What are the CIS Controls? | 20 CIS Controls


By Bill Minahan   |   June 15, 2021

What are the CIS Controls?

The CIS Controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 critical controls in total, prioritized so that your organization can take the most essential actions first and gain the highest payoff.

The controls are derived from widespread attack patterns. Specifically, the most trusted threat reports identify attack patterns, which are then vetted across a broad community of trusted industry and government practitioners, that is, the individuals who know how attacks work.

For example, the NSA Red and Blue teams, the US Department of Energy nuclear energy labs, and law enforcement organizations all work together to answer the question: “What do we need to do to stop known attacks?”

From this community of experts come the 20 CIS Controls, which provide direction on how to stop today’s most common attacks. So let’s dive into who needs them, what each control requires, and how to implement them.

Who needs CIS Controls?

Unlike many other standards and compliance regulations aimed at improving security, the CIS Controls are not industry-specific: they are universally applicable and industry-agnostic. As a result, they can strengthen any organization’s information security and IT governance.

So, if your organization stores, transmits, or uses sensitive data that needs to be protected, then the answer is: you need the CIS Controls.

Correct implementation of all 20 critical controls significantly reduces your security risk, lowers operational costs, and greatly improves an organization’s defensive posture.

There are significant differences between the CIS Controls and other security frameworks. The most important is that the CIS Controls acknowledge that some organizations have limited resources.

Not every organization can implement each and every control that it would like to, and may very well need. As a result, the 20 controls are prioritized by risk, so that your organization can work towards mitigating the largest risks first.

CIS Controls List

The CIS Controls are divided into three families: basic, foundational, and organizational. For ease of implementation, each control is further subdivided into sub-controls.

The controls cover not only data, software, and hardware, but also people and processes.

The first six controls make up the “basic” family of security controls.

The following is a complete list of the top 20 critical controls:

CIS Controls List: Basic controls

CIS Control 1: Inventory and Control of Hardware Assets

Control 1 is the first control within the framework of 20 critical controls.

Control 1 focuses on actively managing (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized or unmanaged devices are found and blocked from gaining access.

This control is split into 6 focused sections relating to network access control, automation, and asset management. The control specifically focuses on the need for awareness of what is connected to your network. It also prioritizes internal inventory management and management automation.

Implementing inventory control is not the most glamorous way to improve your security program. However, it is a foundational security control that is a prerequisite for the other 19 controls.

When done right, it reduces insider threat and loss risks, cleans up your IT environment, and provides greater visibility and organization to your network.

Why is this CIS Control Critical?

CIS Control 1 is critical because bad actors online search for new and unprotected systems and are particularly interested in devices that come and go off the network, such as bring-your-own devices (BYOD), mobile devices, and IoT devices.

Not only do these devices risk being out of sync with security updates; worse still, they could already be compromised.

Even devices that are not visible from the internet can be used by bad actors who have already gained internal access.

Large, complex enterprises often struggle with managing intricate, fast-changing environments, and this is a known weakness that bad actors capitalize on. Managed control of devices also plays a critical role in planning and executing system backup, incident response, and recovery.

How to Implement CIS Control 1

The following is a list of the sub-controls of CIS Control 1:

  • CIS Control 1.1: Utilize an Active Discovery Tool
    • Utilize an active discovery tool to identify devices connected to the organization’s network. Update the hardware asset inventory.
  • CIS Control 1.2: Use a Passive Asset Discovery Tool
    • Utilize a passive discovery tool to identify devices connected to the organization’s network and automatically update the organization’s hardware asset inventory.
  • CIS Control 1.3: Use DHCP Logging to Update Asset Inventory
    • Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization’s hardware asset inventory.
  • CIS Control 1.4: Maintain Detailed Asset Inventory
    • Maintain an accurate and up-to-date inventory of all technology assets with the potential to store as well as process information. This inventory should include all assets, whether connected to the organization’s network or not.
  • CIS Control 1.5: Maintain Asset Inventory Information
    • Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether or not the hardware asset has been approved to connect to the network.
  • CIS Control 1.6: Address Unauthorized Assets
    • Ensure that unauthorized assets are either removed from the network, quarantined or the inventory is updated in a timely manner.
  • CIS Control 1.7: Deploy Port Level Access Control
    • Utilize port-level access control, following 802.1x standards, to control which devices can authenticate to the network. Tie the authentication systems into the hardware asset inventory data to ensure only authorized devices can connect to the network.
  • CIS Control 1.8: Utilize Client Certificates to Authenticate Hardware Assets
    • Use client certificates to authenticate hardware assets connecting to the organization’s trusted network.
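Sub-controls 1.3, 1.5 and 1.6 together describe a loop: read DHCP lease events, refresh the inventory fields for known devices, and flag anything that obtained a lease without being an approved, inventoried asset. The following is an added example of that loop (not code from the original post or from CIS); the dhcpd-style log lines, the inventory records and the `Asset` fields are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed ISC dhcpd-style syslog lines (sample input, not real log data).
DHCP_LOG = """\
Jun 15 09:01:12 dhcp1 dhcpd: DHCPDISCOVER from 3c:52:82:aa:01:01 via eth0
Jun 15 09:01:12 dhcp1 dhcpd: DHCPACK on 10.10.5.21 to 3c:52:82:aa:01:01 (fin-laptop-07) via eth0
Jun 15 09:02:40 dhcp1 dhcpd: DHCPACK on 10.10.5.22 to 3c:52:82:aa:01:02 (eng-ws-14) via eth0
Jun 15 09:03:05 dhcp1 dhcpd: DHCPACK on 10.10.5.90 to b8:27:eb:00:11:22 (raspberrypi) via eth0
Jun 15 09:03:44 dhcp1 dhcpd: DHCPACK on 10.10.5.23 to 3c:52:82:aa:01:03 (ops-laptop-02) via eth0
"""

# A DHCPACK means the server handed out (or renewed) a lease: IP -> MAC (+ optional hostname).
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<name>[^)]*)\))?",
    re.IGNORECASE,
)


@dataclass
class Asset:
    """One hardware inventory record with the fields sub-control 1.5 asks for (assumed layout)."""
    mac: str
    machine_name: str
    owner: str
    department: str
    approved: bool      # approved to connect to the network?
    ip: str = ""        # last network address seen


def parse_dhcp_acks(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; other lines are ignored."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["name"] or ""


def reconcile(inventory, log_text):
    """Update the inventory in place from DHCP leases and report what needs action.

    Returns a dict with:
      updated    - MACs whose recorded IP changed (sub-controls 1.3 / 1.5)
      unapproved - inventoried MACs that are not approved yet obtained a lease (1.6)
      unknown    - MACs with no inventory record at all (1.6)
    """
    by_mac = {a.mac.lower(): a for a in inventory}
    report = {"updated": [], "unapproved": [], "unknown": []}
    for ip, mac, name in parse_dhcp_acks(log_text):
        asset = by_mac.get(mac)
        if asset is None:
            report["unknown"].append({"mac": mac, "ip": ip, "machine_name": name})
            continue
        if asset.ip != ip:
            asset.ip = ip
            report["updated"].append(mac)
        if not asset.approved:
            report["unapproved"].append(mac)
    return report


def sample_inventory():
    """Constructed inventory: three known devices, one of them not yet approved."""
    return [
        Asset("3c:52:82:aa:01:01", "fin-laptop-07", "A. Chen", "Finance", True, "10.10.5.21"),
        Asset("3c:52:82:aa:01:02", "eng-ws-14", "R. Patel", "Engineering", True, "10.10.5.40"),
        Asset("3c:52:82:aa:01:03", "ops-laptop-02", "M. Ruiz", "Operations", False),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    result = reconcile(inv, DHCP_LOG)
    for mac in result["unapproved"]:
        print(f"ALERT unapproved asset {mac} obtained a lease")
    for rec in result["unknown"]:
        print(f"ALERT unknown device {rec['mac']} ({rec['machine_name']}) at {rec['ip']}")
```

The unknown and unapproved lists are the input to sub-control 1.6: quarantine the device, remove it, or complete its inventory record.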

CIS Control 2: Inventory and Control of Software Assets

CIS Control 2 focuses on actively managing (inventory, track, correct) all software on the network so that only authorized software is installed and able to execute. Likewise, all unauthorized and unmanaged software is found and blocked from installation and execution.

Essentially, CIS Control 2 calls for you to be aware of what software is on your systems, who installed it, and what it does. The control focuses on the need to know what is running on your systems and network at all times, and on internal inventory management, so that if an incident occurs your team can easily identify and remove software that is not on the inventory list.

When done right, it reduces insider threat and loss risks, cleans up your IT environment, and provides greater visibility and organization to your network.

Why is this CIS Control Critical?

Attackers continuously target organizations that are running vulnerable versions of software because such software is easy to exploit remotely.

Furthermore, some attackers also distribute documents, media files, hostile web pages, and other malicious content via their own web pages or otherwise trustworthy third-party sites. If unsuspecting users access this content with a vulnerable browser then attacks can compromise their machines. Then, attackers often install backdoor programs and bots that give them long-term, undetected control of the system.

Once an attacker exploits a single machine, they often use it to gather sensitive information about the corporation, the compromised system, as well as any other systems connected to it.

Therefore, without complete knowledge and control of the software deployed in an organization, defenders cannot properly secure their assets or identify software that should not be there, or worse, that is already there and malicious.

Managed control of all software also plays a critical role in planning and executing system backup, incident response, and recovery. As a result, CIS Control 2 strengthens multiple aspects of your cyber security posture and is worthwhile for your team to implement.

How to Implement CIS Control 2

The following is a list of the sub-controls of CIS Control 2:

  • CIS Control 2.1: Maintain Inventory of Authorized Software
    • Maintain an up-to-date list of all authorized software that is required in the enterprise for any business purpose on any business system.
  • CIS Control 2.2: Ensure Software Is Supported by Vendor
    • Ensure that only software applications or operating systems that are currently supported and receiving vendor updates are added to the organization’s authorized software inventory. Unsupported software should be tagged in the inventory system.
  • CIS Control 2.3: Utilize Software Inventory Tools
    • Utilize software inventory tools throughout the organization to automate the documentation of all software.
  • CIS Control 2.4: Track Software Inventory Information
    • The software inventory system should track the name, version, publisher, and install date for all software, including operating systems authorized by the organization.
  • CIS Control 2.5: Integrate Software and Hardware Asset Inventories
    • The software inventory system should be tied into the hardware asset inventory so all devices and associated software are tracked from a single location.
  • CIS Control 2.6: Address Unapproved Software
    • Ensure that unauthorized software is either removed or the inventory is updated in a timely manner.
  • CIS Control 2.7: Utilize Application Whitelisting
    • Utilize application whitelisting technology to ensure that only authorized software executes, and all unauthorized software is blocked from executing on assets.
  • CIS Control 2.8: Implement Application Whitelisting of Libraries
    • The organization’s application whitelisting software must ensure that only authorized software libraries (such as *.dll, *.ocx, *.so, etc.) are allowed to load into a system process.
  • CIS Control 2.9: Implement Application Whitelisting of Scripts
    • The organization’s application whitelisting software must ensure that only authorized, digitally signed scripts (such as *.ps1,*.py, macros, etc.) are allowed to run on a system.
  • CIS Control 2.10: Physically or Logically Segregate High-Risk Applications
    • Physically or logically segregated systems should be used to isolate and run software that is required for business operations but incurs higher risk for the organization.

CIS Control 3: Continuous Vulnerability Management

CIS Control 3 focuses on the need to continuously acquire, assess, and act on new information in order to identify new vulnerabilities, remediate them, and minimize the window of opportunity for attackers.

Organizations operate in a constant stream of new security information: evolving threats, software updates, patches, security advisories, etc.

Essentially, CIS Control 3 calls for you to continuously understand and manage these vulnerabilities.

The control consists of 8 different sections relating to vulnerability awareness and management.

Why is this CIS Control Critical?

Understanding and managing vulnerabilities continuously requires time, attention, and resources. In most cases, attackers have access to the same information and can take advantage of the gap between the appearance of new knowledge and remediation.

For instance, researchers reporting new vulnerabilities can set off a race between multiple parties: attackers (trying to weaponize and exploit the vulnerability), vendors (trying to deploy patches and updates to protect users), and defenders (trying to assess risk and protect their systems).

Organizations that do not scan for vulnerabilities or proactively address discovered vulnerabilities increase the likelihood of exploits and attacks.

How to Implement CIS Control 3

  • CIS Control 3.1: Run Automated Vulnerability Scanning Tools
    • Utilize an up-to-date Security Content Automation Protocol (SCAP) compliant vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems.
  • CIS Control 3.2: Perform Authenticated Vulnerability Scanning
    • Perform authenticated vulnerability scanning with agents running locally on each system or with remote scanners that are configured with elevated rights on the system being tested.
  • CIS Control 3.3: Protect Dedicated Assessment Accounts
    • Use a dedicated account for authenticated vulnerability scans, which should not be used for any other administrative activities and should be tied to specific machines at specific IP addresses.
  • CIS Control 3.4: Deploy Automated Operating System Patch Management Tools
    • Deploy automated software update tools in order to ensure that the operating systems are running the most recent security updates provided by the software vendor.
  • CIS Control 3.5: Deploy Automated Software Patch Management Tools
    • Deploy automated software update tools in order to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
  • CIS Control 3.6: Compare Back-to-Back Vulnerability Scans
    • Regularly compare the results from consecutive vulnerability scans to verify that vulnerabilities have been remediated in a timely manner.
  • CIS Control 3.7: Utilize a Risk-Rating Process
    • Utilize a risk-rating process to prioritize the remediation of discovered vulnerabilities.
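Sub-controls 3.6 and 3.7 are easy to state and easy to skip in practice: diff consecutive scan exports so that "remediated" is something you verify rather than assume, and rank what remains by risk rather than by raw CVSS alone. The following is an added example of both (not code from the original post or from CIS); the scan exports, check identifiers, asset criticality table and the weighting formula are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One row of a scanner export: which host has which vulnerability."""
    host: str
    check_id: str    # scanner check identifier; placeholder ids here, not real CVEs
    cvss: float      # CVSS base score, 0.0 - 10.0


# Constructed exports from two consecutive weekly scans (sample input).
SCAN_WEEK1 = [
    Finding("web01", "VULN-0001", 9.8),
    Finding("web01", "VULN-0002", 5.3),
    Finding("db01", "VULN-0003", 7.5),
    Finding("ws-17", "VULN-0004", 6.1),
]
SCAN_WEEK2 = [
    Finding("web01", "VULN-0002", 5.3),   # still present: persisting
    Finding("db01", "VULN-0003", 7.5),    # still present: persisting
    Finding("db01", "VULN-0005", 8.8),    # newly reported
    # VULN-0001 on web01 and VULN-0004 on ws-17 no longer appear: remediated
]

# Constructed asset context used by the risk rating (sub-control 3.7).
ASSET_CRITICALITY = {"db01": 3, "web01": 2, "ws-17": 1}   # 1 = low .. 3 = high
INTERNET_EXPOSED = {"web01"}


def _key(f):
    return (f.host, f.check_id)


def compare_scans(previous, current):
    """Sub-control 3.6: diff consecutive scans by (host, check) pair."""
    prev = {_key(f) for f in previous}
    cur = {_key(f) for f in current}
    return {
        "remediated": sorted(prev - cur),
        "new": sorted(cur - prev),
        "persisting": sorted(prev & cur),
    }


def risk_score(f):
    """Assumed rating: CVSS weighted by asset criticality, times 1.5 if internet-exposed."""
    exposure = 1.5 if f.host in INTERNET_EXPOSED else 1.0
    return round(f.cvss * ASSET_CRITICALITY.get(f.host, 1) * exposure, 1)


def prioritize(findings):
    """Sub-control 3.7: order open findings so the highest-risk item is fixed first."""
    return sorted(findings, key=risk_score, reverse=True)


def overdue(previous, current, max_cycles_open, cycles_open):
    """Persisting findings whose age (in scan cycles) exceeds the remediation target.

    cycles_open maps (host, check_id) -> number of consecutive scans it has appeared in.
    """
    persisting = compare_scans(previous, current)["persisting"]
    return [k for k in persisting if cycles_open.get(k, 1) > max_cycles_open]


if __name__ == "__main__":
    diff = compare_scans(SCAN_WEEK1, SCAN_WEEK2)
    print("remediated:", diff["remediated"])
    print("new:       ", diff["new"])
    for f in prioritize(SCAN_WEEK2):
        print(f"{risk_score(f):5.1f}  {f.host:6}  {f.check_id}  (cvss {f.cvss})")
```

Because the weighting uses asset context, a medium-CVSS finding on an exposed or critical host can outrank a higher-CVSS finding on a low-value workstation, which is the point of sub-control 3.7.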

CIS Control 4: Controlled Use of Administrative Privileges

CIS Control 4 focuses on controlling the use of administrative privileges.

Specifically, this control focuses on reducing administrative privilege and restricting it to only those users who require it to perform their job roles. In most cases, the majority of users do not need administrative privilege for their daily tasks. Yet many businesses grant all users administrative privileges regardless of job role.

This is risky.

CIS Control 4 focuses on using processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.

Why is this CIS Control Critical?

CIS Control 4 is critical because attackers are constantly on the lookout for organizations that fail to control and restrict their administrative users.

Misuse of privilege is an increasingly popular method for attackers to land and expand inside networks.

For instance, two common attacks that rely on administrative privileges are the following:

In the first, an attacker manipulates a user running with administrative privilege into opening a malicious PDF or attachment, or the user’s machine is infected with malware after visiting a site that loads it silently in the background.

Privileged accounts make these attacks especially quick and dangerous. The user’s machine can be controlled instantly, a keylogger installed, and other malicious activity carried out, all out of plain sight.

When this is executed on a device with administrative privileges, the attacker can completely take over the victim’s machine and infect other systems on the network.

The second common attack is an elevation-of-privilege attack: guessing or cracking the password of an administrative user in order to gain access to a target machine. If administrative privileges are loosely given out, or identical (or similar) passwords are used on less critical systems, then the attacker can easily gain full control of your systems.

As a result, restricting access to data by job function is one of the most effective ways to reduce your risk.

How to Implement CIS Control 4

  • CIS Control 4.1: Maintain Inventory of Administrative Accounts
    • Use automated tools to inventory all administrative accounts, including domain and local accounts, to ensure that only authorized individuals have elevated privileges.
  • CIS Control 4.2: Change Default Passwords
    • Before deploying any new asset, change all default passwords to have values consistent with administrative level accounts.
  • CIS Control 4.3: Ensure the Use of Dedicated Administrative Accounts
    • Ensure that all users with administrative account access use a dedicated or secondary account for elevated activities. This account should only be used for administrative activities and not for Internet browsing, email, or similar activities.
  • CIS Control 4.4: Use Unique Passwords
    • Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
  • CIS Control 4.5: Use Multi-Factor Authentication for All Administrative Access
    • Use multi-factor authentication as well as encrypted channels for all administrative account access.
  • CIS Control 4.6: Use Dedicated Workstations For All Administrative Tasks
    • Ensure administrators use a dedicated machine for all administrative tasks as well as tasks requiring administrative access. This machine will be segmented from the organization’s primary network and therefore not be allowed Internet access. Likewise, this machine will not be used for reading email, composing documents, or browsing the Internet.
  • CIS Control 4.7: Limit Access to Scripting Tools
    • Limit access to scripting tools (such as Microsoft® PowerShell and Python) to only administrative or development users with the need to access those capabilities.
  • CIS Control 4.8: Log and Alert on Changes to Administrative Group Membership
    • Configure systems to issue a log entry and alert when an account is added to or removed from any group assigned administrative privileges.
  • CIS Control 4.9: Log and Alert on Unsuccessful Administrative Account Login
    • Configure systems to issue a log entry and alert on unsuccessful logins to an administrative account.
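Sub-controls 4.8 and 4.9 are detection rules, and the inventory from 4.1 is what makes them precise: you alert on changes to the groups you have designated as administrative and on failed logons to the accounts you have inventoried as administrative. The following is an added example of both rules run over sample events (not code from the original post or from CIS). The key=value lines are constructed to resemble Windows Security log fields; the event ID meanings (4728/4732 member added to a global/local security group, 4729/4733 member removed, 4625 failed logon) are the standard Windows IDs, and the admin group and account lists are assumed.

```python
import re
from collections import Counter

# Constructed key=value event lines modeled on Windows Security log fields (sample input, not real logs).
EVENT_LINES = """\
2021-06-15T08:59:02Z EventID=4625 TargetUserName=Administrator IpAddress=10.10.7.15
2021-06-15T08:59:09Z EventID=4625 TargetUserName=Administrator IpAddress=10.10.7.15
2021-06-15T08:59:15Z EventID=4625 TargetUserName=Administrator IpAddress=10.10.7.15
2021-06-15T09:02:30Z EventID=4625 TargetUserName=jdoe IpAddress=10.10.7.40
2021-06-15T09:10:11Z EventID=4732 MemberName="CORP\\svc-backup" TargetUserName=Administrators SubjectUserName=jdoe
2021-06-15T09:11:47Z EventID=4728 MemberName="CORP\\tsmith" TargetUserName="Domain Admins" SubjectUserName=helpdesk1
2021-06-15T09:12:03Z EventID=4733 MemberName="CORP\\old-admin" TargetUserName=Administrators SubjectUserName=jdoe
2021-06-15T09:15:20Z EventID=4732 MemberName="CORP\\jdoe" TargetUserName="Print Operators" SubjectUserName=jdoe
2021-06-15T09:20:00Z EventID=4624 TargetUserName=jdoe IpAddress=10.10.7.40
"""

# key=value, where a value may be quoted to allow spaces ("Domain Admins").
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Standard Windows Security event IDs for group membership changes and failed logons.
GROUP_CHANGE_IDS = {"4728": "added to", "4732": "added to", "4729": "removed from", "4733": "removed from"}
FAILED_LOGON_ID = "4625"

# Assumed: taken from the administrative account/group inventory kept under sub-control 4.1.
ADMIN_GROUPS = {"Administrators", "Domain Admins"}
ADMIN_ACCOUNTS = {"Administrator"}


def parse_event(line):
    """Return the event as a dict; the leading token is the timestamp."""
    ts, _, rest = line.partition(" ")
    fields = {"timestamp": ts}
    for key, quoted, bare in FIELD_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def detect(lines, fail_threshold=3):
    """Return alerts for 4.8 (admin group membership changes) and 4.9 (failed admin logons)."""
    alerts = []
    failures = Counter()
    for line in lines.splitlines():
        ev = parse_event(line)
        eid = ev.get("EventID")
        if eid in GROUP_CHANGE_IDS and ev.get("TargetUserName") in ADMIN_GROUPS:
            alerts.append({
                "rule": "admin-group-change",
                "time": ev["timestamp"],
                "detail": f'{ev.get("MemberName")} {GROUP_CHANGE_IDS[eid]} '
                          f'{ev["TargetUserName"]} by {ev.get("SubjectUserName")}',
            })
        elif eid == FAILED_LOGON_ID and ev.get("TargetUserName") in ADMIN_ACCOUNTS:
            src = ev.get("IpAddress", "?")
            alerts.append({"rule": "admin-logon-failure", "time": ev["timestamp"],
                           "detail": f'{ev["TargetUserName"]} from {src}'})
            failures[(ev["TargetUserName"], src)] += 1
    # Escalate when one source repeatedly fails against one admin account (guessing pattern).
    for (user, src), n in failures.items():
        if n >= fail_threshold:
            alerts.append({"rule": "admin-logon-failure-burst", "time": None,
                           "detail": f"{n} failures for {user} from {src}"})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENT_LINES):
        print(f'{a["time"] or "summary":20} {a["rule"]:26} {a["detail"]}')
```

Note that the change to "Print Operators" and the failed logon for a non-admin user produce nothing: the rules fire only on what the inventory says is administrative, which keeps the alert volume reviewable.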

CIS Control 5: Secure Configuration of Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

CIS Control 5 focuses on secure configuration for hardware and software on mobile devices, laptops, workstations, and servers.

Specifically, this control focuses on establishing, implementing, and then actively managing the security configuration of devices using rigorous configuration management and change control processes in order to prevent hackers from exploiting vulnerable services and settings.

Why is this CIS Control Critical?

CIS Control 5 is critical because default configurations for operating systems and applications are mostly geared towards ease of use and not security. As a result, basic controls, open services and ports, default accounts or passwords, older protocols, and pre-installation of unnecessary software can be easy to exploit in their default state.

Therefore, it is important to develop configuration settings with strong security properties. However, this can be a complex task beyond the ability of individual users: it can require analyzing hundreds or thousands of options in order to make the right choices.

Even if a strong initial configuration is developed and installed, it must be continuously managed in order to avoid security degradation as software is updated or patched, new security vulnerabilities are reported, and configurations are tweaked. In most cases, configurations are tweaked to allow the installation of new software or to support new operational requirements.

If it is not, attackers will find opportunities to exploit both network-accessible services and client software.

As a result, it is critical to develop and implement a secure configuration of your devices.

How to Implement CIS Control 5

  • CIS Control 5.1: Establish Secure Configurations
    • Maintain documented security configuration standards for all authorized operating systems and software.
  • CIS Control 5.2: Maintain Secure Images
    • Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates.
  • CIS Control 5.3: Securely Store Master Images
    • Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible.
  • CIS Control 5.4: Deploy System Configuration Management Tools
    • Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.
  • CIS Control 5.5: Implement Automated Configuration Monitoring Systems
    • Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.

CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

CIS Control 6 focuses on collecting, managing, and analyzing audit logs of events that could help your team detect, understand, and recover from an attack.

Specifically, this control focuses on establishing, implementing, and then actively managing the process by which your logs are monitored and analyzed.

Why is this CIS Control Critical?

CIS Control 6 is critical because deficiencies in security logging and analysis can allow attackers to hide their location, malicious software, and activities on victims’ machines. The longer an attacker is on your device undetected, the more damage they are capable of inflicting. Furthermore, even if the victims are aware of an attacker on their system, without protected and complete logging records you can be blind to the details of the attack.

Without solid audit logs, an attack may go unnoticed indefinitely and the damage done may be irreversible.

In some cases, logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes. However, attackers rely on the fact that such organizations rarely examine audit logs, and therefore, do not know that their systems have been compromised.

In short, if log analysis processes are poor or nonexistent, then attackers can sometimes control victim machines for months or years without anyone in the organization realizing it. Although there is surely evidence of the attack, oftentimes the only records of it are in unexamined log files.

Therefore, it is important to establish, implement, and manage the processes your team has for monitoring security logs.

How to Implement CIS Control 6

  • CIS Control 6.1: Utilize Three Synchronized Time Sources
    • Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
  • CIS Control 6.2: Activate Audit Logging
    • Ensure that local logging has been enabled on all systems and networking devices.
  • CIS Control 6.3: Enable Detailed Logging
    • Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
  • CIS Control 6.4: Ensure Adequate Storage for Logs
    • Ensure that all systems that store logs have adequate storage space for the logs generated.
  • CIS Control 6.5: Central Log Management
    • Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
  • CIS Control 6.6: Deploy SIEM or Log Analytic Tools
    • Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
  • CIS Control 6.7: Regularly Review Logs
    • On a regular basis, review logs to identify anomalies or abnormal events.
  • CIS Control 6.8: Regularly Tune SIEM
    • On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

CIS Controls List: Foundational Controls

CIS Control 7: Email and Web Browser Protections

Control 7 focuses on minimizing the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

Why is this CIS Control Critical?

CIS Control 7 is critical because web browsers and email clients are common points of entry and attack. This is due to their technical complexity, flexibility, and their direct interaction with users and with other outside systems and websites. As a result, it’s a critical attack surface for every organization to consider and secure.

Content can be crafted to entice or spoof users into taking actions that threaten the organization and increase overall risk. In most cases, these risks take the form of malicious code, loss of valuable data, and other attacks.

Since these applications are the main means by which users interact with untrusted environments, they are potential targets for both code exploitation and social engineering.

How to Implement CIS Control 7

  • CIS Control 7.1: Ensure Use of Only Fully Supported Browsers and Email Clients
    • Ensure that only fully supported web browsers and email clients can execute in the organization, ideally only using the latest version of the browsers and email clients provided by the vendor.
  • CIS Control 7.2: Disable Unnecessary or Unauthorized Browser or Email Client Plugins
    • Uninstall or disable any unauthorized browser or email client plugins or add-on applications.
  • CIS Control 7.3: Limit Use of Scripting Languages in Web Browsers and Email Clients
    • Ensure that only authorized scripting languages are able to run in all web browsers and email clients.
  • CIS Control 7.4: Maintain and Enforce Network-Based URL Filters
    • Enforce network-based URL filters that limit a system’s ability to connect to websites not approved by the organization. This filtering shall be enforced for each of the organization’s systems, whether they are physically at an organization’s facilities or not.
  • CIS Control 7.5: Subscribe to URL Categorization Service
    • Subscribe to URL-categorization services to ensure that they are up-to-date with the most recent website category definitions available. Block uncategorized sites by default.
  • CIS Control 7.6: Log All URL Requests
    • Log all URL requests from each of the organization’s systems, whether on-site or a mobile device, in order to identify potentially malicious activity and assist incident handlers with identifying potentially compromised systems.
  • CIS Control 7.7: Use of DNS Filtering Services
    • Use Domain Name System (DNS) filtering services to help block access to known malicious domains.
  • CIS Control 7.8: Implement DMARC and Enable Receiver-Side Verification
    • To lower the chance of spoofed or modified emails from valid domains, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and verification, starting by implementing the Sender Policy Framework (SPF) and the Domain Keys Identified Mail (DKIM) standards.
  • CIS Control 7.9: Block Unnecessary File Types
    • Block all email attachments entering the organization’s email gateway if the file types are unnecessary for the organization’s business.
  • CIS Control 7.10: Sandbox All Email Attachments
    • Use sandboxing to analyze and block inbound email attachments with malicious behavior.
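Sub-control 7.8 says to implement DMARC starting from SPF and DKIM, and the most common failure is a record that exists but enforces nothing (an SPF record ending in `?all`, a DMARC record with `p=none` and no reporting address). The following is an added example that assesses SPF and DMARC TXT record values offline and shows a weak pair beside a hardened one (not code from the original post or from CIS); the record strings use the reserved `example.invalid` domain and are constructed. DKIM is not checked here because it requires a per-selector DNS lookup.

```python
# Constructed DNS TXT record values (sample input), not records of any real domain.
WEAK_SPF = "v=spf1 include:_spf.example.invalid ?all"
WEAK_DMARC = "v=DMARC1; p=none"
HARDENED_SPF = "v=spf1 include:_spf.example.invalid -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid; adkim=s; aspf=s"


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (tag names lowercased)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_spf(txt):
    """Return a list of weaknesses in an SPF record (an empty list means acceptable)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are not constrained")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"   # SPF default qualifier is '+'
        if qualifier in "+?":
            issues.append(f"'{last}' lets any host pass or stay neutral")
        elif qualifier == "~":
            issues.append("'~all' only soft-fails unauthorized senders")
    return issues


def assess_dmarc(txt):
    """Return a list of weaknesses in a DMARC record (an empty list means acceptable)."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' tag")
    elif policy == "none":
        issues.append("p=none: receivers only report, they do not quarantine or reject spoofed mail")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so authentication failures go unnoticed")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        issues.append("sp=none: subdomains remain unprotected")
    return issues


def assess_domain(spf_txt, dmarc_txt):
    """Combined verdict for a sending domain's SPF + DMARC records."""
    issues = assess_spf(spf_txt) + assess_dmarc(dmarc_txt)
    return {"ok": not issues, "issues": issues}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)):
        verdict = assess_domain(spf, dmarc)
        print(f"{label}: ok={verdict['ok']}")
        for issue in verdict["issues"]:
            print("  -", issue)
```

In a real deployment you would fetch the TXT records for `<domain>` and `_dmarc.<domain>` and feed the strings to `assess_domain`; moving from `p=none` to `p=quarantine` and then `p=reject` is normally done only after the aggregate reports show legitimate mail passing.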

CIS Control 8: Malware Defenses

CIS Control 8 focuses on controlling the installation, spread, and execution of malicious code at multiple points of the organization.

In addition, it focuses on optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.

Why is CIS Control 8 Critical?

CIS Control 8 is critical because malicious software is an integral and dangerous aspect of Internet threats, as it is designed to attack your systems, devices, and your data.

Furthermore, it is fast-moving, fast-changing, and enters through any number of points, for example end-user devices, email attachments, web pages, cloud services, user actions, and removable media.

Unfortunately, modern malware is designed to either avoid defenses or attack and disable them.

As a result, malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like incident response plans.

Furthermore, defenses must also be deployed at all possible attack vectors in order to detect, stop the spread, and control the execution of malicious software.

Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.

How to Implement CIS Control 8

  • CIS Control 8.1: Utilize Centrally Managed Anti-Malware Software
    • Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization’s workstations and servers.
  • CIS Control 8.2: Ensure Anti-Malware Software and Signatures Are Updated
    • Ensure that the organization’s anti-malware software updates its scanning engine and signature database on a regular basis.
  • CIS Control 8.3: Enable Operating System Anti-Exploitation Features / Deploy Anti-Exploit Technologies
    • Enable anti-exploitation features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) that are available in an operating system or deploy appropriate toolkits that can be configured to apply protection to a broader set of applications and executables.
  • CIS Control 8.4: Configure Anti-Malware Scanning of Removable Media
    • Configure devices so that they automatically conduct an anti-malware scan of removable media when inserted or connected.
  • CIS Control 8.5: Configure Devices to Not Auto-Run Content
    • Configure devices to not auto-run content from removable media.
  • CIS Control 8.6: Centralize Anti-Malware Logging
    • Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.
  • CIS Control 8.7: Enable DNS Query Logging
    • Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
  • CIS Control 8.8: Enable Command-Line Audit Logging
    • Enable command-line audit logging for command shells, such as Microsoft PowerShell and Bash.

CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services

CIS Control 9 focuses on managing (tracking, controlling, and correcting) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize the windows of vulnerability available to attackers.

Why is this CIS Control Critical?

CIS Control 9 is critical because attackers often search for remotely accessible network services that are vulnerable to exploitation.

Common examples include poorly configured web servers, mail servers, file and print services, and DNS servers, which are often installed by default on a variety of device types, frequently without a business need.

Furthermore, many software packages automatically install services and turn them on as part of the installation of the main software package. This can occur without informing a user or administrator that the services have been enabled.

Attackers scan for such services and attempt to exploit them, usually through default user IDs and passwords or widely available exploit code.

As a result, it is critical to limit and control network ports, protocols, and services.

How to Implement CIS Control 9

  • CIS Control 9.1: Associate Active Ports, Services, and Protocols to Asset Inventory
    • Associate active ports, services, and protocols to the hardware assets in the asset inventory.
  • CIS Control 9.2: Ensure Only Approved Ports, Protocols, and Services Are Running
    • Ensure that only network ports, protocols, and services with validated business needs are listening on each system.
  • CIS Control 9.3: Perform Regular Automated Port Scans
    • Perform automated port scans on a regular basis against all systems and alert if unauthorized ports are detected on a system.
  • CIS Control 9.4: Apply Host-Based Firewalls or Port-Filtering
    • Apply host-based firewalls or port-filtering tools on end systems, with a default-deny rule that drops all traffic except those services and ports that are explicitly allowed.
  • CIS Control 9.5: Implement Application Firewalls
    • Place application firewalls in front of any critical servers to verify and validate the traffic going to the server. Block and log any unauthorized traffic.
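
Sub-controls 9.1 through 9.3 together describe one procedure: record the approved ports per asset, scan regularly, and alert on anything that does not match. Below is an added example of the comparison step (not CIS's code and not from the original article). The scan output is a constructed sample in nmap's "grepable" (-oG) line format, and the approved-port inventory is a constructed dict; in practice the inventory comes from the asset database that Controls 1 and 2 maintain and the scan from a scheduled nmap job.

```python
"""Compare a port scan against the approved ports recorded in the asset inventory.

Added example for CIS Control 9.1-9.3; not CIS's code. The scan text is a
constructed sample in nmap -oG format and APPROVED is a constructed inventory.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed approved baseline: asset IP -> {(port, proto)} with a validated business need.
APPROVED: Dict[str, Set[Tuple[int, str]]] = {
    "10.0.0.5": {(22, "tcp"), (443, "tcp")},      # web01: SSH management + HTTPS
    "10.0.0.9": {(22, "tcp"), (5432, "tcp")},     # db01: SSH management + PostgreSQL
    "10.0.0.20": {(53, "udp"), (53, "tcp")},      # ns01: DNS
}

# Constructed scan output in nmap -oG format (fields are tab-separated).
SAMPLE_SCAN = (
    "# Nmap 7.91 scan initiated as: nmap -sS -sU -oG - 10.0.0.0/24\n"
    "Host: 10.0.0.5 (web01)\tStatus: Up\n"
    "Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 10.0.0.9 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, "
    "6379/open/tcp//redis///\tIgnored State: filtered (997)\n"
    "Host: 10.0.0.20 (ns01)\tPorts: 53/open/udp//domain///, 53/closed/tcp//domain///\n"
    "Host: 10.0.0.77 ()\tPorts: 8080/open/tcp//http-proxy///\n"
    "# Nmap done\n"
)

# Only "open" ports count; closed/filtered entries in the same field are ignored.
PORT_RE = re.compile(r"(\d+)/(open)/(tcp|udp)/")


def parse_grepable(scan_text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {host_ip: {(port, proto), ...}} for every port reported open."""
    open_ports: Dict[str, Set[Tuple[int, str]]] = {}
    for line in scan_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        found = {(int(port), proto) for port, _state, proto in PORT_RE.findall(ports_field)}
        open_ports.setdefault(ip, set()).update(found)
    return open_ports


def compare(scan: Dict[str, Set[Tuple[int, str]]],
            approved: Dict[str, Set[Tuple[int, str]]]) -> Dict[str, List[str]]:
    """Classify findings: unauthorized open ports, hosts missing from the inventory,
    and approved services that were not seen listening (possible outage)."""
    findings: Dict[str, List[str]] = {
        "unauthorized_port": [], "unknown_host": [], "approved_not_listening": [],
    }
    for ip, ports in scan.items():
        if ip not in approved:
            findings["unknown_host"].append(ip)   # not in the inventory at all: a Control 1 gap too
            continue
        for port, proto in sorted(ports - approved[ip]):
            findings["unauthorized_port"].append(f"{ip}:{port}/{proto}")
    for ip, ports in approved.items():
        for port, proto in sorted(ports - scan.get(ip, set())):
            findings["approved_not_listening"].append(f"{ip}:{port}/{proto}")
    return findings


if __name__ == "__main__":
    for category, items in compare(parse_grepable(SAMPLE_SCAN), APPROVED).items():
        for item in items:
            print(f"{category}: {item}")
```

Two design points: the scan is parsed into the same (port, protocol) shape as the inventory so the comparison is a plain set difference, and the "approved but not listening" case is reported too, because a service that silently stopped is as much an operational finding as an unexpected one that started.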

CIS Control 10: Data Recovery Capabilities

CIS Control 10 focuses on the processes and tools used to properly back up critical information with a proven methodology for a timely recovery.

Why is this CIS Control Critical?

CIS Control 10 is critical because when attackers compromise machines, they often make significant changes to configurations and software.

Furthermore, they can make subtle alterations to data stored on compromised machines, which can, in turn, jeopardize organizational effectiveness with inaccurate or incomplete data.

When and if attackers are discovered, it can be difficult for organizations to find and remove all aspects of the attacker’s presence and changes made on the machine.

As a result, it is critical to have effective data recovery solutions that you trust.

How to Implement CIS Control 10

  • CIS Control 10.1: Ensure Regular Automated Backups
    • Ensure that all system data is automatically backed up on a regular basis.
  • CIS Control 10.2: Perform Complete System Backups
    • Ensure that all of the organization’s key systems are backed up as a complete system, through processes such as imaging, to enable the quick recovery of an entire system.
  • CIS Control 10.3: Test Data on Backup Media
    • Test data integrity on backup media on a regular basis by performing a data restoration process to ensure that the backup is properly working.
  • CIS Control 10.4: Protect Backups
    • Ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network. This includes remote backups and cloud services.
  • CIS Control 10.5: Ensure All Backups Have at Least One Offline Backup Destination
    • Ensure that all backups have at least one offline (i.e., not accessible via a network connection) backup destination.
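
Sub-control 10.3 is the one most often skipped: backups exist, but nobody proves they restore. The following is an added example (not CIS's code and not from the original article) of a backup that carries its own SHA-256 manifest, followed by a restore that is checked file by file against that manifest. The sample data, the tar-in-a-temp-directory stand-in for backup media, and the manifest file name are constructed assumptions for the example.

```python
"""Back up a directory with a SHA-256 manifest, then prove a restore reproduces it.

Added example for CIS Control 10.1-10.3; not CIS's code. A gzip tarball in a
temporary directory stands in for real backup media; the sample files are constructed.
"""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Write source into a gzip tarball together with a MANIFEST.json of file hashes."""
    manifest = manifest_for(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    with tarfile.open(archive, "r:gz") as tar:
        # Python 3.12+ (and patched 3.8-3.11) can refuse path-traversal members.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def verify_restore(dest: Path) -> Dict[str, List[str]]:
    """Compare every restored file against the manifest carried inside the backup."""
    expected = json.loads((dest / "MANIFEST.json").read_text())
    actual = manifest_for(dest / "data")
    return {
        "missing": sorted(set(expected) - set(actual)),
        "corrupted": sorted(k for k in expected if k in actual and actual[k] != expected[k]),
        "unexpected": sorted(set(actual) - set(expected)),
    }


def demo(tamper: bool = False) -> Dict[str, List[str]]:
    """Build constructed sample data, back it up, restore it and verify.
    tamper=True alters a restored file to show that the check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'alice');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        archive = root / "backup.tar.gz"
        create_backup(src, archive)
        dest = root / "restore"
        restore(archive, dest)
        if tamper:
            victim = dest / "data" / "db" / "customers.sql"
            victim.write_bytes(victim.read_bytes().replace(b"alice", b"mallory"))
        return verify_restore(dest)


if __name__ == "__main__":
    print("clean restore:", demo())
    print("tampered restore:", demo(tamper=True))
```

Storing the manifest inside the archive means the restore test needs nothing but the backup itself, which is exactly the situation you are in after a ransomware event. For 10.4, the archive would additionally be encrypted before it leaves the host, and for 10.5 one copy goes to media that no network path can reach.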

CIS Control 11: Secure Configuration for Network Devices such as Firewalls, Routers, and Switches

CIS Control 11 focuses on establishing, implementing, and actively managing (track, report on, and correct) the security configuration of network infrastructure devices. This is done by using rigorous configuration management and a change control process in order to prevent attackers from exploiting vulnerable services and settings.

Why is this CIS Control Critical?

CIS Control 11 is critical because, in most cases, the default configurations for network infrastructure devices are geared towards ease-of-use and ease-of-deployment, not security.

For instance, open services and ports, default accounts (including service accounts) or passwords, support for older (vulnerable) protocols, and pre-installation of unnecessary software can all be exploited in their default state.

As a result, the management of the security configurations for networking devices is not a one-time action, but a process that involves continued analysis and evaluation of not only the configuration items but also the permitted traffic flows.

Oftentimes, attackers take advantage of network devices becoming less secure in their configurations over time as users demand exceptions for specific business needs. In some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need. Furthermore, both business risk and need can change over time.

Attackers search for vulnerable default settings, gaps, and inconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate defenses.

Furthermore, they exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept information while in transmission. Through these actions, the attacker is able to gain access to sensitive data, alter important information, and can even use a compromised machine to pose as another trusted system on the network.

As a result, it is critical to secure the configuration for network devices, such as firewalls, routers, and switches.

How to Implement CIS Control 11

  • CIS Control 11.1: Maintain Standard Security Configurations for Network Devices
    • Maintain documented security configuration standards for all authorized network devices.
  • CIS Control 11.2: Document Traffic Configuration Rules
    • All configuration rules that allow traffic to flow through network devices should be documented in a configuration management system with a specific business reason for each rule, a specific individual’s name responsible for that business need, and an expected duration of the need.
  • CIS Control 11.3: Use Automated Tools to Verify Standard Device Configurations and Detect Changes
    • Compare all network device configurations against approved security configurations defined for each network device in use, and alert when any deviations are discovered.
  • CIS Control 11.4: Install the Latest Stable Version of Any Security-Related Updates on All Network Devices
    • Install the latest stable version of any security-related updates on all network devices.
  • CIS Control 11.5: Manage Network Devices Using Multi-Factor Authentication and Encrypted Sessions
    • Manage all network devices using multi-factor authentication and encrypted sessions.
  • CIS Control 11.6: Use Dedicated Workstations for All Network Administrative Tasks
    • Ensure network engineers use a dedicated machine for all administrative tasks or tasks requiring elevated access. This machine should be segmented from the organization’s primary network and not be allowed Internet access. This machine should not be used for reading email, composing documents, or surfing the Internet.
  • CIS Control 11.7: Manage Network Infrastructure Through a Dedicated Network
    • Manage the network infrastructure across network connections that are separated from the business use of that network, relying on separate VLANs or, preferably, on entirely different physical connectivity for management sessions for network devices.
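
Sub-control 11.3 asks for automated comparison of each device's running configuration against its approved baseline, with an alert on deviation. Here is an added example of that comparison (not CIS's code, not a vendor tool, and not from the original article). Both configurations are constructed Cisco IOS-style snippets; the patterns for volatile lines that should never alert and for "high-risk" deviations that should page someone are assumptions chosen for the example.

```python
"""Detect deviations of a running network-device config from its approved baseline.

Added example for CIS Control 11.3; not CIS's or any vendor's code. The two
configs are constructed IOS-style snippets; VOLATILE and HIGH_RISK are assumptions.
"""
import re
from typing import Dict, List

APPROVED_BASELINE = """\
! Approved baseline for edge-fw01, change ticket CHG-1234
hostname edge-fw01
no ip http server
no ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh
 login local
access-list 110 permit tcp 10.0.0.0 0.0.0.255 host 10.0.1.5 eq 443
access-list 110 deny ip any any log
"""

RUNNING_CONFIG = """\
! Last configuration change at 09:14:02 UTC Tue Jun 15 2021 by jdoe
hostname edge-fw01
ip http server
ip ssh version 2
line vty 0 4
 transport input ssh telnet
 login local
access-list 110 permit tcp 10.0.0.0 0.0.0.255 host 10.0.1.5 eq 443
access-list 110 permit ip any any
access-list 110 deny ip any any log
ntp clock-period 17179862
"""

# Lines that legitimately change between pulls and must not raise alerts.
VOLATILE = [re.compile(r"^! Last configuration change"), re.compile(r"^ntp clock-period ")]

# Deviations that should page someone rather than wait for the weekly report.
HIGH_RISK = [
    re.compile(r"^access-list \d+ permit ip any any$"),
    re.compile(r"^ip http server$"),
    re.compile(r"^\s*transport input .*\btelnet\b"),
]


def normalize(config: str) -> List[str]:
    """Drop comments ('!' in IOS), blank and volatile lines; keep leading indent,
    which carries the IOS section context (e.g. 'line vty' sub-commands)."""
    out = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if any(p.search(line) for p in VOLATILE):
            continue
        out.append(line)
    return out


def diff_against_baseline(baseline: str, running: str) -> Dict[str, List[str]]:
    """Return lines added to / removed from the approved baseline, plus the high-risk subset."""
    base, run = set(normalize(baseline)), set(normalize(running))
    added = sorted(run - base)
    removed = sorted(base - run)
    high_risk = [line for line in added if any(p.search(line) for p in HIGH_RISK)]
    # Removing a "no ..." hardening line re-enables the feature; treat it as high risk too.
    high_risk += [line for line in removed if line.startswith("no ")]
    return {"added": added, "removed": removed, "high_risk": high_risk}


if __name__ == "__main__":
    result = diff_against_baseline(APPROVED_BASELINE, RUNNING_CONFIG)
    for key in ("added", "removed", "high_risk"):
        for line in result[key]:
            print(f"{key:9s} {line}")
```

One caveat a real tool must handle: the set comparison above ignores ordering, and access lists are order-sensitive, so ACL blocks should be compared as ordered sequences. The example also shows why 11.2 matters: the "permit ip any any" line that appears in the running config is exactly the kind of undocumented exception that has no owner, no business reason and no expiry date.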

CIS Control 12: Boundary Defense

CIS Control 12 focuses on detecting, preventing, and correcting the flow of information across networks of different trust levels with a focus on security-damaging data.

Why is this CIS Control Critical?

CIS Control 12 is critical because attackers often focus on exploiting systems that they can reach across the internet, including not only DMZ systems but also workstations and laptop computers that pull content from the internet via network boundaries.

For instance, threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and internet-accessing client machines in order to gain the initial access into an organization.

Then, with a base of operations on these machines, attackers will often pivot to get deeper inside the boundary in order to steal or change information or to set up a persistent presence for later attacks against internal hosts.

Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems and extranet perimeters.

In order to control the flow of traffic through network borders as well as police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-faceted. This can be obtained by relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS.

It is also critical to filter both inbound and outbound traffic.

It should also be noted that boundary lines between internal and external networks are diminishing as a result of increased connectivity within and between organizations. Furthermore, the deployment of wireless technologies is also a contributing factor.

These blurring lines often allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that successfully separate networks with different threat levels, sets of users, data, and levels of control.

Despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.

How to Implement CIS Control 12

  • CIS Control 12.1: Maintain an Inventory of Network Boundaries
    • Maintain an up-to-date inventory of all of the organization’s network boundaries.
  • CIS Control 12.2: Scan for Unauthorized Connections Across Trusted Network Boundaries
    • Perform regular scans from outside each trusted network boundary to detect any unauthorized connections which are accessible across the boundary.
  • CIS Control 12.3: Deny Communications With Known Malicious IP Addresses
    • Deny communications with known malicious or unused Internet IP addresses and limit access only to trusted and necessary IP address ranges at each of the organization’s network boundaries.
  • CIS Control 12.4: Deny Communication Over Unauthorized Ports
    • Deny communication over unauthorized TCP or UDP ports or application traffic to ensure that only authorized protocols are allowed to cross the network boundary in or out of the network at each of the organization’s network boundaries.
  • CIS Control 12.5: Configure Monitoring Systems to Record Network Packets
    • Configure monitoring systems to record network packets passing through the boundary at each of the organization’s network boundaries.
  • CIS Control 12.6: Deploy Network-Based IDS Sensors
    • Deploy network-based Intrusion Detection Systems (IDS) sensors to look for unusual attack mechanisms and detect compromise of these systems at each of the organization’s network boundaries.
  • CIS Control 12.7: Deploy Network-Based Intrusion Prevention Systems
    • Deploy network-based Intrusion Prevention Systems (IPS) to block malicious network traffic at each of the organization’s network boundaries.
  • CIS Control 12.8: Deploy NetFlow Collection on Networking Boundary Devices
    • Enable the collection of NetFlow and logging data on all network boundary devices.
  • CIS Control 12.9: Deploy Application Layer Filtering Proxy Server
    • Ensure that all network traffic to or from the Internet passes through an authenticated application layer proxy that is configured to filter unauthorized connections.
  • CIS Control 12.10: Decrypt Network Traffic at Proxy
    • Decrypt all encrypted network traffic at the boundary proxy prior to analyzing the content. However, the organization may use whitelists of allowed sites that can be accessed through the proxy without decrypting the traffic.
  • CIS Control 12.11: Require All Remote Logins to Use Multi-Factor Authentication
    • Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication.
  • CIS Control 12.12: Manage All Devices Remotely Logging into Internal Network
    • Scan all enterprise devices remotely logging into the organization’s network prior to accessing the network to ensure that each of the organization’s security policies has been enforced in the same manner as local network devices.

CIS Control 13: Data Protection

CIS Control 13 focuses on the processes and tools used to prevent data exfiltration in order to mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.

Why is this CIS Control Critical?

CIS Control 13 is critical because data resides in many places and protection of it is best achieved through the application of a combination of encryption, integrity protection, and data loss prevention techniques.

As organizations continue their move towards cloud computing and mobile access, it is critical to ensure that proper care is taken to limit and report on data exfiltration while also mitigating the effects of data compromise.

For instance, some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks.

Furthermore, in many environments, internal users have access to all or most of the critical assets.

Sensitive assets may also include systems that provide management or control of physical systems, for instance Supervisory Control and Data Acquisition (SCADA) systems. Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little to no resistance.

For example, in several high-profile data breaches over the past few years, attackers were able to gain access to sensitive data stored on the same servers with the same level of access to far less important data.

In other cases, attackers were able to use access to the corporate network to gain access to, then control over, physical assets in order to cause damage.

As a result, it is important to manage the process and tools used to protect your data.

CIS Control 13: Procedures and Tools

It is essential that an organization understand what its sensitive information is, where it resides, and what users need access to it.

In order to derive sensitivity levels, organizations should put together a list of the key types of data and the overall importance of said data to the organization.

Then, this analysis can be used to create an overall data classification scheme for the organization.

For instance, organizations should define labels such as “Sensitive”, “Business Confidential”, and “Public.” Afterward, they can classify their data according to those labels.

Once the private information has been identified, further subdivide it based on the impact it would have on the organization if it were compromised.

After the sensitivity of the data has been classified, create a data inventory or mapping that identifies business applications and the servers that house those applications. The network should then be segmented so that systems of the same sensitivity level are on the same network and separated from systems with different trust levels.

If possible, then firewalls should control access to each segment.

Furthermore, access to data should be based on job requirements and only handed out on a need-to-know basis. Job requirements should be created for each user group in order to determine what information the group needs access to. Based on the requirements, access should only be given to the data segments or servers that are needed for each job function.

Finally, detailed logging should be turned on for servers in order to track access and allow for security personnel to examine incidents in which data was improperly accessed.

How to Implement CIS Control 13

  • CIS Control 13.1: Maintain an Inventory of Sensitive Information
    • Maintain an inventory of all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider.
  • CIS Control 13.2: Remove Sensitive Data or Systems Not Regularly Accessed by Organization
    • Remove sensitive data or systems not regularly accessed by the organization from the network. These systems shall only be used as stand-alone systems (disconnected from the network) by the business unit needing to occasionally use the system or completely virtualized and powered off until needed.
  • CIS Control 13.3: Monitor and Block Unauthorized Network Traffic
    • Deploy an automated tool on network perimeters that monitors for unauthorized transfer of sensitive information and blocks such transfers while alerting information security professionals.
  • CIS Control 13.4: Only Allow Access to Authorized Cloud Storage or Email Providers
    • Only allow access to authorized cloud storage or email providers.
  • CIS Control 13.5: Monitor and Detect Any Unauthorized Use of Encryption
    • Monitor all traffic leaving the organization and detect any unauthorized use of encryption.
  • CIS Control 13.6: Encrypt Mobile Device Data
    • Utilize approved cryptographic mechanisms to protect enterprise data stored on all mobile devices.
  • CIS Control 13.7: Manage USB Devices
    • If USB storage devices are required, use enterprise software to configure systems so that only specific, approved devices are allowed, and maintain an inventory of such devices.
  • CIS Control 13.8: Manage System’s External Removable Media’s Read/Write Configurations
    • Configure systems not to write data to external removable media if there is no business need for supporting such devices.
  • CIS Control 13.9: Encrypt Data on USB Storage Devices
    • If USB storage devices are required, encrypt all data stored on such devices while at rest.

CIS Control 14: Controlled Access Based on the Need to Know

CIS Control 14 focuses on the processes and tools used to track, control, prevent, correct, and secure access to critical assets. Specifically, control over assets such as information, resources, and systems, according to the formal determination of which users, computers, and applications have a need and right to access critical assets based on an approved classification.

Why is this CIS Control Critical?

CIS Control 14 is critical because encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without significant resources. However, controls should also be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occur across the network, while others involve the physical theft of laptops and other equipment; if that equipment holds sensitive data, its loss threatens the organization and its data.

Furthermore, in many cases, the victims are not even aware that sensitive data is leaving their systems because they were not monitoring data outflows. Electronically and physically monitor the movement of data across network boundaries in order to minimize its exposure to attackers.

The loss of control over protected or sensitive data by organizations is a serious threat to business operations and can even be a potential threat to national security. Some data is lost or leaked because of theft or espionage. However, the vast majority of these problems result from ineffective data practices, poor policy architectures, and user error.

Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.

As a result, the adoption of data encryption, both in transit and at rest, reduces the risk of data compromise. However, take proper care of the processes and technologies associated with the encryption operations. An example of this is the management of cryptographic keys used by the various algorithms that protect data. The process for the generation, use, and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57.

Furthermore, take care to ensure that products used within an enterprise implement well-known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended to ensure that organizations are not falling behind in the strength of protection applied to their data.

For organizations that are moving data to the cloud, it is critical to understand the security controls applied to data in the cloud multi-tenant environment and determine the best course of action for encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).

Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework.

Over the last several years, there has been a noticeable shift in the attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.

CIS Control 14: Procedures and Tools

There are several commercial tools available to support enterprise management of encryption and key management. Furthermore, many of them include the ability to support the implementation of encryption controls within the cloud and mobile environments.

Organizations should define life cycle processes, roles, and responsibilities associated with key management.

There are Data Loss Prevention (DLP) solutions available to monitor exfiltration attempts as well as to detect other suspicious activities associated with a protected network holding sensitive information.

Organizations deploying such tools should carefully inspect their logs and closely examine discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.

How to Implement CIS Control 14

  • CIS Control 14.1: Segment the Network Based on Sensitivity
    • Segment the network based on the label or classification level of the information stored on the servers, and locate all sensitive information on separate Virtual Local Area Networks (VLANs).
  • CIS Control 14.2: Enable Firewall Filtering Between VLANs
    • Enable firewall filtering between VLANs to ensure that only authorized systems are able to communicate with other systems necessary to fulfill their specific responsibilities.
  • CIS Control 14.3: Disable Workstation-to-Workstation Communication
    • Disable all workstation-to-workstation communication to limit an attacker’s ability to move laterally and compromise neighboring systems, through technologies such as private VLANs or micro-segmentation.
  • CIS Control 14.4: Encrypt All Sensitive Information in Transit
    • Encrypt all sensitive information in transit.
  • CIS Control 14.5: Utilize an Active Discovery Tool to Identify Sensitive Data
    • Utilize an active discovery tool to identify all sensitive information stored, processed, or transmitted by the organization’s technology systems, including those located on-site or at a remote service provider, and update the organization’s sensitive information inventory.
  • CIS Control 14.6: Protect Information Through Access Control Lists
    • Protect all information stored on systems with file system, network share, claims, application, or database-specific access control lists. These controls will enforce the principle that only authorized individuals should have access to the information based on their need to access the information as a part of their responsibilities.
  • CIS Control 14.7: Enforce Access Control to Data Through Automated Tools
    • Use an automated tool, such as host-based Data Loss Prevention, to enforce access controls to data even when the data is copied off a system.
  • CIS Control 14.8: Encrypt Sensitive Information at Rest
    • Encrypt all sensitive information at rest using a tool that requires a secondary authentication mechanism not integrated into the operating system, in order to access the information.
  • CIS Control 14.9: Enforce Detail Logging for Access or Changes to Sensitive Data
    • Enforce detailed audit logging for access to sensitive data or changes to sensitive data (utilizing tools such as File Integrity Monitoring or Security Information and Event Management (SIEM) systems).

CIS Control 15: Wireless Access Control

CIS Control 15 focuses on the processes and tools used to track, control, prevent, correct, and secure the use of wireless local area networks (WLANs), access points, and wireless client systems.

Why is this CIS Control Critical?

CIS Control 15 is critical because major thefts of data have been initiated by attackers who gained wireless access to organizations from outside the physical building, bypassing the organization's security perimeter by connecting wirelessly to access points inside it.

Wireless clients accompanying travelers are infected on a regular basis through remote exploitation while on public wireless networks found in airports and cafes. Exploited systems are then reconnected to the network and used as backdoors.

Other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Since they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.

CIS Control 15: Procedures and Tools

Organizations should perform effective wireless scanning, detection, and utilize discovery tools such as wireless intrusion detection systems.

Additionally, the security team should periodically capture wireless traffic from within the borders of a facility. Then, use analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be located in the organization’s asset inventory and either reconfigured more securely or denied access to the organization’s network.

Finally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.

How to Implement CIS Control 15

  • CIS Control 15.1: Maintain an Inventory of Authorized Wireless Access Points
    • Maintain an inventory of authorized wireless access points connected to the wired network.
  • CIS Control 15.2: Detect Wireless Access Points Connected to the Wired Network
    • Configure network vulnerability scanning tools to detect and alert on unauthorized wireless access points connected to the wired network.
  • CIS Control 15.3: Use a Wireless Intrusion Detection System
    • Use a wireless intrusion detection system (WIDS) to detect and alert on unauthorized wireless access points connected to the network.
  • CIS Control 15.4: Disable Wireless Access on Devices if Not Required
    • Disable wireless access on devices that do not have a business purpose for wireless access.
  • CIS Control 15.5: Limit Wireless Access on Client Devices
    • Configure wireless access on client machines that do have an essential wireless business purpose, to allow access only to authorized wireless networks and to restrict access to other wireless networks.
  • CIS Control 15.6: Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients
    • Disable peer-to-peer (ad hoc) wireless network capabilities on wireless clients.
  • CIS Control 15.7: Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data
    • Leverage the Advanced Encryption Standard (AES) to encrypt wireless data in transit.
  • CIS Control 15.8: Use Wireless Authentication Protocols That Require Mutual, Multi-Factor Authentication
    • Ensure that wireless networks use authentication protocols such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS), which requires mutual, multi-factor authentication.
  • CIS Control 15.9: Disable Wireless Peripheral Access to Devices
    • Disable wireless peripheral access of devices [such as Bluetooth and Near Field Communication (NFC)], unless such access is required for a business purpose.
  • CIS Control 15.10: Create Separate Wireless Network for Personal and Untrusted Devices
    • Create a separate wireless network for personal or untrusted devices. Enterprise access from this network should be treated as untrusted and filtered and audited accordingly.

CIS Control 16: Account Monitoring and Control

CIS Control 16 focuses on actively managing the life cycle of system and application accounts (their creation, use, dormancy, and deletion) in order to minimize opportunities for attackers to leverage them.

Why is this CIS Control Critical?

CIS Control 16 is critical because attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users. As a result, discovering the attacker can be difficult for security teams. Accounts of terminated contractors and employees, or accounts set up for penetration testing (but not deleted after) have been misused in this way.

Furthermore, these can also be access points for malicious insiders and former employees to gain access to accounts left behind in a system long after contract expiration. Attackers can maintain access to an organization’s computing system as well as sensitive data for unauthorized or malicious purposes.

CIS Control 16: Procedures and Tools

Most operating systems are capable of logging information about account usage. However, sometimes these features are disabled by default. Furthermore, even when such features are present and active, they often do not provide specific detail about access to the system by default. Therefore, security personnel should configure systems to record more detailed information about account access, and use home-grown scripts or third-party log analysis tools to analyze this information and profile user access of systems.

Track accounts closely. Disable and remove any account that is dormant from the system. Trace all active accounts back to authorized users and enable multi-factor authentication.

Finally, log out users after a period of inactivity to minimize the possibility of an attack: an unattended, logged-in session lets an attacker use that user’s access to extract information from the organization.
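
The paragraph above mentions home-grown scripts for analysing account data. As an added example (not CIS's tooling and not from the original article), here is what such a script looks like when it applies the rules from sub-controls 16.7 through 16.10 and 16.12 to an account inventory and an authentication log. The account records, the HR termination feed, the sshd-style log lines, the fixed "today" and the 90-day dormancy threshold are all constructed assumptions; in practice the inputs come from the directory (for example Active Directory's lastLogonTimestamp), the HR system and the central log server.

```python
"""Review accounts and authentication logs the way CIS Control 16 describes.

Added example, not CIS's own tooling. The account inventory, HR termination
feed, auth log lines, fixed "today" and 90-day dormancy threshold are all
constructed assumptions for this example.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

NOW = datetime(2021, 6, 15, tzinfo=timezone.utc)   # fixed so the review is reproducible
DORMANT_AFTER = timedelta(days=90)                 # policy threshold (assumption)

# Constructed account inventory (CIS 16.6): one row per account.
ACCOUNTS_CSV = """\
username,owner,business_process,status,last_login,expires
alice,Alice Adams,finance,enabled,2021-06-14T08:02:00Z,2021-12-31
bob,Bob Brown,engineering,enabled,2021-02-01T17:45:00Z,2021-12-31
svc-backup,,backups,enabled,2021-06-15T01:00:00Z,
pentest-tmp,Red Team,,enabled,2021-03-20T12:00:00Z,2021-04-01
carol,Carol Chen,sales,enabled,2021-06-10T09:30:00Z,2021-12-31
dave,Dave Diaz,support,disabled,2021-01-05T10:00:00Z,2021-06-30
"""

TERMINATED: Set[str] = {"carol"}   # constructed HR feed: left the company this week

# Constructed sshd-style auth log lines.
AUTH_LOG = """\
2021-06-15T10:01:00Z sshd[1201]: Failed password for dave from 203.0.113.7 port 51022 ssh2
2021-06-15T10:01:05Z sshd[1201]: Failed password for dave from 203.0.113.7 port 51023 ssh2
2021-06-15T10:02:00Z sshd[1209]: Accepted publickey for alice from 10.0.0.12 port 40000 ssh2
"""

AUTH_RE = re.compile(r"(Failed|Accepted) \S+ for (?:invalid user )?(\S+) from (\S+)")


def parse_ts(s: str) -> datetime:
    """ISO-8601 with a trailing Z (fromisoformat only accepts 'Z' from Python 3.11)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_expired(expires: str, now: datetime) -> bool:
    """Empty expiry means no expiry recorded (16.10 says every account should have one)."""
    if not expires:
        return False
    return datetime.strptime(expires, "%Y-%m-%d").replace(tzinfo=timezone.utc) < now


def review_accounts(csv_text: str, terminated: Set[str], now: datetime = NOW) -> Dict[str, List[str]]:
    """Return the accounts to act on, grouped by the sub-control that triggers the action.

    Rules run in priority order and the first match wins: revoke on termination
    (16.7), expired (16.10), no owner or business process (16.8), dormant (16.9).
    """
    actions: Dict[str, List[str]] = {
        "revoke_terminated": [], "disable_expired": [],
        "disable_unassociated": [], "disable_dormant": [],
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "enabled":
            continue   # already disabled; attempts_on_disabled() covers these
        user = row["username"]
        if user in terminated:
            actions["revoke_terminated"].append(user)
        elif is_expired(row["expires"], now):
            actions["disable_expired"].append(user)
        elif not row["owner"] or not row["business_process"]:
            actions["disable_unassociated"].append(user)
        elif now - parse_ts(row["last_login"]) > DORMANT_AFTER:
            actions["disable_dormant"].append(user)
    return actions


def attempts_on_disabled(csv_text: str, auth_log: str) -> List[str]:
    """CIS 16.12: report every authentication attempt against a deactivated account."""
    disabled = {r["username"] for r in csv.DictReader(io.StringIO(csv_text)) if r["status"] == "disabled"}
    hits = []
    for line in auth_log.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group(2) in disabled:
            hits.append(f"{m.group(2)} from {m.group(3)} ({m.group(1)})")
    return hits


if __name__ == "__main__":
    print(review_accounts(ACCOUNTS_CSV, TERMINATED))
    print(attempts_on_disabled(ACCOUNTS_CSV, AUTH_LOG))
```

Note that the script only disables; it never deletes, which is what 16.7 asks for so that audit trails survive. The attempts against the already-disabled account "dave" are the 16.12 signal: a deactivated account that someone is still trying to use is worth an investigation, not just a log line.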

How to Implement CIS Control 16

  • CIS Control 16.1: Maintain an Inventory of Authentication Systems
    • Maintain an inventory of each of the organization’s authentication systems, including those located on-site or at a remote service provider.
  • CIS Control 16.2: Configure Centralized Point of Authentication
    • Configure access for all accounts through as few centralized points of authentication as possible, including network, security, and cloud systems.
  • CIS Control 16.3: Require Multi-Factor Authentication
    • Require multi-factor authentication for all user accounts, on all systems, whether managed on-site or by a third-party provider.
  • CIS Control 16.4: Encrypt or Hash All Authentication Credentials
    • Encrypt or hash with a salt all authentication credentials when stored.
  • CIS Control 16.5: Encrypt Transmittal of Username and Authentication Credentials
    • Ensure that all account usernames and authentication credentials are transmitted across networks using encrypted channels.
  • CIS Control 16.6: Maintain an Inventory of Accounts
    • Maintain an inventory of all accounts organized by an authentication system.
  • CIS Control 16.7: Establish Process for Revoking Access
    • Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows for the preservation of audit trails.
  • CIS Control 16.8: Disable Any Unassociated Accounts
    • Disable any account that is not associated with a business process or a business owner.
  • CIS Control 16.9: Disable Dormant Accounts
    • Automatically disable dormant accounts after a set period of inactivity.
  • CIS Control 16.10: Ensure All Accounts Have An Expiration Date
    • Ensure that all accounts have an expiration date that is monitored and enforced.
  • CIS Control 16.11: Lock Workstation Sessions After Inactivity
    • Automatically lock workstation sessions after a standard period of inactivity.
  • CIS Control 16.12: Monitor Attempts to Access Deactivated Accounts
    • Monitor attempts to access deactivated accounts through audit logging.
  • CIS Control 16.13: Alert on Account Login Behavior Deviation
    • Alert when users deviate from normal login behavior, such as time of day, workstation location, and duration.
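Sub-control 16.4 (hash stored credentials with a salt) and sub-control 18.5 (use only standardized, reviewed algorithms) are easy to state and easy to get wrong. The following Python block is an added example, not code from the original post or from CIS: it places the weak pattern (an unsalted fast hash) beside a hardened form that uses a per-credential random salt, the standardized PBKDF2-HMAC-SHA256 key derivation function from the standard library, a constant-time comparison, and a self-describing record so the work factor can be raised later. The record format and the 600,000-iteration work factor are choices made for this example.

```python
"""Credential storage: unsalted hash (weak) beside a salted, iterated KDF (CIS 16.4 / 18.5)."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor chosen for this example; raise over time

def weak_hash(password: str) -> str:
    """What NOT to do: an unsalted, fast hash. Equal passwords produce equal hashes,
    so one leaked table can be attacked with precomputed (rainbow) tables at once."""
    return hashlib.sha256(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (hex fields)."""
    salt = os.urandom(16)  # unique per credential, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a weaker work factor (or another algorithm)
    than current policy; upgrade it on the user's next successful login."""
    try:
        algo, iters, _salt, _digest = stored.split("$")
        return algo != "pbkdf2_sha256" or int(iters) < min_iterations
    except ValueError:
        return True

if __name__ == "__main__":
    # Two users who picked the same password: the weak scheme reveals that, the
    # salted scheme does not.
    print("weak  :", weak_hash("correct horse") == weak_hash("correct horse"))
    a, b = hash_password("correct horse"), hash_password("correct horse")
    print("salted:", a == b, verify_password("correct horse", a), verify_password("wrong", a))
```

Because the iteration count travels with the record, a deployment can tighten the work factor in one place and let `needs_rehash` drive a gradual migration, instead of forcing a reset for every user.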

CIS Controls List: Organizational Controls

CIS Control 17: Implement a Security Awareness and Training Program

CIS Control 17 focuses on identifying the specific knowledge, skills, and abilities needed to support the defense of the enterprise, across all functional roles in the organization but prioritizing those mission-critical to the business and its security. It also covers developing and executing an integrated plan to assess, identify gaps, and remediate risks through policy, organizational planning, training, and awareness programs.

Why is this CIS Control Critical?

CIS Control 17 is critical because the actions of people largely determine the success or failure of an enterprise’s defenses. Cyber defense is far more than a technical challenge. People fulfill important functions at every stage of system design, implementation, operation, and oversight.

Consider, for instance: system developers and programmers, who may not understand the opportunity to resolve root-cause vulnerabilities early in the system life cycle; IT operations professionals, who may not recognize the security implications of IT artifacts and logs; end users, who may be susceptible to social engineering schemes such as phishing; security analysts, who struggle to keep up with a flood of new information; and executives and system owners, who struggle to quantify the role that cyber security plays in overall operational or mission risk, and therefore have no reasonable way to make relevant investment decisions.

Unfortunately, attackers are conscious of these issues and exploit them: with carefully crafted phishing messages that look like routine, expected traffic to an unwary user; by exploiting the gaps between policy and technology (policies that have no technical enforcement); by exploiting the time window between a patch’s release and its installation, or between a log being written and being reviewed; and by using nominally non-security-critical systems as jump points or bots. And that is only to list a few.

As a result, empowering people with adequate cyber defense habits can significantly decrease your risk and increase your readiness if an attack were to occur.

CIS Control 17: Procedures and Tools

An effective enterprise-wide training program should take a holistic approach. It should consider policy and technology throughout the training. Design policies with not only technical measurement but enforcement. Furthermore, reinforce policies by training to fill gaps in understanding. Implement technical controls to protect systems and data in order to minimize the opportunity for mistakes. With technical controls in place, training can focus on the concepts and skills that cannot be technically managed.

An effective cyber defense training program is more than an annual event; it is an ongoing process of improvement that combines the following key elements:

  • The training is specific, tailored, and focused based on the specific behaviors and skills needed by the workforce, depending on their job role and responsibility.
  • The training is repeated periodically, measured and tested for effectiveness, and updated regularly.
  • It will increase awareness and discourage risky workarounds by including the rationale for good security behaviors and skills.

How to Implement CIS Control 17

  • CIS Control 17.1: Perform a Skills Gap Analysis
    • Perform a skills gap analysis to understand the skills and behaviors workforce members are not adhering to, using this information to build a baseline education roadmap.
  • CIS Control 17.2: Deliver Training to Fill the Skills Gap
    • Deliver training to address the skills gap identified to positively impact workforce members’ security behavior.
  • CIS Control 17.3: Implement a Security Awareness Program
    • Create a security awareness program for all workforce members to complete on a regular basis to ensure they understand and exhibit the necessary behaviors and skills to help ensure the security of the organization. Communicate the organization’s security awareness program in a continuous and engaging manner.
  • CIS Control 17.4: Update Awareness Content Frequently
    • Update the organization’s security awareness program frequently (at least annually) in order to address new technologies, threats, standards, and business requirements.
  • CIS Control 17.5: Train Workforce on Secure Authentication
    • Train workforce members on the importance of enabling and utilizing secure authentication.
  • CIS Control 17.6: Train Workforce on Identifying Social Engineering Attacks
    • Train the workforce on how to identify different forms of social engineering attacks, such as phishing, phone scams, and impersonation calls.
  • CIS Control 17.7: Train Workforce on Sensitive Data Handling
    • Train workforce members on how to identify and properly store, transfer, archive, and destroy sensitive information.
  • CIS Control 17.8: Train Workforce on Causes of Unintentional Data Exposure
    • Train workforce members to be aware of causes for unintentional data exposures, such as losing their mobile devices or emailing the wrong person due to autocomplete in email.
  • CIS Control 17.9: Train Workforce Members on Identifying and Reporting Incidents
    • Train workforce members to be able to identify the most common indicators of an incident and be able to report such an incident.

CIS Control 18: Application Software Security

CIS Control 18 focuses on managing the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.

Why is this CIS Control Critical?

CIS Control 18 is critical because attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities arise for several reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions.

Examples of specific errors include failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management that allows flaws in one part of the software to affect unrelated (and more security-critical) portions.

Furthermore, there is a plethora of public and private information about such vulnerabilities available to both attackers and defenders. There is also a robust marketplace for tools and techniques that weaponize vulnerabilities into exploits.

CIS Control 18: Procedures and Tools

The security of applications (in-house developed or acquired off-the-shelf or from external developers) is a complex activity. It requires a complete program that considers enterprise-wide policy, technology, and people.

Regularly test all software for vulnerabilities before putting it into production. Application vulnerability scanning is consolidated within CIS Control 3: Continuous Vulnerability Management. However, the most effective approach is to implement a full supply chain security program for externally acquired software and a Secure Software Development Life Cycle for internally developed software. This control addresses such aspects.

For software developed in-house or custom software developed externally under contract, an effective program for application software must address security throughout the entire life cycle. It should embed security as a natural part of establishing requirements, training, tools, and testing.

Modern development cycles and methods do not allow for sequential approaches. Acceptance criteria should always include requirements for running application vulnerability testing tools. Document all known vulnerabilities. It is safe to assume that software will not be perfect, so a development program must plan up-front for bug reporting and remediation as an essential security function.

For acquired software (commercial, open-source, etc.), application security criteria should be part of the evaluation criteria. Furthermore, make an effort to understand the supplier’s software practices, testing, and error reporting and management. Whenever possible, require suppliers to show evidence that they used standard commercial software testing tools or services and that no known vulnerabilities are present in the current version.

How to Implement CIS Control 18

  • CIS Control 18.1: Establish Secure Coding Practices
    • Establish secure coding practices appropriate to the programming language and the development environment.
  • CIS Control 18.2: Ensure That Explicit Error Checking Is Performed for All In-House Developed Software
    • For in-house developed software, ensure that explicit error checking is performed and documented for all input, including for size, data type, and acceptable ranges or formats.
  • CIS Control 18.3: Verify That Acquired Software Is Still Supported
    • Verify that all outside software is still supported by the developer or appropriately hardened based on developer security recommendations.
  • CIS Control 18.4: Only Use Up-to-Date and Trusted Third-Party Components
    • Only use up-to-date and trusted third-party components for the software developed by the organization.
  • CIS Control 18.5: Use only Standardized and Extensively Reviewed Encryption Algorithms
    • Use only standardized, currently accepted, and extensively reviewed encryption algorithms.
  • CIS Control 18.6: Ensure Software Development Personnel Are Trained in Secure Coding
    • Ensure that all software development personnel receive training in writing secure code for their specific development environment and responsibilities.
  • CIS Control 18.7: Apply Static and Dynamic Code Analysis Tools
    • Apply static and dynamic analysis tools to verify adherence to secure coding practices for internally developed software.
  • CIS Control 18.8: Establish a Process to Accept and Address Reports of Software Vulnerabilities
    • Establish a process to accept and address reports of software vulnerabilities, including providing a means for external entities to contact your security group.
  • CIS Control 18.9: Separate Production and Non-Production Systems
    • Maintain separate environments for production and non-production systems. Developers should not have unmonitored access to production environments.
  • CIS Control 18.10: Deploy Web Application Firewalls
    • Protect web applications by deploying web application firewalls (WAFs) that inspect all traffic flowing to the web application for common web application attacks. For applications that are not web-based, deploy specific application firewalls. If the traffic is encrypted, the device should either sit behind the encryption or decrypt the traffic prior to analysis. If neither option is appropriate, deploy a host-based web application firewall.
  • CIS Control 18.11: Use Standard Hardening Configuration Templates for Databases
    • For applications that rely on a database, use standard hardening configuration templates. Test all systems that are part of critical business processes.
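Sub-control 18.2 asks for explicit error checking of all input, covering size, data type, and acceptable ranges or formats. The Python block below is an added example, not code from the original post or from CIS, showing what that looks like for a hypothetical money-transfer API: a naive handler that trusts its caller sits beside a validator that checks every field before anything downstream touches it. The account-number format, the amount ceiling, and the memo length limit are assumptions made for the example; the payloads are constructed test inputs.

```python
"""Explicit input checking for a hypothetical transfer API (CIS Control 18.2)."""
import re

ACCOUNT_RE = re.compile(r"^[A-Z]{2}[0-9]{8}$")   # assumed account-number format for this example
MAX_AMOUNT_CENTS = 1_000_000                      # assumed business limit
MAX_MEMO_LEN = 140                                # assumed free-text limit

def naive_transfer(payload):
    """The 'before': trusts the caller. A negative amount reverses the transfer,
    a huge amount blows past limits, a string amount is silently coerced, and a
    crafted account id reaches whatever builds the query or file path downstream."""
    return {"from": payload["from"], "to": payload["to"],
            "amount": int(payload["amount"]), "memo": payload.get("memo", "")}

def validate_transfer(payload):
    """Return a list of error strings; an empty list means the payload is acceptable.
    Every field is checked for type, size, and range/format before it is used."""
    errors = []
    if not isinstance(payload, dict):
        return ["payload: expected object"]
    allowed = {"from", "to", "amount", "memo"}
    for extra in sorted(set(payload) - allowed):
        errors.append(f"{extra}: unexpected field")   # reject fields the API never defined
    for field in ("from", "to"):
        value = payload.get(field)
        if not isinstance(value, str):
            errors.append(f"{field}: expected string")
        elif not ACCOUNT_RE.fullmatch(value):
            errors.append(f"{field}: bad account format")
    amount = payload.get("amount")
    # bool is a subclass of int in Python, so True would pass a plain isinstance check
    if not isinstance(amount, int) or isinstance(amount, bool):
        errors.append("amount: expected integer cents")
    elif not (1 <= amount <= MAX_AMOUNT_CENTS):
        errors.append(f"amount: out of range 1..{MAX_AMOUNT_CENTS}")
    memo = payload.get("memo", "")
    if not isinstance(memo, str):
        errors.append("memo: expected string")
    elif len(memo) > MAX_MEMO_LEN:
        errors.append(f"memo: longer than {MAX_MEMO_LEN} characters")
    elif not memo.isprintable():
        errors.append("memo: control characters not allowed")  # blocks log/header injection
    if not errors and payload["from"] == payload["to"]:
        errors.append("to: must differ from 'from'")
    return errors

# Constructed test inputs.
GOOD = {"from": "GB12345678", "to": "DE87654321", "amount": 2500, "memo": "Invoice 42"}
BAD_CASES = {
    "negative":      {**GOOD, "amount": -2500},
    "string_amount": {**GOOD, "amount": "2500"},
    "bool_amount":   {**GOOD, "amount": True},
    "injection":     {**GOOD, "to": "DE87654321' OR '1'='1"},
    "oversize_memo": {**GOOD, "memo": "A" * 1000},
    "control_chars": {**GOOD, "memo": "ok\r\nX-Injected: header"},
    "extra_field":   {**GOOD, "admin": True},
}

def run_cases():
    """Validate every constructed bad payload; each should produce at least one error."""
    return {name: validate_transfer(p) for name, p in BAD_CASES.items()}

if __name__ == "__main__":
    print("good:", validate_transfer(GOOD))
    for name, errs in run_cases().items():
        print(f"{name}: {errs}")
    print("naive handler accepted:", naive_transfer(BAD_CASES["negative"]))
```

The point of returning a list rather than raising on the first problem is that the rejection can be logged with every reason, which is the documentation half of 18.2 and also useful evidence when someone is probing the API.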

CIS Control 19: Incident Response and Management

CIS Control 19 focuses on protecting the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (plans, defined roles, training, communications, and management oversight). These allow an organization to quickly discover an attack and effectively contain the damage, so that it can eradicate the attacker’s presence and restore the integrity of the network and systems.

Why is this CIS Control Critical?

CIS Control 19 is critical because even enterprises that are large, well-funded, and technically sophisticated struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber attack against an enterprise is not “if” but “when.”

After an incident occurs is not the right time to develop effective procedures, reporting, data collection, management responsibility, legal protocols, and communication strategy. And, it is these things that will enable your organization to successfully understand, manage, and recover.

Without an incident response plan, an organization may not even discover an attack in the first place. Or, if the attack is detected, the organization may not effectively follow procedures to contain the damage, eradicate the attacker’s presence, and recover in a secure fashion, allowing the attacker a far greater impact: infecting more systems, and potentially exfiltrating more sensitive data, than would otherwise have been possible.

CIS Control 19: Procedures and Tools

After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training. For instance, working through a series of attack scenarios catered to the threats and vulnerabilities the organization faces. Scenarios help ensure that team members understand their role on the incident response team. They also help prepare them to handle incidents. It is inevitable that exercise and training scenarios will identify gaps in plans and processes as well as unexpected dependencies.

The actions in CIS Control 19 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident and response plan.

How to Implement CIS Control 19

  • CIS Control 19.1: Document Incident Response Procedures
    • Ensure that written incident response plans define roles of personnel as well as phases of incident handling/management.
  • CIS Control 19.2: Assign Job Titles and Duties for Incident Response
    • Assign job titles and duties for handling computer and network incidents to specific individuals, and ensure tracking and documentation throughout the incident through resolution.
  • CIS Control 19.3: Designate Management Personnel to Support Incident Handling
    • Designate management personnel, as well as backups, who will support the incident handling process by acting in key decision-making roles.
  • CIS Control 19.4: Devise Organization-wide Standards For Reporting Incidents
    • Devise organization-wide standards for the time required for system administrators and other workforce members to report anomalous events to the incident handling team, the mechanisms for such reporting, and the kind of information that should be included in the incident notification.
  • CIS Control 19.5: Maintain Contact Information For Reporting Security Incidents
    • Assemble and maintain information on third-party contact information to report a security incident, such as Law Enforcement, relevant government departments, vendors, and Information Sharing and Analysis Center (ISAC) partners.
  • CIS Control 19.6: Publish Information Regarding Reporting Computer Anomalies and Incidents
    • Publish information for all workforce members, regarding reporting computer anomalies and incidents, to the incident handling team. Include such information in routine employee awareness activities.
  • CIS Control 19.7: Conduct Periodic Incident Scenario Sessions for Personnel
    • Plan and conduct routine incident response exercises and scenarios for the workforce involved in the incident response to maintain awareness and comfort in responding to real-world threats. Exercises should test communication channels, decision making, and incident responder’s technical capabilities using tools and data available to them.
  • CIS Control 19.8: Create Incident Scoring and Prioritization Schema
    • Create incident scoring and prioritization schema based on known or potential impact to your organization. Utilize score to define the frequency of status updates and escalation procedures.

CIS Control 20: Penetration Tests and Red Team Exercises

CIS Control 20 focuses on testing the overall strength of an organization’s defense (its technology, processes, and people) by simulating the objectives and actions of an attacker.

Why is this CIS Control Critical?

CIS Control 20 is critical because in most cases attackers exploit the gap between good defense designs and intentions on one side and implementation and maintenance on the other. One example is the time window between the announcement of a vulnerability, the availability of a vendor patch, and actual installation on every machine. Others include well-intentioned policies that have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations to machines that come on and off the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.

A successful defensive posture requires a comprehensive program. This should include effective policies and governance, strong technical defenses, and appropriate action by people. In a complex environment where technology is constantly evolving, new attacker methods appear regularly. As a result, organizations should periodically test their defenses to identify gaps and to assess their readiness by conducting penetration testing.

Penetration testing starts with the identification and assessment of vulnerabilities. Next, tests are designed and executed to demonstrate how an attacker can either subvert the organization’s security goals (e.g., the protection of specific Intellectual Property) or achieve specific adversarial objectives (e.g., the establishment of a covert Command and Control infrastructure.)

The results provide deeper insight, through demonstration, into the business risks of various vulnerabilities.

Red Team exercises take a comprehensive approach to the full spectrum of organization policies, processes, and defenses in order to improve organizational readiness. Furthermore, it improves training for defensive practitioners and inspects current performance levels. Independent Red Teams can provide valuable and objective insights about the existence of vulnerabilities and the efficiency of defenses and mitigating controls.

CIS Control 20: Procedures and Tools

Historically, penetration tests and Red Team exercises have been used for three specific purposes:

  • As a “dramatic” demonstration of an attack, usually to convince decision-makers of their enterprise’s vulnerability;
  • As a means to test the correct operation of enterprise defenses (verification); and
  • To test that the enterprise has built the right defenses in the first place (validation)

In general, these kinds of tests are expensive, complex, and can introduce their own risks. They provide the most value when basic defensive measures are already in place and when the tests are part of a comprehensive, ongoing security management and improvement program.

A test event is a very expensive way to discover that your enterprise does a poor job with patching and configuration management, for example.

Each organization should define a clear scope and rules of engagement for penetration testing and Red Team exercises. The scope of such projects should include, at a minimum, the systems holding the organization’s highest-value information and its production processing functionality. Test other, lower-value systems as well, to see whether they can be used as pivot points to compromise higher-value targets. Furthermore, the rules of engagement should define specific times of day for testing, the duration of tests, and the overall test approach.

The actions in CIS Control 20 provide specific, high-priority steps that can improve enterprise security, and should be a part of any penetration testing and Red Team program.

How to Implement CIS Control 20

  • CIS Control 20.1: Establish a Penetration Testing Program
    • Establish a program for penetration tests that includes a full scope of blended attacks, such as wireless, client-based, and web application attacks.
  • CIS Control 20.2: Conduct Regular External and Internal Penetration Tests
    • Conduct regular external and internal penetration tests to identify vulnerabilities and attack vectors that can exploit enterprise systems.
  • CIS Control 20.3: Perform Periodic Red Team Exercises
    • Perform periodic Red Team exercises to test organizational readiness to identify and stop attacks or to respond quickly and effectively
  • CIS Control 20.4: Include Tests for Presence of Unprotected System Information and Artifacts
    • Include tests for the presence of unprotected system information and artifacts that would be useful to attackers, including network diagrams, configuration files, older penetration test reports, emails, or documents containing passwords or other information critical to system operation.
  • CIS Control 20.5: Create a Test Bed for Elements Not Typically Tested in Production
    • Create a testbed that mimics a production environment for specific penetration tests and Red Team attacks against elements not typically tested in production. For instance, attacks against supervisory control and data acquisition and other control systems
  • CIS Control 20.6: Use Vulnerability Scanning and Penetration Testing Tools in Concert
    • Use vulnerability scanning and penetration testing tools in concert. The results of vulnerability scanning assessments should be a starting point to guide and focus penetration testing efforts.
  • CIS Control 20.7: Ensure Penetration Test Results Are Documented Using Open, Machine-Readable Standards
    • Wherever possible, ensure that Red Team results are documented using open, machine-readable standards (e.g., SCAP). Devise a scoring method for determining the results of Red Team exercises so that results can be compared over time.
  • CIS Control 20.8: Control and Monitor Accounts Associated With Penetration Testing
    • Any user or system accounts performing penetration testing should be controlled and monitored to ensure they are only being used for legitimate purposes. Furthermore, that they are removed or restored to normal function after testing is over.
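Sub-control 20.4 asks testers to look for unprotected artifacts that would help an attacker: network diagrams, configuration files, old penetration test reports, and documents containing passwords. The following Python scanner is an added example, not code from the original post or from CIS, that shows the two halves of that hunt: file-name heuristics for the document types named above, and content patterns for embedded credentials and key material. It builds a constructed sample file tree in a temporary directory so it runs offline; the file contents are invented, the AWS key is the example value AWS publishes in its own documentation, and the pattern set is a starting point that a real engagement would tune to the estate.

```python
"""Hunt for unprotected artifacts useful to an attacker (CIS Control 20.4)."""
import os
import re
import tempfile

# Content patterns. The PEM header and the AWS access-key shape are public formats;
# the others are generic heuristics and will need tuning against a real environment.
CONTENT_PATTERNS = {
    "private_key":          re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment":  re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "url_with_credentials": re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:]+:[^@\s]+@", re.I),
    "aws_access_key_id":    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# File-name heuristics for the kinds of documents 20.4 names.
NAME_PATTERNS = {
    "pentest_report":  re.compile(r"(?i)pentest|penetration"),
    "network_diagram": re.compile(r"(?i)network.?diagram|topology"),
    "key_material":    re.compile(r"\.(?:pem|pfx|p12|key)$", re.I),
}

def scan_file(path, max_bytes=1_000_000):
    """Return (path, line_number, label) tuples; line 0 marks a file-name hit."""
    findings = []
    name = os.path.basename(path)
    for label, rx in NAME_PATTERNS.items():
        if rx.search(name):
            findings.append((path, 0, label))
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)  # cap reads so huge binaries do not stall the scan
    except OSError:
        return findings
    text = data.decode("utf-8", errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, rx in CONTENT_PATTERNS.items():
            if rx.search(line):
                findings.append((path, lineno, label))
    return findings

def scan_tree(root):
    """Walk a directory tree (for instance a mounted share) and collect findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for f in sorted(files):
            findings.extend(scan_file(os.path.join(dirpath, f)))
    return findings

# Constructed sample share. Every value is invented; the AWS key is the public
# documentation example, not a live credential.
SAMPLE_FILES = {
    "ops/backup.sh": "#!/bin/sh\nmysqldump -u root --password=Sup3rS3cret prod > /mnt/bk/prod.sql\n",
    "ops/deploy.env": "DATABASE_URL=postgres://app:hunter2@db.internal:5432/app\n"
                      "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "archive/pentest-report-2019.txt": "Findings from last year's engagement...\n",
    "diagrams/network-diagram-v3.txt": "core-sw-1 -> fw-1 -> dmz\n",
    "certs/legacy.key": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...(truncated)\n-----END RSA PRIVATE KEY-----\n",
    "docs/readme.txt": "Nothing sensitive here.\n",
}

def build_sample_tree():
    """Write the constructed files into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="cis20_")
    for rel, content in SAMPLE_FILES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root

def labels_found(root):
    """Distinct finding labels for a tree, sorted for stable reporting."""
    return sorted({label for _path, _line, label in scan_tree(root)})

if __name__ == "__main__":
    root = build_sample_tree()
    for path, lineno, label in scan_tree(root):
        print(f"{label:22} {os.path.relpath(path, root)}:{lineno}")
```

Run against a real file share, a scanner like this produces noise as well as hits, so the findings belong in the test report (20.7) with the false positives triaged out, and the credentials it does surface feed straight back into the account-control work of 16 and 20.8.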

How to implement CIS Controls

Before your organization begins to implement CIS controls, it is important to find out where you stand and which security controls you already have in place.

Furthermore, it is important to benchmark your current security posture so that you, your team, and those who you report to can track your progress.

The NIST Cybersecurity Framework is a popular and robust tool that references the CIS Controls in several of its recommended practices.

As a result, a NIST cyber security assessment is a great place to start before you begin diving deeper into the controls.

aNetworks offers a free automated NIST security assessment tool for those looking to benchmark their current posture. You can use it here.

If you have already taken a security assessment and are looking for assistance working through CIS controls, then please contact us.

aNetworks will walk through the controls with you and assist you with implementing the solutions needed to strengthen your security. We can help you better understand CIS controls as a framework and take some of the heavy lifting off your shoulders.


If you are looking for more resources, then please check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.


Category: Cyber Security



Comments

zovre lioptor

June 21, 2021 | 6:26 pm

Really useful info here. Best compilation of the CIS Controls I've come across online.

zovrelioptor

June 17, 2021 | 9:31 pm

Very interesting subject, appreciate it for posting.