CIS 18 Critical Security Controls Version 8

The CIS Security Controls, published by SANS and the Center for Internet Security (SIS) and formerly known as the SANS 20 Critical Security Controls, are prioritized mitigation steps that your organization can use to improve cybersecurity. They include a set of 18 controls that will help you counter common threat pathways and remediate potential vulnerabilities. The CSCs are often used by organizations to develop a comprehensive security information program. 

The CIS Critical Security Controls can be seen as a roadmap for implementing a successful cybersecurity program. SANS is an organization dedicated to information security training and security certification, and the Critical Security Controls effort focuses on prioritizing security controls that have demonstrated real-world effectiveness. The controls advocate for the use of automated information security software. According to SANS, the CIS Controls mitigate 83% of all attack techniques found in the MITRE ATT&CK Framework. 

The New, Consolidated 18 CIS Critical Security Controls

Critical Security Control 1: Inventory and Control of Enterprise Assets

Cyber attackers will typically scan address spaces waiting for new and unprotected IT assets to be added to the system. The first control encourages companies to use an inventory discovery tool to automatically log and track all devices that exist in the company’s IT infrastructure. Many organizations do not have a complete list of all assets that need protection.

Critical Security Control 2: Inventory and Control of Software Assets

SANS encourages companies to include authorized and unauthorized software in their IT asset inventory database. Most cyber attacks are carried out using a combination of social engineering, phishing emails, and vulnerabilities — Java, Adobe Flash and Acrobat, Firefox and Chrome plugins, 0-day client-side / browser vulnerabilities. The vulnerability discovery tool should automatically include both types of software into the scanning process to ensure that these assets are protected as well. 

Critical Security Control 3: Data Protection

Organizations should develop processes and technical controls that enable them to identify, classify, securely handle, retain, and dispose of data. With GDPR, CCPA, and other data protection regulations on the rise, companies must prepare  to meet compliance requirements. 

Critical Security Control 4: Secure Configuration of Enterprise Assets

This  focuses on ensuring companies set up and install the proper security configurations on all workstations, laptops, servers, and mobile devices. Individuals can use a configuration review scanner and authenticated scans to monitor the security of their operating systems automatically and make sure they aren’t affected by malware.

Critical Security Control 5: Account Management

This control talks about the need to protect privileged user and administrative accounts. Automatic scanning tools will automatically identify potential access control vulnerabilities, including expired or weak passwords and outdated lockout policies. 

Critical Security Control 6: Access Control Management

This control deals with an organization’s ability to track and control the use of administrative privileges, user access, and service accounts. It also deals with controlling access to data from people with the appropriate need to know, based on their level in the organization. This can help organizations prevent sensitive information from falling into the wrong hands.

Critical Security Control 7: Continuous Vulnerability Management

The seventh control focuses on the value of continuous vulnerability management and remediation. Many companies will only scan their assets for potential vulnerabilities every three to six months, which may be the bare minimum for compliance purposes. Still, SANS urges companies to monitor their assets continuously. Hackers are waiting for potential vulnerabilities to pop up online. Companies simply can’t afford to wait every few weeks to perform an audit. The latest vulnerability assessment and remediation software will scan assets every few seconds for continuous monitoring. The system will then alert the IT department, so they can remediate vulnerabilities by patching the system as soon as possible.

Critical Security Control 8: Audit Log Management

This control refers to audit logs for firewalls, network devices, servers, and hosts. They are usually the only way to determine whether the host has been compromised. The logs need to be aggregated, safeguarded, and correlated with other relevant security events.

Critical Security Control 9: Email and Web Browser Protections

Social engineering attacks continue to rise in both frequency and sophistication. SANs encourages organizations to put processes and protections in place to prevent successful attacks via email and web. 

Critical Security Control 10: Malware Defenses

Malware remains a dangerous threat to organizations of all sizes. Cybersecurity training is crucial to supplement existing compensating controls, as well as regular vulnerability scans and consistent IT asset management procedures. 

Critical Security Control 11: Data Recovery

Control 11 refers to an organization’s ability to recover data in the event of a breach or attack. This often includes storing a secure backup outside of the company’s IT system.

Critical Security Control 12: Network Infrastructure Management

This control speaks to the importance of securely implementing and actively managing network devices, as well as reporting on these practices. These network devices include gateways (physical and virtual), firewalls, wireless access points, switches, and even routers, which often lack the necessary cybersecurity protections. 

Critical Security Control 13: Network Monitoring and Defense

While you have protections and compensating control in place, you cannot rely on your network defenses to be perfect. Network monitoring and defense is a crucial part of a strong cybersecurity strategy. Creating a Vulnerability Management Program is essential to this control. 

Critical Security Control 14: Security Awareness and Skills Training

This refers to an organization’s ongoing security training program and security skill improvement. Employees need to regularly improve their skills to keep up with the latest trends in cybersecurity. With new threats emerging every day, ensuring your employees have the knowledge and awareness to recognize cybersecurity pitfalls is essential for business continuity. 

Critical Security Control 15: Service Provider Management

Software-as-a-Service and other third party platforms and tools make expanding and scaling your capabilities as an organization much easier. That being said, the convenience of this also comes at a cost — the potential to open your environment up to more vulnerabilities. Organizations need to stay diligent about managing third party access to their infrastructure in order to remain secure.

Critical Security Control 16: Application Software Security

Web and mobile applications can often be the weakest link in the security chain. This control encourages companies to install web application firewalls to protect these applications while including them in the VRM scanning process.

Critical Security Control 17: Incident Response Management

This control  focuses on how companies can prevent potential data breaches, improve their incident response times, and avoid permanent data loss. 

Critical Security Control 18: Penetration Testing

The last control talks about the importance of penetration testing and how companies can hire ethical hackers to conduct simulated attacks on the system without disrupting operations. The organization can then patch the system before a real attack occurs.

See How Other Organizations Approach Vulnerability Management

We recently surveyed 400+ cybersecurity experts to see how they’re approaching Vulnerability Management and identify key trends in 2022. Read the free 2022 State of Vulnerability Management Report here.