The Center for Internet Security has created a comprehensive list of recommendations for any entity looking to increase its cyber defense.

The controls focus on tasks rather than on who manages the devices. You can download the comprehensive list here where you will find more details, safeguards, and definitions. To save you time, we have summarized each control below. 

CIS Control 1: Inventory and Control of Enterprise Assets 

The first control emphasizes that an enterprise must actively manage all assets connected to its infrastructure. To achieve this goal, it is crucial to thoroughly understand these assets. Furthermore, you should determine the most effective ways to monitor them. This approach ensures comprehensive oversight and protection. After all, you can’t protect what you don’t know you have.

Consequently, some recommended safeguards are: 

  • Maintain Asset Inventory 
  • Use Asset Discovery Tools
  • Address Unauthorized Assets
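One way to act on the "Address Unauthorized Assets" safeguard is to reconcile what discovery tools see on the network against the maintained inventory. The script below is an added example, not code from CIS or from the original post; the inventory and discovery records in it are constructed sample data.

```python
# Added example (not from the CIS document or the original post): reconcile
# discovery results against an authorized asset inventory, as Control 1's
# safeguards describe. All records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str          # MAC address, normalized to lowercase with colons
    hostname: str
    owner: str = ""   # blank for discovered-but-unknown devices


def normalize_mac(mac: str) -> str:
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:...' forms."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Constructed inventory: what the enterprise believes it owns.
INVENTORY = [
    Asset("00:11:22:33:44:55", "fileserver01", "IT Ops"),
    Asset("00:11:22:33:44:66", "laptop-alice", "Finance"),
    Asset("00:11:22:33:44:77", "printer-2f", "Facilities"),
]

# Constructed discovery output, e.g. from an ARP or DHCP lease sweep.
DISCOVERED = {
    "00-11-22-33-44-55": "fileserver01",
    "0011.2233.4466": "laptop-alice",
    "de:ad:be:ef:00:01": "raspberrypi",   # present on the wire, not in inventory
}


def reconcile(inventory, discovered):
    """Return (unauthorized, missing): devices seen but not inventoried, and
    inventoried devices not seen on the network (possibly lost or removed)."""
    known = {a.mac: a for a in inventory}
    seen = {normalize_mac(m): h for m, h in discovered.items()}
    unauthorized = [Asset(m, h) for m, h in seen.items() if m not in known]
    missing = [a for m, a in known.items() if m not in seen]
    return unauthorized, missing


if __name__ == "__main__":
    bad, gone = reconcile(INVENTORY, DISCOVERED)
    for a in bad:
        print(f"UNAUTHORIZED {a.mac} ({a.hostname}): quarantine or enroll")
    for a in gone:
        print(f"NOT SEEN {a.mac} ({a.hostname}, owner {a.owner}): verify")
```

Both lists feed the inventory process: unauthorized devices are removed, quarantined or enrolled, and unseen inventory entries are confirmed or retired.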

CIS Control 2: Inventory and Control of Software Assets 

Maintaining a complete software inventory is crucial for protecting against cyberattacks. Often, attackers exploit vulnerabilities in unpatched or outdated software. Therefore, it’s important to regularly update and patch any vulnerable software. Additionally, all unauthorized and unmanaged software should be prevented from being used.

As a result, some recommended safeguards are:

  • Establish and Maintain Software Inventory 
  • Ensure Authorized Software is Currently Supported 
  • Utilize Automated Software Inventory Tools

CIS Control 3: Data Protection 

Sensitive data is kept in different places including the cloud and portable end-user devices. This data may also be shared between partners or online services across the globe. Managing data appropriately is essential to safeguard against ransomware and other cyberattacks. 

Some recommended safeguards are: 

  • Establish and Maintain Data Management and Inventory Processes
  • Encrypt Data on Removable Media and Sensitive Data in Transit
  • Deploy a Data Loss Prevention Solution

CIS Control 4: Secure Configuration of Enterprise Assets and Software 

When assets and software come straight from the manufacturer, they often come with presets for ease of deployment. These default configurations are not ideal for security. Enterprises should establish and maintain secure configurations of assets and software. 

Some recommended safeguards are: 

  • Configure Automatic Session Locking on Enterprise Assets 
  • Implement and Manage a Firewall on Servers and End-User Devices 
  • Separate Enterprise Workspaces on Mobile End-User Devices

CIS Control 5: Account Management

This control recommends using processes and tools to manage authorization and credentials for all accounts linked to enterprise assets and software. By implementing these measures, you can mitigate the risk of unauthorized access. For instance, attackers often exploit valid user credentials to gain unauthorized access. Such credentials may include weak passwords, accounts of former employees, dormant test accounts, and similar vulnerabilities.

Administrative accounts are hot-ticket items for attackers because they allow them to add other accounts and make changes to assets.

Some recommended safeguards are: 

  • Establish and Maintain an Inventory of Accounts 
  • Disable Dormant Accounts 
  • Restrict Administrator Privileges 

CIS Control 6: Access Control Management 

Just like CIS Control 5, Control 6 also focuses on managing the access levels of the accounts mentioned above. Specifically, this means that the data someone can access should only align with what’s appropriate for their role. Therefore, processes and tools should be employed to create, assign, manage, and, when necessary, revoke access credentials.

Some recommended safeguards are:

  • Establish Access Granting and Revoking Process
  • Require MFA for:
    • Externally-Exposed Applications 
    • Remote Network Access
    • Administrative Access
  • Define and Maintain Role-Based Access Control

CIS Control 7: Continuous Vulnerability Management 

Managing vulnerabilities is a constant task. Enterprises should prioritize vulnerabilities based on their potential impact and then implement a management system for them. A plan should be developed to continuously assess and track vulnerabilities. All enterprise assets, as well as public and private industry sources of vulnerability information, need to be monitored.

Some recommended safeguards are: 

  • Establish and Maintain a Vulnerability Management and Remediation Process
  • Perform Automated Operating System Patch Management 
  • Remediate Detected Vulnerabilities 

CIS Control 8: Audit Log Management 

This control, as quoted directly from the CIS, states: ‘Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.’

As a result, some recommended safeguards are:

  • Establish and Maintain an Audit Log Management Process
  • Collect Audit Logs, DNS Query Audit Logs, URL Request Audit Logs, and Command-Line Audit Logs
  • Conduct Audit Log Reviews

CIS Control 9: Email and Web Browser Protections 

A common way attackers find their way into an enterprise is through direct contact with a person. They use tactics such as phishing and Business Email Compromise to engage with email users within the enterprise. 

Some recommended safeguards are: 

  • Ensure the Use of Only Fully Supported Browsers and Email Clients
  • Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
  • Deploy and Maintain Email Server Anti-Malware Protections

CIS Control 10: Malware Defenses 

Malicious software, or malware, can become a significant threat by entering through vulnerabilities within the enterprise. For example, several possible entry points for malware include email attachments, webpages, cloud services, and more. Therefore, malware defenses should be implemented and managed regularly.

Therefore, some recommended safeguards are:

  • Deploy and Maintain Anti-Malware Software 
  • Configure Automatic Anti-Malware Signature Updates 
  • Centrally Manage Anti-Malware Software 

CIS Control 11: Data Recovery 

After an incident, it’s crucial to be able to recover data quickly and effectively. With ransomware on the rise, enterprises must have a data recovery plan. This should restore the assets to the pre-incident state. 

Some recommended safeguards are: 

  • Establish and Maintain a Data Recovery Process
  • Perform Automated Backups 
  • Protect and Test Data Recovery 

CIS Control 12: Network Infrastructure Management 

Network Infrastructure Management involves taking inventory, tracking, and correcting network devices to prevent attacks. By maintaining a comprehensive overview of your network devices, you can proactively address vulnerabilities and ensure robust security.

As a result, some recommended safeguards are:

  • Ensure Network Infrastructure is Up-to-Date 
  • Securely Manage Network Infrastructure 
  • Centralize Network Authentication, Authorization, and Auditing (AAA)

CIS Control 13: Network Monitoring and Defense 

Cyber attackers are constantly evolving. As technology advances, so do they. This is why continuous monitoring of your network is crucial to your cybersecurity. It is recommended that you operate processes and use tools to monitor your network to defend against security threats. 

Some recommended safeguards are: 

  • Centralize Security Event Alerting 
  • Deploy a Host-Based and Network Intrusion Detection Solution
  • Perform Traffic Filtering Between Network Segments

CIS Control 14: Security Awareness and Skills Training 

Employee training is essential for ensuring cybersecurity within your enterprise. Although security programs are important, they alone will not keep an enterprise safe. Instead, employees must be trained and made aware of potential threats. In fact, the CIS suggests that annual training is insufficient. Therefore, there should be frequent and updated training on various topics related to cybersecurity.

Consequently, some recommended safeguards are:

  • Train Workforce Members on:
    • Causes of Unintentional Data Exposure
    • Recognizing and Reporting Security Incidents 
    • Identifying and Reporting if Their Enterprise Assets Are Missing Security Updates
    • Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
  • Conduct Role-Specific Security Awareness and Skills Training

CIS Control 15: Service Provider Management 

If you rely on third-party infrastructure, it is essential to develop a process to ensure that those service providers are adequately protecting your platforms and data. By implementing such a process, you can verify that external providers meet your security standards and mitigate potential risks.

Therefore, some recommended safeguards are:

  • Establish and Maintain an Inventory of Service Providers and a Service Provider Management Policy
  • Classify, Assess, and Monitor Service Providers 
  • Securely Decommission Service Providers

CIS Control 16: Application Software Security 

Applications are user-friendly tools to manage data for business functions. If the application has an insecure design, coding mistake, or weak authentication, it can become vulnerable to an attack. These software applications must be managed during their life cycle. Weaknesses should be detected and fixed before they hurt the enterprise. 

So, some recommended safeguards are: 

  • Establish and Maintain a Secure Application Development Process
  • Perform Root Cause Analysis on Security Vulnerabilities
  • Separate Production from Non-Production Systems 

CIS Control 17: Incident Response Management 

Policies and procedures with defined roles and training should be established in case of an incident. A clear response plan helps guide your team through an incident. 

Therefore, some recommended safeguards are: 

  • Designate Personnel to Manage Incident Handling
  • Assign Key Roles and Responsibilities
  • Conduct Post-Incident Reviews 

CIS Control 18: Penetration Testing 

A penetration test helps identify potential weaknesses by simulating an attack. Through these tests, vulnerabilities are revealed, and it’s determined whether the correct safeguards have been implemented.

As a result, some recommended safeguards are:

  • Establish and Maintain a Penetration Testing Program 
  • Perform Periodic External Penetration Tests 
  • Remediate Penetration Test Findings

Concluding Thoughts

These CIS 18 Critical Security Controls are highly recommended for implementation at your enterprise. They are incredibly important measures to ensure safety against a cyber attack. 

Their importance doesn’t negate the fact that they are extensive and time-consuming to implement. 

Thankfully, vTECH io has a highly experienced staff to assist you. We have established relationships with the best cybersecurity solution providers. Our amazing team will help build comprehensive and layered protection for your organization.

If you want a safer, more secure network, partner with vTECH io today. Click HERE to set up a call now!