Cybersecurity is a formidable and essential task that, to many within information security, may feel as if it can never be 'completed,' but this doesn't have to be the case anymore.
Regardless of budget, it can seem impossible for many organizations to completely protect against every attack vector, and cyber risk can be a challenge. Of course, most organizations have security budgets that are far from limitless. How should they allocate their limited security resources to protect against cyber threats?
This is where the CIS Controls — also known as the CIS Top 18 Security Controls — come in.
What are CIS Security Controls?
The CIS Controls were created to answer a simple question: “What does a typical organization need to do to defend against known attacks?”
The Controls are a set of 18 best practice steps organizations can take to protect against cyber attacks. By focusing on a few highly effective controls, organizations can drastically reduce cyber risk without breaking their budgets.
The CIS Controls are effective for most organizations because they focus on the most common (i.e., highest-risk) attack vectors in current use. These top threats are identified by some of the industry’s most trusted reports — such as Verizon’s annual Data Breach Investigations Report — and vetted by a broad spectrum of cybersecurity experts.
Instead of individual organizations having to interpret and act on these trends themselves, the CIS Controls provide actionable, best-practice guidance on how to protect against the latest threats. Each year, the Controls are updated to reflect the most important current threats.
History of the CIS Controls
The CIS Controls were originally developed by the U.S. National Security Agency (NSA). After several organizations contracted by the U.S. Department of Defense (DoD) suffered major data loss incidents, the DoD asked the NSA to identify the most important security controls to protect against common attacks.
Initially published by the SANS Institute in 2009, the CIS controls were produced through knowledge sharing between a consortium of public and private sector organizations. Before publication, the controls were circulated to hundreds of IT and security organizations, whose comments were used to finalize the first version of the Controls.
Once published, the U.S. State Department reported “remarkable alignment” with the 3,000+ cyber attacks it had experienced during the previous year. From there, the Controls became the standard model for large organizations in both the public and private sectors.
Since their initial publication, the Controls' ownership has been transferred twice — first to the Council on Cyber Security (CCS) in 2013 and finally to the Center for Internet Security (CIS) in 2015.
Using CIS Controls for Security and Compliance
The security advantages of CIS Controls are obvious. The controls represent the lowest-resistance path to protecting against the most common cyber threats. Later in this article, we’ll look at what each of the Top 18 controls covers and which threats it helps to defend against.
However, the Controls significantly benefit any organization that must maintain compliance with an industry framework. Why? Because most (if not all) of the major compliance frameworks map very closely to the CIS Controls, as well as to the CIS Benchmarks.
CIS has continually demonstrated how the Controls map directly to 21 different compliance frameworks, including PCI-DSS, HIPAA, NIST CSF, the ISO 27000 series, and the UK’s Cyber Essentials program. In fact, almost all of the major compliance frameworks directly reference CIS Controls and CIS Benchmarks as the industry standard for secure controls and configuration.
As a result, aligning with CIS resources may be considered a top priority for any organization that needs to minimize cyber risk while maintaining compliance.
CIS Controls: Effective for Reducing Cyber Risk
Modern organizations have no choice but to allocate resources to reduce cyber risk and comply with industry and regulatory requirements. So, when the topic turns to CIS Controls, the most obvious question is: “Will these controls be effective for my organization?”
The answer is a resounding yes.
When the State Department implemented the original version of the Controls in 2009, it quickly achieved an 88% reduction in vulnerability-based risk across its 85,000 systems.
The reason for this tremendous result is simple. The Controls are designed to help organizations protect against the most common attacks. When implemented effectively, the security controls ensure an organization is protected against the overwhelming majority of cyber attacks. For most organizations, this amounts to protection against practically any attack they are likely to be faced with.
Of course, this prompts a second question: “Are the CIS Controls enough?” With so many frameworks and best practices, many often ask which is best and for what reasons.
Almost all of them are very detailed, exhaustive, and descriptive, telling you “what needs to be done.” However, only one is prescriptive in nature. The CIS Controls not only tell you “what needs to be done,” but they also tell you in what order they need to be considered when implementing an effective security framework.
For many, aligning with the CIS Controls and Benchmarks should be the starting point. The next step is to apply additional controls as needed to protect against the more unusual and advanced cyber attacks an organization faces.
Overview of the CIS Controls
The CIS Controls are broken down into three implementation groups:
- IG1 — Termed "Essential Hygiene," these are the critical safeguards for minimum cyber defense for all enterprises. IG1 includes 56 safeguards.
