Effective cybersecurity programs many times utilize a layered approach. Spending a vast sum on advanced protection systems can be pointless if the time is not taken to secure against basic threats.

This is the philosophy espoused by CIS Controls, a set of 20 security best practices developed to help organizations protect against the most common real-world cyber attacks.  In this article, we’ll cover the second tier of the CIS Controls — CIS Foundational Controls — including why each of the controls is important, and how organizations can implement them. You can review the Basic Controls from our previous post.

What are the CIS Foundational Controls?

The CIS Controls are broken down into three tiers:

  • Six Basic Controls
  • Ten Foundational Controls
  • Four Organizational Controls

Once the four Basic Controls are implemented, you’ve met the minimum standards needed for cyber defense. By doing just this, your organization can reduce cyber risk by as much as 85%

However, the remaining 15% of threats still pose a huge risk. As the second and largest tier of the CIS Controls, the Foundational Controls build on the Basic Controls, helping organizations protect against slightly more sophisticated — but still very common — cyber attacks.

Overview of the 10 CIS Foundational Controls

CIS foundational controls

Image Source: cisecurity.org


CIS Control 7. Email and Web Browser Protections

“Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.”


One of the most common ways threat actors gain access to target networks is through web browsers and email clients. There are two reasons for this:

  1. These assets are complex and can become insecure if not kept rigorously up to date.

  2. They are directly operated by end users, many of whom are non-technical.

While technical exploits of these assets are common, they aren’t the only threat. Web browsers and email clients can be used to serve unsuspecting users with social engineering attacks. These attacks aim to deceive users into taking actions that will compromise the safety of their accounts and their organization’s network.


There are a number of technical controls that can minimize the risk posed by these attacks. Most commonly, organizations ‘lock down’ user permissions to ensure only authorized applications can be executed, and third-party plugins can’t be installed. Beyond this, filters and controls (e.g., DMARC) are typically implemented to block potentially harmful web and email content before it reaches the end user.

CIS Control 8. Malware Defenses

“Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.”


Malicious software (malware) is a common component of cyber attacks and a huge threat. Malware packages vary tremendously in form and function and can threaten any part of an organization’s digital infrastructure. Even when malware isn’t used during the initial compromise of a network, it’s often used to perform follow-up tasks like moving through the network or exfiltrating data.


Most organizations use a combination of barrier and detection technologies to identify and block malware as it attempts to enter the network. The malware landscape evolves so quickly, so it’s crucial that these are kept fully up to date with the latest patches and threat intelligence.

CIS Control 9. Limitation and Controls of Network Ports, Protocols, and Services

“Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers”


Poorly configured servers and services like web servers, file servers, and print services are easy entry points for threat actors. Most software packages enable new services by default during installation, and many don’t inform the administrator. These services are easy to find using freely available scanners, and many contain easily exploitable weaknesses like default usernames and passwords.


Digital assets can have thousands of configuration options, making them extremely difficult to manage manually. Instead, most organizations use automated scanning solutions to keep track of active ports, services, and protocols to ensure that only those with legitimate business needs are enabled.

CIS Control 10. Data Recovery Capabilities

“The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.”


Successful attacks against digital assets often result in substantial changes to the configuration, software, and data. This can be obvious, as in the case of ransomware, or it can be more subtle. Some attackers make minor changes that allow them to retain a presence inside a target network.

Affected organizations must have an effective data recovery capability that enables them to remove all traces of the attack and move forward with trusted, undamaged data.


While most organizations automatically create and store backups, many don’t have strong processes to test and recover from them. It’s not uncommon for organizations to discover at the worst possible moment that their backups are not fit for purpose.

This CIS Foundation Control is about developing an iron-clad process for creating, maintaining, protecting, testing, and restoring backups. Automated solutions are typically used, but there must be a human element to ensure backups will meet the organization’s needs in the event of a breach.

CIS Control 11. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches

“Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.”


By default, hardware assets come configured for ease of installation and use — not security. Typically, all services are enabled, discretionary applications are installed, and all ports are open. Assets left in this state are easily findable by a threat actor using free scanners and can be compromised almost at will using basic exploits.


Since hardware can have thousands of configuration options, manually setting and maintaining secure configurations for all assets is impossible. To solve this problem, the CIS Foundational Controls documentation recommends that organizations: “Use automated tools to verify standard device configurations and detect changes.”

To identify the best practice secure configuration for assets, organizations can refer to the CIS Benchmarks.

CIS Control 12. Boundary Defense

“Detect/prevent/correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.”


Often, digital assets that sit at the perimeter of an organization’s network are not secured to the same degree as those closer to the center. For instance, an organization may have a guest WiFi network that offers substantially lower privileges than a recognized user would have. These perimeter systems, while non-critical themselves, are often used by sophisticated threat actors as an entry point into a target network.


A variety of technical controls can (and should) be used to prevent malicious traffic or content from flowing ‘up the chain’ to an organization’s main network or assets.


