The saying – with knowledge comes power – holds as much in cybersecurity as anywhere. A vital part of a cybersecurity professional’s job is to know the threats to the enterprise assets and the severity of the impact of those threats. The framework for actionable controls and security best practices from the Center for Internet Security (CIS) provides this know-how for cybersecurity practitioners.
CIS offers this framework through its advisories known as the CIS Controls® and CIS Benchmarks™.
Overall, the CIS Controls are derived from a framework that consists of 20 security controls and resources. This framework is organized into inter-related areas, from basic, through foundational, to organizational. The ten CIS Foundational Controls (CIS Controls 7-16) build on the six CIS Basic Controls (CIS Controls 1-6). Together they help an organization protect against common cyber-threats.
An overview of the ten foundational controls
The ten Foundational Controls offer tried and tested ways to prevent specific security threats, such as phishing and network exploits. Using the guidance in each is a positive move towards proactive security.
CIS Control 7: Email and Web Browser Protections
What is this? Cybercriminals are renowned for using human touchpoints, such as email and web browsers, for manipulating behavior to carry out an attack. This control is about reducing that attack surface.
Why is this important? Proofpoint research has found that 99% of cyber-attacks require human interaction to succeed. Emails and the Internet are trusted areas of technology that cybercriminals routinely use to trick users into performing actions, such as clicking on a malicious URL.
How to defend? Use only approved web browsers. Be aware of malicious extensions. Check for HTTPS connections and look for misspelled hostnames, e.g., m1crosoft.com. Keep the browser and other software patched and up to date. Use security measures such as email and content filtering. Deploy Domain-based Message Authentication, Reporting and Conformance (DMARC), which builds on the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) protocols. DMARC ties the SPF and DKIM results to the author (From) domain and lets the domain owner publish a policy telling recipients how to handle messages that fail authentication, adding another mechanism to prevent phishing.
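To show how the DMARC policy described above is actually applied by a receiving mail server, here is an added example (not code from the original article or from CIS) that parses a constructed DMARC TXT record for the hypothetical domain example.com, checks SPF/DKIM identifier alignment, and returns the disposition the domain owner asked for; the organizational-domain helper is a deliberate approximation and the pct= sampling tag is not modelled.

```python
from typing import Optional

# Constructed example DMARC TXT record for the hypothetical domain example.com
SAMPLE_DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    A production implementation must consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record: str, policy_domain: str, from_domain: str,
                      spf_pass_domain: Optional[str], dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass' if SPF or DKIM passed with an aligned identifier, otherwise the
    action the domain owner requested ('none', 'quarantine' or 'reject').
    spf_pass_domain:  MAIL FROM domain when SPF returned pass, else None.
    dkim_pass_domain: d= domain of a verified DKIM signature, else None.
    (The pct= sampling tag is not modelled here.)"""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # sp= governs subdomains of the policy domain; p= governs the domain itself
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")
```

The last case in the test below is the lookalike-domain situation: SPF passing for example-mail.com does not align with example.com, so the message is rejected despite a technically valid SPF result.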
CIS Control 8: Malware Defenses
What is this? The control for malware defenses is essential for preventing data exfiltration, theft of credentials, and ransomware.
Why is this important? AVTEST registers over 350,000 new malware and potentially unwanted applications (PUA) each day. One in fifty URLs is malicious. And to make matters worse, attackers now use malware that is fileless and polymorphic and, as such, more difficult to detect.
How to defend? Automated patching services can fix the vulnerabilities that malware typically exploits. Anti-virus and a host-based intrusion prevention system (HIPS) should be implemented.
CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
What is this? The CIS control addresses how to track, control, and correct operational use of ports, protocols, and services on networked devices to mitigate massive attack surfaces.
Why is this important? Many attacks now center on misconfigured services such as web servers and databases. Automatically installed file and cloud print services and Domain Name System (DNS) servers are also open to attack. According to the “Global Print Security Survey 2019,” 60% of organizations have had at least one print-based cyber-attack.
How to defend? Use port scanning to ensure only necessary ports, protocols, and services are running. Set alerts to notify if any unauthorized ports are detected.
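As an added example of the "only necessary ports and services" check above (not code from the original article or from CIS), the script below audits the listening TCP sockets of a host against a per-host baseline and produces alert-ready findings; the `ss -ltnp` output and the baseline are constructed for illustration, and the parser tolerates a header line because it only looks at LISTEN rows.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ss -ltnp` output for a hypothetical host
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1020,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1301,fd=5))
LISTEN 0 50 0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=2210,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
LISTEN 0 128 *:3389 *:* users:(("xrdp",pid=2500,fd=11))
"""

# Hypothetical baseline for this host: port -> (expected process, loopback_only)
BASELINE: Dict[int, Tuple[str, bool]] = {
    22: ("sshd", False),
    443: ("nginx", False),
    5432: ("postgres", True),   # database must never listen on a routable address
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROC_RE = re.compile(r'\(\("([^"]+)"')   # process name inside users:(("name",pid=...))


def parse_ss(output: str) -> List[Tuple[str, int, str]]:
    """Return (bind_address, port, process) for every LISTEN row of ss output."""
    sockets = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                                  # skips the header line too
        addr, _, port = fields[3].rpartition(":")     # handles "[::]:22" and "*:3389"
        match = PROC_RE.search(line)
        sockets.append((addr, int(port), match.group(1) if match else "?"))
    return sockets


def audit_listeners(output: str, baseline: Dict[int, Tuple[str, bool]]) -> List[str]:
    """Compare listening sockets with the baseline; each string is one alert."""
    findings = []
    for addr, port, proc in parse_ss(output):
        if port not in baseline:
            findings.append(f"UNAUTHORIZED port {port}/tcp bound to {addr} by {proc}")
            continue
        expected_proc, loopback_only = baseline[port]
        if proc != expected_proc:
            findings.append(f"UNEXPECTED process {proc} on {port}/tcp (expected {expected_proc})")
        if loopback_only and addr not in LOOPBACK:
            findings.append(f"EXPOSED port {port}/tcp bound to {addr}, baseline allows loopback only")
    return findings
```

Running it from a scheduler and forwarding any non-empty result to the SIEM gives the "alert on unauthorized ports" behaviour the control asks for.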
CIS Control 10: Data Recovery Capabilities
What is this? The control focuses on the tools used to back up information.
Why is this important? Disaster recovery is an integral part of a holistic cybersecurity strategy. Backups can be a vital tool in ransomware attacks to help continue business-as-usual by avoiding large ransoms.
How to defend? Deploy regular and automated backup systems. All critical systems should be backed up using imaging for fast recovery. Backup systems must be ransomware-proof.
CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
What is this? The control suggests security best practices to install, configure, and maintain networks, operating systems, infrastructure, containers, cloud, etc. over time.
Why is this important? Unencrypted protocols, default settings, unrestricted access, and other insecure configurations can open pathways that attackers can exploit.
How to defend? Use secure configuration benchmarks and best practices, including network vulnerability scanning, compliance scanning, robust security configurations, prompt patching, and multi-factor authentication (MFA) across network devices.
CIS Control 12: Boundary Defense
What is this? The control prescribes methods to allow access to enterprise assets without compromising security.
Why is this important? Network perimeters have been dissipating. In the Post-COVID era, enterprises must allow access from various device types and remote locations to keep business running. All of this expands the attack surface.
How to defend? A layered approach and Zero Trust (ZT) security are required for the complexities of the modern enterprise IT infrastructure, including IP blocking, user and entity behavior analytics (UEBA), and robust authentication to control access. ZT security assumes no implicit trust is granted to assets or user accounts based solely on their physical or network location.
CIS Control 13: Data Protection
What is this? The control is about preventing data exfiltration, mitigation of the impact of exfiltrated data, and maintaining the privacy and security of data.
Why is this important? Data is accessed and shared via cloud-based IT infrastructures in a highly fluid manner. Data can be easily exfiltrated or accidentally exposed without the right measures in place.
How to defend? Monitor networks and users using User and Entity Behavioral Analytics (UEBA). Data Loss Prevention settings can be utilized for cloud platforms such as GSuite and Office 365 to protect data. If using external hard drives and other removable media, where possible, keep an inventory and enable logging on data exports.
CIS Control 14: Controlled Access Based on the Need to Know
What is this? The control suggests setting up least-privilege access rights on a need-to-know basis.
Why is this important? Credential misuse is behind 74% of data breaches.
How to defend? Use a Zero Trust approach to access control. Segment areas on the network. Use robust authentication measures such as MFA. Allow access on a need-to-know basis only.
CIS Control 15: Wireless Access Control
What is this? The control deals with securing wireless local area networks (WLANs), access points, and wireless client systems.
Why is this important? Wireless networks have inherent vulnerabilities. COVID-19 has worsened the situation, as employees may connect from insecure WLANs (e.g., coffee shops).
How to defend? Create wireless security policies applicable to remote workers and non-employees. Use the Advanced Encryption Standard (AES) to encrypt wireless data in transit. Add ZT tenets such as traffic monitoring and encryption by treating Wi-Fi as insecure.
CIS Control 16: Account Monitoring and Control
What is this? The control is to protect against account takeover through proactive monitoring and control.
Why is this important? Compromised accounts tend to be of those users who have not logged in for more than 90 days.
How to defend? Disable all accounts not used for a specified period. Enforce the use of MFA. Monitor account activity using user behavior analytics and ZT principles, and block suspicious account activity.
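An added example (not code from the original article or from CIS) of the "disable accounts not used for a specified period" step, using the 90-day figure cited above as the limit: it runs over a constructed directory export and also covers the edge case of accounts that were provisioned but never logged in, which a naive last-logon check would silently skip.

```python
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=90)   # the period cited above

# Constructed sample directory export: (username, created, last_logon, enabled)
SAMPLE_ACCOUNTS = [
    ("alice",      "2022-01-10", "2024-05-01", True),
    ("bob",        "2021-06-15", "2023-11-20", True),
    ("svc-backup", "2020-03-01", "2024-04-28", True),
    ("carol",      "2024-01-05", None,         True),   # provisioned, never used
    ("dave",       "2024-04-20", None,         True),   # new hire, not yet logged in
    ("erin",       "2019-09-09", "2022-02-02", False),  # already disabled
]
NOW = datetime(2024, 5, 15, tzinfo=timezone.utc)        # fixed "today" for the sample


def parse_date(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO date string from the export; None stays None (no logon recorded)."""
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc) if value else None


def stale_accounts(accounts, now: datetime, limit: timedelta = INACTIVITY_LIMIT) -> List[Tuple[str, str]]:
    """Return (username, reason) for every enabled account idle longer than `limit`.
    Accounts with no logon at all are measured from their creation date, so a
    forgotten provisioned account is caught rather than skipped."""
    flagged = []
    for user, created, last_logon, enabled in accounts:
        if not enabled:
            continue                      # nothing to do, already disabled
        last = parse_date(last_logon)
        idle = now - (last or parse_date(created))
        if idle > limit:
            why = "never logged in" if last is None else "no logon"
            flagged.append((user, f"{why} for {idle.days} days"))
    return flagged
```

The returned list is the input to whatever disables the account in your directory; feeding it to a ticketing or SOAR workflow rather than disabling blindly lets a reviewer exclude the rare legitimate long-idle account.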
Conclusion
CIS Foundational Controls offer a series of best practices that provide know-how and measures to shore up your corporate security. By implementing the controls, you will de-risk your enterprise operations and put a protective layer around data and IT systems.