This article was contributed by Harman Singh, security professional, and consultant at Cyphere.
A Center of Internet Security (CIS) control is a standard for computer security. CIS controls were previously known as the SANS Critical Security Controls. It’s a top-priority list of best practices created to combat the most prevalent and hazardous dangers by reducing risk to an acceptable level as specified by CIS standards and guidelines. CIS critical security controls are essential in helping you protect your company’s data from malware, viruses, hackers, and other threats on the internet. In this article, we will discuss top CIS critical security controls that can be implemented on your business’ website to protect it from cyberattacks.
What are the goals of CIS controls?
The main goal of CIS controls is to reduce risk as much as possible. The CIS benchmarks are designed to ensure that your company’s data and systems stay safe from hackers, cyber-attacks, and other online threats.
CIS critical security measures help you maintain the confidentiality, integrity, and availability of information assets on a network or system by following industry best practices. CIS controls are designed to be non-intrusive and they do not prevent any actions that comply with your company’s policies or standards.
How CIS controls are designed
CIS controls are designed to reduce risk in a cost-effective manner by making sure that every employee knows how they can be protected from hackers on the internet. To make CIS controls work properly, it is important to implement CIS CSCs in a way that makes sure they are used properly and consistently. CIS CSCs should be accompanied by an appropriate security awareness program that can teach your employees how to avoid sensitive information from being compromised on the internet.
CIS controls are not designed for cyber-attacks without authorization or against another firm’s firewall, but they are applicable to your company’s internal security system. CIS controls are the best way to protect your business from viruses, malware, and other online threats that can cause a severe financial loss in addition to data breaches.
CIS CSCs include protection measures like antivirus or anti-malware systems that try to prevent any suspicious activity on your network before it happens. CIS CSCs also include the implementation of firewalls and security updates for your operating system.
What’s new in CIS v8?
The new CIS measures have improved the old 20 controls, which were designed with conventional methods and technologies, by incorporating new rules with contemporary IT and security industry adaptation.
In the updated version, the controls are integrated according to the activities and attack methods. As a result, in relevance with cloud, hybrid, and activity-based platforms, the controls have been reduced from 20 to 18.
Top CIS critical security controls for effective cyber defense
CIS CSCs are designed to help you maintain confidentiality, integrity, and availability of your business’ data. Here is the list of 18 CIS controls in version 8.0.
1. Inventory and control of hardware
It’s critical to monitor all of the network’s hardware devices so that only authorized ones are given access and evildoers may be detected and disconnected before they cause any damage.
2. Inventory and control of Software
To prevent unauthorized software from running on assets, use software inventory tools to automate the documentation of all software.
3. Data protection
Implement CIS CSCs to make sure all data is properly protected before it’s transmitted or stored.
It’s critical to keep in mind that most companies don’t usually consider their data and systems security until after a breach has occurred. Critical systems and data must be protected and regularly backed up, and companies must have a proven methodology for timely data recovery capabilities.
4. Secure configuration for hardware and software
Organizations must set up, maintain, and execute network infrastructure devices’ secure configuration.
5. Account management
It’s critical to make sure all users have strong, unique, and regularly changed passwords to prevent unauthorized access to sensitive data. Access controls like VPN or remote authentication help to secure your company’s network by implementing CIS CSCs.
All in-house or third-party managed systems should require multi-factor authentication.
6. Controlled access of administrative privileges
It’s vital to have an inventory of service accounts, administrative credentials, and sufficient password requirements in place. To prevent attackers from using administrative accounts, they must have controlled access-based privileges.
7. Continuous vulnerability management
Keep an eye on all security issues involved with CIS CSCs, including software updates and patches. Vulnerability management is the best way for companies of any size to avoid being hacked or suffering a data breach that can affect their operations.
Before a security issue becomes a real breach, it’s important to detect them. Scanning the network for weak spots, which can then be swiftly fixed, is critical. Keep up with vulnerability updates if you want the testing to be most effective.
8. Maintenance, monitoring, and analysis of audit logs
Regular checks and implementation of processes and procedures help to analyze event data, interpret the information correctly, and take action quickly.
Ensure that local logging is turned on and that necessary logs are transferred securely to a central log management system for continuous analysis and alerting.
9. Email and web browser protections
Email systems and web browsers are vulnerable to numerous dangers. The network can’t be secure if they aren’t safe. To minimize their attack surface, organizations must ensure that only fully supported web browsers and email clients are utilized in the organization.
10. Malware defenses
Malware is employed for a variety of criminal activities, including identity theft and corporate espionage. Users and the company are protected by antivirus software and malware prevention. Anti-malware software should be centrally managed to continuously monitor and defend each of the company’s workstations and servers.
