The Center for Internet Security (CIS) offers a series of advisories for cybersecurity professionals. The advisories comprise of grouped actions that, when implemented, offer an effective defense-in-depth approach to a best practice security posture. In following the guidance of the CIS Controls, an organization can mitigate against the most common attacks on IT systems and networks.
One of the reasons why the CIS Controls are powerful is that they have been developed by the IT cybersecurity community itself. Years of direct, hands-on experience and knowledge of this community have helped to create the CIS Controls. The controls are not just a random, unconnected list of topics. Instead, the controls and associated sub-controls are designed to cover all levels of cybersecurity measures from basic through foundational and more advanced ‘organizational’ levels.
The Four Organizational Level Controls from CIS
No organization is safe from a cyber-attack unless it puts stringent and effective security measures in place. This position is borne out by ever-increasing sophisticated and complex attack types. Threats such as Advanced Persistent Threats (APTs), malware, phishing, and Distributed Denial of Service (DDoS) attacks, are now part of everyday corporate life. A roundtable held by Cybercrime Magazine looking at the situation offered this insight:
“Every American organization — in the public and private sector — has been or will be hacked, is infected with malware, and is a target of hostile nation-state cyber intruders” – former CIO at the United States Department of Agriculture (USDA).
The four CIS Organizational Controls guide the right technology and approach to maintain security within an aggressive cybersecurity climate.
Following on from the CIS Foundational Levels 7-16:
CIS Control 17: Implement a Security Awareness and Training Program
Being aware of the types of tricks and scams used to propagate cybersecurity attacks is an essential aspect of securing the enterprise. Now remote working has made security awareness for all employees an imperative. Research performed by Aberdeen Group alongside Proofpoint, found that 91% of enterprises use awareness training to reduce cybersecurity risk related to user behavior. Security awareness training is the 17th CIS Organizational Control. The control and sub-controls provide the framework to ensure that staff can help to prevent security scams and other remote work issues, including improving security hygiene.
Putting CIS Control 17 in place
There are nine sub-controls to deliver CIS Control 17:
17.1: Perform a skills gap: Know what employees know and need to know about security.
17.2: Deliver training to fill the skills gap: Connect employees to quality training opportunities from reputable education partners.
17.3: Implement a Security Awareness Program: Ensure the awareness training is deployed across the entire workforce performed at regular intervals.
17.4: Update awareness content frequently: Keep employees up to date with changes in the security threat landscape.
17.5: Train workforce on secure authentication: Employ robust authentication measures and explain why to staff as this is vital in preventing phishing.
17.6: Train workforce on identifying social engineering attacks: Train in areas such as phishing, impersonation scams, and Business Email Compromise (BEC).
17.7: Train workforce on sensitive data handling: Maintain a keen eye on data leaks and accidental exposure is vital for data privacy compliance and data leak prevention.
17.8: Train workforce on causes of unintentional data exposure: Train on security hygiene such as awareness of data lost carelessly, is an important aspect of security awareness.
17.9: Train workforce members on identifying and reporting incidents: Educate them on things like common indicators that an incident has or may occur.
CIS Control 18: Application Software Security
As cloud computing and remote working have taken off, the number of cloud-based apps and connected devices has soared. Application vulnerabilities across this large number of interconnected apps, operating systems, infrastructure, containers, cloud, platforms, and devices have led to increased exploits, cyber-attacks, and data breaches. The Open Web Application Security Project® (OWASP) maintains a list of the top ten security risks against applications, including cloud apps. Risks include injection flaws, broken authentication measures, and poor data protection. The 2020 Verizon Data Breach Investigations Report (DBIR) concurs with OWASP, finding that in 43% of data breaches, web applications were the target.
CIS Level 18 offers an understanding of typical risks and vulnerabilities in software applications and how to mitigate them.
Putting CIS Control 18 in place
CIS Control 18 has 11 sub-controls:
18.1: Establish secure coding practices: Secure coding is a practice encouraged by OWASP and others, these techniques are fundamental to creating secure apps (see also 18.6).
18.2: Ensure that explicit error checking is performed for all in-house developed software: Error checking should be a best practice in developing in-house apps.
18.3: Verify that acquired software is still supported: Ensure that third-party software is maintained.
18.4: Only use up-to-date and trusted third-party components: In line with 18.3 above, ensure that vulnerabilities do not enter via third-party products.
