The CIS Controls (version 7 of the framework) are a set of 20 controls designed to protect your organisation from the cyber attacks seen most often in practice. The controls are prioritised to make them easier to implement: if you have each preceding control underway, you will already have many of the tools in place to proceed to the next.
So, if you haven’t got to grips with the six Basic CIS Controls yet, we suggest you go back and read our article on those first.
Here’s our quick overview of the ten “Foundational CIS Controls” (Controls 7 to 16) and why they’re critical for your business:
These are technical best practices that deliver clear security benefits and are a smart move for any organisation to implement.
Web browsers and email clients are a common point of entry precisely because they are complex, flexible and in direct contact with users: attackers use phishing and other social engineering techniques to trick users into letting malicious code into the network through them.
Imagine a dartboard three times the size of a regular one. It is an easy target and an unfair advantage for the player.
Now imagine that the dartboard is your organisation and the player is an attacker. You want to shrink your attack surface as far as possible to reduce their chances of hitting the bullseye.
Control 7 (Email and Web Browser Protections) helps you do that: ensure only fully supported, patched web browsers and email clients are in use, remove unnecessary browser and email plug-ins, restrict scripting, filter URLs and DNS requests, block file types with no business use at the email gateway, and sandbox the attachments you do allow through.
Malware evolves constantly and can enter your environment through many routes: email attachments, web pages, removable media, cloud services and mobile devices. You need to be able to keep up with these dynamic threats.
Control 8 (Malware Defenses) is about controlling the installation, spread and execution of malicious code at every one of those points. This is no small task and requires continuous action, so the most effective approach is centrally managed, automated tooling that continuously monitors servers, workstations and mobile devices with anti-malware, firewall and host-based intrusion prevention functionality, keeps its signatures up to date, and sends its logs to a central place where they are actually reviewed.
Attackers search for remotely accessible network services that are vulnerable to exploitation. Common entry points include poorly configured mail and web servers, file and print services, and DNS servers that are installed by default on many types of device. It is therefore critical that only ports, protocols and services with a validated business need are allowed to run.
Control 9 (Limitation and Control of Network Ports, Protocols and Services) means managing and tracking the ports, protocols and services in use on every networked device and closing any entry point that is not needed: keep an approved baseline for each system, run automated port scans regularly and compare the results against that baseline, and apply host-based firewalls with a default-deny rule so that only approved services can be reached.
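To make the “compare against a baseline” step concrete, here is an added example in Python (our illustration, not code from the original article or from CIS). It parses the output of the Linux `ss -tulpn` command and reports every listener that is not on an approved list, or that is approved only on loopback but bound to all interfaces. The sample `ss` output, the process names and the `APPROVED` baseline are constructed for the demonstration; on a real host you would feed it the live command output and keep one baseline per system type.

```python
"""Audit listening services against an approved baseline (CIS Control 9 style).

Added example, not code from the original article or from CIS. It parses the
output format of the Linux `ss -tulpn` command; the sample output, the
process names and the APPROVED baseline below are constructed for the demo.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `ss -tulpn` output (hosts, PIDs and processes invented).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=512,fd=13))
udp   UNCONN 0      0      0.0.0.0:161         0.0.0.0:*         users:(("snmpd",pid=901,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=733,fd=3))
tcp   LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=1104,fd=6))
tcp   LISTEN 0      511    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1104,fd=7))
tcp   LISTEN 0      5      127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      80     0.0.0.0:3306        0.0.0.0:*         users:(("mysqld",pid=1200,fd=21))
tcp   LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=733,fd=4))
"""

# Hypothetical approved baseline for this host: (protocol, port) -> (process, scope).
# scope "any" may listen on all interfaces; "local" must be bound to loopback only.
APPROVED = {
    ("tcp", 22): ("sshd", "any"),
    ("tcp", 80): ("nginx", "any"),
    ("tcp", 443): ("nginx", "any"),
    ("tcp", 3306): ("mysqld", "local"),  # database reachable only from this host
    ("udp", 53): ("systemd-resolve", "local"),
}

LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tulpn` text into Listener records; the header line is skipped."""
    listeners = []
    for line in output.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        address, _, port = match.group("local").rpartition(":")
        address = address.split("%")[0]  # drop an interface scope such as %lo
        listeners.append(Listener(match.group("proto"), address, int(port), match.group("proc")))
    return listeners


def is_loopback(address: str) -> bool:
    return address.startswith("127.") or address in ("::1", "[::1]")


def audit(output: str, approved: dict[tuple[str, int], tuple[str, str]]) -> list[str]:
    """Return one finding per deviation from the approved baseline, sorted."""
    findings = set()
    for l in parse_ss(output):
        rule = approved.get((l.proto, l.port))
        if rule is None:
            findings.add(f"UNAPPROVED {l.proto}/{l.port} ({l.process}) bound to {l.address}")
            continue
        expected_process, scope = rule
        if l.process != expected_process:
            findings.add(f"UNEXPECTED PROCESS on {l.proto}/{l.port}: {l.process}, expected {expected_process}")
        if scope == "local" and not is_loopback(l.address):
            findings.add(f"EXPOSED {l.proto}/{l.port} ({l.process}) bound to {l.address}, approved for loopback only")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT, APPROVED):
        print(finding)
```

An approved service bound to all interfaces when the baseline says loopback only is reported separately from an unapproved service because the fix differs (rebind it rather than remove it). Running this from a scheduled job and diffing the findings against the previous run gives you the regular automated comparison the control asks for; it complements, rather than replaces, a port scan from outside the host, which also catches anything the host-based firewall should be blocking.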
If the worst should happen and an attack changes your data, configurations or software (ransomware is the obvious example), you need reliable backup and recovery. Downtime and lost data can and will seriously hurt your organisation.
Recovery does not stop an attack, but it is critical to limiting its impact. Control 10 (Data Recovery Capabilities) calls for a proven recovery process: back up all system data automatically at least weekly (and more often for systems holding sensitive information), protect the backups with encryption and access controls, keep at least one copy offline or otherwise out of reach of a compromised network, and test restores regularly, because a backup that has never been restored is not yet a recovery capability.
Just like applications and operating systems, the default settings on network infrastructure devices are geared towards easy deployment, not optimal security, and a device’s configuration tends to degrade over time as ad hoc changes accumulate. Attackers know this all too well and exploit these configuration flaws to get access to your networks.
To thwart these threats, Control 11 (Secure Configuration for Network Devices) requires you to actively manage the configuration of firewalls, routers and switches: define a secure configuration standard, document every rule and change, use automated tools to compare each device’s running configuration against the approved baseline and alert on drift, keep device firmware at the latest stable version, and administer the devices only over encrypted, multi-factor-authenticated sessions from a dedicated management network.
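Here is an added example of the baseline comparison in Python (our illustration, not code from the article or from any CIS tool). It normalises two simplified IOS-style configurations, reports which lines have drifted in either direction, and runs a short list of weak-setting checks over the running configuration. Both configurations, the hostname, the addresses and the weak-setting list are constructed for the demonstration and are not a complete hardening benchmark.

```python
"""Detect drift and weak settings in a network device configuration (CIS Control 11 style).

Added example, not from the original article or from CIS. The two configs below
are constructed, simplified IOS-style text for a hypothetical router; the weak
setting patterns are a small illustrative list, not a complete benchmark.
"""
from __future__ import annotations

import re

# Constructed approved baseline ("golden") configuration.
BASELINE_CONFIG = """\
! golden config for edge-rtr-01 (constructed)
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$abcd$constructedhashvalue
no ip http server
ip http secure-server
snmp-server community a9x-readonly RO
logging host 192.0.2.20
ntp server 192.0.2.10
line vty 0 4
 transport input ssh
 login local
"""

# Constructed running configuration pulled from the device some months later.
RUNNING_CONFIG = """\
! running-config edge-rtr-01 (constructed)
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$abcd$constructedhashvalue
ip http server
snmp-server community public RO
ntp server 192.0.2.10
line vty 0 4
 transport input ssh telnet
 login local
"""

# Illustrative weak-setting checks, applied to each normalised line.
WEAK_SETTINGS = [
    (re.compile(r"^transport input\b.*\btelnet\b"), "telnet accepted for management sessions; allow ssh only"),
    (re.compile(r"^no service password-encryption$"), "passwords stored in clear text in the config"),
    (re.compile(r"^enable password\b"), "'enable password' used instead of 'enable secret'"),
    (re.compile(r"^ip http server$"), "unencrypted HTTP management interface enabled"),
    (re.compile(r"^snmp-server community (public|private)\b"), "default SNMP community string"),
]


def normalise(config: str) -> set[str]:
    """Strip comments, blank lines and indentation; return the set of config lines.

    Flattening loses the nesting under e.g. 'line vty 0 4', which is enough
    for spotting drift but not for parsing every IOS construct faithfully.
    """
    lines = set()
    for raw in config.splitlines():
        line = " ".join(raw.split())  # collapse whitespace and indentation
        if line and not line.startswith("!"):
            lines.add(line)
    return lines


def drift(running: str, baseline: str) -> tuple[set[str], set[str]]:
    """Return (lines present on the device but not in the baseline, lines missing from the device)."""
    run, base = normalise(running), normalise(baseline)
    return run - base, base - run


def weak_settings(config: str) -> list[tuple[str, str]]:
    """Return (line, reason) for each config line that matches a weak-setting pattern."""
    hits = []
    for line in sorted(normalise(config)):
        for pattern, reason in WEAK_SETTINGS:
            if pattern.search(line):
                hits.append((line, reason))
    return hits


if __name__ == "__main__":
    added, removed = drift(RUNNING_CONFIG, BASELINE_CONFIG)
    print("Added on device:", *sorted(added), sep="\n  ")
    print("Missing from device:", *sorted(removed), sep="\n  ")
    print("Weak settings:")
    for line, reason in weak_settings(RUNNING_CONFIG):
        print(f"  {line!r}: {reason}")
```

Drift is reported in both directions because a missing line (here the logging host and the HTTPS-only management setting) is as much a finding as an added one. In practice the running configuration would be collected over SSH on a schedule, the golden baseline kept under version control, and every reported difference either rolled back or turned into a documented change to the baseline.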
Configuration and architectural weaknesses in perimeter systems, network devices and internet-facing machines open the door to attackers, who gain access to your network through these cracks in your defences.
Control 12 (Boundary Defense) is about detecting and managing the flow of information between networks of different trust levels, with a focus on the data that could most seriously damage your security. You need technology such as network intrusion detection and prevention systems, logging of all traffic crossing the boundary, blocking of known-malicious addresses and unauthorised ports, and multi-factor authentication for every remote login, giving you deep visibility and control across your entire environment.
Data loss has been a hot topic over the past year, but it is not a new threat. While deliberate data theft gets most of the attention, data loss is also caused by human error and poor security practice.
Control 13 (Data Protection) is about having the right tools and processes to reduce the risk of data loss, theft and corruption, especially where your most sensitive information lives: know where that data is and remove copies that are not needed, encrypt it on mobile devices and removable media, control the use of USB storage, allow only authorised cloud storage services, and use data loss prevention and integrity protection to detect and block sensitive data leaving by unauthorised routes.
Not everyone working at a bank needs the code to the safe. Who has access to your most critical assets and sensitive data? If you are not separating users according to what they actually need, a single account taken over through phishing, malware or a malicious insider gives the attacker far more than it should.
Control 14 (Controlled Access Based on the Need to Know) means tracking, controlling and securing access so that you can state exactly which people, devices and applications may reach your most sensitive assets: classify data by sensitivity, segment the network accordingly and filter traffic between segments, enforce access control lists on the data itself, encrypt sensitive data both in transit and at rest, and log every access to it in detail.
Wireless devices are a convenient route for attackers to gain long-term access to your IT environment. As workforces become more mobile, the opportunity for wireless clients to become infected is on the rise: a laptop joins an untrusted wireless network while its owner is away on business and, when it comes back and connects to your office network, it can be carrying an infection that spreads from there.
Control 15 (Wireless Access Control) calls for an inventory of authorised wireless access points, regular scanning for rogue access points connected to your wired network, and network vulnerability scanning to ensure that every wireless device on the network matches an authorised configuration and security profile. Use AES encryption and mutual, certificate-based authentication (EAP/TLS) on corporate wireless, disable wireless and peer-to-peer wireless on devices that do not need it, and put personal and untrusted devices on a separate wireless network.
Has a contractor come to the end of their engagement, or a long-term employee moved on? Disable their accounts the day they go, so you do not leave a gateway open for would-be attackers.
Control 16 (Account Monitoring and Control) requires you to monitor and control all user accounts as part of your joiners, movers and leavers process. Keep an inventory of accounts and the systems they authenticate to, give every account an owner and an expiry date, disable an account as soon as it is no longer needed (disabling first rather than deleting preserves the audit trail) and remove it later on a schedule, disable dormant accounts, require multi-factor authentication, and alert on logins to deactivated accounts or logins that deviate from an account’s normal pattern. Running regular audits on top of your existing processes helps you identify any chinks in your account handling armour.
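Here is an added example of such an audit in Python (our illustration, not code from the article or from CIS). It reconciles a directory export against an HR feed and reports leavers whose accounts are still enabled, accounts with no HR record to vouch for them, dormant accounts, and contractor accounts without an expiry date. The HR feed, the directory export, the column names and the fixed “today” date are constructed assumptions for the demonstration; a real run would pull the export from your directory and the feed from your HR system.

```python
"""Joiners/movers/leavers audit of directory accounts against an HR feed (CIS Control 16 style).

Added example, not code from the original article or from CIS. The HR feed,
the directory export and the 'today' date are constructed so the script runs
offline; the column names are assumptions about a hypothetical export format.
"""
from __future__ import annotations

import csv
import io
from datetime import date, timedelta

TODAY = date(2024, 6, 1)  # fixed for reproducibility; use date.today() in practice
DORMANT_AFTER = timedelta(days=90)

# Constructed HR feed: who should exist and when leavers left.
HR_FEED = """\
username,status,leave_date
asmith,active,
jdoe,left,2024-03-31
bwong,active,
clee,left,2024-01-10
rpatel,active,
"""

# Constructed directory export (the shape of a simple AD/LDAP query result).
DIRECTORY_EXPORT = """\
username,enabled,account_type,created,last_logon,expires
asmith,true,employee,2019-02-11,2024-05-30,
jdoe,true,contractor,2023-09-04,2024-04-02,
bwong,true,employee,2017-06-20,2023-11-15,
clee,false,employee,2018-01-15,2024-01-10,
rpatel,true,contractor,2024-05-20,,2024-09-30
tmp-audit,true,employee,2024-02-01,2024-05-28,
"""


def _date(value: str) -> date | None:
    return date.fromisoformat(value) if value else None


def load_hr(text: str) -> dict[str, dict]:
    """Index the HR feed by username."""
    return {row["username"]: row for row in csv.DictReader(io.StringIO(text))}


def audit_accounts(directory_csv: str, hr_csv: str, today: date = TODAY) -> list[tuple[str, str, str]]:
    """Return (username, finding_code, detail) for every account that needs action."""
    hr = load_hr(hr_csv)
    findings = []
    for row in csv.DictReader(io.StringIO(directory_csv)):
        user = row["username"]
        enabled = row["enabled"].lower() == "true"
        record = hr.get(user)

        if record is None:
            findings.append((user, "UNASSOCIATED", "no HR record; nobody can vouch for this account"))
            continue

        leave_date = _date(record["leave_date"])
        if enabled and record["status"] == "left" and leave_date and leave_date <= today:
            findings.append((user, "LEAVER_ENABLED", f"left {leave_date} but account still enabled"))

        # Dormancy: last logon, or creation date if the account has never logged on.
        last_activity = _date(row["last_logon"]) or _date(row["created"])
        if enabled and last_activity and today - last_activity > DORMANT_AFTER:
            findings.append((user, "DORMANT", f"no logon since {last_activity}"))

        if enabled and row["account_type"] == "contractor" and not row["expires"]:
            findings.append((user, "NO_EXPIRY", "contractor account without an expiry date"))
    return findings


if __name__ == "__main__":
    for user, code, detail in audit_accounts(DIRECTORY_EXPORT, HR_FEED):
        print(f"{code:15} {user:10} {detail}")
```

The check deliberately reports a leaver only once the leave date has passed, so a scheduled future leaver is not flagged prematurely, and it treats a never-used account as dormant from its creation date rather than ignoring it. The output is a worklist for the access-management team: disable the leaver and dormant accounts, find an owner for the unassociated one or disable it, and set an expiry on the contractor account.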
The CIS Controls are a great foundation for any organisation looking to strengthen its cyber security, and the resource is free to download. Implementing them to harden your defences against the attack vectors you are likely to encounter is not free, though. Even with the best free resources, most organisations find it a tall order to keep pace with the latest security threats and to manage the people, processes and technologies involved.
Often, a more cost-effective route is to seek external help from security experts rather than hiring, training and retaining your own 24/7 cyber security team.
Whether fully outsourced or working in partnership with internal teams, an outsourced Security Operations Centre will help you quickly scale your security, keep pace with ever-changing threats, and ultimately improve your cyber security posture.
Once you have the Foundational CIS Controls in hand, you are ready for the third and final tier in the framework, the Organisational Controls (Controls 17 to 20). These are a little different from both the Basic and Foundational tiers: although they have many technical aspects, this final set of controls focuses more on the people and processes involved in cyber security.