April 3, 2019
With data breaches and cyber threats on the rise and new regulations making the stakes higher than ever, organisations need to take more proactive security precautions.
Security excellence isn’t easy.
But having a recognised framework as your guide helps you prioritise your security efforts and gives you direct instruction on how to protect your business. The CIS Controls have been designed to help combat this exact problem.
In the second part of this 4-part series, we give a brief overview of the first 6 critical controls in the framework – called “The Basic CIS Controls”. These are wide in scope but align to solid principles: making sure the right users have access to the right assets, and that all systems are kept up-to-date and as secure as possible.
Articles in the series:
» Overview of the top 20 CIS Critical Security Controls (Part 1): What are they?
» CIS Critical Security Controls: The 6 BASIC controls (Part 2)
» The 10 Foundational CIS Critical Security Controls (Part 3)
» Understanding the Organisational CIS Critical Security Controls (Part 4)
The Basic CIS Controls
These basic controls are a must for every organisation, regardless of the size or the industry in question. By following and implementing against this framework, many cyber incidents can be prevented, laying a solid foundation that will yield great benefits to your business.
1. Inventory and Control of Hardware Assets
One of the easiest ways for your data and network to be laid bare to security threats is through your hardware assets. As we all move to an increasingly mobile work life, the chances of leaving a laptop or mobile device unattended also goes up.
If you don’t know what’s connecting to your network, who has data on their devices and when something goes missing, you certainly aren’t in a great position to protect your data. Even if you haven’t deployed mobile devices yourselves, you may well find employees bringing their own and connecting to your network.
Create and maintain an accurate inventory of all devices allowed on your network… and who they’re used by. This helps to:
- Prevent unauthorised devices from accessing the network
- Discover unknown devices
- Track changes made to existing devices
2. Inventory and Control of Software
Just like hardware, software is an access point to your environment. Again, users don’t usually see any issue with downloading software you never authorised onto your devices. If you don’t know which apps are connecting to your network, you’re working blind.
To manage this, develop and maintain an inventory of software in your network:
- What software has been installed on your systems?
- Who installed the software?
- What its functionalities are
- Create whitelists and blacklists to help maintain security
3. Continuous Vulnerability Management
Most cyber attacks exploit well-known vulnerabilities. Just as a burglar looks for the homes with the least well-lit entrances, no visible cameras and a simple getaway route, attackers look for weak spots in your cyber security. Don’t make it so easy for them. Perform regular vulnerability scans in your environment.
- Highlight the vulnerabilities that threaten your security
- Provide actionable recommendations for remediation
- Demonstrate due diligence and proactive risk management
- Meet your compliance requirements
4. Controlled Use of Administrative Privileges
If you go away for the weekend, you don’t leave a set of house keys with everyone in your neighbourhood. You may want one or two trusted people to have access. People you can trust to lock up after themselves and not invite any strangers in. The same goes for admin privileges.
Reduce administrative privileges so that only the employees that really need access have it. Reducing access can reduce phishing attacks that exploit human error. Common phishing attacks include:
- Tricking an admin user into opening a malicious file
- Cracking an admin-level user password to access a target machine
5. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Operating systems and apps are usually configured with ease of deployment as a priority. Not security. Because of this, hackers can easily exploit default settings such as passwords, open ports and outdated protocols. Configuring robust settings requires the analysis of hundreds (if not thousands) of options.
Once you have your best configurations set up, you need to continually monitored and managed:
- Establish, implement and actively manage the security configuration of mobile devices, laptops, servers and workstations
- Maintain documented security configuration standards for all authorised operating systems and software
- Perform all remote administration of systems of encrypted channels using multi-factor authentication
- Use an automated monitoring system to verify all security configuration elements and alert your team to vulnerabilities
6. Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage and analyse your event logs to detect anomalous activities and investigate all security incidents.
Without continuous logging and analysis, you allow attackers to hide their location and activities in your network. Even if you become aware of which systems have been compromised, without accurate monitoring, you’ll have no way of knowing what damage has already been done and what (or who) is still lurking in your network. Ensure your audit logs include the following as a minimum:
- Source addresses
- Destination addresses
This will help you track down and retrace the steps of each threat you’ve detected against each transaction and packet.
Should I DIY our CIS Controls Management Process?
The CIS Controls are a great foundation for any organisation looking to strengthen their cyber security – and the resource is free to download! But implementation to harden defences against attack vectors you’re likely to encounter, isn’t free. Even with the best free resources, most organisations find it a tall order keeping pace with the latest security threats, as well as managing people, process and associated technologies.
›› The importance of an on-going Cyber Security programme
Often, a more cost-effective route is to seek external help from security experts rather than hiring, training and retaining your own 24-7 cyber security team.
Whether fully outsourced, or working in partnership with internal teams, an outsourced Security Operations Centre will help you to quickly scale your security, keep pace with ever-changing threats – and ultimately make a real difference to your cyber security posture.
In the next two CIS articles, we dig a little deeper to help you implement as much as you can in-house and figure out whether you’d be better off with any areas being outsourced.
Further articles in the series:
- Overview of the top 20 CIS Critical Security Controls (Part 1): What are they?
- CIS Critical Security Controls: The 6 BASIC controls (Part 2)
- The 10 Foundational CIS Critical Security Controls (Part 3)
- Understanding the Organisational CIS Critical Security Controls (Part 4)
- How to create strong passwords you can remember
- What is SIEM? (Part 1): Cyber Security 101
- 8 most common cyber attacks explained
- Is ransomware the biggest threat to your IT security?
- Type of penetration test – what’s the difference?
- Pros and cons of outsourcing your cyber security: In-house of Managed SOC?
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.