CIS Critical Security Controls

The CIS Critical Security Controls specify and recommend the actions organizations should take to improve the security of their critical infrastructure.

Although organizations are taking preventative measures and securing their networks, systems are still being compromised on a regular basis. Strengthening your cyber defenses with the CIS Critical Security Controls is recommended. These controls are a set of blueprints that prioritize a small number of actions that help detect and respond to 60-70% of the attacks seen today. This short list consists of effective, high-priority defensive actions that every organization can take to improve its cyber defenses.

The 20 CIS Critical Security Controls include:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Email and Web Browser Protections
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols, and Services
  10. Data Recovery Capability
  11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Security Skills Assessment and Appropriate Training to Fill Gaps
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

The top five CIS Critical Security Controls and how to apply them:

CSC 1: Actively manage and monitor hardware devices so that only authorized devices gain access to the network, reducing the chance that an attacker exploits vulnerable and unauthorized systems. Hardware devices include any device with an IP address, such as printers, Voice over IP phones, servers, mobile devices, and mainframes. To apply CSC 1 successfully, identify all devices, keep an inventory list, and keep that list constantly updated.

CSC 2: Identify unauthorized and unprotected software and prevent it from executing; this also increases your visibility by allowing you to locate unauthorized software. To apply CSC 2 successfully, identify and list all authorized software and deploy tools to manage that software. Regularly manage all software through scanning and updating, ensuring the latest version is installed.
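Both CSC 1 and CSC 2 come down to the same check: compare what is actually observed against the approved inventory and flag the differences. The script below is an added illustration, not CIS's own tooling; it assumes a dnsmasq-style DHCP lease file as the device observation source and `dpkg-query -W` style "name version" lines as the software observation source, with all sample data constructed inline.

```python
# Added illustrative example (not CIS tooling): reconcile what is observed against
# an approved inventory, for CSC 1 (devices) and CSC 2 (software). Formats assumed.

# Constructed sample: approved hardware inventory keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "print-server-1",
    "aa:bb:cc:00:00:02": "voip-phone-lobby",
    "aa:bb:cc:00:00:03": "mainframe-gateway",
}
# Constructed sample: dnsmasq-style DHCP leases ("<expiry> <mac> <ip> <hostname> <client-id>").
DHCP_LEASES = """\
1700000000 AA:BB:CC:00:00:01 10.0.0.11 print-server-1 *
1700000000 aa:bb:cc:00:00:02 10.0.0.12 voip-lobby *
1700000000 de:ad:be:ef:00:99 10.0.0.77 unknown-laptop *
"""
# Constructed sample: approved packages and the version the baseline expects.
AUTHORIZED_SOFTWARE = {"openssh-server": "1:9.2p1-2", "nginx": "1.22.1-9"}
# Constructed sample: installed packages in `dpkg-query -W` style ("<name> <version>").
INSTALLED_SOFTWARE = """\
openssh-server 1:9.2p1-2
nginx 1.18.0-6
netcat-traditional 1.10-47
"""

def parse_dhcp_leases(text):
    """Return {mac: (ip, hostname)}; MACs are lower-cased so case differences cannot hide a match."""
    observed = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 4:
            observed[parts[1].lower()] = (parts[2], parts[3])
    return observed

def parse_packages(text):
    """Return {package: version} from 'name version' lines."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip())

def reconcile(authorized, observed):
    """Keys seen but not approved (unauthorized) and approved but not seen (stale inventory)."""
    unauthorized = sorted(set(observed) - set(authorized))
    missing = sorted(set(authorized) - set(observed))
    return unauthorized, missing

def outdated_packages(authorized, installed):
    """Approved packages whose installed version differs from the baseline version."""
    return sorted(p for p, v in installed.items() if p in authorized and authorized[p] != v)

if __name__ == "__main__":
    installed = parse_packages(INSTALLED_SOFTWARE)
    print("devices:", reconcile(AUTHORIZED_DEVICES, parse_dhcp_leases(DHCP_LEASES)))
    print("software:", reconcile(AUTHORIZED_SOFTWARE, installed), outdated_packages(AUTHORIZED_SOFTWARE, installed))
```

The "missing" list matters as much as the "unauthorized" one: an approved device that never shows up means the inventory itself is stale, which is exactly the drift the control asks you to keep correcting.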

CSC 3: Establish secure configurations through thorough configuration management of the hardware and software on laptops, workstations, and servers, to prevent the exploitation of vulnerable services and settings. To apply CSC 3 successfully, determine a baseline for secure configurations; CIS security configuration guidelines are available for free ( ). Build a secure standard image for all systems in your organization and maintain configuration checklists for the different classes of systems.

CSC 4: Regularly identify vulnerabilities reported by security professionals to reduce the chance of an attack. Run vulnerability scanning tools, such as CIS-CAT Pro ( ), on all systems on a regular basis. Running these tools shows how secure your configurations are, provides a log for the target system, and identifies the assets in your network.

CSC 5: Use tools and processes to protect your organization's information and assets on all devices (computers, networks, phones, and tablets) against attackers both inside and outside the organization. Set policies to manage all user accounts and keep an inventory of all users. Limit the number of administrative accounts so that your organization's private information does not fall into the wrong hands. Also, use multi-factor authentication and require complex passwords to maintain control over your systems. Never use common passwords or share passwords; either makes it easier for attackers to steal information. Lastly, administrators' computers should be separated from the rest of the network.

Tools for the implementation of the CIS Controls can be found at: