April 3, 2019
The CIS Controls are a framework of 20 steps designed to protect your organisation from known cyber attacks. The steps have been prioritised to make them easier to implement. If you have each preceding step underway, you’ll have many of the tools in place to be able to proceed to the next.
So, if you haven’t got to grips with the Basic CIS Controls yet, we suggest you back up and read our article on those first:
- Overview of the top 20 CIS Critical Security Controls (Part 1): What are they?
- CIS Critical Security Controls: The 6 BASIC controls (Part 2)
- The 10 Foundational CIS Critical Security Controls (Part 3)
- Understanding the Organisational CIS Critical Security Controls (Part 4)
Ready for the next level of security controls?
Here’s our quick overview of the ten “Foundational CIS Controls” and why they’re critical for your business…
The Foundational CIS Controls
These are technical best practices that provide clear security benefits and are a smart move for any organisation to implement.
7. Email and Web Browser Protections
Because of their flexible nature, email and web browsers make it easy for attackers to trick users into allowing malicious code into your network with clever phishing and social engineering techniques.
Imagine a dartboard that’s three times the size of a regular one.
A pretty easy target and definitely an unfair advantage for the player. Now imagine your organisation is that oversized dartboard and the player is a hacker. You’ll want to reduce your attack surface as much as possible to reduce their chances of hitting the bullseye.
Ensuring you only use fully supported web browsers and email clients helps you do just that.
8. Malware Defences
Malware is always evolving and can get into your environment through multiple access points. You need to be able to keep up with these dynamic threats.
Make sure you can control malicious code being installed and executed at multiple points across your organisation. It’s no small task and needs continuous action. Therefore, the most effective way is to use automated tools that continuously monitor servers, workstations and mobile devices with anti-spyware, anti-virus, firewall and host-based IPS functionality.
9. Limitation and Control of Network Ports, Protocols and Services
Remotely accessible network services are particularly vulnerable to hacker exploitation. Common entry points include poorly configured mail and web servers, file and print services, and DNS servers that have been installed by default on your users’ devices. This makes it critical that only ports, protocols, and services with a real business need are allowed to run.
You need to manage and track the use of protocols, ports and services, and close down any unnecessary entry points.
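One way to put that tracking into practice is to compare what is actually listening on a host against a documented, authorised baseline. The script below is an added illustration for Control 9, not code from the article or from CIS; the socket listing is constructed text in the shape of `ss -tlnup` output, and the per-host baseline is a hypothetical allowlist you would maintain yourself.

```python
"""Compare listening services on a host against an authorised baseline.

Added illustration for Control 9; not from the article or from CIS.
Input is constructed text in the shape of `ss -tlnup` output; the
baseline dict is a hypothetical per-host allowlist.
"""
import re

# Constructed sample of `ss -Htlnup`-style lines (no real host behind it).
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:443     0.0.0.0:* users:(("nginx",pid=1023,fd=6))
tcp   LISTEN 0 128 127.0.0.1:631   0.0.0.0:* users:(("cupsd",pid=655,fd=7))
tcp   LISTEN 0 50  0.0.0.0:445     0.0.0.0:* users:(("smbd",pid=1410,fd=12))
udp   UNCONN 0 0   0.0.0.0:53      0.0.0.0:* users:(("systemd-resolve",pid=402,fd=12))
"""

# Hypothetical authorised baseline for a web server: (proto, port) -> process.
WEB_SERVER_BASELINE = {("tcp", 22): "sshd", ("tcp", 443): "nginx"}

LINE_RE = re.compile(
    r'^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"'
)

def parse_listeners(ss_output):
    """Return (proto, bind_addr, port, process) tuples from ss-style lines."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, proc = m.groups()
            listeners.append((proto, addr, int(port), proc))
    return listeners

def find_unapproved(ss_output, baseline):
    """Flag listeners absent from the baseline or run by an unexpected process.

    Loopback-only listeners are tagged 'local' so they can be triaged
    separately, but they are still reported: the control asks that every
    running service have a documented business need.
    """
    findings = []
    for proto, addr, port, proc in parse_listeners(ss_output):
        expected = baseline.get((proto, port))
        if expected == proc:
            continue
        scope = "local" if addr.startswith("127.") else "exposed"
        reason = "not in baseline" if expected is None else f"expected {expected}"
        findings.append((scope, proto, port, proc, reason))
    return findings
```

Run the same check across hosts on a schedule and diff the findings over time; a service that appears between two runs is exactly the unplanned entry point this control is meant to catch.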
10. Data Recovery Capability
If the worst should happen and an attack manages to change your data, configurations and software, you need reliable backup and recovery. Downtime and lost data can and will seriously hurt your organisation.
While not a defensive move, recovery is a critical one. Implementing a proven method of timely recovery and backups that run at least weekly can seriously reduce the impact of any attack on your data.
11. Secure Configuration for Network Devices
Just like applications and operating systems, the default settings for network infrastructure devices are geared towards easy deployment, not optimal security. Also, network device security configurations tend to degrade over time. Attackers know this all too well. They exploit these configuration flaws to get access to your networks.
To thwart these threats, you need to actively manage the configuration of network infrastructure devices such as firewalls, routers and switches.
12. Boundary Defence
Configuration and architectural vulnerabilities in perimeter systems, network devices and machines accessing the internet leave the door open to attackers. Through these cracks in your defences, attackers can gain access to your network.
You need the ability to detect and manage the flow of information between networks, prioritising data that could most seriously damage your security. You need technology that provides deep visibility and control across your entire environment, such as intrusion detection and prevention systems.
13. Data Protection
A hot topic over the past year but not a new threat. While we talk a lot about deliberate data theft, data loss can also be down to human error and poor security practices.
You need the right tools and processes to mitigate the risk of data loss, theft and corruption, especially where your most sensitive information lives. To minimise these threats, you’ll need a combination of integrity protection, encryption and data loss prevention techniques.
14. Controlled Access Based on the Need to Know
Not everyone working at the bank needs the code to the safe. Who really needs access to your most critical assets and sensitive data? If you’re not separating users accordingly, it’s far easier for a phisher, malicious insider or malware attack to infiltrate and take over an account.
Track, control and secure access to your critical assets so you can easily determine which people, devices and applications should have access to your most sensitive assets.
15. Wireless Access Control
Wireless devices are a convenient route for attackers to get long-term access to your IT environment. As workforces become more mobile, the opportunity for wireless clients to become infected is on the rise. They connect to a LAN while they’re away on business and when they come back and connect to your office network, they could be carrying infections that spread to your network.
Use network vulnerability scanning tools to ensure that all wireless devices on your network match an authorised configuration and security profile.
16. Account Monitoring and Control
Have a contractor that’s left? Or a long-term employee? Deactivate their account on the day they go so you don’t leave a gateway to would-be attackers.
As part of your joiners, movers and leavers process, you need to monitor and control all user accounts. If an account is no longer needed, delete it before it has a chance to fall into the wrong hands. Running regular audits on top of your existing protocols helps you identify any chinks in your account handling armour.
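A joiners, movers and leavers review is easiest to keep honest when it is scripted against a directory export. The following is an added illustration for Control 16, not code from the article or from CIS; the account records are constructed sample data, and the 90-day dormancy threshold and the record fields are hypothetical choices you would align with your own policy and directory.

```python
"""Account review for Control 16: flag enabled leavers, expired contractors
and dormant accounts.

Added illustration, not from the article or from CIS. The record shape and
the policy thresholds are hypothetical; real data would come from your
directory export.
"""
from datetime import date, timedelta

# Constructed sample export: one dict per account (no real people).
SAMPLE_ACCOUNTS = [
    {"user": "a.smith", "type": "employee", "enabled": True,
     "last_logon": date(2019, 3, 29), "end_date": None},
    {"user": "j.doe", "type": "employee", "enabled": True,
     "last_logon": date(2018, 11, 2), "end_date": date(2019, 1, 31)},
    {"user": "c.jones", "type": "contractor", "enabled": True,
     "last_logon": date(2019, 3, 15), "end_date": date(2019, 2, 28)},
    {"user": "svc-backup", "type": "service", "enabled": True,
     "last_logon": date(2018, 6, 1), "end_date": None},
    {"user": "p.lee", "type": "employee", "enabled": False,
     "last_logon": date(2018, 5, 20), "end_date": date(2018, 5, 20)},
]

REVIEW_DATE = date(2019, 4, 3)          # date the sample audit is run
DORMANT_AFTER = timedelta(days=90)      # hypothetical policy threshold

def review_accounts(accounts, today, dormant_after=DORMANT_AFTER):
    """Return (user, finding) pairs, highest priority first.

    An enabled account whose owner has left is an open door and
    outranks an account that is merely dormant.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already deactivated; nothing to do
        end = acct["end_date"]
        if end is not None and end <= today:
            who = "contractor" if acct["type"] == "contractor" else "leaver"
            findings.append((acct["user"], f"{who} past end date {end}, still enabled"))
            continue
        if today - acct["last_logon"] > dormant_after:
            findings.append((acct["user"], f"dormant: no logon since {acct['last_logon']}"))
    findings.sort(key=lambda f: 0 if "still enabled" in f[1] else 1)
    return findings
```

Note that the service account surfaces only as dormant: it has no end date, so a review like this also needs an owner recorded for every non-human account, or it will never be retired.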
Should you DIY your CIS Controls Management Process?
The CIS Controls are a great foundation for any organisation looking to strengthen their cyber security – and the resource is free to download! But implementation that hardens your defences against the attack vectors you’re likely to encounter isn’t free. Even with the best free resources, most organisations find it a tall order keeping pace with the latest security threats, as well as managing people, process and associated technologies.
›› The importance of an on-going Cyber Security Programme
Often, a more cost-effective route is to seek external help from security experts rather than hiring, training and retaining your own 24/7 cyber security team.
Whether fully outsourced, or working in partnership with internal teams, an outsourced Security Operations Centre will help you to quickly scale your security, keep pace with ever-changing threats – and ultimately make a real difference to your cyber security posture.
Once you have the Foundational CIS Controls in hand, you’re ready for the third and final tier in the framework, the Organisational Controls. These are a little different in character from both the Basic and Foundational – although they have many technical aspects, this final set of controls focuses more on people and the processes involved in cyber security.
All articles in the series:
» Overview of the top 20 CIS Critical Security Controls (Part 1): What are they?
» CIS Critical Security Controls: The 6 BASIC controls (Part 2)
» The 10 Foundational CIS Critical Security Controls (Part 3)
» Understanding the Organisational CIS Critical Security Controls (Part 4)
›› View a FREE sample Penetration Test Report
Regular penetration testing, training and audits will help you identify weak spots as your technology, team and environment continues to evolve. Take a look at a sample risk-based report to understand the approach, critical security intelligence and actionable steps with our CREST-certified penetration tests.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact’s state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK’s leading organisations.