How to Implement CIS Controls to Connect With Confidence

CIS is short for the Center for Internet Security, an independent non-profit organization dedicated to creating confidence in the connected world. In practice this means establishing and documenting internet-related security controls, best practices, and standards. By knowing how to implement CIS Controls, you’ll be hardening your cybersecurity using some of the best advice that exists.

CIS Controls® is one of the organization’s flagship initiatives and has already gone through numerous revisions with v7.1 being the latest available version. This document describes best practices for organizations to implement to improve their cyber defenses. It provides actionable advice that security experts can take to assess and improve their current security state.

CISOs, IT security experts, compliance auditors, and more use the CIS Controls to:

  • Leverage the battle-tested expertise of the global IT community to defend against cyber attacks
  • Focus security resources based on proven best practices, not on any one vendor’s solution
  • Organize an effective cybersecurity program according to Implementation Groups

In a business world that has accelerated into remote working environments, controls like these are more important than ever. LIFARS Remote Worker Cyber Resilience Service uses Gap Analysis testing as well as remediation guidance for your remote work cyber infrastructure – protecting remote workers from cyber-attacks.

While CIS Controls is definitely a must-read for all security-minded organizations and professionals, it is a hefty 76-page document. To help you get started, we’ll provide some practical advice on how you can successfully implement CIS Controls:

Classify Your Organization

The latest version focuses more heavily on Implementation Groups (IGs), which help organizations classify themselves and focus their security resources and expertise using CIS Controls:

[Image: CIS CONTROLS_V7 (Implementation Group classification table)]

In the documentation, you can find more criteria to help self-classify. And, throughout the document, you’ll find helpful mappings for which controls are especially needed for your group.

Step #1: Inventory and Control of Hardware Assets

Attackers continuously scan the networks of potential victims, waiting to detect vulnerable or unprotected systems to exploit. Ensuring security coverage across your network starts with clear visibility of all your assets. This inventory must be maintained on a continual basis, because come-and-go devices such as laptops and smartphones are particularly sought-after targets: they may be out of sync with the rest of your networked assets.

Organizations need to actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
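As an added example (not part of the original article or of the CIS Controls document), the following Python script reconciles a constructed list of observed devices, such as one parsed from DHCP leases or a switch MAC table, against a constructed authorized inventory. It separates the three cases the control cares about: devices on the network that nobody authorized, authorized devices that have not checked in recently (the out-of-sync laptops mentioned above), and inventoried devices that have never been observed. The MAC addresses, owners, timestamps and the 30-day staleness threshold are all assumptions made for illustration.

```python
"""Reconcile observed network devices against an authorized hardware inventory
(CIS Control 1). Added example; all data below is constructed."""
from datetime import datetime, timedelta

# Constructed authorized inventory: MAC -> (owner, asset tag). In practice this
# comes from your CMDB / asset register.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": ("alice", "LT-0001"),
    "aa:bb:cc:00:00:02": ("bob", "LT-0002"),
    "aa:bb:cc:00:00:03": ("server-room", "SRV-0010"),
}

# Constructed observations as a discovery job might produce them
# (MAC, IP, last-seen timestamp), e.g. from DHCP leases or an ARP/MAC table.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.0.0.11", "2024-05-01T09:00:00"),
    ("aa:bb:cc:00:00:02", "10.0.0.12", "2024-03-01T09:00:00"),  # laptop not seen for weeks
    ("DE:AD:BE:EF:00:99", "10.0.0.77", "2024-05-01T08:45:00"),  # not in inventory
]


def reconcile(authorized, observed, now_iso, stale_after=timedelta(days=30)):
    """Return the unauthorized, stale and never-seen devices as sorted MAC lists.

    MACs are normalised to lower case so that a vendor's upper-case output
    still matches the inventory.
    """
    now = datetime.fromisoformat(now_iso)
    seen = {mac.lower(): (ip, datetime.fromisoformat(ts)) for mac, ip, ts in observed}

    unauthorized = sorted(mac for mac in seen if mac not in authorized)
    stale = sorted(
        mac for mac, (_, last_seen) in seen.items()
        if mac in authorized and now - last_seen > stale_after
    )
    never_seen = sorted(mac for mac in authorized if mac not in seen)
    return {"unauthorized": unauthorized, "stale": stale, "never_seen": never_seen}


def report(result):
    """Turn the reconciliation result into actionable one-line findings."""
    lines = []
    for mac in result["unauthorized"]:
        lines.append(f"BLOCK   {mac}: not in inventory, quarantine via NAC/802.1X")
    for mac in result["stale"]:
        lines.append(f"REVIEW  {mac}: authorized but not seen recently, may be out of sync")
    for mac in result["never_seen"]:
        lines.append(f"LOCATE  {mac}: in inventory but never observed on the network")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(AUTHORIZED, OBSERVED, "2024-05-01T10:00:00")):
        print(line)
```

In a real deployment the observed list is refreshed by a scheduled discovery job, and the BLOCK results feed a NAC or 802.1X policy rather than a printout; the stale list is the one to hand to whoever owns patching, since those devices are the ones most likely to have missed updates.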

Step #2: Inventory and Control of Software Assets

Software systems are under similar threat, for similar reasons, as networked hardware. Attackers are continually looking for vulnerable software, or particularly vulnerable versions of that software, to exploit. Insecure software can also be exploited via hostile web pages, document files, media files, and other content distributed via attackers’ own web pages or via otherwise trustworthy third-party sites.

Step #3: Continuous Vulnerability Management

Once you’ve properly inventoried all your hardware and software assets and systems, you need to continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.

For example, new versions of software are frequently released, and while they may come with patches for previously known vulnerabilities, they may introduce entirely new ones. That’s why you should keep up with the latest software updates, patches, security advisories, and threat bulletins such as 0-day alerts. This gives you the chance to proactively address flaws or vulnerabilities before they are exploited in the wild.
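Steps #2 and #3 fit together naturally in code: once you have a software inventory, matching it against incoming advisories is what turns "continuous vulnerability management" from a slogan into a prioritized work list. The following Python example is added here and is not from the original article or from CIS; the inventory, the approved-software list, the advisory entries (with placeholder identifiers of the form ADV-EXAMPLE-nnnn) and the severity ranking are all constructed. It also shows one concrete pitfall: comparing version strings lexically, which orders "1.9.0" after "1.20.1" and would silently miss a vulnerable install.

```python
"""Match a software inventory against vulnerability advisories
(CIS Controls 2 and 3). Added example; all data below is constructed."""
from datetime import date

# Constructed inventory: (host, package, installed version)
INVENTORY = [
    ("web01", "nginx", "1.18.0"),
    ("web02", "nginx", "1.25.3"),
    ("db01", "postgresql", "12.4"),
    ("app01", "openssl", "3.0.2"),
    ("app01", "legacy-cms", "2.1"),   # not on the approved software list
]

# Constructed approved-software list (Control 2): anything else is unauthorized.
APPROVED = {"nginx", "postgresql", "openssl"}

# Constructed advisories (Control 3); identifiers are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "nginx", "fixed_in": "1.20.1",
     "severity": "high", "published": "2024-04-01"},
    {"id": "ADV-EXAMPLE-0002", "package": "openssl", "fixed_in": "3.0.8",
     "severity": "critical", "published": "2024-04-20"},
    {"id": "ADV-EXAMPLE-0003", "package": "postgresql", "fixed_in": "12.2",
     "severity": "medium", "published": "2024-03-15"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_tuple(version):
    """Turn '1.20.1' into (1, 20, 1) so versions compare numerically.

    Plain string comparison gets this wrong: '1.9.0' > '1.20.1' as strings,
    so a lexical check would declare 1.9.0 fixed when it is not.
    """
    return tuple(int(part) for part in version.split("."))


def unapproved_software(inventory, approved):
    """Control 2: installs of software that is not on the approved list."""
    return sorted({(host, pkg) for host, pkg, _ in inventory if pkg not in approved})


def vulnerable_installs(inventory, advisories, today_iso):
    """Control 3: installs older than an advisory's fixed version, ordered by
    severity and then by how long the advisory has been public (the window of
    opportunity the text describes)."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, pkg, ver in inventory:
        for adv in advisories:
            if adv["package"] != pkg:
                continue
            if version_tuple(ver) < version_tuple(adv["fixed_in"]):
                exposed = (today - date.fromisoformat(adv["published"])).days
                findings.append({
                    "host": host, "package": pkg, "installed": ver,
                    "advisory": adv["id"], "severity": adv["severity"],
                    "days_exposed": exposed,
                })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], -f["days_exposed"]))
    return findings


if __name__ == "__main__":
    for host, pkg in unapproved_software(INVENTORY, APPROVED):
        print(f"UNAPPROVED {host}: {pkg}")
    for f in vulnerable_installs(INVENTORY, ADVISORIES, "2024-05-01"):
        print(f"{f['severity'].upper():8} {f['host']} {f['package']} {f['installed']} "
              f"< fixed ({f['advisory']}), public for {f['days_exposed']} days")
```

Real package ecosystems have version schemes that a simple dotted-integer split cannot parse (epochs, pre-release tags, distribution revisions); for those, use the version-comparison library of the ecosystem in question rather than extending `version_tuple`.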

Step #4: Controlled Use of Administrator Privileges

This step involves the processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Attackers often aim to incrementally unlock higher privileges on a network in order to access more sensitive information or cause more damage. Enacting the principle of least privilege, tracking privileged access to ensure only the correct individuals hold it, and enforcing strong login practices (passwords, MFA, SSO, etc.) on administrator accounts are just some of the controls that can be implemented to minimize the threat.
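The tracking part of this step is something you can automate against a directory export. The Python below is an added example, not code from the article or from CIS; the account records, the "Domain Admins" group name, the approval register and the 90-day dormancy threshold are constructed for illustration. For every member of the privileged group it checks the four things the paragraph above asks for: is the membership approved, is MFA enforced, is the account a dedicated admin account rather than a day-to-day user or service account, and is it still in use.

```python
"""Audit privileged-group membership against an approval register
(CIS Control 4). Added example; all data below is constructed."""
from datetime import date

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "alice", "groups": ["Domain Admins"], "mfa": True,
     "last_login": "2024-04-30", "type": "admin"},
    {"user": "bob", "groups": ["Domain Admins"], "mfa": False,
     "last_login": "2024-04-29", "type": "admin"},
    {"user": "svc-backup", "groups": ["Domain Admins"], "mfa": False,
     "last_login": "2023-11-02", "type": "service"},
    {"user": "carol", "groups": ["Users"], "mfa": True,
     "last_login": "2024-04-30", "type": "user"},
    {"user": "dave", "groups": ["Users", "Domain Admins"], "mfa": True,
     "last_login": "2024-04-30", "type": "user"},
]

# Constructed approval register: who is allowed in the privileged group.
APPROVED_ADMINS = {"alice", "bob"}


def audit_privileged(accounts, approved, group, today_iso, dormant_days=90):
    """Return sorted (user, finding) pairs for every member of `group`.

    Findings:
      unapproved-membership        - in the group without an approval record
      mfa-not-enforced             - privileged account without MFA
      non-dedicated-admin-account  - a user or service account holding admin rights
      dormant-privileged-account   - no login for more than `dormant_days`
    """
    today = date.fromisoformat(today_iso)
    findings = []
    for acct in accounts:
        if group not in acct["groups"]:
            continue
        user = acct["user"]
        if user not in approved:
            findings.append((user, "unapproved-membership"))
        if not acct["mfa"]:
            findings.append((user, "mfa-not-enforced"))
        if acct["type"] != "admin":
            findings.append((user, "non-dedicated-admin-account"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((user, "dormant-privileged-account"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_privileged(ACCOUNTS, APPROVED_ADMINS,
                                          "Domain Admins", "2024-05-01"):
        print(f"{user:12} {finding}")
```

Run on a schedule and diffed against the previous run, the output doubles as a change-detection feed: a user appearing in the group between two runs without a matching approval is exactly the kind of incremental privilege gain the paragraph warns about.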

Step #5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

Default device and software configurations are often geared for ease of deployment and ease of use – not necessarily security. With a proper inventory in place, these potential weaknesses can be tracked and policies/best practices enacted to address them.
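A configuration baseline only helps if something checks hosts against it and corrects drift. The Python below is an added example, not code from the article or from CIS, using an SSH daemon configuration as the concrete case: it parses a constructed `sshd_config` that still carries ease-of-use defaults, reports every directive that differs from a baseline, and rewrites the file so the baseline values are set explicitly. The baseline values are illustrative hardening choices made here, not quoted from a CIS Benchmark, and the sample file is constructed.

```python
"""Check an sshd_config against a hardening baseline and correct drift
(CIS Control 5). Added example; baseline and sample file are constructed."""
import re

# Constructed sshd_config as it might look on a freshly installed host.
SAMPLE_SSHD_CONFIG = """\
# Managed by example
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
X11Forwarding yes
MaxAuthTries 6
"""

# Illustrative baseline: directive -> required value. Directive names in
# sshd_config are case-insensitive, so comparisons below are case-folded.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PubkeyAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# A directive line: name, whitespace, value. Comment lines do not match
# because the first character must be a letter.
DIRECTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s+(.+?)\s*$")


def parse_config(text):
    """Return {directive_lower: value} using the first occurrence of each
    directive, which is the one sshd honours when a directive is repeated."""
    settings = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE.match(line)
        if m:
            settings.setdefault(m.group(1).lower(), m.group(2))
    return settings


def check_baseline(text, baseline):
    """Return (directive, expected, actual) for every drift; actual is None
    when the directive is not set explicitly (commented out or absent)."""
    settings = parse_config(text)
    drift = []
    for directive, expected in baseline.items():
        actual = settings.get(directive.lower())
        if actual is None or actual.lower() != expected.lower():
            drift.append((directive, expected, actual))
    return drift


def apply_baseline(text, baseline):
    """Return the config with every baseline directive set explicitly:
    existing active lines are rewritten in place, missing ones are appended,
    and commented-out lines are left untouched as documentation."""
    remaining = {k.lower(): (k, v) for k, v in baseline.items()}
    out = []
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if m and m.group(1).lower() in remaining:
            name, value = remaining.pop(m.group(1).lower())
            out.append(f"{name} {value}")
        else:
            out.append(line)
    for name, value in remaining.values():
        out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SAMPLE_SSHD_CONFIG, BASELINE):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
    print("--- hardened ---")
    print(apply_baseline(SAMPLE_SSHD_CONFIG, BASELINE), end="")
```

Treating an absent directive as drift (rather than trusting the daemon's default) is deliberate: defaults change between versions, and a baseline that relies on them cannot be verified by reading the file. When you do need the effective configuration including defaults, `sshd -T` prints it, and the same `check_baseline` function can be run over that output.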

Step #6: Maintenance, Monitoring and Analysis of Audit Logs

Shortcomings in how we collect, analyze, and log activity can lead to security blind spots as well as the inability to properly respond to incidents. Security experts need to properly collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.

Often, attacks are only detected days, weeks, or even months after they have occurred. In these cases, logs are the only source of information to track the damage, the techniques used, and other forensic information to be used in damage mitigation and tracing.
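Analysis is the part of this step most often skipped: logs are collected and then never read until an incident forces it. The Python below is an added example, not code from the article or from CIS, that runs two simple detections over a constructed syslog-style SSH authentication log: a burst of failed logins from one source inside a short window, and a successful login from a source that had just been failing. The log lines, hostnames, addresses (documentation ranges), thresholds and the assumed log year are all constructed.

```python
"""Detect suspicious login patterns in authentication logs (CIS Control 6).
Added example; the log lines and thresholds below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log in OpenSSH/syslog style. Syslog timestamps carry
# no year, so one is supplied when parsing.
SAMPLE_LOG = """\
May  1 09:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
May  1 09:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.5 port 51001 ssh2
May  1 09:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
May  1 09:00:07 web01 sshd[1204]: Failed password for root from 203.0.113.5 port 51003 ssh2
May  1 09:00:09 web01 sshd[1205]: Failed password for root from 203.0.113.5 port 51004 ssh2
May  1 09:00:12 web01 sshd[1206]: Accepted password for root from 203.0.113.5 port 51005 ssh2
May  1 09:15:00 web01 sshd[1300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
May  1 09:15:20 web01 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
May  1 10:00:00 web01 sshd[1400]: Accepted publickey for bob from 192.0.2.9 port 42000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text, year=2024):
    """Parse sshd auth lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, **{k: m[k] for k in ("host", "result", "method", "user", "src")}})
    return events


def detect(events, threshold=5, window=timedelta(minutes=5), min_prior=3):
    """Return findings of two kinds:
      brute-force             - `threshold` failures from one source within `window`
      success-after-failures  - a success preceded by >= `min_prior` failures from
                                the same source within `window`
    `min_prior` keeps a single mistyped password followed by a login from
    showing up as a finding."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        fails = [e["ts"] for e in evs if e["result"] == "Failed"]
        # Sliding window over failure timestamps: report the first burst only.
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                findings.append({"type": "brute-force", "src": src, "user": None,
                                 "count": threshold, "at": fails[i]})
                break
        for e in evs:
            if e["result"] != "Accepted":
                continue
            prior = sum(1 for t in fails if e["ts"] - window <= t < e["ts"])
            if prior >= min_prior:
                findings.append({"type": "success-after-failures", "src": src,
                                 "user": e["user"], "count": prior, "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in detect(parse(SAMPLE_LOG)):
        print(f"{f['at']:%H:%M:%S} {f['type']:24} src={f['src']} user={f['user']} count={f['count']}")
```

The second detection is the more valuable one for the forensic situation the paragraph describes: a burst of failures is noise on any internet-facing host, but a success from the same source shortly afterwards is where an investigation starts, and it is only recoverable if the audit log was kept.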

Conclusion

These are just the basics of implementing some of the top controls and practices to help secure your connected business today. With the internet becoming an indispensable part of operating in any field, businesses need any advantage they can find to stay ahead of the numerous threats that await them. While these are just the basics, comprehensively securing your networked systems can be made easier and more effective working with a trusted security partner.