By Bill Minahan | June 15, 2021 | 2 Comments
The CIS Controls are a prioritized set of actions that protect an organization against the most pervasive cyber attacks. The version discussed in this article has 20 critical controls, ordered so that the actions with the highest payoff come first.
The controls are derived from observed attack patterns: the most widely trusted threat reports identify how attacks actually unfold, and those patterns are then vetted across a broad community of industry and government practitioners, the people who know how attacks work.
That community includes the NSA Red and Blue teams, the US Department of Energy nuclear energy labs, and law enforcement organizations, all working together to answer one question: what do we need to do to stop known attacks?
From this community of experts comes the 20 CIS controls to provide direction on how to stop today’s most common attacks. So let’s dive into who needs them, what each control requires, and how to implement them.
Unlike many standards and compliance regulations aimed at improving security, the CIS Controls are not industry-specific: they apply to any organization and can strengthen any organization's information security and IT governance.
So, if your organization stores, transmits, or processes sensitive data that needs to be protected, you need the CIS Controls.
Correct implementation of all 20 controls significantly reduces security risk, lowers operational cost, and greatly improves an organization's defensive posture.
There are significant differences between the CIS Controls and other security frameworks, but the most important is that the CIS Controls acknowledge that some organizations are limited in resources.
Not every organization can implement every control it would like to, or may genuinely need. For that reason the 20 controls are ordered by risk, so that your organization can mitigate the largest risks first.
The controls are divided into three groups: Basic (Controls 1 through 6), Foundational (Controls 7 through 16), and Organizational (Controls 17 through 20). For ease of implementation, each control is further subdivided into numbered sub-controls. (This layout is that of CIS Controls version 7.1; version 8, released in May 2021, consolidates the list to 18 controls and drops the three-group layout in favor of Implementation Groups, but the substance below still applies.)
The controls cover not only data, software, and hardware, but also people and processes.
The first six controls, the Basic group, are the essential cyber hygiene every organization should have in place.
The following is a complete list of the top 20 critical controls:
Control 1, Inventory and Control of Hardware Assets, is the first control in the framework.
Control 1 focuses on actively managing (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized or unmanaged devices are found and blocked from gaining access.
This control is split into sub-controls covering network access control, automation of discovery, and asset inventory management. The control specifically targets awareness of what is connected to your network, and it prioritizes an internally maintained inventory and automation of its upkeep.
Implementing inventory control is not the most glamorous way to improve a security program, but it is a foundational control that is a prerequisite for the other 19: you cannot patch, configure, or monitor a device you do not know you have.
When done right, it reduces insider threat and loss risks, cleans up your IT environment, and provides greater visibility and organization to your network.
CIS Control 1 is critical because attackers continuously scan for new and unprotected systems, and are particularly interested in devices that come and go from the network: bring-your-own devices (BYOD), mobile devices, and IoT devices.
Not only are such devices at risk of being out of sync with security updates, but they may already be compromised.
Even devices that are not visible from the internet can be used by bad actors who have already gained internal access.
Large, complex enterprises often struggle to manage intricate, fast-changing environments, and attackers capitalize on that known weakness. Managed control of devices also plays a critical role in planning and executing system backup, incident response, and recovery, since each of those starts from knowing what exists.
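The reconciliation this control asks for, in working code. This is an added example, not code from the original article or from CIS: it parses constructed samples in the format of `ip -4 neigh show` output and a dnsmasq leases file, compares them against a hypothetical authorized inventory keyed by MAC address, and also flags locally administered (randomized) MACs, which is how BYOD phones and laptops with MAC randomization typically appear on a network.

```python
"""Reconcile what is actually on the network against the authorised hardware inventory.

Added example for CIS Control 1; it is not code from the original article or from CIS.
The two inputs are constructed samples in the format of `ip -4 neigh show` and of a
dnsmasq leases file, and INVENTORY is a hypothetical authorised-asset list keyed by MAC.
"""
import re
from dataclasses import dataclass

# Constructed sample of `ip -4 neigh show` output (one neighbour per line).
ARP_SAMPLE = """\
10.0.0.10 dev eth0 lladdr 3c:52:82:11:22:33 REACHABLE
10.0.0.11 dev eth0 lladdr 00:1a:2b:3c:4d:5e STALE
10.0.0.50 dev eth0 lladdr da:7f:01:9a:bc:de REACHABLE
10.0.0.99 dev eth0  FAILED
"""

# Constructed sample of a dnsmasq leases file: <expiry> <mac> <ip> <hostname> <client-id>
DHCP_SAMPLE = """\
1718460000 00:1a:2b:3c:4d:5e 10.0.0.11 fileserver 01:00:1a:2b:3c:4d:5e
1718460100 b8:27:eb:aa:bb:cc 10.0.0.77 raspberrypi *
"""

# Hypothetical authorised inventory: MAC -> (asset name, owner).
INVENTORY = {
    "3c:52:82:11:22:33": ("ws-alice", "alice"),
    "00:1a:2b:3c:4d:5e": ("fileserver", "it-ops"),
    "f0:1f:af:00:00:01": ("printer-2f", "facilities"),  # authorised but never observed
}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")


@dataclass
class Observed:
    mac: str
    ip: str
    source: str
    hostname: str = ""


def parse_ip_neigh(text):
    """One Observed per neighbour that carries a link-layer address."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if "lladdr" not in parts:
            continue  # FAILED / INCOMPLETE entries have no MAC
        mac = parts[parts.index("lladdr") + 1].lower()
        if MAC_RE.match(mac):
            out.append(Observed(mac=mac, ip=parts[0], source="arp"))
    return out


def parse_dnsmasq_leases(text):
    """One Observed per lease line; the hostname is the 4th field."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and MAC_RE.match(parts[1].lower()):
            out.append(Observed(mac=parts[1].lower(), ip=parts[2],
                                source="dhcp", hostname=parts[3]))
    return out


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered (randomised or
    virtual) MAC. An unauthorised MAC with this bit set is a BYOD/mobile suspect
    rather than a fixed asset with a vendor-assigned address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def reconcile(observed, inventory):
    """Split observations into unauthorised, inventory-but-unseen, and randomised MACs."""
    seen = {}
    for o in observed:
        seen.setdefault(o.mac, o)  # keep the first sighting of each MAC
    unauthorized = sorted(m for m in seen if m not in inventory)
    missing = sorted(m for m in inventory if m not in seen)
    randomized = sorted(m for m in unauthorized if is_locally_administered(m))
    return {"unauthorized": unauthorized, "missing": missing,
            "randomized": randomized, "seen": seen}


def run_report():
    observed = parse_ip_neigh(ARP_SAMPLE) + parse_dnsmasq_leases(DHCP_SAMPLE)
    return reconcile(observed, INVENTORY)


if __name__ == "__main__":
    report = run_report()
    for mac in report["unauthorized"]:
        o = report["seen"][mac]
        tag = " (randomised MAC, likely BYOD)" if mac in report["randomized"] else ""
        print(f"UNAUTHORIZED {mac} {o.ip} {o.hostname or '-'} via {o.source}{tag}")
    for mac in report["missing"]:
        print(f"NOT SEEN     {mac} {INVENTORY[mac][0]} (stale inventory or offline)")
```

Both directions of the comparison matter: unauthorized devices are the obvious finding, but an inventory entry that is never observed is either an offline asset or a stale record, and stale records are what let a replaced device's credentials or certificate keep working.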
The following is a list of the sub-controls of CIS Control 1:
CIS Control 2 focuses on actively managing (inventory, track, correct) all software on the network so that only authorized software is installed and able to execute. Likewise, all unauthorized and unmanaged software is found and blocked from installation and execution.
Essentially, CIS Control 2 calls for you to be aware of what software is on your system, who installed it, and what it does. The control focuses on the need to know what is running on your systems and network at all times. It also focuses on the need for internal inventory management. That way, if anything were to ever happen, your team would be able to easily identify and remove software that is not on your inventory list.
Attackers continuously target organizations running vulnerable versions of software because such software is often easy to exploit remotely.
Furthermore, some attackers also distribute documents, media files, hostile web pages, and other malicious content via their own web pages or otherwise trustworthy third-party sites. If unsuspecting users access this content with a vulnerable browser then attacks can compromise their machines. Then, attackers often install backdoor programs and bots that give them long-term, undetected control of the system.
Once an attacker exploits a single machine, they often use it to gather sensitive information about the corporation, the compromised system, as well as any other systems connected to it.
Without complete knowledge and control of the software deployed in an organization, defenders cannot properly secure their assets or identify software that should not be there, or worse, that is already there and malicious.
Managed control of all software also plays a critical role in planning and executing system backup, incident response, and recovery. As a result, CIS Control 2 strengthens multiple aspects of your cyber security posture and is worthwhile for your team to implement.
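One way to enforce "only authorized software" rather than merely list it, as an added example that is not from the original article or from CIS: audit the contents of a directory against an allowlist of approved SHA-256 digests. The sample directory and the approved-hash table are constructed inside the script so it runs offline; in practice the allowlist comes from your release process.

```python
"""Audit a directory of executables against an allowlist of approved SHA-256 hashes.

Added example for CIS Control 2; not code from the original article or from CIS.
The sample directory and the APPROVED table are constructed here so the script runs offline.
"""
import hashlib
import os
import tempfile


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Approved builds: name -> SHA-256 of the release the organisation signed off on.
# The digests are derived from constructed contents so the example is self-contained.
APPROVED_CONTENT = {
    "backup.sh": b"#!/bin/sh\nrsync -a /srv/data /mnt/backup\n",
    "cleanup.sh": b"#!/bin/sh\nfind /tmp -mtime +7 -delete\n",
}
APPROVED = {name: hashlib.sha256(body).hexdigest() for name, body in APPROVED_CONTENT.items()}


def build_sample_dir():
    """Constructed sample: one approved file, one modified file, one unknown binary."""
    d = tempfile.mkdtemp(prefix="swaudit-")
    files = {
        "backup.sh": APPROVED_CONTENT["backup.sh"],
        "cleanup.sh": APPROVED_CONTENT["cleanup.sh"] + b"# line that is not in the approved release\n",
        "miner": b"\x7fELF" + b"\x00" * 60,  # no approved digest at all
    }
    for name, body in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d


def audit_directory(path, approved):
    """Classify each file as approved (digest matches), modified (known name,
    different digest) or unknown (name not in the allowlist).

    Matching on digest rather than file name is the point: a tampered script keeps
    its name but not its digest, and renaming a binary does not make it approved."""
    by_hash = {digest: name for name, digest in approved.items()}
    result = {"approved": [], "modified": [], "unknown": []}
    for name in sorted(os.listdir(path)):
        digest = sha256_file(os.path.join(path, name))
        if digest in by_hash:
            result["approved"].append(name)
        elif name in approved:
            result["modified"].append(name)
        else:
            result["unknown"].append(name)
    return result


if __name__ == "__main__":
    sample = build_sample_dir()
    for verdict, names in audit_directory(sample, APPROVED).items():
        for n in names:
            print(f"{verdict.upper():9} {n}")
```

The "modified" verdict is the one worth alerting on first: an unknown file may be a harmless local tool, but an approved name with a different digest is either an unapproved upgrade or tampering.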
The following is a list of the sub-controls of CIS Control 2:
CIS Control 3 focuses on the need to continuously acquire, assess, and act on new information in order to identify new vulnerabilities, remediate, and minimize the opportunity for attackers.
Organizations operate in a constant stream of new security information: evolving threats, software updates, patches, security advisories, etc.
Essentially, CIS Control 3 calls for you to continuously understand and manage these vulnerabilities.
The control consists of sub-controls covering vulnerability scanning, patch management, and risk-based prioritization of what is found.
Understanding and managing vulnerabilities at a constant rate requires time, attention, and resources. In most cases, attackers have access to the same information and can take advantage of gaps between the appearance of new knowledge and remediation.
For instance, a researcher's report of a new vulnerability starts a race between multiple parties: attackers (trying to weaponize and exploit it), vendors (trying to deploy patches and updates to protect users), and defenders (trying to assess risk and protect their systems).
Organizations that do not scan for vulnerabilities or proactively address discovered vulnerabilities increase the likelihood of exploits and attacks.
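The "act on new information" step of this control is, mechanically, a comparison of installed versions against advisories, and the classic mistake is to compare version strings as text. The following added example (not from the original article or from CIS; the package list and the advisory IDs are constructed and hypothetical) does the comparison with proper component-wise ordering and shows where plain string comparison goes wrong.

```python
"""Match installed package versions against advisories using real version ordering.

Added example for CIS Control 3; not code from the original article or from CIS.
INSTALLED and ADVISORIES are constructed samples with hypothetical advisory IDs.
"""
import re

# Constructed: package -> installed version, as a package manager would report it.
INSTALLED = {
    "nginx": "1.10.0",
    "openssl": "1.1.1k",
    "curl": "7.80.0",
    "log-lib": "2.14.1",
}

# Constructed advisories: (hypothetical id, package, first fixed version, CVSS score).
ADVISORIES = [
    ("ADV-A", "nginx", "1.9.5", 7.5),
    ("ADV-B", "openssl", "1.1.1l", 5.9),
    ("ADV-C", "curl", "7.79.0", 9.8),
    ("ADV-D", "log-lib", "2.15.0", 10.0),
]

_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(v):
    """Turn '1.1.1k' into a tuple that sorts numerically per component.

    Numeric parts compare as integers, letters as strings; the leading tag keeps
    the two kinds from ever being compared to each other."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in _TOKEN.findall(v))


def is_vulnerable(installed, fixed):
    """Vulnerable when the installed version sorts below the first fixed version."""
    return version_key(installed) < version_key(fixed)


def naive_is_vulnerable(installed, fixed):
    """The bug this example exists to show: plain string comparison."""
    return installed < fixed


def triage(installed, advisories, compare=is_vulnerable):
    """Return affected (id, package, installed, fixed, cvss) rows, highest CVSS first."""
    hits = []
    for adv_id, pkg, fixed, cvss in advisories:
        have = installed.get(pkg)
        if have is not None and compare(have, fixed):
            hits.append((adv_id, pkg, have, fixed, cvss))
    return sorted(hits, key=lambda r: r[4], reverse=True)


if __name__ == "__main__":
    for row in triage(INSTALLED, ADVISORIES):
        print("PATCH {0}: {1} {2} -> {3} (CVSS {4})".format(*row))
    correct = {r[1] for r in triage(INSTALLED, ADVISORIES)}
    naive = {r[1] for r in triage(INSTALLED, ADVISORIES, compare=naive_is_vulnerable)}
    print("string comparison would wrongly add:", sorted(naive - correct))
```

With the sample data, string comparison reports nginx 1.10.0 as older than 1.9.5, a false positive that wastes a patch cycle; the reverse error (a false negative) is the one that leaves a system exposed, so version ordering deserves a unit test in any in-house scanner glue.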
CIS Control 4 focuses on controlling the use of administrative privileges.
Specifically, this control focuses on reducing administrative privilege and restricting it to the users who require it to perform their job roles. In most cases the majority of users do not need administrative privilege for daily tasks, yet many businesses grant every user administrative privileges regardless of role, which is risky.
CIS Control 4 focuses on using processes and tools to track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
CIS Control 4 is critical because attackers are constantly on the lookout for organizations that fail to control and restrict their administrative users.
Misuse of privilege is an increasingly popular method for attackers to land and expand inside networks.
For instance, two common attacks that rely on administrative privileges to execute are the following:
First, an attacker manipulates a user running with administrative privilege into opening a malicious PDF or attachment. Or, a user is infected with malware after visiting a site that loads it silently in the background.
Privileged accounts make these attacks specifically quick and dangerous to carry out. User machines can instantly be controlled, have keylogging installed, and other malicious activity can occur, all out of plain sight.
When this is executed on a device with administrative privileges, the attacker can completely take over the victim’s machine and infect other systems on the network.
The second common attack is an elevation-of-privilege attack: guessing or cracking the password of an administrative user in order to gain access to a target machine. If administrative privileges are loosely given out, or identical (or similar) passwords are reused on less critical systems, the attacker can easily gain full control of your systems.
As a result, restricting administrative privilege by job function is one of the most effective ways to reduce risk.
CIS Control 5 focuses on secure configuration for hardware and software on mobile devices, laptops, workstations, and servers.
Specifically, this control focuses on establishing, implementing, and then actively managing the security configuration of devices using rigorous configuration management and change control processes in order to prevent hackers from exploiting vulnerable services and settings.
CIS Control 5 is critical because the default configurations of operating systems and applications are mostly geared towards ease of use, not security. As a result, default settings, open services and ports, default accounts or passwords, older protocols, and pre-installed unnecessary software can all be exploited in their default state.
Therefore, it is important to develop configuration settings with sophisticated security properties. However, this can be a complex task beyond the ability of individual users. In fact, it can require the analysis of hundreds or thousands of options in order to make the right choices.
For instance, even if a strong initial configuration is developed and installed, it must be continuously managed in order to avoid security degradation as software is updated or patched, new security vulnerabilities are reported, and configurations are tweaked. In most cases, configurations are tweaked to allow the installation of new software or in order to support new operational requirements.
If it is not managed, attackers will find opportunities to exploit both network-accessible services and client software.
As a result, it is critical to develop and implement a secure configuration of your devices.
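A configuration check in the spirit of this control, as an added example that is not from the original article or from CIS. It compares an sshd_config against a hypothetical baseline of a few settings a benchmark would require, while honoring two real OpenSSH parsing rules that manual review often misses: for each keyword the first value in the file wins, and a keyword that is absent takes the daemon's default. The config text is constructed.

```python
"""Check an sshd_config against a hardening baseline, honouring sshd's own parsing rules.

Added example for CIS Control 5; not code from the original article or from CIS. The
config text is constructed and BASELINE is a hypothetical subset of what a benchmark
would require; sshd's "first obtained value wins" rule and the DEFAULTS below are real
OpenSSH behaviour.
"""
import re

# Constructed sshd_config. The second PermitRootLogin line is the kind of "fix"
# that looks right in the file but has no effect, because sshd keeps the first value.
SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
# Added by a later ticket, but ignored by sshd: the first occurrence above wins
PermitRootLogin no
X11Forwarding yes
MaxAuthTries 6
Match User deploy
    PasswordAuthentication yes
"""

# OpenSSH defaults used when a keyword is not set at all.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Hypothetical baseline: keyword -> (check, expected, rationale).
BASELINE = {
    "permitrootlogin": ("eq", "no", "no interactive root over SSH"),
    "passwordauthentication": ("eq", "no", "keys only, blocks password guessing"),
    "x11forwarding": ("eq", "no", "unused feature, removes attack surface"),
    "maxauthtries": ("max", 4, "limit guesses per connection"),
}

_KV = re.compile(r"^\s*([A-Za-z0-9]+)\s*[=\s]\s*(.+?)\s*$")


def effective_settings(text, defaults=DEFAULTS):
    """Global settings as sshd applies them: first value per keyword wins, comments
    are skipped, and everything from the first Match block onward is conditional
    and therefore not part of the global configuration."""
    settings = dict(defaults)
    seen = set()
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            settings[key] = value
    return settings


def check_baseline(settings, baseline=BASELINE):
    """Return a list of (keyword, actual, expected, rationale) deviations."""
    findings = []
    for key, (mode, expected, why) in baseline.items():
        actual = settings.get(key)
        if mode == "eq" and (actual or "").lower() != expected:
            findings.append((key, actual, expected, why))
        elif mode == "max" and int(actual) > expected:
            findings.append((key, actual, f"<= {expected}", why))
    return findings


if __name__ == "__main__":
    for key, actual, expected, why in check_baseline(effective_settings(SSHD_CONFIG)):
        print(f"FAIL {key}: is {actual!r}, want {expected} ({why})")
```

The sample fails all four checks even though a reviewer skimming the file would see "PermitRootLogin no" and move on. Checking the effective configuration (here by reimplementing the parsing rules; `sshd -T` prints the same thing on a live host) rather than the file text is what makes the check trustworthy.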
CIS Control 6 focuses on collecting, managing, and analyzing audit logs of events that could help your team detect, understand, and recover from an attack.
Specifically, this control focuses on establishing, implementing, and then actively managing the process by which your logs are monitored and analyzed.
CIS Control 6 is critical because deficiencies in security logging and analysis can allow attackers to hide their location, malicious software, and activities on victims’ machines. The longer an attacker is on your device undetected, the more damage they are capable of inflicting. Furthermore, even if the victims are aware of an attacker on their system, without protected and complete logging records you can be blind to the details of the attack.
Without solid audit logs, an attack may go unnoticed indefinitely and the damage done may be irreversible.
In some cases, logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes. However, attackers rely on the fact that such organizations rarely examine audit logs, and therefore, do not know that their systems have been compromised.
In short, if log analysis processes are poor or nonexistent, then attackers can sometimes control victim machines for months or years without anyone in the organization realizing it. Although there is surely evidence of the attack, often times the only records of it are in unexamined log files.
Therefore, it is important to establish, implement, and manage the processes your team has for monitoring security logs.
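What "analyze" means in practice for this control, as an added example that is not from the original article or from CIS: detection logic run over constructed sshd log lines in the usual syslog format. It raises one alert when a source IP crosses a failure threshold inside a time window and a higher-severity alert when that same IP then authenticates successfully, which is the pattern a credential-guessing attack leaves behind. Thresholds are hypothetical tuning values; the IPs are from the RFC 5737 documentation ranges.

```python
"""Detect password-guessing bursts and a subsequent successful login in sshd logs.

Added example for CIS Control 6; not code from the original article or from CIS.
The log lines are constructed in the syslog format sshd uses; the thresholds are
hypothetical tuning values. IPs are from the RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_SAMPLE = """\
Jun 15 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 15 10:00:03 bastion sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 15 10:00:05 bastion sshd[1203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jun 15 10:00:06 bastion sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 40004 ssh2
Jun 15 10:00:07 bastion sshd[1205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jun 15 10:00:20 bastion sshd[1206]: Accepted password for bob from 203.0.113.5 port 40009 ssh2
Jun 15 10:05:00 bastion sshd[1300]: Failed password for alice from 198.51.100.7 port 50000 ssh2
Jun 15 10:06:00 bastion sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAIL_THRESHOLD = 5   # this many failures ...
WINDOW_SECONDS = 60  # ... within this many seconds from one source IP


def parse(text, year=2021):
    """Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect(events, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding window of failures per IP. Alerts:
    - brute_force: >= threshold failures inside the window (fires once per IP)
    - success_after_burst: an Accepted from an IP that already triggered brute_force
    Firing once per IP keeps a noisy scanner from flooding the alert queue."""
    recent = defaultdict(deque)     # ip -> timestamps of recent failures
    flagged = {}                    # ip -> time brute_force fired
    alerts = []
    for ts, result, user, ip in events:
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append(("brute_force", ip, ts, f"{len(q)} failures in {window}s"))
        elif result == "Accepted" and ip in flagged:
            alerts.append(("success_after_burst", ip, ts, f"user {user} logged in after burst"))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts, detail in detect(parse(LOG_SAMPLE)):
        print(f"{ts:%H:%M:%S} {kind:20} {ip:15} {detail}")
```

The second alert is the one that justifies paging someone: a burst of failures alone is background noise on any internet-facing host, but a success from the same source minutes later means the guessing worked, and the detail field names the account to reset.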
Control 7 focuses on minimizing the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
CIS Control 7 is critical because web browsers and email clients are common points of entry and attack. This is due to their technical complexity, flexibility, and their direct interaction with users and with other outside systems and websites. As a result, it’s a critical attack surface for every organization to consider and secure.
Content can be crafted to entice or spoof users into taking actions that threaten the organization and increase overall risk. In most cases, these risks take the form of malicious code, loss of valuable data, and other attacks.
Since these applications are the main means that users interact with untrusted environments, they are therefore potential targets for both code exploitation as well as social engineering.
CIS Control 8 focuses on controlling the installation, spread, and execution of malicious code at multiple points of the organization.
In addition, it focuses on optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
CIS Control 8 is critical because malicious software is an integral and dangerous aspect of Internet threats, as it is designed to attack your systems, devices, and your data.
Furthermore, it is fast-moving, fast-changing, and enters through any number of points. For example, end-user devices, email attachments, web pages, cloud services, user actions, and removable media.
Unfortunately, modern malware is designed to either avoid defenses or attack and disable them.
As a result, malware defenses must be able to operate in this dynamic environment through large-scale automation, rapid updating, and integration with processes like incident response plans.
Furthermore, defenses must also be deployed at all possible attack vectors in order to detect, stop the spread, and control the execution of malicious software.
Enterprise endpoint security suites provide administrative features to verify that all defenses are active and current on every managed system.
CIS Control 9 focuses on managing (tracking, controlling, and correcting) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize the windows of vulnerability available to attackers.
CIS Control 9 is critical because attackers often search for remotely accessible network services that are vulnerable to exploitation.
For instance, common examples include poorly configured web servers, mail servers, file and print services, and DNS servers. These are often installed by default on a variety of different device types, often without a business need.
Furthermore, many software packages automatically install services and turn them on as part of the installation of the main software package. This can occur without informing a user or administrator that the services have been enabled.
Attackers scan for such services and attempt to exploit these services, usually by attempting to exploit default user IDs and passwords or widely available exploitation code.
As a result, it is critical to limit and control network ports, protocols, and services.
CIS Control 10 focuses on the processes and tools used to properly back up critical information with a proven methodology for a timely recovery.
CIS Control 10 is critical because when attackers compromise machines, they often make significant changes to configurations and software.
Furthermore, they can make subtle alterations to data stored on compromised machines, which can, in turn, jeopardize organizational effectiveness with inaccurate or incomplete data.
When and if attackers are discovered, it can be difficult for organizations to find and remove all aspects of the attacker’s presence and changes made on the machine.
As a result, it is critical to have effective data recovery solutions that you trust.
CIS Control 11 focuses on establishing, implementing, and actively managing (track, report on, and correct) the security configuration of network infrastructure devices. This is done by using rigorous configuration management and a change control process in order to prevent attackers from exploiting vulnerable services and settings.
CIS Control 11 is critical because, in most cases, the default configurations of network infrastructure devices are geared towards ease of use and ease of deployment, not security.
For instance, open services and ports, default accounts (including service accounts) or passwords, support for older (vulnerable) protocols, pre-installation of unnecessary software, can all be exploited in their default state.
As a result, the management of the security configurations for networking devices is not a one-time action, but a process that involves continued analysis and evaluation of not only the configuration items but also the permitted traffic flows.
Oftentimes, attackers take advantage of network devices becoming less secure in their configurations over time as users demand exceptions for specific business needs. In some cases, the security risk of the exception is neither properly analyzed nor measured against the associated business need. Furthermore, both business risk and need can change over time.
Attackers search for vulnerable default settings, gaps, and inconsistencies in firewall rule sets, routers, and switches and use those holes to penetrate defenses.
Furthermore, they exploit flaws in these devices to gain access to networks, redirect traffic on a network, and intercept information while in transmission. Through these actions, the attacker is able to gain access to sensitive data, alter important information, and can even use a compromised machine to pose as another trusted system on the network.
As a result, it is critical to secure the configuration for network devices, such as firewalls, routers, and switches.
CIS Control 12 focuses on detecting, preventing, and correcting the flow of information across networks of different trust levels with a focus on security-damaging data.
CIS Control 12 is critical because attackers often focus on exploiting systems that they can reach across the internet, including not only DMZ systems but also workstations and laptop computers that pull content from the internet via network boundaries.
For instance, threats such as organized crime groups and nation-states use configuration and architectural weaknesses found on perimeter systems, network devices, and internet-accessing client machines in order to gain the initial access into an organization.
Then, with a base of operations on these machines, attackers will often pivot to get deeper inside the boundary in order to steal or change information or to set up a persistent presence for later attacks against internal hosts.
Additionally, many attacks occur between business partner networks, sometimes referred to as extranets, as attackers hop from one organization’s network to another, exploiting vulnerable systems and extranet perimeters.
In order to control the flow of traffic through network borders as well as police content by looking for attacks and evidence of compromised machines, boundary defenses should be multi-faceted. This can be obtained by relying on firewalls, proxies, DMZ perimeter networks, and network-based IPS and IDS.
It should also be noted that boundary lines between internal and external networks are diminishing as a result of increased connectivity within and between organizations. Furthermore, the deployment of wireless technologies is also a contributing factor.
These blurring lines often allow attackers to gain access inside networks while bypassing boundary systems. However, even with this blurring of boundaries, effective security deployments still rely on carefully configured boundary defenses that successfully separate networks with different threat levels, sets of users, data, and levels of control.
Despite the blurring of internal and external networks, effective multi-layered defenses of perimeter networks help lower the number of successful attacks, allowing security personnel to focus on attackers who have devised methods to bypass boundary restrictions.
CIS Control 13 focuses on the processes and tools used to prevent data exfiltration, mitigate the effects of data that has been exfiltrated, and ensure the privacy and integrity of sensitive information.
CIS Control 13 is critical because data resides in many places and protection of it is best achieved through the application of a combination of encryption, integrity protection, and data loss prevention techniques.
As organizations continue their move towards cloud computing and mobile access, it is critical to ensure that proper care is taken to limit and report on data exfiltration while also mitigating the effects of data compromise.
For instance, some organizations do not carefully identify and separate their most sensitive and critical assets from less sensitive, publicly accessible information on their internal networks.
Furthermore, in many environments, internal users have access to all or most of the critical assets.
Sensitive assets may also include systems that provide management or control of physical systems, for instance Supervisory Control and Data Acquisition (SCADA). Once attackers have penetrated such a network, they can easily find and exfiltrate important information, cause physical damage, or disrupt operations with little to no resistance.
For example, in several high-profile data breaches over the past few years, attackers were able to reach sensitive data stored on the same servers, and under the same access rights, as far less important data.
In other cases, attackers were able to use access to the corporate network to gain access to, then control over, physical assets in order to cause damage.
As a result, it is important to manage the process and tools used to protect your data.
CIS Control 13: Procedures and Tools
It is essential that an organization understand what its sensitive information is, where it resides, and what users need access to it.
In order to derive sensitivity levels, organizations should put together a list of the key types of data and the overall importance of said data to the organization.
Then, this analysis can be used to create an overall data classification scheme for the organization.
For instance, organizations should define labels such as “Sensitive”, “Business Confidential”, and “Public.” Afterward, they can classify their data according to those labels.
Once the private information has been identified, further subdivide it based on the impact it would have on the organization if it were compromised.
After the sensitivity of the data has been classified, create a data inventory or mapping that identifies business applications and the servers that house those applications. The network should then be segmented so that systems of the same sensitivity level are on the same network and separated from systems with different trust levels.
If possible, then firewalls should control access to each segment.
Furthermore, access to data should be based on job requirements and only handed out on a need-to-know basis. Job requirements should be created for each user group in order to determine what information the group needs access to. Based on the requirements, access should only be given to the data segments or servers that are needed for each job function.
Finally, detailed logging should be turned on for servers in order to track access and allow for security personnel to examine incidents in which data was improperly accessed.
CIS Control 14 focuses on the processes and tools used to track, control, prevent, correct, and secure access to critical assets. Specifically, control over assets such as information, resources, and systems, according to the formal determination of which users, computers, and applications have a need and right to access critical assets based on an approved classification.
CIS Control 14 is critical because encrypting data provides a level of assurance that even if data is compromised, it is impractical to access the plaintext without access to significant resources. However, controls should be put in place to mitigate the threat of data exfiltration in the first place. Many attacks occur across the network, while others involve physical theft of equipment. If the equipment stores sensitive data on it, then this threatens the organization and its data.
Furthermore, in many cases, the victims are not even aware that sensitive data is leaving their systems because they were not monitoring data outflows. Electronically and physically monitor the movement of data across network boundaries in order to minimize its exposure to attackers.
The loss of control over protected or sensitive data by organizations is a serious threat to business operations and can even be a potential threat to national security. Some data is lost or leaked because of theft or espionage. However, the vast majority of these problems result from ineffective data practices, poor policy architectures, and user error.
Data loss can even occur as a result of legitimate activities such as e-Discovery during litigation, particularly when records retention practices are ineffective or nonexistent.
As a result, the adoption of data encryption, both in transit and at rest, reduces the risk of data compromise. However, take proper care of the processes and technologies associated with the encryption operations. An example of this is the management of cryptographic keys used by the various algorithms that protect data. The process for the generation, use, and destruction of keys should be based on proven processes as defined in standards such as NIST SP 800-57.
Furthermore, take care to ensure that products used within an enterprise implement well-known and vetted cryptographic algorithms, as identified by NIST. Re-evaluation of the algorithms and key sizes used within the enterprise on an annual basis is also recommended to ensure that organizations are not falling behind in the strength of protection applied to their data.
For organizations that are moving data to the cloud, it is critical to understand the security controls applied to data in the cloud multi-tenant environment and determine the best course of action for encryption controls and security of keys. When possible, keys should be stored within secure containers such as Hardware Security Modules (HSMs).
Data loss prevention (DLP) refers to a comprehensive approach covering people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework.
Over the last several years, there has been a noticeable shift in the attention and investment from securing the network to securing systems within the network, and to securing the data itself. DLP controls are based on policy and include classifying sensitive data, discovering that data across an enterprise, enforcing controls, and reporting and auditing to ensure policy compliance.
CIS Control 14: Procedures and Tools
There are several commercial tools available to support enterprise management of encryption and key management. Furthermore, many of them include the ability to support the implementation of encryption controls within the cloud and mobile environments.
Organizations should define life cycle processes, roles, and responsibilities associated with key management.
There are Data Loss Prevention (DLP) solutions available to monitor exfiltration attempts as well as to detect other suspicious activities associated with a protected network holding sensitive information.
Organizations deploying such tools should carefully inspect their logs and closely examine discovered attempts, even those that are successfully blocked, to transmit sensitive information out of the organization without authorization.
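A minimal version of the content inspection described here, as an added example that is not from the original article or from CIS, serving both the classification scheme under Control 13 and the DLP discussion under Control 14. It scans a constructed outbound message for card numbers (candidates are validated with the Luhn check so that order numbers and ticket IDs are not flagged), looks for the classification labels named earlier, and applies a hypothetical policy. The card numbers in the sample are well-known test numbers, not real accounts.

```python
"""Inspect an outbound message for card numbers and classification labels before it leaves.

Added example for the DLP discussion under CIS Controls 13 and 14; not code from the
original article or from CIS. The message is constructed; the card numbers in it are
well-known test numbers, and the labels follow the classification scheme named above.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Labels from most to least restrictive; a message carries the most restrictive one found.
LABELS = ["Sensitive", "Business Confidential", "Public"]


def luhn_ok(digits):
    """Luhn mod-10 check; filters out most random digit runs (order numbers, IDs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep BIN and last four, as a DLP log should; never store the full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return masked card numbers that pass Luhn; raw values never leave this function."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask(digits))
    return hits


def classification(text):
    lowered = text.lower()
    for label in LABELS:
        if label.lower() in lowered:
            return label
    return None


def inspect_outbound(message, external_recipient=True):
    """Hypothetical policy: block any card data leaving; block Sensitive and
    Business Confidential material to external recipients; otherwise allow."""
    pans = find_pans(message)
    label = classification(message)
    if pans:
        action = "block"
    elif external_recipient and label in ("Sensitive", "Business Confidential"):
        action = "block"
    else:
        action = "allow"
    return {"action": action, "pans": pans, "label": label}


# Constructed outbound e-mail body.
SAMPLE_MESSAGE = """\
Hi, attaching the Q2 numbers. Classification: Business Confidential.
Customer card on file: 4111 1111 1111 1111 (exp 12/25).
Ticket reference 1234-5678-1234-5678 is unrelated.
"""

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE_MESSAGE))
```

Two details carry over to real deployments: the result record holds only masked values, so the DLP log itself does not become a new store of card data, and the Luhn filter is what keeps the false-positive rate low enough that the blocked-attempt review the section recommends is actually done.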
CIS Control 15 focuses on the processes and tools used to track, control, prevent, correct, and secure the use of wireless local area networks (WLANs), access points, and wireless client systems.
CIS Control 15 is critical because major thefts of data have been initiated by attackers who gained wireless access from outside the physical building, bypassing the organization's security perimeter by connecting to access points inside it.
Wireless clients accompanying travelers are infected on a regular basis through remote exploitation while on public wireless networks found in airports and cafes. Exploited systems are then reconnected to the network and used as backdoors.
Other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Since they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.
CIS Control 15: Procedures and Tools
Organizations should perform effective wireless scanning, detection, and utilize discovery tools such as wireless intrusion detection systems.
Additionally, the security team should periodically capture wireless traffic from within the borders of a facility. Then, use analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization’s asset inventory and either reconfigured more securely or denied access to the organization’s network.
Finally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.
CIS Control 16 focuses on actively managing the life cycle of system and application accounts. For instance, their creation, use, dormancy, and deletion, in order to minimize opportunities for attackers to leverage them.
CIS Control 16 is critical because attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate users. As a result, discovering the attacker can be difficult for security teams. Accounts of terminated contractors and employees, or accounts set up for penetration testing (but not deleted after) have been misused in this way.
Furthermore, these can also be access points for malicious insiders and former employees to gain access to accounts left behind in a system long after contract expiration. Attackers can maintain access to an organization’s computing system as well as sensitive data for unauthorized or malicious purposes.
CIS Control 16: Procedures and Tools
Most operating systems can log information about account usage, but these features are sometimes disabled by default, and even when active they often record little detail about who accessed a system and when. Security personnel should therefore configure systems to record more detailed account access information, and use home-grown scripts or third-party log analysis tools to analyze it and profile how users access systems.
Track accounts closely: disable any dormant account and remove it from the system, trace every active account back to an authorized user, and enable multi-factor authentication.
Finally, log out users after a period of inactivity. An unattended session that is still logged in lets anyone who reaches that system act as the user and extract information from the organization.
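The script below is an added example for this article, not CIS tooling or code from the original page. It implements the profiling described in this section: it reads successful logons out of an access log to find each account's most recent use, then reviews a directory export against an HR roster to flag accounts that are dormant (no successful logon in 90 days), never used, orphaned (not traceable to a current authorized user), not enrolled in MFA, or disabled but not yet removed. The log format, the 90-day threshold, the account records and the roster are all constructed for illustration; a real deployment would feed it OS authentication logs or a SIEM export.

```python
"""Profile account activity from access logs and flag accounts that violate
life-cycle policy. Added example for this article; not CIS tooling or the
page's own code. Log format, thresholds, roster and accounts are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

DORMANT_AFTER = timedelta(days=90)  # assumed policy: no successful logon in 90 days

# Constructed access log (not a real OS log format). Only successful logons count as use.
SAMPLE_LOG = """\
2021-06-13T08:02:11Z host=ws-01 event=logon user=alice result=success
2021-06-14T17:40:02Z host=ws-01 event=logoff user=alice
2021-02-15T09:12:45Z host=srv-02 event=logon user=bob result=success
2020-11-27T22:01:00Z host=srv-09 event=logon user=svc-pentest result=success
2021-06-14T03:15:30Z host=srv-09 event=logon user=svc-pentest result=failure
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=logon user=(?P<user>\S+) result=success$"
)


@dataclass(frozen=True)
class Account:
    name: str
    owner: Optional[str]  # HR identifier the account is traced to; None if unknown
    enabled: bool
    mfa_enrolled: bool


# Constructed directory export and HR roster of current staff (hypothetical data).
ACCOUNTS = [
    Account("alice", "E1001", True, True),
    Account("bob", "E1002", True, True),
    Account("svc-pentest", None, True, False),      # test account nobody owns
    Account("contractor7", "C0443", True, False),   # owner no longer on the roster
    Account("old-admin", "E0007", False, False),    # disabled but never deleted
]
ACTIVE_ROSTER = {"E1001", "E1002"}
NOW = datetime(2021, 6, 15, tzinfo=timezone.utc)


def last_successful_logon(log_text: str) -> Dict[str, datetime]:
    """Most recent successful logon per user; failed attempts and logoffs are ignored."""
    latest: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LOGON_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if m["user"] not in latest or ts > latest[m["user"]]:
            latest[m["user"]] = ts
    return latest


def review_accounts(accounts, last_logon, roster, now,
                    dormant_after: timedelta = DORMANT_AFTER) -> Dict[str, List[str]]:
    """Map account name -> policy findings. Accounts with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        issues: List[str] = []
        if not a.enabled:
            issues.append("disabled-pending-removal")  # policy is disable AND remove
        else:
            seen = last_logon.get(a.name)
            if seen is None:
                issues.append("never-used")
            elif now - seen > dormant_after:
                issues.append("dormant")
            if a.owner is None or a.owner not in roster:
                issues.append("orphaned")  # cannot be traced to an authorized user
            if not a.mfa_enrolled:
                issues.append("no-mfa")
        if issues:
            findings[a.name] = issues
    return findings


if __name__ == "__main__":
    result = review_accounts(ACCOUNTS, last_successful_logon(SAMPLE_LOG), ACTIVE_ROSTER, NOW)
    for name, issues in sorted(result.items()):
        print(f"{name}: {', '.join(issues)}")
```

Note that the failed logon attempt against `svc-pentest` the day before the review does not rescue it from being dormant; counting failures as activity would let an attacker's guessing keep a stale account alive.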
CIS Control 17 focuses on identifying the specific knowledge, skills, and abilities needed to support the defense of the enterprise across all functional roles in the organization, prioritizing those mission-critical to the business and its security. It also covers developing and executing an integrated plan to assess skills, identify gaps, and remediate the resulting risks through policy, organizational planning, training, and awareness programs.
CIS Control 17 is critical because the actions of people play a central part in the success or failure of an enterprise’s defenses. Cyber defense is far more than a technical challenge: people fulfill important functions at every stage of system design, implementation, operation, and oversight.
Consider system developers and programmers, who may not understand the opportunity to resolve root-cause vulnerabilities early in the system life cycle; IT operations professionals, who may not recognize the security implications of IT artifacts and logs; end users, who may be susceptible to social engineering schemes such as phishing; security analysts, who struggle to keep up with a plethora of new information; and executives and system owners, who struggle to quantify the role that cyber security plays in overall operational or mission risk, and therefore have no reasonable way to make relevant investment decisions.
Unfortunately, attackers are well aware of these issues and exploit them: with carefully crafted phishing messages that look like routine, expected traffic to an unwary user; by exploiting gaps between policy and technology (policies that have no technical enforcement); or by exploiting the time window between patching or log review cycles and using nominally non-security-critical systems as jump points or bots, to list only a few.
As a result, equipping people with adequate cyber defense habits can significantly decrease your risk and increase your readiness should an attack occur.
CIS Control 17: Procedures and Tools
An effective enterprise-wide training program takes a holistic approach that considers policy and technology alongside the training itself. Design policies with technical measurement and enforcement, not just written expectations, and reinforce them with training that fills gaps in understanding. Implement technical controls to protect systems and data so that the opportunity for mistakes is minimized; with those controls in place, training can focus on the concepts and skills that cannot be technically managed.
An effective cyber defense training program is more than an annual event; it is an ongoing process of improvement that combines the following key elements:
CIS Control 18 focuses on managing the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
CIS Control 18 is critical because attacks often take advantage of vulnerabilities found in web-based and other application software. Vulnerabilities arise for several reasons, including coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions.
Examples of specific errors include failure to check the size of user input; failure to filter out unneeded but potentially malicious character sequences from input streams; failure to initialize and clear variables; and poor memory management that allows flaws in one part of the software to affect unrelated (and more security-critical) portions.
Furthermore, there is a plethora of public and private information about such vulnerabilities available to both attackers and defenders. There is also a robust marketplace for tools and techniques that weaponize vulnerabilities into exploits.
CIS Control 18: Procedures and Tools
The security of applications (in-house developed or acquired off-the-shelf or from external developers) is a complex activity. It requires a complete program that considers enterprise-wide policy, technology, and people.
Regularly test all software for vulnerabilities before putting it into production. Application vulnerability scanning itself is consolidated within CIS Control 3 (Continuous Vulnerability Management); the most effective approach, however, is a full supply chain security program for externally acquired software and a Secure Software Development Life Cycle for internally developed software, which is what this control addresses.
For software developed in-house or custom software developed externally under contract, an effective program for application software must address security throughout the entire life cycle. It should embed security as a natural part of establishing requirements, training, tools, and testing.
Modern development cycles and methods do not allow security to be a separate, sequential phase at the end. Acceptance criteria should always include requirements for running application vulnerability testing tools, and all known vulnerabilities should be documented. It is safe to assume that software will not be perfect, so a development program must plan up front for bug reporting and remediation as an essential security function.
For acquired software (commercial, open-source, etc.), application security should be part of the evaluation criteria. Make the effort to understand the supplier’s development practices, testing, and error reporting and management. Whenever possible, require suppliers to show evidence that they used standard commercial software testing tools or services and that no known vulnerabilities are present in the current version.
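As an added example for this article (not code from the page, from CIS, or from any particular scanner), the Python below turns the two requirements above, "acceptance criteria include vulnerability testing" and "document all known vulnerabilities", into a release gate: it reads a scan report, ignores findings below the blocking severity, lets through only findings that have a documented acceptance with a named owner and an unexpired date, and fails closed on severities it does not recognize. The scan report's JSON shape, the severity scale, the finding identifiers and the acceptance records are constructed; a real pipeline would map its scanner's output into this shape.

```python
"""Acceptance gate for a vulnerability scan: fail the build when findings at or
above the blocking severity are neither fixed nor covered by a documented,
unexpired acceptance. Added example for this article; the JSON shape,
severities and exception records are constructed, not a real scanner's format.
"""
import json
from datetime import date
from typing import Dict, List

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed scanner output in a simplified JSON shape.
SAMPLE_SCAN = json.dumps({
    "findings": [
        {"id": "SQLI-001", "severity": "HIGH", "component": "app/search.py"},
        {"id": "XSS-017", "severity": "MEDIUM", "component": "app/templates/profile.html"},
        {"id": "DEP-2049", "severity": "CRITICAL", "component": "vendor/libfoo-1.2.3"},
        {"id": "MISC-900", "severity": "UNKNOWN", "component": "app/util.py"},
    ]
})

# Documented known vulnerabilities (constructed). Every acceptance names an owner
# and an expiry, so nothing is silently accepted forever.
KNOWN_ACCEPTED = {
    "XSS-017": {"owner": "appsec", "expires": date(2021, 9, 30),
                "reason": "output is framework-encoded; confirm before release"},
    "DEP-2049": {"owner": "platform", "expires": date(2021, 5, 1),
                 "reason": "vendor fix pending"},
}


def evaluate_gate(scan_json: str, accepted: Dict[str, dict], today: date,
                  block_at: str = "HIGH") -> Dict[str, object]:
    """Return {'pass': bool, 'blocking': [...], 'expired_exceptions': [...]}."""
    floor = SEVERITY_RANK[block_at]
    unknown_rank = max(SEVERITY_RANK.values()) + 1  # unrecognized severity fails closed
    blocking: List[str] = []
    expired: List[str] = []
    for f in json.loads(scan_json)["findings"]:
        rank = SEVERITY_RANK.get(str(f.get("severity", "")).upper(), unknown_rank)
        if rank < floor:
            continue  # below the blocking threshold; still reported, not gating
        exc = accepted.get(f["id"])
        if exc is not None:
            if exc["expires"] >= today:
                continue  # documented and still inside its accepted window
            expired.append(f["id"])  # documented once, but the acceptance has lapsed
        blocking.append(f["id"])
    return {"pass": not blocking, "blocking": blocking, "expired_exceptions": expired}


if __name__ == "__main__":
    verdict = evaluate_gate(SAMPLE_SCAN, KNOWN_ACCEPTED, date(2021, 6, 15))
    print("PASS" if verdict["pass"] else "FAIL", verdict)
```

Expired acceptances are reported separately from plain new findings because they need a different conversation: the owner who signed the original exception, not the developer who introduced the component, is the person to chase.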
CIS Control 19 focuses on protecting the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (plans, defined roles, training, communications, and management oversight). These allow an organization to quickly discover an attack, effectively contain the damage, eradicate the attacker’s presence, and restore the integrity of the network and systems.
CIS Control 19 is critical because even enterprises that are large, well-funded, and technically sophisticated struggle to keep up with the frequency and complexity of attacks. The question of a successful cyber attack against an enterprise is not “if” but “when.”
The middle of an incident is not the time to develop effective procedures, reporting, data collection, management responsibility, legal protocols, and a communication strategy, yet these are exactly what enable your organization to understand, manage, and recover from it.
Without an incident response plan, an organization may not discover an attack at all. Even if it does, it may not follow effective procedures to contain the damage, eradicate the attacker’s presence, and recover in a secure fashion, allowing the attacker far greater impact: infecting more systems and potentially exfiltrating more sensitive data than would otherwise have been possible.
CIS Control 19: Procedures and Tools
After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, working through a series of attack scenarios tailored to the threats and vulnerabilities the organization faces. Scenarios help ensure that team members understand their roles on the team and prepare them to handle real incidents. Such exercises will inevitably identify gaps in plans and processes, as well as unexpected dependencies.
The actions in CIS Control 19 provide specific, high-priority steps that can improve enterprise security, and should be a part of any comprehensive incident and response plan.
CIS Control 20 focuses on testing the overall strength of an organization’s defense (its technology, processes, and users) by simulating the objectives and actions of an attacker.
CIS Control 20 is critical because in most cases attackers exploit the gap between good defense designs and intentions on one side and implementation and maintenance on the other. For instance, the time window between the announcement of a vulnerability, the availability of a vendor patch, and its actual installation on every machine. Other examples include well-intentioned policies that have no enforcement mechanism (especially those intended to restrict risky human actions); failure to apply good configurations to machines that come on and off the network; and failure to understand the interaction among multiple defensive tools, or with normal system operations that have security implications.
A successful defensive posture requires a comprehensive program. This should include effective policies and governance, strong technical defenses, and appropriate action by people. In a complex environment where technology is constantly evolving, new attacker methods appear regularly. As a result, organizations should periodically test their defenses to identify gaps and to assess their readiness by conducting penetration testing.
Penetration testing starts with the identification and assessment of vulnerabilities. Next, tests are designed and executed to demonstrate how an attacker can either subvert the organization’s security goals (e.g., the protection of specific intellectual property) or achieve specific adversarial objectives (e.g., the establishment of a covert command and control infrastructure).
The results provide deeper insight, through demonstration, into the business risks of various vulnerabilities.
Red Team exercises take a comprehensive approach across the full spectrum of an organization’s policies, processes, and defenses in order to improve organizational readiness. They also improve training for defensive practitioners and measure current performance levels. Independent Red Teams can provide valuable, objective insight into the existence of vulnerabilities and the effectiveness of defenses and mitigating controls.
CIS Control 20: Procedures and Tools
Historically, penetration tests and Red Team exercises have been performed for specific purposes:
In general, these kinds of tests are expensive and complex, and can introduce risks of their own. They provide significant value, however, when basic defensive measures are already in place and the tests are part of a comprehensive, ongoing security management and improvement program.
Test events are a very expensive way to discover that your enterprise does a poor job with patching and configuration management, for example.
Each organization should define a clear scope and rules of engagement for penetration testing and Red Team exercises. The scope of such projects should include, at a minimum, systems with the organization’s highest value information and production processing functionality. Test other lower-value systems to see if they can be used as pivot points to compromise higher-value targets. Furthermore, the rules of engagement should define specific times of day for testing, the duration of tests, and the overall test approach.
The actions in CIS Control 20 provide specific, high-priority steps that can improve enterprise security, and should be a part of any penetration testing and Red Team program.
Before your organization begins to implement CIS controls, it is important to find out where you stand and which security controls you already have in place.
Furthermore, it is important to benchmark your current security posture so that you, your team, and those who you report to can track your progress.
The NIST Cybersecurity Framework is a popular and robust tool that draws on the CIS Controls for several of its best practices.
As a result, a NIST cyber security assessment is a great place to start before you begin diving deeper into the controls.
If you have already taken a security assessment and are looking for assistance working through CIS controls, then please contact us.
aNetworks will walk through the controls with you and assist you with implementing the solutions needed to strengthen your security. We can help you better understand CIS controls as a framework and take some of the heavy lifting off your shoulders.
If you are looking for more resources, then please check out our resource center.