CIS 18 Critical Security Controls Version 8
- Aug 16, 2022
- Michelangelo Sidagni
The CIS Critical Security Controls, published by SANS and the Center for Internet Security (CIS) and formerly known as the SANS 20 Critical Security Controls, are prioritized mitigation steps that your organization can use to improve its cybersecurity. They consist of 18 controls that help you counter common threat pathways and remediate potential vulnerabilities. Organizations often use the CSCs as the basis for a comprehensive information security program.
The CIS Critical Security Controls can be seen as a roadmap for implementing a successful cybersecurity program. SANS is an organization dedicated to information security training and security certification, and the Critical Security Controls effort focuses on prioritizing security controls that have demonstrated real-world effectiveness. The controls advocate for the use of automated information security software. According to SANS, the CIS Controls mitigate 83% of all attack techniques found in the MITRE ATT&CK Framework.
Cyber attackers will typically scan address spaces waiting for new and unprotected IT assets to be added to the system. The first control encourages companies to use an inventory discovery tool to automatically log and track all devices that exist in the company’s IT infrastructure. Many organizations do not have a complete list of all assets that need protection.
SANS encourages companies to include both authorized and unauthorized software in their IT asset inventory database. Most cyber attacks are carried out using a combination of social engineering, phishing emails, and software vulnerabilities: Java, Adobe Flash and Acrobat, Firefox and Chrome plugins, and 0-day client-side / browser vulnerabilities. The vulnerability discovery tool should automatically include both types of software in the scanning process so that these assets are protected as well.
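The reconciliation step behind the first two controls, shown as an added example that is not code from the article or from CIS: a constructed discovery-scan output is parsed and compared against a constructed authorized-device list and software allowlist, so unknown devices, missing devices, renamed hosts and unauthorized software surface as drift. The line format of `SCAN_OUTPUT` is an assumption made for the example.

```python
"""Inventory reconciliation in the spirit of CIS Controls 1 and 2.
Added example with constructed data; not from the article or from CIS."""
from collections import namedtuple

Asset = namedtuple("Asset", "mac hostname software")

# Constructed authorized baseline (control 1): MAC -> expected hostname.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "laptop-alice",
    "aa:bb:cc:00:00:03": "printer-lobby",
}
# Constructed software allowlist (control 2).
AUTHORIZED_SOFTWARE = {"openssh", "samba", "chrome", "cups"}

# Constructed discovery-scan output (assumed format), one device per line:
#   <mac> <ip> <hostname> <comma-separated installed packages>
SCAN_OUTPUT = """\
aa:bb:cc:00:00:01 10.0.0.10 fs01 openssh,samba
aa:bb:cc:00:00:02 10.0.0.21 laptop-alice openssh,chrome,flash-player
de:ad:be:ef:00:09 10.0.0.77 unknown-host openssh
"""

def parse_scan(text):
    """Parse discovery output into Asset records; skip blank or malformed lines."""
    assets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        mac, _ip, hostname, pkgs = parts
        assets.append(Asset(mac.lower(), hostname, frozenset(pkgs.split(","))))
    return assets

def reconcile(discovered, authorized_devices, authorized_software):
    """Return the drift between what is authorized and what the scan actually found."""
    seen = {a.mac: a for a in discovered}
    return {
        # Devices on the network that nobody approved (control 1 gap).
        "unknown_devices": sorted(set(seen) - set(authorized_devices)),
        # Approved devices the scan no longer sees (stale inventory or offline).
        "missing_devices": sorted(set(authorized_devices) - set(seen)),
        # Known MAC answering under a different name: re-imaged, or worth a look.
        "hostname_mismatch": sorted(
            m for m, a in seen.items()
            if m in authorized_devices and authorized_devices[m] != a.hostname),
        # Installed software outside the allowlist (control 2 gap).
        "unauthorized_software": {
            m: sorted(a.software - authorized_software)
            for m, a in seen.items() if a.software - authorized_software},
    }

def scan_drift():
    """Run the reconciliation over the constructed scan output."""
    return reconcile(parse_scan(SCAN_OUTPUT), AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE)
```

In practice the baseline lives in the CMDB and the scan output comes from the discovery tool; each non-empty bucket is a ticket for the asset owner.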
Organizations should develop processes and technical controls that enable them to identify, classify, securely handle, retain, and dispose of data. With GDPR, CCPA, and other data protection regulations on the rise, companies must prepare to meet compliance requirements.
The fourth control focuses on ensuring companies set up and install the proper security configurations on all workstations, laptops, servers, and mobile devices. Individuals can use a configuration review scanner and authenticated scans to monitor the security of their operating systems automatically and make sure they aren’t affected by malware.
This control talks about the need to protect privileged user and administrative accounts. Automatic scanning tools will automatically identify potential access control vulnerabilities, including expired or weak passwords and outdated lockout policies.
This control deals with an organization’s ability to track and control the use of administrative privileges, user access, and service accounts. It also deals with controlling access to data from people with the appropriate need to know, based on their level in the organization. This can help organizations prevent sensitive information from falling into the wrong hands.
The seventh control focuses on the value of continuous vulnerability management and remediation. Many companies scan their assets for potential vulnerabilities only every three to six months, which may be the bare minimum for compliance purposes, but SANS urges companies to monitor their assets continuously. Hackers are waiting for potential vulnerabilities to pop up online, and companies simply can’t afford to wait weeks between audits. The latest vulnerability assessment and remediation software scans assets every few seconds for continuous monitoring and then alerts the IT department so they can remediate vulnerabilities by patching the system as soon as possible.
This control refers to audit logs for firewalls, network devices, servers, and hosts. They are usually the only way to determine whether the host has been compromised. The logs need to be aggregated, safeguarded, and correlated with other relevant security events.
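Why aggregation and correlation matter, as an added example that is not code from the article or from CIS: sshd log lines from three hosts (constructed here, in the message format OpenSSH actually emits) are parsed together, and a source address that fails repeatedly across several hosts and then gets an accepted login is flagged. No single host's log shows that pattern on its own; the year and the thresholds are assumptions for the example.

```python
"""Correlating aggregated auth logs across hosts in the spirit of CIS Control 8.
Added example; the log lines are constructed in the OpenSSH sshd message format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, already-aggregated syslog lines from three hosts (year assumed below).
LOG_LINES = """\
Aug 16 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Aug 16 10:00:03 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Aug 16 10:00:07 db01 sshd[877]: Failed password for root from 203.0.113.5 port 40003 ssh2
Aug 16 10:00:12 app01 sshd[2210]: Failed password for deploy from 203.0.113.5 port 40004 ssh2
Aug 16 10:00:20 app01 sshd[2211]: Accepted password for deploy from 203.0.113.5 port 40005 ssh2
Aug 16 10:05:00 web01 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 50000 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+")

def parse(lines, year=2022):
    """Yield (timestamp, host, result, user, src) for each line that matches."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; the caller supplies it (assumed 2022).
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["host"], m["result"], m["user"], m["src"]

def correlate(lines, min_failures=3, window=timedelta(minutes=10)):
    """Flag a source IP with >= min_failures failed logins (on any host) followed by
    an accepted login within `window`; the pattern a single host's log cannot show."""
    failures = defaultdict(list)  # src -> [(timestamp, host)]
    alerts = []
    for ts, host, result, user, src in parse(lines):
        if result == "Failed":
            failures[src].append((ts, host))
            continue
        recent = [(t, h) for t, h in failures[src] if ts - t <= window]
        if len(recent) >= min_failures:
            alerts.append({"src": src, "user": user, "host": host,
                           "failures": len(recent),
                           "hosts_tried": sorted({h for _, h in recent})})
    return alerts
```

The same loop works on a live aggregated feed; in a SIEM this is the rule, and the `hosts_tried` list is what turns a noisy per-host alert into a credible one.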
Social engineering attacks continue to rise in both frequency and sophistication. SANS encourages organizations to put processes and protections in place to prevent successful attacks via email and the web.
Malware remains a dangerous threat to organizations of all sizes. Cybersecurity training is crucial to supplement existing compensating controls, as well as regular vulnerability scans and consistent IT asset management procedures.
Control 11 refers to an organization’s ability to recover data in the event of a breach or attack. This often includes storing a secure backup outside of the company’s IT system.
This control speaks to the importance of securely implementing and actively managing network devices, as well as reporting on these practices. These network devices include gateways (physical and virtual), firewalls, wireless access points, switches, and even routers, which often lack the necessary cybersecurity protections.
While you may have protections and compensating controls in place, you cannot rely on your network defenses being perfect. Network monitoring and defense is a crucial part of a strong cybersecurity strategy, and creating a Vulnerability Management Program is essential to this control.
This refers to an organization’s ongoing security training program and security skill improvement. Employees need to regularly improve their skills to keep up with the latest trends in cybersecurity. With new threats emerging every day, ensuring your employees have the knowledge and awareness to recognize cybersecurity pitfalls is essential for business continuity.
Software-as-a-Service and other third-party platforms and tools make expanding and scaling your capabilities as an organization much easier. That said, this convenience also comes at a cost: the potential to open your environment up to more vulnerabilities. Organizations need to stay diligent about managing third-party access to their infrastructure in order to remain secure.
Web and mobile applications can often be the weakest link in the security chain. This control encourages companies to install web application firewalls to protect these applications while including them in the VRM scanning process.
This control focuses on how companies can prevent potential data breaches, improve their incident response times, and avoid permanent data loss.
The last control talks about the importance of penetration testing and how companies can hire ethical hackers to conduct simulated attacks on the system without disrupting operations. The organization can then patch the system before a real attack occurs.