The Center for Internet Security has created a comprehensive list of recommendations for any entity looking to increase its cyber defense.

The controls are broken down based on task, rather than who manages the devices. You can download the comprehensive list here where you will find more details, safeguards, and definitions. To save you time, we have summarized each control below. 

CIS Control 1: Inventory and Control of Enterprise Assets 

The first control states that an enterprise should actively manage ALL assets connected to the infrastructure. There should be a thorough understanding of these assets and how they should be monitored. You can’t protect what you don’t know you have. 

Some recommended safeguards are: 

  • Maintain Asset Inventory 
  • Use Asset Discovery Tools
  • Address Unauthorized Assets

CIS Control 2: Inventory and Control of Software Assets 

A complete software inventory is essential to protecting against cyberattacks. Attackers often find vulnerabilities in unpatched or outdated software, so it is important to update and patch any vulnerable software. Unauthorized and unmanaged software should be prevented from running. 

Some recommended safeguards are: 

  • Establish and Maintain Software Inventory 
  • Ensure Authorized Software is Currently Supported 
  • Utilize Automated Software Inventory Tools
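As an added example covering both Control 1 and Control 2 (this code is not part of the original post or of the CIS publication), the script below reconciles the output of a discovery tool against an authorized asset inventory and checks installed software against vendor support-end dates. All asset records, software names and dates are constructed sample data; the MAC-address keying and the field names are assumptions of this example.

```python
"""Reconcile discovered assets and installed software against an authorized
inventory. Added example for CIS Controls 1 and 2; all data is constructed."""
from datetime import date

# Constructed authorized asset inventory (Control 1), keyed by MAC address.
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fs-01", "owner": "infra"},
    "aa:bb:cc:00:00:02": {"hostname": "ws-alice", "owner": "alice"},
}

# Constructed output of an asset discovery tool (DHCP leases or a network scan).
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.10"},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.21"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.0.77"},  # not in the inventory
]

# Constructed software inventory (Control 2): authorized product -> support end.
SUPPORT_END = {
    "example-ssl 3.0": date(2026, 9, 7),
    "legacy-erp 4": date(2022, 12, 31),
}

# Constructed list of what an automated software inventory tool actually found.
INSTALLED = [
    {"host": "fs-01", "product": "example-ssl 3.0"},
    {"host": "ws-alice", "product": "legacy-erp 4"},
    {"host": "ws-alice", "product": "shadow-tool 1.2"},  # not in the inventory
]


def unauthorized_assets(discovered, authorized):
    """Return discovered devices whose identifier is absent from the inventory."""
    return [d for d in discovered if d["mac"] not in authorized]


def review_software(installed, support_end, today):
    """Split installed software into 'unsupported' (past vendor support end)
    and 'unknown' (not in the authorized inventory at all)."""
    unsupported, unknown = [], []
    for entry in installed:
        end = support_end.get(entry["product"])
        if end is None:
            unknown.append(entry)
        elif end < today:
            unsupported.append(entry)
    return unsupported, unknown


if __name__ == "__main__":
    today = date(2024, 1, 1)  # fixed date so the constructed run is reproducible
    for d in unauthorized_assets(DISCOVERED, AUTHORIZED_ASSETS):
        print(f"unauthorized asset: {d['mac']} at {d['ip']}")
    unsupported, unknown = review_software(INSTALLED, SUPPORT_END, today)
    for e in unsupported:
        print(f"unsupported software: {e['product']} on {e['host']}")
    for e in unknown:
        print(f"unauthorized software: {e['product']} on {e['host']}")
```

Two caveats a practitioner would attach to this: a MAC address is a weak identifier that an attacker can change, so a real inventory should key on something stronger (a hardware-backed device identity or an agent enrolment) and treat MAC as a hint only; and an "unknown" software entry is not automatically malicious, but it is by definition unmanaged, which is exactly what Control 2 asks you to find.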

CIS Control 3: Data Protection 

Sensitive data is kept in different places including the cloud and portable end-user devices. This data may also be shared between partners or online services across the globe. Managing data appropriately is essential to safeguard against ransomware and other cyberattacks. 

Some recommended safeguards are: 

  • Establish and Maintain Data Management and Inventory Processes
  • Encrypt Data on Removable Media and Sensitive Data in Transit
  • Deploy a Data Loss Prevention Solution

CIS Control 4: Secure Configuration of Enterprise Assets and Software 

When assets and software come straight from the manufacturer, they often come with presets for ease of deployment. These default configurations are not ideal for security. Enterprises should establish and maintain secure configurations of assets and software. 

Some recommended safeguards are: 

  • Configure Automatic Session Locking on Enterprise Assets 
  • Implement and Manage a Firewall on Servers and End-User Devices 
  • Separate Enterprise Workspaces on Mobile End-User Devices

CIS Control 5: Account Management

This control recommends using processes and tools to manage authorization to credentials for all accounts linked to enterprise assets and software. 

It is easier for an attacker to gain unauthorized access by using valid user credentials. These credentials may include weak passwords, accounts of people who left the enterprise, dormant or lingering test accounts, etc.

Administrative accounts are hot-ticket items for attackers because they allow them to add other accounts and make changes to assets. 

Some recommended safeguards are: 

  • Establish and Maintain an Inventory of Accounts 
  • Disable Dormant Accounts 
  • Restrict Administrator Privileges 
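The review below is an added example, not code from the original post or from CIS: it walks a constructed directory export and produces the three lists Control 5 asks for, enabled accounts that are dormant, accounts holding administrative group membership, and the overlap of the two, which is the set to act on first. The 45-day threshold, the group names and the account records are assumptions of this example; substitute your own policy and directory fields.

```python
"""Review an account inventory for dormant and administrative accounts
(CIS Control 5). Added example; all account data is constructed."""
from datetime import date, timedelta

DORMANT_AFTER_DAYS = 45  # assumed policy threshold; set to your own policy
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}  # assumed group names

# Constructed directory export: last_login None means no recorded login.
ACCOUNTS = [
    {"name": "alice", "enabled": True, "last_login": date(2024, 3, 1),
     "groups": ["staff"]},
    {"name": "bob", "enabled": True, "last_login": date(2023, 11, 2),
     "groups": ["staff", "Domain Admins"]},
    {"name": "svc-backup", "enabled": True, "last_login": None,
     "groups": ["Backup Operators"]},
    {"name": "test-qa", "enabled": True, "last_login": date(2023, 6, 15),
     "groups": ["staff"]},
    {"name": "carol", "enabled": False, "last_login": date(2022, 1, 1),
     "groups": ["staff"]},
]


def dormant_accounts(accounts, today, threshold_days=DORMANT_AFTER_DAYS):
    """Enabled accounts with no login within the threshold (or no login at all).
    Disabled accounts are already handled and are skipped."""
    cutoff = today - timedelta(days=threshold_days)
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def admin_accounts(accounts, admin_groups=ADMIN_GROUPS):
    """Enabled accounts that are members of at least one administrative group."""
    return sorted(
        a["name"] for a in accounts
        if a["enabled"] and admin_groups & set(a["groups"])
    )


def review_accounts(accounts, today):
    """Combine both checks; a dormant administrative account is the top finding."""
    dormant = dormant_accounts(accounts, today)
    admins = admin_accounts(accounts)
    return {
        "dormant": dormant,
        "admins": admins,
        "dormant_admins": sorted(set(dormant) & set(admins)),
    }


if __name__ == "__main__":
    for key, names in review_accounts(ACCOUNTS, date(2024, 3, 15)).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

Service accounts that authenticate non-interactively (the constructed `svc-backup` here) often show no last login even while in daily use, so the dormant list is a queue for review and disablement, not a list to delete blindly; the point of the inventory is that every such account has a known owner who can answer the question.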

CIS Control 6: Access Control Management 

Similar to CIS Control 5, Control 6 focuses on managing what access the above accounts have. This means the data someone has access to should only be what’s appropriate for their role. Processes and tools should be used to create, assign, manage and revoke access credentials. 

Some recommended safeguards are: 

  • Establish Access Granting and Revoking Process
  • Require MFA for: 
    • Externally-Exposed Applications 
    • Remote Network Access
    • Administrative Access
  • Define and Maintain Role-Based Access Control

CIS Control 7: Continuous Vulnerability Management 

Managing vulnerabilities is a constant task. Enterprises should prioritize vulnerabilities based on potential impact and put a management process in place to continuously assess, track, and remediate them. All enterprise assets need to be monitored, and public and private industry sources should be followed for new threat information.

Some recommended safeguards are: 

  • Establish and Maintain a Vulnerability Management and Remediation Process
  • Perform Automated Operating System Patch Management 
  • Remediate Detected Vulnerabilities 
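To make "prioritize based on potential impact" concrete, here is an added example (not from the original post or from CIS) that tiers constructed scanner findings by severity, escalates the tier when an asset is internet-facing or a working exploit is publicly known, and then tracks each finding against a remediation deadline for its tier. The scoring rule, the deadlines and the findings are all assumptions of this example.

```python
"""Rank vulnerability findings by potential impact and track remediation
deadlines (CIS Control 7). Added example; scores, SLAs and findings are constructed."""
from datetime import date, timedelta

# Assumed remediation deadlines in days per tier; set these to your own policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
TIER_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scanner output; ids and scores are illustrative only.
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "cvss": 9.8, "internet_facing": True,
     "exploit_known": True, "detected": date(2024, 3, 1)},
    {"id": "F-2", "asset": "db-01", "cvss": 7.5, "internet_facing": False,
     "exploit_known": False, "detected": date(2024, 1, 10)},
    {"id": "F-3", "asset": "ws-alice", "cvss": 4.3, "internet_facing": False,
     "exploit_known": False, "detected": date(2023, 10, 1)},
    {"id": "F-4", "asset": "vpn-01", "cvss": 6.5, "internet_facing": True,
     "exploit_known": False, "detected": date(2024, 3, 10)},
]


def priority(finding):
    """CVSS sets the baseline; exposure and a known exploit each push it up.
    The +1.0 adjustments are an assumed, deliberately simple weighting."""
    score = finding["cvss"]
    if finding["internet_facing"]:
        score += 1.0
    if finding["exploit_known"]:
        score += 1.0
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def remediation_plan(findings, today, sla_days=SLA_DAYS):
    """Return findings ordered by tier, then by due date, each flagged if overdue."""
    plan = []
    for f in findings:
        tier = priority(f)
        due = f["detected"] + timedelta(days=sla_days[tier])
        plan.append({"id": f["id"], "asset": f["asset"], "tier": tier,
                     "due": due, "overdue": due < today})
    plan.sort(key=lambda p: (TIER_ORDER[p["tier"]], p["due"]))
    return plan


if __name__ == "__main__":
    for item in remediation_plan(FINDINGS, date(2024, 3, 15)):
        flag = "OVERDUE" if item["overdue"] else "on track"
        print(f"{item['id']} {item['asset']:<9} {item['tier']:<8} due {item['due']} {flag}")
```

Note that the lower-severity finding on an internet-facing VPN gateway ends up in the same tier as a higher-scored finding on an internal database; that is the intended effect of weighting by exposure rather than by CVSS alone, and the "overdue" flag is what turns the list into something a remediation process can be measured against.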

CIS Control 8: Audit Log Management 

This control is quoted directly from the CIS: “Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.”

Some recommended safeguards are: 

  • Establish and Maintain an Audit Log Management Process
  • Collect Audit Logs, DNS Query Audit Logs, URL Request Audit Logs, and Command-Line Audit Logs
  • Conduct Audit Log Reviews
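The following is an added example of a simple audit log review (it is not code from the original post or from CIS) run over a handful of constructed command-line audit log lines. It parses the lines, refuses to silently skip records it cannot parse, and then applies two review rules: privileged commands run by accounts outside the administrator list, and interactive activity outside business hours. The log format, the administrator list, the business-hours window and the `svc-` naming convention for service accounts are all assumptions of this example.

```python
"""Parse and review constructed command-line audit log lines (CIS Control 8).
Added example; the log format and all records are constructed."""
import re
from collections import Counter
from datetime import datetime, timezone

# Assumed line format: "<ISO timestamp> host=<name> user=<name> cmd=\"<command>\"".
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-15T09:02:11Z host=fs-01 user=root cmd="systemctl restart smbd"
2024-03-15T09:15:40Z host=ws-alice user=alice cmd="git pull"
2024-03-15T02:13:07Z host=ws-alice user=alice cmd="sudo journalctl -u sshd"
2024-03-15T03:00:00Z host=fs-01 user=svc-backup cmd="restic backup /srv/data"
2024-03-15T14:22:09Z host=fs-01 user=bob cmd="sudo systemctl restart smbd"
malformed line without fields
"""

ADMINS = {"root", "bob"}          # assumed list of accounts allowed to use sudo
BUSINESS_HOURS = range(8, 18)     # assumed 08:00-17:59 UTC
PRIVILEGE_CMDS = {"sudo", "su", "doas"}


def parse_log(text):
    """Return (events, unparsed_count). Unparsed lines are counted, not dropped,
    because a gap in the record is itself a finding for a log review."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
            tzinfo=timezone.utc)
        events.append(ev)
    return events, unparsed


def is_privileged(cmd):
    """True when the command starts with a privilege-switching wrapper."""
    parts = cmd.split()
    return bool(parts) and parts[0] in PRIVILEGE_CMDS


def review(events, admins=ADMINS, hours=BUSINESS_HOURS):
    """Apply the review rules and summarise activity per account."""
    findings = {"privileged_by_non_admin": [], "off_hours": [],
                "commands_per_user": Counter()}
    for ev in events:
        findings["commands_per_user"][ev["user"]] += 1
        if is_privileged(ev["cmd"]) and ev["user"] not in admins:
            findings["privileged_by_non_admin"].append(ev)
        # Service accounts (assumed 'svc-' prefix) legitimately run overnight jobs.
        if ev["ts"].hour not in hours and not ev["user"].startswith("svc-"):
            findings["off_hours"].append(ev)
    return findings


if __name__ == "__main__":
    events, unparsed = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} events, {unparsed} unparsable line(s)")
    result = review(events)
    for ev in result["privileged_by_non_admin"]:
        print(f"privileged command by non-admin: {ev['ts']} {ev['user']}: {ev['cmd']}")
    for ev in result["off_hours"]:
        print(f"off-hours activity: {ev['ts']} {ev['user']}: {ev['cmd']}")
    print("commands per user:", dict(result["commands_per_user"]))
```

The two rules are deliberately ordinary; the value of a log review is less in any single rule than in the fact that the logs are collected centrally, retained, and actually read against a known list of who is allowed to do what. The same structure extends naturally to the DNS query and URL request logs the control also calls for.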

CIS Control 9: Email and Web Browser Protections 

A common way attackers find their way into an enterprise is through direct contact with a person. They use tactics such as phishing and Business Email Compromise to engage with email users within the enterprise. 

Some recommended safeguards are: 

  • Ensure the Use of Only Fully Supported Browsers and Email Clients
  • Restrict Unnecessary or Unauthorized Browser and Email Client Extensions
  • Deploy and Maintain Email Server Anti-Malware Protections

CIS Control 10: Malware Defenses 

Malicious software or malware can become a threat by entering through vulnerabilities within the enterprise. There are several possible entry points for malware including email attachments, webpages, cloud services, etc. Malware defenses should be implemented and managed regularly. 

Some recommended safeguards are: 

  • Deploy and Maintain Anti-Malware Software 
  • Configure Automatic Anti-Malware Signature Updates 
  • Centrally Manage Anti-Malware Software 

CIS Control 11: Data Recovery 

After an incident, it’s crucial to be able to recover data quickly and effectively. With ransomware on the rise, it is important that enterprises have a data recovery plan. This should restore the assets to the pre-incident state. 

Some recommended safeguards are: 

  • Establish and Maintain a Data Recovery Process
  • Perform Automated Backups 
  • Protect and Test Data Recovery 

CIS Control 12: Network Infrastructure Management 

Network Infrastructure Management means taking inventory, tracking, and correcting network devices to prevent an attack. 

Some recommended safeguards are: 

  • Ensure Network Infrastructure is Up-to-Date 
  • Securely Manage Network Infrastructure 
  • Centralize Network Authentication, Authorization, and Auditing (AAA)

CIS Control 13: Network Monitoring and Defense 

Cyber attackers are constantly evolving. As technology advances, so do they. This is why continuous monitoring of your network is crucial to your cybersecurity. It is recommended that you operate processes and use tools to monitor your network and defend against security threats. 

Some recommended safeguards are: 

  • Centralize Security Event Alerting 
  • Deploy a Host-Based and Network Intrusion Detection Solution
  • Perform Traffic Filtering Between Network Segments

CIS Control 14: Security Awareness and Skills Training 

Employee training is a must for ensuring cybersecurity for your enterprise. Security programs by themselves will not keep an enterprise safe. Employees must be trained and made aware of potential threats. The CIS suggests that annual training is not enough. There should be frequent and updated training on different topics related to cybersecurity. 

Some recommended safeguards are: 

  • Train Workforce Members on: 
    • Causes of Unintentional Data Exposure
    • Recognizing and Reporting Security Incidents 
    • Identifying and Reporting Enterprise Assets That Are Missing Security Updates 
    • Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks
  • Conduct Role-Specific Security Awareness and Skills Training

CIS Control 15: Service Provider Management 

If you rely on third-party infrastructure, develop a process to make sure those service providers are protecting your platforms and data properly. 

Some recommended safeguards are: 

  • Establish and Maintain an Inventory of Service Providers and a Service Provider Management Policy
  • Classify, Assess, and Monitor Service Providers 
  • Securely Decommission Service Providers

CIS Control 16: Application Software Security 

Applications are user-friendly tools to manage data for business functions. If an application has an insecure design, a coding mistake, or weak authentication, it becomes vulnerable to attack. These software applications must be managed throughout their life cycle, and weaknesses should be detected and fixed before they hurt the enterprise. 

Some recommended safeguards are: 

  • Establish and Maintain a Secure Application Development Process
  • Perform Root Cause Analysis on Security Vulnerabilities
  • Separate Production from Non-Production Systems 

CIS Control 17: Incident Response Management 

Policies and procedures with defined roles and training should be established in case of an incident. A clear response plan helps guide your team through an incident. 

Some recommended safeguards are: 

  • Designate Personnel to Manage Incident Handling 
  • Assign Key Roles and Responsibilities
  • Conduct Post-Incident Reviews 

CIS Control 18: Penetration Testing 

A penetration test will help identify potential weaknesses by simulating an attack. These tests show vulnerabilities and determine if the right safeguards have been implemented. 

Some recommended safeguards are: 

  • Establish and Maintain a Penetration Testing Program 
  • Perform Periodic External Penetration Tests 
  • Remediate Penetration Test Findings

Concluding Thoughts

These CIS 18 Critical Security Controls are highly recommended for implementation at your enterprise. They are incredibly important measures to ensure safety against a cyber attack. 

Their importance doesn’t negate the fact that they are extensive and time-consuming to implement. 

Thankfully, vTECH io has a highly experienced staff to assist you. We have established relationships with the best cybersecurity solution providers. Our amazing team will help build comprehensive and layered protection for your organization.

If you want a safer, more secure network, partner with vTECH io today. Click HERE to set up a call now!