- IG2 — ‘Next step’ controls that provide clear security benefits; ideal for organizations with more resources and moderately sensitive data. IG2 adds 74 additional safeguards.
- IG3 — Additional controls that cover the people and processes involved in an organization’s cybersecurity function; ideal for enterprises with highly sensitive information or functions subject to regulatory and compliance oversight. IG3 adds 23 safeguards.
For optimal security, every organization should aim to align its security program with all 18 CIS Controls. The following table contains a brief overview of each Control and what it’s designed to protect against.
|
Control |
Purpose |
|
1. Inventory and Control of Hardware Assets |
Track all hardware devices attached to your network and ensure only authorized devices are allowed access. |
|
2. Inventory and Control of Software Assets |
Manage all software running on your network and ensure only authorized software can be installed and executed. |
|
3. Data Protection |
Develop processes and technical controls to identify, classify, securely handle, and dispose of data. |
|
4. Secure Configuration of Enterprise Assets and Software |
Establish and maintain the secure configuration of enterprise assets (end-user devices; network devices, non-computing/IoT devices; & servers) and software (operating systems and applications). |
|
5. Account Management |
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. |
|
6. Access Control Management |
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. |
|
7. Continuous Vulnerability Management |
Continuously assess and track vulnerabilities on all enterprise assets to remediate and minimize the window of opportunity for attackers. |
|
8. Audit Log Management |
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack. |
|
9. Email and Web Browser Protections |
Prevent social engineering attacks via email and web vectors. |
|
10. Malware Defenses |
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets. |
|
11. Data Recovery |
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state. |
|
12. Network Infrastructure Management |
Manage (track, report, correct) network devices in order to prevent hackers from exploiting vulnerable network services and access points. |
|
13. Network Monitoring and Defense |
Defend against security threats across the enterprise's network infrastructure and user base with comprehensive network monitoring |
|
14. Security Awareness and Skills Training |
Establish and maintain a security awareness program to educate the employee workforce on security consciousness and skills to reduce cybersecurity risks. |
|
15. Service Provider Management |
Evaluate service providers who hold sensitive data or are responsible for an enterprise's critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately. |
|
16. Application Software Security |
Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise. |
|
17. Incident Response Management |
Establish a program to develop and maintain an incident response capability to prepare, detect, and quickly respond to an attack. |
|
18. Penetration Testing |
Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology) and simulating the objectives and actions of an attacker. |
Implementing CIS Security Controls may reduce cyber risk by as much as 85%. You can find more information about all of the controls on the CIS Controls website.
Align with CIS Controls Using CimTrak
CimTrak is an IT integrity, security, and compliance toolset that helps any organization align its security program with the CIS Controls. CimTrak provides a CIS-certified solution set that includes full or partial coverage for 12 of the 18 controls — and more than 70 CIS Benchmarks.
CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify and eliminate any vulnerabilities introduced.
Some of the top security benefits of CimTrak include:
CIS Controls Powered By CIS Benchmarks
CimTrak will utilize CIS Benchmarks to continuously assess your infrastructure for vulnerabilities and to ensure that systems are in a hardened state. The results of these CIS Benchmark tests are mapped to the CIS Controls. This provides you with powerful evidence that you have implemented a CIS Control or CIS sub-control. CimTrak's advanced reporting makes it easy to understand where you stand in your CIS Controls implementation journey.
Continuous Vulnerability Management
CimTrak will continuously acquire, assess, and act on information to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Control all hardware and software assets
CimTrak’s discovery scans make it easy to track your network's assets to ensure they are known, understood, and permitted.
Ensure secure asset configuration
Integrity Verification and Assurance is the process of continuous detection, interpretation, and management of change and deviations from and to a correct or expected state of operation. CimTrak eliminates the overwhelming change noise to pinpoint unwanted, unauthorized, and unexpected activity in real time to create and establish a trusted and resilient infrastructure to help mitigate identified CIS vulnerabilities. If a change introduces a vulnerability, CimTrak immediately raises an alert and provides guidance on how to remediate the risk.
Recover critical data
If data is compromised, e.g., by a ransomware attack, CimTrak can quickly restore critical files back to their baseline state.
See a full listing of the controls CimTrak is aligned with and how CimTrak can help your organization align its security strategy and processes with CIS Controls — Download the solution brief today.