A multi-layered approach is always best, including controls such as firewalls, proxies, network-based Intruder Detection and Protection Systems (IDS/IPS), and filtering of inbound and outbound traffic.

CIS Control 13. Data Protection

“The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.”


Data is among an organization’s most valuable and sensitive assets, and a large proportion of cyber attacks are motivated by data theft. Having sensitive data stolen — known as a data breach — is one of the worst outcomes of a cyber attack, and can result in huge regulatory fines and loss of reputation. If internal or proprietary data is stolen or damaged, these attacks can also have a significant impact on an organization’s ability to operate effectively.


Most organizations have data stored in many locations, so the first step is protecting data is to maintain an up-to-date inventory of all sensitive information that is stored, processed, or transmitted. Beyond this, strict policies must be in place to control the movement of data via mobile devices, laptops, USB drives, and other transportable data storage devices. Encryption is critical to keep data secure in transit.

CIS Control 14. Controlled Access Based on the Need to Know

“The processes and tools used to track/control/prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.”


While encryption helps to ensure that stolen data can’t be used by threat actors, there should still be measures in place to prevent the loss or theft of data. Many cyber attacks aim to steal data in some form, but there are also two other major threats:

  1. Loss or theft of hardware devices containing sensitive data.

  2. Loss of data caused by poor data practices and/or user error.

Loss or theft of sensitive data can be harmful to an organization, as well as its partners and customers. This CIS Foundational Control advises organizations to implement rigorous processes and policies to ensure sensitive data is only accessible by individuals who have a recognized business need.


This Control requires a mixture of technical controls and operational policies to enact successfully. Common technical controls include network segmentation and disabling workstation-to-workstation communication to help minimize the risk of data being transmitted between user accounts of different access levels.

The Controls documentation also advises the use of a File Integrity Monitoring solution to identify sensitive data and monitor attempts to access or change files.

CIS Control 15. Wireless Access Control

“The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (WLANs), access points, and wireless client systems.”


Wireless networks are an attractive target for threat actors because they can be readily accessed without needing a direct physical connection to a target network. There have been many cases where threat actors have successfully stolen data after gaining wireless access to a target network from outside a building.

Similarly, many mobile devices are infected with malware while connected to public WiFi networks such as those at airports and cafes. These devices can subsequently be used by threat actors as a ‘backdoor’ once they are reconnected to an organization’s network.


The first step in protecting against these attacks is to have automated tools in place to detect and monitor all authorized wireless access points connected to an organization’s wired network. Where unauthorized wireless access points are detected, an alert should be raised and immediate action is taken to remove them.

Beyond this, a variety of technical controls can be used to limit access to trusted devices, and prevent devices that hold sensitive data from connecting to unsecured wireless networks. Many of these controls concern the correct configuration of hardware assets. Organizations should once against consult the CIS Benchmarks, which are the industry standard for secure configuration.

CIS Control 16. Account Monitoring and Control

“Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.”


Inactive user accounts are a needless risk to an organization’s security. Threat actors often aim to compromise these accounts, enabling them to conduct their activities while posing as legitimate users. This type of attack is hard to detect as activities often appear legitimate, and can be hugely damaging.


Simply, organizations must have control over the full life cycle of user accounts. There must be a process in place to immediately close accounts that are no longer needed (e.g., when a user leaves the organization) and all accounts should have an expiration date that is monitored and enforced.

Basic controls should be in place to prevent account takeovers. These include encrypting stored user credentials, locking workstations after a set period of inactivity, and — at the higher end — setting up alerts for unusual user behavior.

Implement CIS Foundational Controls with CimTrak

CimTrak is an IT integrity, security, and compliance toolset that helps any organization implement and maintain the CIS Foundational Controls.

CimTrak continuously monitors your environment and detects changes to assets, files, and accounts. When specified changes occur, CimTrak raises an alert and a report, making it easy to identify security issues in hardware and software assets.

Using CimTrak your organization can:

  • Control and inventory network ports, protocols, and services, while monitoring the output of any command or script. (CIS Control 9)

  • Ensure the secure configuration of network devices (e.g., firewalls, routers, and switches) and roll back to trusted configurations if needed. (CIS Control 11)

  • Maintain an inventory of all network devices. (CIS Control 12)

  • Maintain an inventory of sensitive information and shutdown systems experiencing unauthorized changes or integrity-related anomalies.  (CIS Control 13)

  • Provide detailed auditing for access/changes to sensitive data. (CIS Control 14)

  • Identify if new nodes were added to a network. (CIS Control 15)

  • Monitor attempts to access and change user accounts in real-time through hashing algorithms and audit logging capabilities. (CIS Control 16)

To see how CimTrak can help your organization align its security strategy and processes with CIS Controls, schedule a demo today.



Jacqueline von Ogden
Post by Jacqueline von Ogden
July 15, 2020
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".

About Cimcor

Cimcor’s File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real-time