11. Data recovery capability
Backups protect data from being lost in the event of a cyber attack. Backups keep data safe and provide a reference point for data comparison if data integrity is in doubt following a security incident.
Organizations must ensure that vital systems and data are backed up. They also need to have a proven approach for recovering data quickly.
12. Network infrastructure management
It’s critical for network infrastructure devices to have up-to-date firmware and software, as well as a host of other security measures.
The secure configuration of network infrastructure devices, such as routers, mobile devices, firewalls, and switches, must be established, implemented, and maintained by organizations.
13. Network monitoring and defense
It’s critical to monitor the network for both external and internal threats. Monitoring tools are available that can identify misconfigurations, unauthorized network devices, or suspicious activity without putting a significant load on endpoints’ resources. In this way, only authorized software will be able to access your data.
Every company must have a robust cyber-security strategy in place to detect and defend against internet dangers. Every business needs a solid cyber-security plan for any type of cyber assault.
14. Security awareness and skill training
In today’s digital age, it’s crucial for businesses to understand and prepare for a variety of cyber assaults. Employees must be educated on various types of cyberattacks, such as phishing, phone fraud, and impersonation calls, among others.
15. Service provider management
Today, more and more companies are using third-party service providers for business functions. This includes customer care phone services or credit card processors. It’s important to have processes and procedures that are expected of a service provider when it comes to data privacy and security controls.
16. Application software security
As the use of third-party applications continues to grow, so too does the risk for cyber attacks. It’s important for companies to have policies in place that govern how software is deployed and used within their organization.
17. Incident response management
An incident response plan is absolutely necessary for businesses to have in place. It’s important that organizations are prepared for all types of cyber threats, including malware and ransomware incidents, data breaches, system outages or disruptions, social engineering attempts by attackers posing as company employees, among others.
18. Penetration testing
Penetration tests are a necessary part of ongoing security management. It’s vital to have in place an effective penetration tests plan for evaluating vulnerabilities within the organization, including its enterprise applications, data stores and network devices.
Cybersecurity CIS framework
The common criteria for information security is a framework that defines the steps organizations need to take in order to have an effective cyber boundary defense. CIS has become an industry standard and recognized best practice guide for achieving this goal.
By following the CIS Critical Controls, organizations can effectively build a cyber security program for data protection of their company from various types of attacks.
How an organization can implement CIS controls
The CIS controls can be used by organizations to have an effective cyber defense.
CIS Controls should be included in the organization’s sensitive data security program and standards, architecture, policies, and procedures that are already in place for protecting IT hardware assets and software assets.
Different steps of applying CIS controls in your organization:
CIS critical security controls can be applied easily using a three-step process.
The first step is to identify the areas where CIS CSCs are applicable and useful for your business.
The second step is to prioritize CIS CSCs. You should assess them and choose a few that best suit your organization’s needs.
The third step is the implementation of CIS CSCs followed by continuous account monitoring and maintenance process which can be done on a regular basis or after any major change in your organization’s security system.
Why are CIS security controls important for every organization?
CIS CSCs are crucial for every organization because they help in protecting the company’s data, resources, and infrastructure. CIS CSCs are designed to help you implement an effective cyber defense system for your company. They include the latest industry best practices that can easily be implemented into most companies’ security systems without any major changes or investments in infrastructure.
Make sure that all of CIS critical controls are implemented in your organization to help you maintain confidentiality, integrity, and availability of all information assets on the network. These are designed for effective cyber defense without any trade-offs or compromises that can affect business productivity.
Frequently asked questions
What does CIS CCSs stand for?
CIS CSCs stands for the Centre of Internet Security Critical Security Controls which is a set of top industry best practices that every organization should have in place to protect their company from cyber security threats.
How do CIS CSCs help?
The CIS CSCs can be implemented easily and quickly without any major changes or investments required. They are designed for effective cyber defense without any trade-offs or compromises in business productivity.
What are the 5 critical tenets of an effective cyber defense system as reflected in the CIS Controls?
These are the 5 critical tenets of an effective cyber defense system:
What is the CIS critical control implementation guide?
The CIS critical control implementation guide includes a set of best practices that can be implemented in various types of systems or organizations to help them have an effective cyber defense. These controls are designed for all types of organizations and can be implemented at different levels with minimal changes required.
Harman Singh is a security professional with more than 10 years of consulting experience across private and public sector organizations. His day job involves consulting businesses at Cyphere to reduce their security concerns. Cyphere’s primary expertise is offensive security assessments across traditional networks and cloud computing threat landscapes in addition to security compliance assessments. Besides delivering pen testing, he has also delivered talks and training at Black Hat and regional conferences. His favorite security topics are Active Directory, Azure & Networks.