The Center for Internet Security (CIS) is a group made up of volunteers and experts hoping to educate individuals and enterprises on common and damaging cyberattacks. Their security standards are often cited by cyber insurance companies as a benchmark for compliance. They are a great standard through which to view your own security hygiene.
With the current version of CIS Controls, v8, they have introduced three implementation groups: IG1, IG2, and IG3.
IG1
Implementation Group 1 is designed for small and medium-sized organizations with limited time and resources to spend on IT cybersecurity. The data of these organizations has low sensitivity and usually involves the personal information of their employees. Someone without much IT knowledge should be able to implement these best-practice guidelines.
The top priority for an IG1 organization is to protect their operations and keep work going.
IG2 (Includes IG1)
An IG2 organization employs people to manage and protect their IT infrastructure. There are multiple departments in this organization as well as varying levels of sensitivity in the data they handle. An IG2 organization may need to comply with insurance or industry standards.
A data breach for this kind of enterprise could stop work and lead to a massive loss of confidence from the public and their clients.
IG3 (Includes IG1 and IG2)
If an organization is in Implementation Group 3, they employ security experts to polish their cybersecurity in areas such as risk management, penetration testing, application security, and vulnerability scanning. This enterprise regularly handles sensitive data. In a successful attack, the public could be affected or harmed.
IG3 standards must be able to withstand sophisticated attacks and plan to guard against zero-day attacks. Zero-day attacks refer to threats made on the day that a company releases software or a firmware update. Attackers exploit this first day on a new system because it is more likely there is a bug or exploitable flaw they can use to infiltrate.
In addition to classifying need with these implementation groups, the CIS also outlines 18 Critical Security Controls, with different levels of preparedness for the different implementation groups. Consider them 18 areas of IT security to think about and prepare for.
For even more in-depth explanations of the 18 critical security controls, consider downloading their free guide on CIS Critical Security Controls v8, the most recent version at the time of this writing. It is yours for the low price of your email, name, and organization. The number of steps and guidelines for each control increases with an organization’s implementation group; IG3 has the most steps.
Control 1: Inventory and Control of Enterprise Assets
Account for and manage all of the assets of your organization. This includes items such as desktops, laptops, other end-user devices, network devices, Internet of Things devices and servers (cloud and physical).
This is critical because a threat actor can use any device connected to your network to exploit your vulnerabilities. All organizations should both take an initial inventory of their assets and create a system for maintenance and upkeep.
Control 2: Inventory and Control of Software Assets
Similar to an organization’s physical assets, the next step is to inventory every piece of software used on the network. Doing so ensures that an organization knows all the software in use and which of it might be unauthorized or unmanaged.
Don’t skip this step; this is critical to prevent attacks. If an employee were to click on a malicious link, backdoor programs could be installed and give access to everything in the network.
Creating an inventory for an organization’s software includes ensuring that the software is supported.
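Controls 1 and 2 both come down to the same routine check: compare what discovery actually finds on the network with what the organization has authorized, and act on the differences. The script below is an added example written for this article, not code from CIS or from SpireTech. The discovery results, the asset register and the approved-software catalogue are constructed sample data, and the field names and the "minimum supported version" policy are assumptions.

```python
"""Reconcile discovered devices and software against the authorized inventories.

Added illustration for CIS Controls 1 and 2; all data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    mac: str
    software: frozenset  # set of (product, version) pairs found on the host


# Constructed: what this week's network discovery scan reported.
DISCOVERED = [
    Asset("laptop-17", "aa:bb:cc:00:00:17",
          frozenset({("Chrome", "124.0"), ("7-Zip", "9.20"), ("FreeOptimizer", "1.0")})),
    Asset("srv-db-01", "aa:bb:cc:00:01:01",
          frozenset({("PostgreSQL", "15.6"), ("OpenSSH", "9.6")})),
    Asset("unknown-device", "de:ad:be:ef:00:01", frozenset()),
]

# Constructed: the authorized asset register (Control 1), keyed by MAC address.
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:17": {"hostname": "laptop-17", "owner": "alice"},
    "aa:bb:cc:00:01:01": {"hostname": "srv-db-01", "owner": "platform-team"},
    "aa:bb:cc:00:02:02": {"hostname": "printer-2f", "owner": "facilities"},
}

# Constructed: the approved-software catalogue (Control 2). A product is authorized
# only if listed, and considered supported only at or above the listed version.
APPROVED_SOFTWARE = {
    "Chrome": "120.0",
    "7-Zip": "23.01",
    "PostgreSQL": "15.0",
    "OpenSSH": "9.0",
}


def version_tuple(version):
    """Turn '23.01' into (23, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def reconcile(discovered, authorized_assets, approved_software):
    """Return sorted (finding_type, hostname, detail) tuples for everything that
    deviates from the two inventories."""
    seen = set()
    findings = []
    for asset in discovered:
        seen.add(asset.mac)
        if asset.mac not in authorized_assets:
            findings.append(("unauthorized_device", asset.hostname, asset.mac))
            continue  # don't evaluate software claims from a device we don't own
        for product, version in sorted(asset.software):
            minimum = approved_software.get(product)
            if minimum is None:
                findings.append(("unauthorized_software", asset.hostname,
                                 f"{product} {version}"))
            elif version_tuple(version) < version_tuple(minimum):
                findings.append(("unsupported_version", asset.hostname,
                                 f"{product} {version} < {minimum}"))
    # Authorized assets that discovery did not see may be off, stolen, or hiding.
    for mac, info in authorized_assets.items():
        if mac not in seen:
            findings.append(("missing_asset", info["hostname"], mac))
    return sorted(findings)


if __name__ == "__main__":
    for finding in reconcile(DISCOVERED, AUTHORIZED_ASSETS, APPROVED_SOFTWARE):
        print(*finding)
```

Run on the sample data it reports the unregistered device, the authorized printer that discovery never saw, the unapproved utility on the laptop, and the archive tool running well below the supported version. The "missing asset" case is the one most inventories forget: an asset that stops showing up deserves a ticket just as much as one that appears unannounced.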
Control 3: Data Protection
Make processes to identify, classify, retain, and dispose of data. This includes everything on an organization’s servers, their employees’ end-user devices, the cloud, and any third party they share data with. An enterprise has to protect not only its own data, but the data of its customers, clients, or anyone else whose personal information it holds.
In many attacks, a threat actor’s first move is to extract data. If an organization doesn’t have a system in place to monitor when sensitive data is leaving the enterprise environment, it might not even be aware when data is stolen. Data encryption is one step of many toward truly protected data.
Control 4: Secure Configuration of Enterprise Assets and Software
Do you remember those inventories back in Controls 1 and 2? Great. Now that an organization understands what it has, it can decide on secure configurations for all software and devices. Everything that comes pre-configured with a device or piece of software is designed for easy deployment and immediate use. These default configurations are usually less secure than what is best for protection.
Change default passwords or network names, remove excess access, and create a strong configuration. After the initial strong configuration, maintain it. It must be managed with updated patches, new security vulnerabilities, and other things that will change over time.
Control 5: Account Management
Manage, observe, and assign authorization for the user accounts associated with your organization, including accounts in assets and software. It is easier for a threat actor to gain access to a user account and get into your organization’s data that way than by “hacking.” They could gain entry through a weak password; accounts that are still active after an employee has left; account credentials that haven’t been changed for months or years; service accounts hidden in the scripts of applications; or a password that has been reused across accounts after a different account’s information was leaked.
Pay special attention to administrative accounts or accounts with most of the privileges. These types of accounts are the most targeted, because a threat actor would get the most use from their credentials.
Account logging and monitoring is another step that would protect your business.
Control 6: Access Control Management
Have processes to keep track of the privileges of users. Users should have the minimum number of permissions required and nothing more; extraneous permissions will lead to security vulnerabilities.
Best practices include consistent use of access rights for each role and assigning groups of users to roles.
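Controls 5 and 6 describe a periodic account review: find the accounts that should no longer exist or no longer be trusted, and strip permissions that go beyond what the account's role needs. The script below is an added example for this article, not code from CIS or from SpireTech. The directory export, the leavers list from HR, the role baseline and the thresholds (90 days dormant, 365 days credential age, ":admin" as the marker of an administrative permission) are all constructed assumptions.

```python
"""Account hygiene review for CIS Controls 5 and 6 (added example, constructed data)."""
from datetime import date

TODAY = date(2024, 6, 1)          # fixed review date so the sample run is reproducible
DORMANT_DAYS = 90                 # no login for this long -> dormant
MAX_CREDENTIAL_AGE_DAYS = 365     # credential unchanged for this long -> stale

# Constructed: what the directory reports for each account.
ACCOUNTS = [
    {"user": "alice", "role": "engineer", "enabled": True,
     "last_login": date(2024, 5, 30), "pw_changed": date(2024, 3, 1),
     "perms": {"repo:read", "repo:write"}},
    {"user": "bob", "role": "engineer", "enabled": True,
     "last_login": date(2023, 11, 2), "pw_changed": date(2022, 1, 15),
     "perms": {"repo:read", "repo:write", "prod:admin"}},
    {"user": "carol", "role": "finance", "enabled": True,
     "last_login": date(2024, 5, 29), "pw_changed": date(2024, 4, 10),
     "perms": {"erp:read", "erp:post"}},
    {"user": "svc-backup", "role": "service", "enabled": True,
     "last_login": date(2024, 5, 31), "pw_changed": date(2021, 6, 1),
     "perms": {"backup:write"}},
    {"user": "erin", "role": "finance", "enabled": False,
     "last_login": date(2023, 1, 1), "pw_changed": date(2022, 1, 1),
     "perms": {"erp:read"}},
]

# Constructed: HR's list of people who have left the organization.
LEAVERS = {"bob"}

# Constructed: the permissions each role is allowed (the Control 6 baseline).
ROLE_BASELINE = {
    "engineer": {"repo:read", "repo:write"},
    "finance": {"erp:read", "erp:post"},
    "service": {"backup:write"},
}


def review_accounts(accounts, leavers, baseline, today=TODAY):
    """Return sorted (severity, user, issue) tuples for every enabled account that
    violates the review rules."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account is already contained
        user = acct["user"]
        # Administrative accounts get top priority (Control 5): any finding on an
        # account holding an admin permission is rated high.
        severity = "high" if any(p.endswith(":admin") for p in acct["perms"]) else "medium"
        if user in leavers:
            findings.append((severity, user, "leaver_still_enabled"))
        if (today - acct["last_login"]).days > DORMANT_DAYS:
            findings.append((severity, user, "dormant"))
        if (today - acct["pw_changed"]).days > MAX_CREDENTIAL_AGE_DAYS:
            findings.append((severity, user, "stale_credential"))
        # Least privilege (Control 6): anything beyond the role's baseline is excess.
        extra = acct["perms"] - baseline.get(acct["role"], set())
        if extra:
            findings.append((severity, user, "excess_privilege:" + ",".join(sorted(extra))))
    return sorted(findings)


if __name__ == "__main__":
    for severity, user, issue in review_accounts(ACCOUNTS, LEAVERS, ROLE_BASELINE):
        print(f"[{severity}] {user}: {issue}")
```

In the sample run the departed engineer "bob" trips every rule at once, which is exactly the profile the article warns about: still enabled, dormant, an old password, and a production admin right his role never justified. The service account is flagged only for its credential age, a reminder that accounts "hidden in scripts" need rotation too.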
Control 7: Continuous Vulnerability Management
Adopt a process of identifying, prioritizing, documenting, and remediating weak points in an IT environment. The process involves continuously assessing and tracking vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate them and minimize the opportunities attackers have to exploit them.
A continuous vulnerability management process should consist of 4 components: Identification, Evaluation, Remediation and Reporting. For best IT hygiene, organizations need to identify all their proprietary code, third-party applications, sensitive data, open-source components and other digital assets. Then identify their weaknesses. Patch or otherwise address the weaknesses according to their priority.
Keep documentation of all vulnerabilities that are identified, the results of the evaluation, and progress updates.
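The four components named above (identification, evaluation, remediation, reporting) form a loop, and the part most teams get wrong is evaluation: a raw severity score is not a priority until it is combined with where the asset sits and whether the weakness is being exploited. The script below is an added example for this article, not code from CIS or from SpireTech. The findings, the tiering rules and the remediation deadlines per tier are constructed assumptions, and the identifiers are placeholders rather than real CVE numbers.

```python
"""Vulnerability prioritization and reporting loop for CIS Control 7.

Added example with constructed data; VULN-EXAMPLE-* are placeholder identifiers.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # fixed reporting date so the sample run is reproducible

# Identification: constructed findings as a scanner or code review might record them.
FINDINGS = [
    {"id": "VULN-EXAMPLE-1", "asset": "web-01", "cvss": 9.8, "internet_facing": True,
     "exploited_in_wild": True, "found": date(2024, 5, 20), "fixed": None},
    {"id": "VULN-EXAMPLE-2", "asset": "srv-db-01", "cvss": 7.5, "internet_facing": False,
     "exploited_in_wild": False, "found": date(2024, 4, 1), "fixed": date(2024, 4, 20)},
    {"id": "VULN-EXAMPLE-3", "asset": "laptop-17", "cvss": 4.3, "internet_facing": False,
     "exploited_in_wild": False, "found": date(2024, 3, 1), "fixed": None},
    {"id": "VULN-EXAMPLE-4", "asset": "web-01", "cvss": 6.1, "internet_facing": True,
     "exploited_in_wild": False, "found": date(2024, 5, 28), "fixed": None},
]

# Remediation policy (constructed): days allowed to fix, by priority tier.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def evaluate(finding):
    """Evaluation: combine severity with exposure and exploitation to get a tier.
    Known exploitation, or a critical score on an exposed host, always wins."""
    if finding["exploited_in_wild"] or (finding["cvss"] >= 9.0 and finding["internet_facing"]):
        return "critical"
    if finding["cvss"] >= 7.0 or (finding["cvss"] >= 4.0 and finding["internet_facing"]):
        return "high"
    if finding["cvss"] >= 4.0:
        return "medium"
    return "low"


def report(findings, today=TODAY):
    """Reporting: one row per finding with its tier, deadline and status, ordered so
    the first rows are the ones to work on next."""
    rows = []
    for f in findings:
        tier = evaluate(f)
        due = f["found"] + timedelta(days=SLA_DAYS[tier])
        if f["fixed"] is not None:
            status = "fixed_on_time" if f["fixed"] <= due else "fixed_late"
        elif today > due:
            status = "overdue"
        else:
            status = "open"
        rows.append({"id": f["id"], "asset": f["asset"], "priority": tier,
                     "due": due, "status": status})
    rows.sort(key=lambda r: (TIER_ORDER[r["priority"]], r["due"]))
    return rows


def summarize(rows):
    """Counts by status, the one-line figure that belongs in the progress update."""
    counts = {}
    for r in rows:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = report(FINDINGS)
    for r in rows:
        print(f"{r['priority']:8} {r['id']:15} {r['asset']:10} due {r['due']} {r['status']}")
    print(summarize(rows))
```

Note how the modest 6.1 finding on the internet-facing web server outranks the 4.3 on a laptop, and how the laptop finding is nevertheless overdue: a low-priority item still has a deadline, and the report should say so rather than letting it age silently.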
Control 8: Audit Log Management
Keep track of events that could point to an attack. Get in the habit of retaining and reviewing audit logs. A system log and an audit log will work together for a complete picture. The audit log keeps track of user-level events, such as time of logins, what files were accessed, what data was exfiltrated.
System logs are easier to start with: they record system-level events such as start and stop times, crashes, and whether a system is down. Logging is usually designed into these systems already.
Not only is this good information to have; sometimes an organization’s audit log and system log are the only evidence pointing toward an attack. Taking the time to observe this level of detail pays off in a big way.
Control 9: Email and Web Browser Protections
Think about protecting your organization’s email and web browsers. Web and email are where a user could click a link or interact with something malicious.
Web protections may come in the form of restrictions placed on users, pop-up blockers, or content filters. Email protection could include a tool that filters spam, scanning for malware at the email gateway, an encryption tool, and blocking suspicious senders.
Control 10: Malware Defenses
Malicious software, or malware, which includes viruses and Trojans, is a common tool used in attacks. Malware is often triggered through end-user behavior, like clicking malicious links, opening attached files, or installing software. Because malware is ever evolving, your system of protection needs to be updated as well.
Consider adopting malware protection that includes endpoint malware prevention and detection. These systems should be controlled from one central place and maintained across devices consistently.
Control 11: Data Recovery
Have a plan for data recovery. Have systems in place designed to restart organization operations if there is an incident. The goal here is to return assets, data, and organization to a pre-incident, secure state.
Attackers may set out to exfiltrate your data or compromise it. Regular, organized backups can mitigate the threat of data loss and reduce the impact of attacks such as ransomware. To help organizations achieve this goal, CIS recommends five safeguards, including establishing and maintaining a well-documented data recovery process for backup implementation and restoration.
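A backup is only a recovery plan if you know it restores intact, and ransomware operators know to encrypt or corrupt backups as well as live data. The script below is an added example for this article, not code from CIS or from SpireTech. It records a SHA-256 manifest when the backup is taken, verifies the backup copy against a trusted copy of that manifest, and refuses to restore anything that fails verification. The directory layout, the manifest format and the sample files are constructed assumptions.

```python
"""Backup with an integrity manifest and verified restore (added example, CIS Control 11)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source_dir, backup_dir):
    """Copy every file under source_dir into backup_dir/data and return a manifest
    mapping relative path -> SHA-256 digest. A copy is also written beside the data."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    manifest = {}
    for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(source_dir).as_posix()
        dest = backup_dir / "data" / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)  # hash the copy, so the manifest vouches for it
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_backup(backup_dir, manifest):
    """Compare the backup copy against a manifest held apart from it (offline or
    immutable storage); anyone who can alter the backup could alter a manifest
    stored next to it. Returns a list of (relative_path, problem)."""
    backup_dir = Path(backup_dir)
    problems = []
    for rel, expected in manifest.items():
        copy = backup_dir / "data" / rel
        if not copy.is_file():
            problems.append((rel, "missing"))
        elif sha256_file(copy) != expected:
            problems.append((rel, "modified"))
    return problems


def restore(backup_dir, manifest, target_dir):
    """Restore only a backup that verifies cleanly; returns the number of files restored."""
    problems = verify_backup(backup_dir, manifest)
    if problems:
        raise RuntimeError(f"refusing to restore, backup failed verification: {problems}")
    backup_dir, target_dir = Path(backup_dir), Path(target_dir)
    for rel in manifest:
        dest = target_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / "data" / rel, dest)
    return len(manifest)


def run_demo():
    """Constructed end-to-end run: back up two files, verify and restore them, then
    show that a tampered backup copy is detected and the restore is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp, "live")
        (live / "notes").mkdir(parents=True)
        (live / "ledger.csv").write_text("id,amount\n1,100\n")
        (live / "notes" / "a.txt").write_text("quarterly review")
        backup = Path(tmp, "backup")
        manifest = make_backup(live, backup)  # this return value is the trusted copy
        clean = verify_backup(backup, manifest)
        restored = restore(backup, manifest, Path(tmp, "restored"))
        # Simulate a ransomware-style overwrite of one file inside the backup copy.
        (backup / "data" / "ledger.csv").write_bytes(b"\x00" * 32)
        tampered = verify_backup(backup, manifest)
        try:
            restore(backup, manifest, Path(tmp, "restored2"))
            refused = False
        except RuntimeError:
            refused = True
        return {"files": len(manifest), "clean": clean, "restored": restored,
                "tampered": tampered, "refused": refused}


if __name__ == "__main__":
    print(run_demo())
```

The manifest returned by make_backup is what a real process would ship to a second location; verifying against the copy left beside the data proves only that both were untouched together. Running a restore of this kind on a schedule, not just when disaster strikes, is what turns a backup into the documented recovery process the control asks for.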
Control 12: Network Infrastructure Management
Actively managing and monitoring network devices will protect an organization’s network infrastructure. This includes tracking the status of all network devices and correcting any vulnerabilities that could be exploited by attackers. By implementing this control, an organization can improve its overall IT security and reduce the risk of cyber-attacks.
Control 13: Network Monitoring and Defense
Establish processes and tools to achieve and maintain comprehensive network monitoring and defense.
The goal of this control is to quickly identify suspicious traffic patterns or events so that threats can be detected before they result in a data breach or disrupt operations. To help organizations achieve this goal, consider centralizing security event alerting with a Security Information and Event Management (SIEM) solution to aggregate, correlate and analyze event log data from multiple systems and alert the right personnel about threats in real time.
Some organizations are unaware of when they are attacked. Proper network monitoring and defense will mitigate this issue.
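Control 8 gives you the audit records and Control 13 asks you to turn them into timely alerts; the value comes when events from different systems are correlated rather than read one at a time, which is what a SIEM does. The script below is an added example for this article, not code from CIS or from SpireTech. It parses a short, constructed syslog-style audit log, runs two detections (repeated login failures followed by a success, and an unusual volume of file reads), and then escalates a user who triggers both. The log format, the field names, the thresholds and the documentation-range IP addresses are all constructed assumptions.

```python
"""Audit-log detection and SIEM-style correlation (added example, CIS Controls 8 and 13)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: VPN authentication events and file-server reads.
LOG = """\
2024-06-01T02:14:01 auth  host=vpn-gw user=alice src=203.0.113.5 result=FAIL
2024-06-01T02:14:03 auth  host=vpn-gw user=alice src=203.0.113.5 result=FAIL
2024-06-01T02:14:05 auth  host=vpn-gw user=alice src=203.0.113.5 result=FAIL
2024-06-01T02:14:07 auth  host=vpn-gw user=alice src=203.0.113.5 result=FAIL
2024-06-01T02:14:09 auth  host=vpn-gw user=alice src=203.0.113.5 result=FAIL
2024-06-01T02:14:12 auth  host=vpn-gw user=alice src=203.0.113.5 result=OK
2024-06-01T02:16:40 file  host=fs-01 user=alice action=read path=/finance/q1.xlsx bytes=4200000
2024-06-01T02:16:41 file  host=fs-01 user=alice action=read path=/finance/q2.xlsx bytes=3900000
2024-06-01T02:16:42 file  host=fs-01 user=alice action=read path=/hr/salaries.csv bytes=900000
2024-06-01T09:05:00 auth  host=vpn-gw user=carol src=198.51.100.7 result=OK
2024-06-01T09:20:00 file  host=fs-01 user=carol action=read path=/finance/q1.xlsx bytes=4200000
2024-06-01T09:21:00 auth  host=vpn-gw user=dave src=198.51.100.9 result=FAIL
2024-06-01T09:21:30 auth  host=vpn-gw user=dave src=198.51.100.9 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>\w+)\s+(?P<rest>.*)$")
WINDOW = timedelta(minutes=10)   # correlation window for both rules
FAIL_THRESHOLD = 5               # failures within WINDOW before a success is suspicious
BULK_BYTES = 5_000_000           # bytes read within WINDOW that count as unusual here


def parse(log_text):
    """Turn each 'timestamp kind k=v k=v ...' line into a dict; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        fields = dict(kv.split("=", 1) for kv in match["rest"].split())
        fields["ts"] = datetime.fromisoformat(match["ts"])
        fields["kind"] = match["kind"]
        events.append(fields)
    return events


def detect_bruteforce(events):
    """Alert when a (user, source) pair fails FAIL_THRESHOLD times within WINDOW
    and then succeeds: a guessed or sprayed password rather than a typo."""
    alerts, recent = [], defaultdict(list)  # (user, src) -> recent failure times
    for e in (e for e in events if e["kind"] == "auth"):
        key = (e["user"], e["src"])
        failures = [t for t in recent[key] if e["ts"] - t <= WINDOW]
        if e["result"] == "FAIL":
            failures.append(e["ts"])
        elif e["result"] == "OK" and len(failures) >= FAIL_THRESHOLD:
            alerts.append({"rule": "bruteforce_then_success", "user": e["user"],
                           "src": e["src"], "ts": e["ts"], "failures": len(failures)})
        recent[key] = failures
    return alerts


def detect_bulk_read(events):
    """Alert once per user whose reads within WINDOW exceed BULK_BYTES."""
    alerts, reads, alerted = [], defaultdict(list), set()  # user -> [(ts, bytes)]
    for e in (e for e in events if e["kind"] == "file" and e["action"] == "read"):
        window = [(t, b) for t, b in reads[e["user"]] if e["ts"] - t <= WINDOW]
        window.append((e["ts"], int(e["bytes"])))
        reads[e["user"]] = window
        total = sum(b for _, b in window)
        if total > BULK_BYTES and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"rule": "bulk_read", "user": e["user"], "ts": e["ts"], "bytes": total})
    return alerts


def correlate(events):
    """SIEM-style correlation across the two sources: a user who got in after a burst
    of failures and then pulled an unusual volume of files is escalated."""
    alerts = detect_bruteforce(events) + detect_bulk_read(events)
    rules_by_user = defaultdict(set)
    for a in alerts:
        rules_by_user[a["user"]].add(a["rule"])
    for user, rules in rules_by_user.items():
        if {"bruteforce_then_success", "bulk_read"} <= rules:
            alerts.append({"rule": "suspected_account_compromise", "user": user, "severity": "high"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(LOG)):
        print(alert)
```

On the sample log, "dave" mistyping once and "carol" opening a single large spreadsheet produce nothing, while "alice" trips both rules at 2 a.m. and is escalated. Neither rule alone is conclusive; the combination is what is worth waking someone for, and without both the VPN and file-server logs feeding the same place the connection would never be made.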
Control 14: Security Awareness and Skills Training
Sometimes prevention is the best form of protection, especially when it comes to threats like malware, which usually hinge on end-user behavior. A program designed to educate and inform your employees is necessary. Then everyone will be working together toward a common goal of protection.
Annual training is not enough; effective training happens throughout the year, with updates to the training quarterly or more often. Threat actors change tactics and learn. They are constantly thinking of new ways to get into your business. Training needs to be current.
Control 15: Service Provider Management
Evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.
While reviewing the security of third parties has been a task performed for decades, there is no universal standard for assessing security. ISO 27001 or the CIS Controls are good places to get ideas.
Control 16: Application Software Security
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.
Modern IT environments typically include a wide range of applications: software developed in house, hosted software platforms, open-source tools and purchased solutions. Because these applications access sensitive systems, data and other IT assets, cybercriminals are eager to exploit them during attacks. CIS Control 16 offers application software security controls for strengthening your organization’s security posture.
Control 17: Incident Response Management
Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack. These preparations may include the creation of policies, plans, procedures, defined roles, training, and communications.
The primary goal of incident response is to identify threats to the enterprise, respond to them before they can spread, and remediate them before they can cause harm. Being prepared for an attack before it happens will reduce its harm.
Control 18: Penetration Testing
Test the strength of your system by mimicking an attack in a controlled environment. Pay attention to how people, processes, and technology perform under pressure. Any system, no matter how great, has weaknesses. Finding them before they are exploited will further secure an organization.
Penetration testing, done correctly, takes a lot of checks, time, and preparation, and it carries risks of its own. For those reasons, it’s best for experts and reputable vendors to conduct it.
The Larger Picture
Following these CIS Controls can be overwhelming. It may be tempting to put it off, believe your current system is good enough, or implement only half of them.
This is worth understanding and implementing. These are safeguards to protect an organization against cyberattacks. Consider this a self-actioned insurance; this is protecting against a worst-case scenario.
Here at SpireTech, we will help our clients establish these controls. With our assistance, we hope that adopting these controls becomes easier. Proper security, in our opinion, is a breath of fresh air.