18.5: Use only standardized and extensively reviewed encryption algorithms: All encryption algorithm support should be for industry reviewed and standard encryption.
18.6: Ensure software development personnel are trained in secure coding: In line with 18.1 above, developers should understand the techniques involved in secure coding.
18.7: Apply static and dynamic code analysis tools: SAST (static) and DAST (dynamic) checks should be used when developing applications –static analysis checks the source code for security errors, and dynamic checks code while it is running.
18.8: Establish a process to accept and address reports of software vulnerabilities: Document the procedures on vulnerability reporting.
18.9: Separate production and non-production systems: Isolate systems as far as possible to manage and tackle vulnerabilities.
18.10: Deploy web application firewalls: Deploy a WAF as a fundamental tool in securing IT systems and services.
18.11: Use standard hardening configuration templates for databases: Use templates to ensure that configurations are replicated correctly.
CIS Control 19: Incident Response and Management
A Ponemon Institute study found that 31% of consumers will stop using a company if a data breach happens. Incidents are often devastating and include ransomware, DDoS, and data breaches. An organization needs to act fast to contain an incident, to prevent data loss, and keep business running. CIS Control 19 looks at the incident response infrastructure required to respond and manage all manners of cyber-attacks to mitigate their impact.
Putting CIS Control 19 in place
CIS Control 19 has eight sub-controls:
19.1: Document incident response procedures: Documentation is the keystone of incident response planning.
19.2: Assign job titles and duties for incident response: Record who does what in handling computer and network incidents as part of CIS documentation.
19.3: Designate management personnel to support incident handling: Assign specific trained personnel to incident handling.
19.4: Devise organization-wide standards for reporting incidents: Document standards for use across the organization when reporting incidents.
19.5: Maintain contact information for reporting security incidents: Establish a contact hierarchy to ensure security incident reporting is robust.
19.6: Publish information regarding reporting computer anomalies and incidents: Make incident and anomaly information publicly available, and use it as part of your security awareness events.
19.7: Conduct periodic incident scenario sessions for personnel: Conduct regular incident response exercises. This ensures that employees are ready and prepared if an incident occurs.
19.8: Create incident scoring and prioritization schema: Define risk scores to determine priorities and document these scores.
CIS Control 20: Penetration Tests and Red Team Exercises
Penetration testing is about checking the robustness of a system, including the underlying process, people, and technology. A Penetration test begins by identifying vulnerabilities. Pen testers will use the same types of hacking tactics as cybercriminals use, including social engineering, to test against these vulnerabilities. To get a feel for how many vulnerabilities exist, MITRE compiles a vulnerabilities database of known application issues. The list currently holds over 147,000 known vulnerabilities. Penetration testing helps to find known vulnerabilities and can uncover unknown ones too.
A Red Team is made up of security professionals who can test a system once the vulnerabilities have been found and fixed to make sure it is fully hardened against attack. Both penetration testing and red team checks should be performed regularly.
Putting CIS Control 20 in place
CIS Control 20 has eight sub-controls:
20.1: Establish a Penetration Testing program: Set up your Pen test program, making sure it is holistic and covers all aspects of the expanded network and includes remote work device use.
20.2: Conduct regular external and internal Penetration Tests: Carry out regular Pen tests to reflect the changing security landscape.
20.3: Perform periodic Red Team exercises: Use your Red Team to check the system strength and the responsiveness of the organization in the event of a successful cyber-attack.
20.4: Include tests for presence of unprotected system information and artifacts: Ensure Pen tests are holistic by including tests to look for unprotected system information and artifacts.
20.5: Create a test bed for elements not typically tested in production: Make sure to include elements such as SCADA and IoT devices that may not typically be included in Pen tests
20.6: Use vulnerability scanning and Penetration Testing tools in concert: U both types of tests together to provide better insight for Pen test teams.
20.7: Ensure results from Penetration Test are documented using open, machine-readable standards: Document all tests and make the results machine-readable, so they can be compared over time.
20.8: Control and monitor accounts associated with Penetration Testing: Monitor and check Pen test accounts to ensure they are used for legitimate purposes.
Research from CompTIA shows that only one-third of organizations believe their security understanding is high enough. These final four organizational level controls, which complete the 20 critical controls offered by the Center for Internet Security, can help bridge the security understanding gap.