As companies rely more heavily on digital assets for critical operations, and cyber attackers continually advance their malicious agendas, the need for strong cybersecurity controls has heightened. While advanced security programs and technology play an important role in combating these attacks, the majority of these growing risks can be reduced through fundamentally basic security controls. For example, it’s been reported that 60 percent of cybersecurity breaches leveraged a known vulnerability that simply hadn’t been patched yet. Patching is a common best practice, like many basic security controls, that can help organizations avoid the majority of the attacks threatening them today.
To help provide a straightforward list of security fundamentals for organizations, the Center for Internet Security (CIS) created a list of 20 controls organized in progressing tiers of (1) basic, (2) foundational, and (3) organizational. These controls serve as a recommended starting point that companies can refer to as they work to set a secure foundation for combating cyber threats against the enterprise.
Like a junior athlete looking to become the next all-star player, building a solid foundation and understanding the ins and outs of the cybersecurity game are imperative. The “basic” level of CIS controls is a critical milestone for every company looking to get into the game and grow into a mature enterprise security posture.
The Six Basics of CIS Controls
The CIS framework has consolidated the knowledge of cybersecurity experts into a set of advisories. At the basic level, there are six controls, and each contains a number of sub-controls that set out the baseline of a solid cybersecurity approach. The CIS Basic Controls are:
- Inventory and Control of Hardware Assets: You can’t protect what you don’t know is there. Knowing what hardware assets an organization has under its control will allow those assets to be mapped to a risk level. This then informs the required protection measures and security decisions.
- Inventory and Control of Software Assets: Software control can pose a challenge in today’s enterprises where employees leverage SaaS applications, personal devices, and more across the IT infrastructure. In addition, risks due to insecure configurations, unmanaged software assets, and more, all stem from a lack of control over software assets. It’s important to document and control software assets.
- Continuous Vulnerability Management: Software and hardware vulnerabilities offer a constant source of opportunity for cybercriminal exploitation, which can result in data breaches and other devastating attacks on IT resources. Vulnerabilities are not only common; new ones appear on a regular basis. In 2019, there were 12,174 vulnerabilities recorded in popular software products. To manage vulnerabilities, you need to apply continuous monitoring to the IT ecosystem. This allows an organization to identify, remediate, and minimize vulnerabilities and, thus, cyber-attack opportunities. Businesses often rely on security experts to help actively monitor an extended IT ecosystem and to identify and remediate vulnerabilities.
- Controlled Use of Administrative Privileges: Cyber-attackers often target administrator accounts for their privileged access to databases and other important assets. The 2020 Insider Threat Report found that 63% of respondents believed that privileged users were the biggest insider risk in their organization. The discipline of Privileged Access Management (PAM) can help alleviate this risk.
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers: Insecure setup and misconfiguration are two key risk areas in an enterprise. An example of how devastating a misconfiguration can be was the recent exposure of over 1 million U.S. student records because of an insecure Elasticsearch database. Secure configuration across all enterprise assets is a fundamental requirement for protection against attacks.
- Maintenance, Monitoring, and Analysis of Audit Logs: Visibility and insight into what is happening on a network is paramount. This is gained from data obtained through monitoring and logging system events and can help support everything from threat detection to incident response.
Next Level CIS Controls
Once the basics are understood, an organization can move into more focused and specialized areas. CIS takes organizations and their cybersecurity teams into more advanced areas under the banners of:
Foundational CIS Controls
Foundational CIS Controls focus on the defense measures used to mitigate vulnerabilities. For example, one of the controls is “data protection.” The mitigation measures used to protect data across an expanded enterprise network cover many areas, including:
- Securing a cloud infrastructure against cyber-attacks
- Vulnerability scanning to help identify where an attack could occur
- Data loss prevention (DLP) methodologies and specialist tools
- Security tools, including firewalls, endpoint protection, and more.
With over 15 billion data records exposed in 2019, this area of cybersecurity is essential to understand.
Organizational CIS Controls
Cyber threat response and mitigation need to be supported with policy, procedure, and awareness. Organizational CIS Controls take an organization to the next level in response. They cover the areas of security awareness training, penetration testing, incident response and management, and application software security.
Together, the CIS Controls cover all aspects of building a secure enterprise.
Achieve CIS basics through Implementation Groups (IGs)
Once the recommendations are understood, how do you implement and use these controls effectively? CIS suggests that an organization implement the controls using CIS Implementation Groups (IGs).
IGs are a classification system that allows an organization to map its level of expertise and capability against control choice and application. Using this system helps an organization apply the controls more effectively.
Implementation Groups (IGs):
Each of the three IGs builds upon the previous:
- IG1: This covers smaller organizations with little internal cybersecurity expertise or bandwidth. The sensitivity of their data is low.
- IG2: This applies to enterprises with medium-level resources and some internal cybersecurity expertise. They have some sensitive client or company data to protect.
- IG3: This applies to larger organizations that are typically targeted in advanced attacks.
Mapping IGs to Security Frameworks
The discipline of cybersecurity is strengthened through the development and use of industry policies and frameworks. The IGs can be mapped to a number of these frameworks to strengthen, enhance, and build upon the controls.
FedRAMP applies to U.S. government organizations as they move operations to the cloud. The framework covers infrastructure security requirements. Moderate security controls under FedRAMP cover many aspects of access control to assets. Applying the CIS controls helps with FedRAMP compliance.
Mapping CIS controls against Cybersecurity Maturity Model Certification (CMMC) controls can help improve security posture and compliance with industry requirements. For example, CIS control 2, sub-control 2.1 “Maintain Inventory of Authorized Software” maps to several CMMC controls, because understanding your asset inventory is fundamental to any security program.
The NIST Computer Security Framework (NIST-CSF) maps closely to the CIS Controls. For example, framework requirement “DE.CM-8” expects that an organization “Perform Authenticated Vulnerability Scanning”; this maps to CIS control 3, which requires continuous vulnerability management.
Implementation of the CIS controls helps establish compliance with many security frameworks, not just those mentioned here.
Building a solid cybersecurity foundation is an important sport for organizations of all sizes. Just as a player on an all-star basketball team needs a committed and diligent understanding of the fundamentals of the game, cybersecurity requires diligence. To become a star player, you must first master the basics.
Having a solid knowledge of the basics in cybersecurity gives an enterprise the capability to prevent and respond to attacks, and allows for informed choices in technology solutions. Though navigating these control frameworks can be complex, understanding security controls at a basic level is a great starting point. Once that’s understood, having a solid security services partner helps make it easier to deliver enterprise security needs.