Center for Internet Security (CIS) checks are a relatively short high priority listHighly effective defensive actions that provide a “must do, do first” starting point for all businesses looking to improve their cyber defense.
Initially developed by the SANS Institute and known as SANS Critical Controls, these best practices are a must for organizations large and small. By adopting these sets of controls, organizations can prevent most cyberattacks.
18 Critical Security Controls for Effective Cyber Defense
The latest version of the CIS Controls is version eight, which was released in 2021. The list is still prioritized in order of importance, but there are some notable changes to the controls and their order. Controls are now focused on tasks and combined by activities. Another change is that what were previously called sub-controls are now called safeguards.
CIS Control 1: Inventory and Control of Business Assets
A comprehensive view of the devices on your network is the first step in reducing your organization’s attack surface. Use active and passive asset discovery solutions on an ongoing basis to monitor your inventory and ensure all hardware is accounted for.
CIS Control 2: Software Asset Inventory and Control
Another of the core controls also deals with asset discovery, making network inventory the most critical step you can take to harden your system. After all, you can’t keep track of assets you don’t know you have on your network.
CIS Control 3: Data Protection
A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data a company produces or consumes, as well as being able to classify it based on sensitivity, are the keys to this plan. Despite its simple name, this is one of the most complex and difficult controls to implement thanks to ongoing processes such as the inventory of sensitive information.
CIS Control 4: Secure Configuration of Enterprise Software and Assets
Leverage file integrity monitoring (FIM) to keep track of configuration files, master images, and more. This control speaks to the need to automate configuration monitoring systems so that deviations from known baselines trigger security alerts. Systems in scope under this control include mobile devices, laptops, workstations, servers, and other devices.
CIS Control 5: Account Management
To keep valid credentials out of the hands of hackers, you must have a system in place to control authentication mechanisms. Administrative credentials are a prime target for cybercriminals. Fortunately, there are several steps you can take to protect them, such as keeping a detailed inventory of administrator accounts and changing default passwords. Monitoring and controlling accounts makes it much more difficult for malicious actors to successfully attack a business and steal or damage assets.
CIS Control 6: Access Control Management
The first step in implementing this control is to take an inventory of the wireless access points on your network. From there, the control goes deeper into mitigating all kinds of wireless access risks. By encrypting information in transit and disabling communication between workstations, you can also begin to limit potential security incidents that can occur when data privileges are too lax.
CIS Control 7: Ongoing Vulnerability Management
A major challenge in cybersecurity involves keeping up with all the Common Vulnerabilities and Exposures (CVE) identified in real time around the world. Effective security programs must keep up with a plethora of new vulnerabilities every day. CIS lists ongoing vulnerability assessment and remediation as a key part of risk and governance programs.
CIS Control 8: Audit Log Management
System logs provide an accurate account of all activity on your network. This means that in the event of a cybersecurity incident, proper records management practices will give you all the data you need on the who, what, where, when, and how of the event in question. Security teams should pay attention to logs and use them in conjunction with tools that are designed to analyze log information and generate actionable management guidance.
CIS Control 9: Email and Web Browser Protections
There are more security threats to email and web browsers than just phishing. Even a single pixel in an email image can provide cybercriminals with the information they need to carry out an attack. Attackers often use web browsers and email clients as entry points for code exploitation and social engineering, and controls need to be in place to protect against interactions with untrusted environments.
CIS Control 10: Defenses Against Malware
The rise in ransomware attacks requires organizations to strengthen their defenses against malware. Make sure your antivirus tools integrate well with the rest of your security toolchain. Deploy anti-malware software and make sure it is regularly updated. This control also involves disabling certain features, such as autorun and autoplay for removable media.
CIS Control 11: Data Recovery
Organizations must have a solid plan in place to deal with the recovery of lost data in the event preventive controls fail. Are you doing regular, automated backups? Are you protecting your backed up data? Ensuring proper data recovery capabilities will protect you from threats like ransomware. It’s also important to practice and test restoring your data to be prepared in the event of actual data loss.
CIS Control 12: Network Infrastructure Management
Implementing this control will help you reduce your attack surface through tactics like automated port scanning and application firewalls. Network devices can be viewed as the gateways to your business, whether physical or virtual. Proper management and secure configuration of routers, switches, firewalls, and other network devices are essential to managing inbound and outbound filtering rules for enterprise policy-based protection.
CIS Control 13: Network Monitoring and Defense
This control involves centralizing security event alerts, implementing host-based intrusion detection systems, using a network intrusion detection system, and more. Network monitoring and defense should be viewed as an ongoing process to which security teams pay substantial attention. Security measures such as network segmentation and application layer filtering will help ensure that networks remain protected from attack.
CIS Control 14: Security Awareness and Skills Training
Security training should be a higher priority in most organizations, due in part to the growing cybersecurity skills gap. This control also emphasizes the need for ongoing safety training rather than one-time commitments. When employees understand how to practice strict cyber hygiene, they are much more difficult to exploit through phishing and social engineering attacks.
CIS Control 15: Service Provider Management
Most organizations entrust certain processes and functions to external service providers who often have access to sensitive data. Unfortunately, service providers have become an attack vector for cybercriminals, so managing the security of your organization’s service providers is now a necessity. And this is not just for security reasons; many compliance standards, HIPAA and PCI, for example, require compliance to cover third-party service providers.
CIS Control 16: Application Software Security
Internally developed code needs security assessments through processes such as static and dynamic security scans to uncover hidden vulnerabilities. The most popular target for hackers is your application base, so implementing a comprehensive program of application security controls is essential. This should include software development lifecycle controls (SDLC), analysis, and testing.
CIS Control 17: Incident Response Management
This control helps you implement strategies for planning and testing for cybersecurity incidents so you don’t run into problems when they happen. Know who in your organization is responsible for handling incidents and what processes they will use to mitigate them. Post-incident reviews are also crucial to understand what happened and how to prevent a recurrence.
CIS Control 18: Penetration Tests
Regular penetration testing helps you identify vulnerabilities and attack vectors that are otherwise unknown until discovered by malicious actors. It is an important aspect of discovering and identifying potential critical vulnerabilities within your organization’s external network, internal network, applications, or systems.
Use Tripwire to comply with CIS controls
See how simple and effective security controls can create a framework to help protect your organization and your data from known cyberattack vectors by downloading this guide here.