, opening up potential attack vectors.

12. Boundary Defense

Attackers focus on exploiting systems that are Internet accessible. Organized crime groups and nation-state actors can abuse configuration and architectural weaknesses found in perimeter systems, network devices and client machines to gain initial access to organizations.

Boundary defense controls detect, prevent and correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.

13. Data Protection

Sensitive dat are sides in many places. Protection of that data is best achieved through the combination of encryption, integrity protection and data loss prevention techniques.

Data protection controls are processes and tools designed to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

14. Controlled Access Based on the Need to Know

Encrypting data provides a level of assurance that even if a data breach occurs, it’s impractical to access the plaintext without significant resources. That said, controls should be put in place to mitigate the threat of data breaches in the first place.

Organizations must have processes and tools to track, control, prevent and correct secure access to critical assets according to access control rights of people, computers and applications based on a need or right previously classified.

15. Wireless Access Control

Many data breaches are initiated by attackers who have gained wireless access to organizations from outside the physical building, connecting wirelessly to access points.

Wireless access controls are processes and tools to track, control, prevent and correct the secure use of wireless local area networks (WLANs), access points and wireless client systems.

16. Account Monitoring and Control

Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate, inactive user accounts to impersonate users making it harder for security personnel to detect them.

This control requires active management across the life cycle of system and application accounts — their creation, use, dormancy and deletion — to minimize opportunities for attackers.

17. Implement a Security Awareness and Training Program

While it’s tempting to think of cybersecurity as primarily a technical challenge, the actions of employees play a critical part in the success or failure of even the most automated cybersecurity program, whether it be in the design, implementation, operation, use or oversight.

This means for all functional roles, prioritizing for mission-critical functions or security, organizations must identify the specific knowledge, security skills and abilities need to support the defense of the organization, develop and execute a plan to assess, identify gaps and remediate through policy, planning, training and awareness programs.

18. Application Software Security

Attackers often take advantage of vulnerabilities found in web-based and other application software. These vulnerabilities can stem from coding mistakes, logic errors, incomplete requirements and failure to test for unusual or unexpected conditions.

To mitigate this attack vector, organizations must manage the security of all in-house and acquired software over its life cycle.

19. Incident Response and Management

Organizations must protect their information and reputation by developing and implementing an incident response infrastructure (e.g. plans, defined roles, training, communications, management oversight) to quickly discover attacks and then contain the damage, eradicate the attacker’s access and restore the integrity of the network and systems.

Security incidents are now part of every organization. Even large, well-funded and technically sophisticated organizations can struggle to keep up with cybercriminals, just look at Yahoo at the top of the world’s biggest data breaches.

20. Penetration Tests and Red Team Exercises

Organizations must test their overall defense (technology, processes and people) by simulating the objectives and actions of an attacker.

Attackers often exploit the gap between good defensive design and actual implementation. A good example is the window of time between when a vulnerability is discovered and when it is remediated on every vulnerable machine.

Successful defensive posture requires a comprehensive program with effective information security policies, strong technical defenses and appropriate action by people.

Red Team exercises take a comprehensive approach at the full spectrum of organization policies,processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels.

5. How UpGuard can improve your organization’s cybersecurity

Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.

We’re experts in data breaches and data leaks, our research has been featured in the New York Times, Wall Street Journal, Bloomberg, Washington Post, Forbes, Reutersand Techcrunch.

UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors’ security posture over time while benchmarking them against their industry.

Each vendor is rated against 50+ criteria such as presence of SSLand DNSSEC, as well as risk of domain hijacking, man-in-the-middle attacks and email spoofing for phishing.

UpGuard BreachSight can help monitor for DMARC, combat typosquatting, prevent data breaches and data leaks, avoiding regulatory fines and protecting your customer’s trust through cyber security ratings and continuous exposure detection.

If you’d like to see how your organization stacks up, get your free Cyber Security Rating.

Book a demo of the UpGuard platform today.

Originally published at https://www.upguard.com.




https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What is a Security Posture and How Can You Evaluate It?

My Crypto Consult scam review

Equifax Scandal: Massive Personal Data Breach From A Massive Government Contractor

Hack The Box — Optimum Walkthrough/Writeup OSCP

Hack The Box — Granny Walkthrough/Writeup OSCP

{UPDATE} Jewel Smash Mania Hack Free Resources Generator

Brute Force Web Logins

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.

More from Medium

A response to “Thinking About the Future of InfoSec”

Cybersecurity And Much More Newsletter — Week 03 (2022)

Cyber Deterrence is More Important than Nuclear Deterrence

3rd Simple & White-collar things about CyberSecurity