New Version of the Top 20 Critical Security Controls Released by CIS
Earlier this week, the Center for Internet Security (CIS) released the latest version of their Top 20 Critical Security Controls. A ground-breaking set of globally recognized best practice guidelines for securing IT systems and data, the controls have been proven to defeat over 85% of the most prevalent cyberattacks when applied.
The Critical Security Controls were first developed by the SANS Institute in 2008 and were later transferred to CIS in 2015. The guidelines are continuously being revised and refined by a volunteer global community of experienced IT professionals.
The Six Basic Controls
Most major security incidents occur when even basic controls are lacking or are poorly implemented. Drawing on the results of a 2017 Verizon study, it was shown that 85% of cyberattacks can be prevented by adopting the first six Critical Security Controls alone. Applying all twenty can prevent as much as 97% of attacks.
The first six controls were therefore developed as the most basic requirements organizations should follow in order to achieve a minimum level of cybersecurity:
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
The first two points are particularly pertinent today, when shadow IT, the use of unauthorized devices and software within company networks, has become a widespread concern for IT departments. CIS suggests building inventories of both devices and software, but notes that information pertaining to them should be protected as personal information. They also emphasize the need for privacy policies that inform employees of the privacy risks associated with the use of unauthorized devices and software.
Control three addresses the need to continuously assess and act on new information in order to identify vulnerabilities, remediate them, and minimize the window of opportunity for attackers. Control six covers the management and analysis of audit logs of events that can help detect, understand and recover from an attack.
Controls four and five, on the other hand, require tools to track, control, prevent and correct the use, assignment and configuration of administrative privileges on computers, networks and applications, as well as rigorous management of the security configuration of mobile devices, laptops, servers and workstations.
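As an added example (not part of the original article or of CIS's own material), the following Python script performs the check that Controls 1 and 2 describe: it reconciles an authorized hardware and software inventory against an observed snapshot and reports unauthorized devices, stale inventory entries, hostname mismatches and unauthorized software. All MAC addresses, host names and package names are constructed sample data.

```python
"""Asset-inventory reconciliation for CIS Controls 1 and 2 (added example)."""

# Constructed sample data: the authorized inventory maintained under Controls 1 and 2,
# keyed by MAC address (hardware) plus the organization's approved software list.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "fin-ws-01",
    "aa:bb:cc:00:00:02": "dev-lt-07",
    "aa:bb:cc:00:00:03": "srv-db-01",
}
AUTHORIZED_SOFTWARE = {"openssh-server", "postgresql", "libreoffice", "firefox"}

# Constructed observed snapshot, e.g. gathered from DHCP leases and package listings.
OBSERVED_DEVICES = {
    "aa:bb:cc:00:00:01": "fin-ws-01",
    "aa:bb:cc:00:00:02": "unknown-laptop",     # inventoried MAC, unexpected hostname
    "de:ad:be:ef:00:99": "personal-phone",     # not in inventory at all (shadow IT)
}
OBSERVED_SOFTWARE = {
    "fin-ws-01": {"firefox", "libreoffice", "dropbox"},   # dropbox is not approved
    "dev-lt-07": {"openssh-server", "firefox"},
}


def reconcile(authorized_devices, observed_devices, authorized_software, observed_software):
    """Compare observed network and software state against the authorized inventory.

    Returns findings a defender can act on: devices to block or onboard,
    inventory entries to verify, and unapproved software to remove.
    """
    return {
        # Seen on the network but absent from the inventory: block or onboard.
        "unauthorized_devices": sorted(
            (mac, name) for mac, name in observed_devices.items() if mac not in authorized_devices
        ),
        # In the inventory but not seen: decommissioned, offline, or stale record.
        "missing_devices": sorted(
            host for mac, host in authorized_devices.items() if mac not in observed_devices
        ),
        # Known MAC reporting a different name: reimaged, renamed, or spoofed.
        "hostname_mismatch": sorted(
            (mac, authorized_devices[mac], name)
            for mac, name in observed_devices.items()
            if mac in authorized_devices and authorized_devices[mac] != name
        ),
        # Installed packages outside the approved list, per host.
        "unauthorized_software": {
            host: sorted(pkgs - authorized_software)
            for host, pkgs in observed_software.items() if pkgs - authorized_software
        },
    }


if __name__ == "__main__":
    for key, value in reconcile(AUTHORIZED_DEVICES, OBSERVED_DEVICES,
                                AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE).items():
        print(f"{key}: {value}")
```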
Data Protection Control
Data Protection is included among the Foundational Critical Security Controls:
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
The CIS recognizes the need for protection against data loss and mitigation of potential data compromise as companies increasingly move towards the cloud and mobile access. The guidelines state that data protection is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques.
Products such as Endpoint Protector can be automatically deployed system-wide to monitor for unauthorized transfers of sensitive information, block these transfers and alert administrators about them. Such a product can identify sensitive information on endpoints and take remediation actions, such as deletion or encryption, when it is found on unauthorized users’ computers. Systems can also be configured to allow the use of only specific trusted devices.
The last four controls focus on security issues encountered at the organizational level:
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
The first of these addresses the potential skills gap in the workforce and helps identify behavior that might leave systems vulnerable. The same principle is applied to applications by ensuring secure coding practices are followed. The last two controls underline the need for an incident response plan and for testing the overall strength of a company’s defenses by organizing simulated attacks.
The CIS Critical Security Controls form a solid base for a company’s cybersecurity strategy, addressing both security and privacy concerns, and can also serve as a stepping stone to compliance with regulations such as HIPAA, GDPR and GLBA. In fact, the National Institute of Standards and Technology (NIST) references the controls as a recommended implementation approach for its Cybersecurity Framework. Companies unsure of where to start on the road to securing their networks against cyberattacks can therefore confidently turn to the battle-tested CIS Critical Security Controls.