New Version of the Top 20 Critical Security Controls Released by CIS
Earlier this week, the Center for Internet Security (CIS) released the latest version of their Top 20 Critical Security Controls, a ground-breaking set of globally recognized best practice guidelines for securing IT systems and data. The Critical Security Controls were first developed by the SANS Institute in 2008 and were later transferred to CIS in 2015. The guidelines are continuously being revised and refined by a volunteer global community of experienced IT professionals.
The Six Basic Controls
Most major security incidents occur when even basic controls are lacking or poorly implemented. A study of the previous version of the controls showed that 85% of cyberattacks can be prevented by adopting what were then the first five Critical Security Controls alone. Applying all twenty can prevent as much as 97% of attacks.
The first six controls were therefore developed as the most basic requirements organizations should follow in order to have a minimum of cybersecurity. They are:
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
These first two points are particularly pertinent today, when shadow IT, the use of unauthorized devices and software within company networks, has become a widespread practice and a grave concern for IT departments everywhere. CIS suggests building inventories for both devices and software. The information, once collected, should be protected as personal data. CIS also emphasizes the need for privacy policies that inform employees of the security risks associated with the use of unauthorized devices and software.
3. Continuous Vulnerability Management
This control addresses the need to continuously assess information, identify vulnerabilities, take action on new information and minimize the window of opportunity for attackers.
4. Controlled Use of Administrative Privileges
5. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Controls four and five require the implementation of tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications, as well as the rigorous management of the security configuration of mobile devices, laptops, servers, and workstations.
6. Maintenance, Monitoring and Analysis of Audit Logs
This point refers to the management and analysis of event audit logs that might prove useful in detecting, understanding and recovering from an attack.
Data Protection Control
Data Protection is included among the Foundational Critical Security Controls:
- Email and Web Browser Protections
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
CIS recognizes the need for protection against data loss and mitigation of potential data compromise as companies increasingly move towards the cloud and mobile platforms. The guidelines state that data protection is best achieved through the application of a combination of encryption, integrity protection and data loss prevention techniques.
Products such as Endpoint Protector can be automatically deployed system-wide and monitor for unauthorized transfers of sensitive information, block them and alert administrators about them. They can identify sensitive information on endpoints and take remediation actions such as deletion or encryption when it is found on unauthorized users’ computers. Systems can also be configured to allow the use of only specific trusted devices.
The last four controls focus on security issues encountered at the organizational level:
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
These address the potential skills gap in the workforce and help identify behavior that might leave systems vulnerable. The same principle is applied to applications, by ensuring that secure coding practices are being followed. The last two controls underline the need for an incident response plan and for testing the overall strength of a company’s defense by organizing simulated attacks.
The CIS Critical Security Controls form a solid base for a company’s cybersecurity strategy, focusing on both privacy and security concerns, but can also be used as a stepping stone to compliance with regulations such as HIPAA, GDPR, GLBA, etc. In fact, the National Institute of Standards and Technology (NIST) referenced the controls as a recommended implementation approach for its Cybersecurity Framework. Therefore, companies unsure about where to get started on the road to securing their networks against cyberattacks can confidently turn to the battle-tested CIS Critical Security Controls for a helping hand.