With data breaches and cyber threats on the rise and new regulations increasing the stakes, organisations need to take more proactive security precautions.
Security excellence isn’t easy.
However, having a recognised framework as your guide helps you prioritise your security efforts and gives you direct instruction on protecting your business. The CIS Controls have been designed to help combat this exact problem.
In the second part of this four-part series, we briefly cover the first six controls in the framework, known as the Basic CIS Controls. (The grouping into Basic, Foundational and Organisational controls comes from version 7 of the CIS Controls; version 8 consolidates the list into 18 controls and replaces the groups with Implementation Groups, but the substance of these six is unchanged.) They are wide in scope but rest on solid principles: making sure the right users have access to the right assets, and that every system is kept up to date and as securely configured as possible.
Articles in the Series:
- Overview of the Top 20 CIS Critical Security Controls (Part 1): What Are They?
- CIS Critical Security Controls: The 6 BASIC controls (Part 2)
- The 10 Foundational CIS Critical Security Controls (Part 3)
- Understanding the Organisational CIS Critical Security Controls (Part 4)
The Basic CIS Controls
These basic controls are necessary for every organisation, regardless of size or industry. Implementing them will not stop every attack, but it prevents a large share of common incidents and lays the foundation that the remaining controls build on.
1. Inventory & Control of Hardware Assets
One of the easiest ways for your data and network to be exposed is through hardware you do not know about. As work becomes increasingly mobile, the chances of a laptop or mobile device being lost or left unattended increase too.
If you don't know what is connecting to your network, who holds data on which device, or when something goes missing, you are in no position to protect your data. Even if you haven't deployed mobile devices, employees may bring their own and connect them to your network.
Create and maintain an accurate inventory of all devices allowed on your network, and record who uses each one. This helps you to:
- Prevent unauthorised devices from accessing the network
- Discover unknown devices, through active scanning and passive sources such as DHCP logs
- Track changes made to existing devices
2. Inventory & Control of Software
Just like hardware, software is an entry point into your environment. Users rarely see a problem with installing software you have never authorised on company devices. If you don't know which applications are running on your systems, you're working blind.
To manage this, develop and maintain an inventory of the software in your environment that records:
- What software is installed on each system, and which version
- Who installed it, and whether the vendor still supports it
- What it does and why it is needed
Use the inventory to maintain an allowlist of approved software and a blocklist of software that must never run, so that anything unknown is flagged or blocked.
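The two inventories above are only useful if something compares them against reality. The following script is an added example (not code from the article or from CIS) that does that comparison for both Control 1 and Control 2: it parses constructed `arp -a` output against a hypothetical hardware inventory, and constructed `dpkg -l` output against a hypothetical allowlist and blocklist. The hosts, MAC addresses, package names and lists are all sample data made up for this example.

```python
"""Reconcile what is actually on the network and on a host against the approved inventory.

Added example; it is not from the article or from CIS. The ARP table, package
list, asset inventory and allow/block lists below are constructed sample data.
In practice you would feed in `arp -a` (or DHCP lease and switch MAC-table
exports) and `dpkg -l` (or the equivalent package listing) output.
"""
import re

# Approved hardware inventory keyed by MAC address (constructed, hypothetical hosts).
HARDWARE_INVENTORY = {
    "aa:bb:cc:00:00:01": {"owner": "alice", "hostname": "alice-laptop", "ip": "10.0.0.11"},
    "aa:bb:cc:00:00:02": {"owner": "bob", "hostname": "bob-laptop", "ip": "10.0.0.12"},
    "aa:bb:cc:00:00:03": {"owner": "it", "hostname": "printer-1", "ip": "10.0.0.50"},
    "aa:bb:cc:00:00:04": {"owner": "carol", "hostname": "carol-laptop", "ip": "10.0.0.13"},
}

# Constructed `arp -a` output (Linux format) captured by a scanner on the LAN.
ARP_TABLE = """\
alice-laptop (10.0.0.11) at aa:bb:cc:00:00:01 [ether] on eth0
bob-laptop (10.0.0.12) at aa:bb:cc:00:00:02 [ether] on eth0
? (10.0.0.77) at de:ad:be:ef:00:01 [ether] on eth0
printer-1 (10.0.0.51) at aa:bb:cc:00:00:03 [ether] on eth0
"""

ARP_RE = re.compile(r"^(\S+) \((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_arp(text):
    """Return (hostname, ip, mac) tuples from `arp -a` output; MACs normalised to lower case."""
    entries = []
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m:
            host, ip, mac = m.groups()
            entries.append((host, ip, mac.lower()))
    return entries


def reconcile_hardware(arp_text, inventory):
    """Classify devices as unknown (not in inventory), changed (IP differs) or missing (not seen)."""
    report = {"unknown": [], "changed": [], "missing": []}
    seen = set()
    for _host, ip, mac in parse_arp(arp_text):
        seen.add(mac)
        record = inventory.get(mac)
        if record is None:
            report["unknown"].append({"ip": ip, "mac": mac})
        elif record["ip"] != ip:
            report["changed"].append({"mac": mac, "hostname": record["hostname"],
                                      "old_ip": record["ip"], "new_ip": ip})
    # In the inventory but not on the wire: offline, or lost/stolen. Either way, follow up.
    report["missing"] = [mac for mac in inventory if mac not in seen]
    return report


# Constructed `dpkg -l`-style output from one host (package names are hypothetical examples).
PACKAGE_LIST = """\
ii  openssh-server  1:9.2p1-2   amd64  secure shell (SSH) server
ii  nginx           1.22.1-9    amd64  small, powerful, scalable web/proxy server
ii  telnetd         0.17-45     amd64  telnet server
ii  remote-helper   0.1-1       amd64  (unknown package, constructed for this example)
"""

SOFTWARE_ALLOWLIST = {"openssh-server", "nginx", "libc6"}
SOFTWARE_BLOCKLIST = {"telnetd", "rsh-server"}  # cleartext remote access: never permitted
DPKG_RE = re.compile(r"^ii\s+(\S+)\s+(\S+)")


def parse_dpkg(text):
    """Return (name, version) for every installed ('ii') package line."""
    return [(m.group(1), m.group(2)) for m in map(DPKG_RE.match, text.splitlines()) if m]


def reconcile_software(pkg_text, allowlist, blocklist):
    """Blocklist hits are urgent; anything not on the allowlist needs review or removal."""
    report = {"blocked": [], "unapproved": []}
    for name, version in parse_dpkg(pkg_text):
        if name in blocklist:
            report["blocked"].append(f"{name} {version}")
        elif name not in allowlist:
            report["unapproved"].append(f"{name} {version}")
    return report


if __name__ == "__main__":
    print(reconcile_hardware(ARP_TABLE, HARDWARE_INVENTORY))
    print(reconcile_software(PACKAGE_LIST, SOFTWARE_ALLOWLIST, SOFTWARE_BLOCKLIST))
```

Two caveats a practitioner should keep in mind: a MAC address can be spoofed, so this finds unmanaged devices but does not authenticate managed ones (for enforcement you want port-level access control such as 802.1X), and a package list only covers software installed through the package manager, so portable executables need a separate file-level allowlisting control.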
3. Continuous Vulnerability Management
Most cyber attacks exploit well-known vulnerabilities. Just as a burglar looks for homes with the least well-lit entrances, no visible cameras and a simple getaway route, attackers look for weak spots in your cyber security.
Please don't make it so easy for them. Scan your environment for vulnerabilities regularly, using authenticated scans where possible, and treat the results as a work queue rather than a report.
This will:
- Highlight the vulnerabilities that threaten your security
- Provide actionable recommendations for remediation
- Demonstrate due diligence and proactive risk management
- Meet your compliance requirements
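A scan report is only the start; the useful output is an ordered queue with deadlines. The script below is an added example (not from the article or from any scanner vendor) of that triage step over a constructed CSV export. The `id` column uses placeholder labels where a real export would carry CVE identifiers, the weighting and SLA table are a hypothetical policy rather than a CIS requirement, and `known_exploited` is the kind of flag you would populate from a catalogue such as CISA's Known Exploited Vulnerabilities list.

```python
"""Turn a vulnerability scan export into a prioritised remediation queue with deadlines.

Added example, not from the article or from any scanner vendor. SCAN_CSV is a
constructed export; the `id` values are placeholders, not real identifiers.
The weighting and SLA table are a hypothetical policy.
"""
import csv
import io
from datetime import date, timedelta

SCAN_CSV = """\
host,id,cvss,known_exploited,asset_tier,first_seen
web-01,F-001,9.8,yes,internet-facing,2024-01-02
db-01,F-002,7.5,no,internal,2024-01-10
hr-pc-7,F-003,5.3,no,internal,2023-12-01
web-02,F-004,6.1,yes,internet-facing,2024-01-12
"""


def risk_score(row):
    """CVSS base score, doubled if exploitation is known in the wild, x1.5 on internet-facing assets."""
    score = float(row["cvss"])
    if row["known_exploited"].strip().lower() == "yes":
        score *= 2.0
    if row["asset_tier"].strip().lower() == "internet-facing":
        score *= 1.5
    return round(score, 2)


def sla_days(score):
    """Remediation deadline in days by risk score (hypothetical policy)."""
    if score >= 15:
        return 7
    if score >= 9:
        return 30
    return 90


def triage(csv_text, today):
    """Return findings sorted by risk, each with a due date and an overdue flag as of `today` (ISO date)."""
    today = date.fromisoformat(today)
    queue = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = risk_score(row)
        first_seen = date.fromisoformat(row["first_seen"])
        due = first_seen + timedelta(days=sla_days(score))
        queue.append({
            "host": row["host"], "id": row["id"], "score": score,
            "due": due.isoformat(), "overdue": today > due,
        })
    # Highest risk first; ties broken by the earliest deadline.
    queue.sort(key=lambda f: (-f["score"], f["due"]))
    return queue


if __name__ == "__main__":
    for finding in triage(SCAN_CSV, "2024-01-15"):
        flag = "OVERDUE" if finding["overdue"] else "ok"
        print(f'{finding["host"]:8} {finding["id"]} score={finding["score"]:5} due={finding["due"]} {flag}')
```

Note that a 6.1 finding with a public exploit on an internet-facing host ranks above a 7.5 finding on an internal one; sorting by raw CVSS alone would get that order wrong. The `first_seen` date is what makes an SLA enforceable, so keep it stable across scans rather than resetting it each time the scanner runs.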
4. Controlled Use of Administrative Privileges
If you go away for the weekend, you don’t leave a set of house keys with everyone in your neighbourhood. You may want one or two trusted people to have access—people you can trust to lock up after themselves and not invite any strangers in. The same goes for admin privileges.
Restrict administrative privileges so that only the people who need them have them, and only on the systems where they need them. Day-to-day work, including reading e-mail and browsing the web, should be done from a standard account. This limits the damage when an attacker goes after an admin, which commonly happens by:
- Tricking an admin user into opening a malicious file or link, so that the malware runs with administrative rights
- Guessing or cracking an admin-level password to gain access to a target machine
5. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Operating systems and applications usually ship configured for ease of deployment, not security. Attackers exploit those defaults: default passwords, unnecessary open ports and services, and outdated protocols. Arriving at a hardened configuration means reviewing hundreds (if not thousands) of settings, which is why published baselines such as the CIS Benchmarks exist.
Once you have your best configurations set up, you need to monitor and manage them continually:
- Establish, implement, and actively manage the security configuration of mobile devices, laptops, servers and workstations
- Maintain documented security configuration standards for all authorised operating systems and software
- Perform all remote administration of systems over encrypted channels using multi-factor authentication
- Use an automated monitoring system to verify every security configuration element and alert your team when a system drifts from the standard
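Configuration standards only hold if something checks live systems against them. The script below is an added example (neither the article's code nor a CIS Benchmark) that audits an `sshd_config` against a small baseline and emits the corrected file. The baseline values are common hardening choices assumed for illustration; the CIS Benchmark for your platform is the authoritative list. `WEAK_SSHD_CONFIG` is a constructed sample of a default-style configuration. The parser honours sshd's actual rules: the first active occurrence of a directive wins, and commented-out lines are inert.

```python
"""Audit an sshd_config against a hardening baseline and emit the corrected file.

Added example; not from the article and not a CIS Benchmark. BASELINE holds
assumed hardening values; WEAK_SSHD_CONFIG is a constructed sample.
"""

WEAK_SSHD_CONFIG = """\
# constructed sample: defaults that favour convenience over security
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
#MaxAuthTries 6
"""

# Directive -> expected value. Directive names are case-insensitive in sshd.
BASELINE = {
    "PermitRootLogin": "no",            # admins log in as themselves, then elevate
    "PasswordAuthentication": "no",     # keys (or certificates) only
    "PermitEmptyPasswords": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",              # records key fingerprints, which Control 6 needs
}


def _directive(line):
    """Return (name, value) for an active config line, or None for blanks and comments."""
    s = line.strip()
    if not s or s.startswith("#"):
        return None
    parts = s.replace("=", " ", 1).split(None, 1)
    return (parts[0], parts[1].strip()) if len(parts) == 2 else None


def parse_sshd_config(text):
    """Map lower-cased directive name -> (name as written, value); first match wins, as in sshd."""
    active = {}
    for line in text.splitlines():
        d = _directive(line)
        if d and d[0].lower() not in active:
            active[d[0].lower()] = d
    return active


def audit_sshd(text, baseline):
    """List (directive, current_value_or_None, expected) for every deviation from the baseline."""
    active = parse_sshd_config(text)
    findings = []
    for directive, expected in baseline.items():
        current = active.get(directive.lower())
        if current is None:
            findings.append((directive, None, expected))       # unset: sshd's default applies
        elif current[1].lower() != expected.lower():
            findings.append((directive, current[1], expected))
    return findings


def harden_sshd(text, baseline):
    """Fix the first occurrence of each baseline directive, drop later duplicates, append the rest."""
    wanted = {k.lower(): k for k in baseline}
    fixed, done = [], set()
    for line in text.splitlines():
        d = _directive(line)
        key = d[0].lower() if d else None
        if key in wanted:
            if key in done:
                continue                       # a later duplicate that sshd would ignore anyway
            fixed.append(f"{wanted[key]} {baseline[wanted[key]]}")
            done.add(key)
        else:
            fixed.append(line)
    for key, name in wanted.items():
        if key not in done:
            fixed.append(f"{name} {baseline[name]}")
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for directive, current, expected in audit_sshd(WEAK_SSHD_CONFIG, BASELINE):
        print(f"{directive}: {current or '(unset)'} -> {expected}")
    print(harden_sshd(WEAK_SSHD_CONFIG, BASELINE))
```

Two points the check cannot cover: multi-factor authentication for SSH is implemented through PAM or certificate-based keys, not a single directive, so it needs its own verification; and a commented-out `#MaxAuthTries 6` shows the compiled-in default but is not a setting, which is why the audit reports it as unset rather than trusting it.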
6. Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage and analyse your event logs to detect anomalous activities and investigate all security incidents.
Without continuous logging and analysis, attackers can hide their location and activities in your network. Even if you become aware of which systems have been compromised, without accurate logs you have no way of knowing what damage has already been done and what (or who) is still lurking in your network. Ensure your audit logs include at least the following:
- Dates
- Timestamps, from clocks synchronised against a common time source so that events on different systems can be correlated
- Source addresses
- Destination addresses
- The event source and the user or account involved
With these you can retrace the steps of each threat you've detected, transaction by transaction.
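With those fields present, the analysis side of the control becomes a matter of pattern matching over time windows. The script below is an added example (not from the article) that parses constructed SSH authentication log lines in rsyslog's high-precision format and flags a burst of failed passwords from one source that ends in a successful login. Traditional syslog stamps carry no year or time zone, which is exactly why the control asks for proper timestamps; the example relies on them being present. The hosts, users and log lines are made up, and the external addresses come from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
"""Parse SSH authentication log lines and flag password-guessing bursts that end in a login.

Added example; not from the article. LOG_LINES is a constructed sample in
rsyslog's high-precision format (ISO timestamp with zone, host, program[pid]).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINES = """\
2024-03-04T10:00:01+00:00 web-01 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51522 ssh2
2024-03-04T10:00:07+00:00 web-01 sshd[1203]: Failed password for invalid user test from 203.0.113.9 port 51530 ssh2
2024-03-04T10:00:13+00:00 web-01 sshd[1205]: Failed password for root from 203.0.113.9 port 51538 ssh2
2024-03-04T10:00:15+00:00 web-01 sshd[1206]: Accepted publickey for alice from 10.0.0.11 port 40212 ssh2
2024-03-04T10:00:19+00:00 web-01 sshd[1207]: Failed password for bob from 203.0.113.9 port 51546 ssh2
2024-03-04T10:00:25+00:00 web-01 sshd[1209]: Failed password for bob from 203.0.113.9 port 51554 ssh2
2024-03-04T10:00:31+00:00 web-01 sshd[1211]: Failed password for bob from 203.0.113.9 port 51562 ssh2
2024-03-04T10:00:40+00:00 web-01 sshd[1213]: Accepted password for bob from 203.0.113.9 port 51570 ssh2
2024-03-04T10:05:02+00:00 web-01 sshd[1290]: Failed password for invalid user guest from 198.51.100.4 port 60001 ssh2
2024-03-04T10:30:02+00:00 web-01 sshd[1401]: Failed password for invalid user guest from 198.51.100.4 port 60002 ssh2
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+")
OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+")


def parse_auth_log(lines):
    """Return events carrying the fields the control calls for: time, destination host, source address, user."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        for kind, pattern in (("fail", FAIL_RE), ("ok", OK_RE)):
            hit = pattern.search(m["msg"])
            if hit:
                events.append({"ts": datetime.fromisoformat(m["ts"]), "dst": m["host"],
                               "src": hit["src"], "user": hit["user"], "kind": kind})
                break
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """One alert per source with >= threshold failures inside `window`, noting any later success."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["kind"] == "fail"]
        for i in range(len(fails)):
            # Grow the window forward from failure i while it still fits.
            j = i
            while j + 1 < len(fails) and fails[j + 1]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i + 1 >= threshold:
                success = next((e for e in evs if e["kind"] == "ok" and e["ts"] >= fails[i]["ts"]), None)
                alerts.append({"src": src, "dst": fails[i]["dst"], "failures": j - i + 1,
                               "start": fails[i]["ts"].isoformat(), "end": fails[j]["ts"].isoformat(),
                               "followed_by_success": success["user"] if success else None})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(LOG_LINES)):
        print(alert)
```

The `followed_by_success` field is what turns a noisy "brute force attempt" alert into an incident: six failures followed by an accepted password for `bob` from the same source is a likely account compromise, whereas the slow trickle from 198.51.100.4 never reaches the threshold. The same window logic applies to any event type once the source, destination and synchronised timestamp are in the record.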
Should You DIY Your CIS Controls Management Process?
The CIS Controls are a great foundation for any organisation looking to strengthen its cyber security—and the resource is free to download! But implementing them to harden defences against attack vectors you’re likely to encounter isn’t free. Even with the best free resources, most organisations find it a tall order to keep pace with the latest security threats and manage people, processes and associated technologies.
The Importance of an Ongoing Cyber Security Programme
Often, a more cost-effective route is to bring in external security expertise rather than hiring, training and retaining your own 24x7 cyber security team.
Whether fully outsourced or working alongside your internal teams, an outsourced Security Operations Centre helps you scale your security quickly, keep pace with changing threats and improve your overall cyber security posture.
In the next two CIS articles, we dig deeper to help you implement as much as you can in-house and determine whether you’d be better off with any outsourced areas.