Issued by the Center for Internet Security (CIS), the Critical Security Controls for Effective Cyber Defense present 20 effective actions an organization can take to reduce its risk, strengthen its security posture and lower operational costs. A security control is a safeguard or countermeasure that avoids, detects, counteracts or minimizes security risks to a company’s assets.
Although organizations have a variety of tools and best practices at their disposal when it comes to securing their infrastructure against intrusions, many are still at a loss about what to prioritize and where to focus. In this context, the 20 Critical Security Controls can give organizations a starting point. We’ve gathered them all below and included some guidance on each control. Note that the order in which the 20 CIS security controls are listed is not arbitrary – they are listed logically and follow a specific path from building the foundation, through gradually improving your security posture, to reducing your risk exposure.
Control #1 is one of the most basic protection mechanisms against cyberattacks, yet still represents a challenge for organizations. Basically, it recommends creating a list of all devices that are present and allowed on your network to identify what’s on the network, which device belongs to whom, and prevent unauthorized devices from entering the network. Ideally, organizations should not only maintain an accurate inventory of devices but also be able to discover unknown devices and track changes made to existing devices.
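As an added example (not from the original post or from CIS), the following Python script implements the three capabilities this control describes: it checks observed devices against an authorized inventory, flags unknown devices, and reports changes to known ones. The inventory, MAC addresses, hostnames and owners are constructed sample data.

```python
"""Added example for control #1: reconcile an authorized-device inventory
against the devices actually observed on the network (constructed data)."""
from dataclasses import dataclass

# Constructed authorized inventory, keyed by MAC address.
AUTHORIZED = {
    "00:11:22:33:44:01": {"owner": "alice", "hostname": "alice-laptop"},
    "00:11:22:33:44:02": {"owner": "bob", "hostname": "bob-desktop"},
    "00:11:22:33:44:03": {"owner": "it", "hostname": "printer-2f"},
}

# Constructed observations, as they might come from DHCP leases or a switch
# MAC table: (mac, hostname, ip).
OBSERVED = [
    ("00:11:22:33:44:01", "alice-laptop", "10.0.0.11"),
    ("00:11:22:33:44:02", "bob-desktop-new", "10.0.0.12"),   # renamed host
    ("AA:BB:CC:DD:EE:FF", "android-7f3c", "10.0.0.99"),      # not in inventory
]

@dataclass
class InventoryReport:
    unknown: list      # (mac, hostname, ip) seen on the network but not authorized
    changed: list      # (mac, old_hostname, new_hostname): inventory drift
    missing: list      # authorized MACs not observed in this cycle

def reconcile(authorized, observed):
    """Compare observed devices against the authorized inventory."""
    seen = set()
    unknown, changed = [], []
    for mac, hostname, ip in observed:
        mac = mac.lower()                      # normalize before lookup
        seen.add(mac)
        entry = authorized.get(mac)
        if entry is None:
            unknown.append((mac, hostname, ip))
        elif entry["hostname"] != hostname:
            changed.append((mac, entry["hostname"], hostname))
    missing = sorted(set(authorized) - seen)
    return InventoryReport(unknown, changed, missing)

if __name__ == "__main__":
    report = reconcile(AUTHORIZED, OBSERVED)
    for mac, host, ip in report.unknown:
        print(f"UNAUTHORIZED {mac} ({host}) at {ip}: block and investigate")
    for mac, old, new in report.changed:
        print(f"CHANGED {mac}: hostname {old} -> {new}: confirm and update inventory")
    for mac in report.missing:
        print(f"NOT SEEN {mac} ({AUTHORIZED[mac]['hostname']}): verify it still exists")
```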
Similar to control #1 explained above, control #2 emphasizes the need for developing and maintaining a comprehensive inventory of what’s on an organization’s network – software in this case. Any organization should know what software has been installed on their systems, who installed it in the first place and what its functionalities are. By maintaining an accurate inventory of authorized software (whitelisting) and unauthorized software (blacklisting), organizations can acquire the necessary knowledge about their internal environment to respond to potential security incidents better and faster.
After developing and maintaining an accurate inventory of authorized and unauthorized devices and software (see controls #1 and #2), it’s time to secure your network and minimize your attack surface with control #3. By configuring hardware and software properly, organizations can strengthen their security posture and avoid their applications and operating systems from being exploited. Examples of insecure configurations include default passwords and accounts, out-of-date or vulnerable protocols, open ports, irrelevant software etc.
95% of all damaging cyberattacks are the result of exploiting well-known vulnerabilities. Control #4 addresses this risk and encourages organizations to perform regular vulnerability scans in their environments.
A vulnerability assessment will not only identify an organization’s key information assets but also highlight the vulnerabilities that threaten their security and provide actionable recommendations for remediation – an activity that is crucial to evaluating your security posture and monitoring the health of your environment. In addition to demonstrating due diligence and a proactive approach to risk management, organizations leverage vulnerability assessments to meet their compliance requirements, such as PCI DSS, and take action towards a comprehensive vulnerability management program.
Control #5 is about reducing administrative privileges to reasonable levels. This means that admin privilege is heavily restricted and only granted to employees who require this level of access to perform their tasks effectively. By restricting admin level privilege to only a limited number of employees, organizations can reduce the likelihood of being affected by some of the most common cyberattacks relying on human error, for example tricking a user with admin privilege into opening a malicious file or cracking the password of an admin-level user to access a target machine.
Control #6 is all about collecting and analyzing evidence that can provide relevant information about your environment in case of a security incident. An organization that neither monitors nor analyzes its security audit logs will probably have a hard time detecting, understanding or recovering from an attack. While many organizations keep their audit logs to meet corporate compliance requirements, only a few have the necessary time or in-house expertise to examine these logs thoroughly for potential intrusions or breaches. A Managed Security Service Provider can help organizations monitor their logs on a 24/7 basis, correlate them and identify potential security incidents.
A large number of cyberattacks are executed through web browsers and email clients – two mediums that are often directly interlinked with the targeted users, systems or applications. Control #7 recommends protecting web browsers and email systems to minimize the attack surface and the opportunities for hackers to manipulate human behavior. By allowing only fully supported, updated and approved email clients and web browsers, organizations can prevent employees from becoming victims of malicious code, data loss and other types of attacks.
Malicious software, or malware, is one of the most dangerous aspects of cyberattacks and is designed to purposefully attack systems, data or devices. Control #8 is about defending today’s increasingly complex environments against malware that can enter through a variety of points such as email attachments, web pages, removable media, end-user devices, cloud services etc. Anti-malware solutions are able to monitor and detect malicious software such as ransomware and enable effective defenses with anti-virus, anti-spyware, firewall or intrusion detection capabilities.
Today’s sophisticated attackers are constantly looking out for exploitable network services to penetrate their target environment. Control #9 recommends the proper configuration and control of network ports and the services behind them, such as mail servers, web servers or domain name system (DNS) servers, in order to decrease the number of vulnerabilities that attackers can exploit. By limiting the installation of default network services on employee systems, organizations can prevent attackers from attempting intrusions with default user names or passwords.
Especially in the wake of increasingly damaging ransomware attacks, organizations are struggling to recover the critical data assets needed to continue their usual operations. Control #10 recommends having data recovery capabilities in place to facilitate restoring data that may have been compromised, altered or deleted. By performing regular backups of critical information and including relevant systems in the backup procedure, organizations can recover from security incidents more quickly and meet corporate compliance requirements.
Too many organizations keep the default configurations of network infrastructure devices as delivered by resellers and manufacturers, which tend to be in place for ease-of-use and not for security purposes. Control #11 recommends implementing secure configurations for all network devices, including proper configuration management and change control processes, in order to minimize the number of vulnerabilities that attackers may be able to exploit. Especially open ports and services, default user names and passwords or irrelevant but preinstalled software may have a negative impact on an organization’s security posture.
Control #12 addresses the danger of systems that can be exploited via the Internet, such as DMZ systems, workstations and laptop computers. To prevent attackers from gaining access to the internal environment, organizations are best advised to implement boundary defense mechanisms such as traffic flow control, firewalls, proxies, DMZ perimeter networks as well as intrusion detection and prevention (IDS/IPS) solutions. One of the most effective methods of boundary defense is a 24/7 monitoring solution with log monitoring, intrusion detection and incident response capabilities.
For most organizations, data has become the most critical asset and at the same time the most easily exploitable target for hackers. Especially in today’s cloud environments, data protection in the cloud has become a priority. Control #13 emphasizes the need for proper data protection techniques and recommends a variety of methods to ensure that corporate data is protected at all times, in line with today’s strict compliance frameworks and regulations such as NIST or HIPAA. By adopting a combination of data encryption, data loss prevention (DLP) and integrity protection strategies, organizations can limit the risk of data compromise and exfiltration.
Unfortunately, many organizations are still not careful enough when it comes to restricting access levels to their most critical and sensitive data. In too many cases, employees can easily access even the most sensitive information, such as financial, operational or human resources-related data. Control #14 enforces controlled access on a need-to-know basis: employees get access to the information they require to perform their job, and not to what is unnecessary for it. By implementing network segmentation, encrypted communications and other types of access control, organizations can prevent attackers from easily accessing sensitive assets, performing malicious activities and disrupting operations.
One of the easiest ways for an attacker to exploit an environment is to gain access to an organization’s wireless network through a back door, e.g. from the parking lot, the building staircase or the reception area. Control #15 addresses wireless access control as an effective means to protect organizations from intrusion, data theft and malware infiltration. By implementing authorized configurations and security profiles for wireless devices, denied access for unauthorized devices and targeted network vulnerability scanning to detect authorized and unauthorized wireless access points, organizations can greatly enhance their wireless security posture.
Now more than ever, organizations are struggling to keep up with the increasing employee turnover rate and forget to deactivate the user accounts of former employees – a dangerous oversight that is often exploited by attackers who use formerly legitimate accounts for their own benefit. Control #16 prescribes account monitoring and control as an effective strategy to decrease the number of opportunities for hackers to leverage inactive system or application accounts. By constantly monitoring accounts, irrelevant or inactive accounts can be removed, and malicious intruders or former employees have fewer chances of accessing critical corporate data.
According to a Harvard Business Review publication, “the biggest cybersecurity threats are inside your company”. Control #17 advocates for regular security skills assessments and security awareness training to educate employees about the potentially negative impact that their actions on the corporate network may have. Regardless of whether the root cause is an honest mistake, carelessness or malicious intent, organizations need to ensure that all their employees are trained to acquire and apply the necessary knowledge and skills to help defend their employer from sophisticated phishing attacks, intrusions and data theft. If gaps are identified amongst the workforce, a comprehensive security policy and thorough security awareness training are recommended.
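As an added example (not from the original post or from CIS), the following Python script performs the account review this control calls for: it reconciles an account export against the HR roster of current staff, flags enabled accounts of former employees, flags service accounts whose responsible owner has left, and flags dormant accounts. The roster, account names, login dates and the 90-day threshold are constructed assumptions.

```python
"""Added example for control #16: flag user and service accounts that need
review or deactivation, using a constructed account export and HR roster."""
from datetime import date, timedelta

INACTIVITY_LIMIT = timedelta(days=90)     # assumed policy threshold

# Constructed HR roster of current employees.
CURRENT_STAFF = {"alice", "bob", "carol"}
# Constructed map of service accounts to the employee responsible for them.
SERVICE_OWNERS = {"svc-backup": "dave", "svc-monitor": "carol"}

# Constructed account export: (username, last login as ISO date or None, enabled)
ACCOUNTS = [
    ("alice", "2024-05-30", True),
    ("bob", "2024-01-10", True),        # enabled but not used for months
    ("dave", "2024-05-28", True),       # no longer on the roster, still enabled
    ("svc-backup", None, True),         # service account whose owner has left
    ("svc-monitor", None, True),        # service account with a current owner
    ("erin", "2023-11-02", False),      # already disabled
]

def review_accounts(accounts, staff, service_owners, today_iso, limit=INACTIVITY_LIMIT):
    """Return the enabled accounts that should be disabled or reviewed, by reason."""
    today = date.fromisoformat(today_iso)
    findings = {"former_employee": [], "orphaned_service": [], "dormant": []}
    for user, last_login, enabled in accounts:
        if not enabled:
            continue                                  # already deactivated
        if user in service_owners:
            if service_owners[user] not in staff:     # owner left: reassign or remove
                findings["orphaned_service"].append(user)
            continue                                  # service accounts rarely log in
        if user not in staff:                         # former employee: disable now
            findings["former_employee"].append(user)
        elif last_login is None or today - date.fromisoformat(last_login) > limit:
            findings["dormant"].append(user)          # unused: confirm need, else disable
    return findings

if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, CURRENT_STAFF, SERVICE_OWNERS, "2024-06-01")
    for reason, users in results.items():
        for user in users:
            print(f"{reason}: {user}")
```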
Hackers tend to leverage the most easily exploitable targets to execute their attack, and this often includes in-house or acquired application software. Control #18 was developed to prevent, detect and correct security weaknesses in applications, such as coding mistakes, logic errors, outdated software versions, etc. By securing their applications with software updates, patch management and firewall deployments, organizations can prevent application vulnerabilities from being exploited by attackers.
Control #19 addresses the growing need for properly executed response and management mechanisms when security incidents occur. With cyberattacks on the rise, organizations need to have defined processes and procedures in place to detect incidents, respond accurately and mitigate the incidents to prevent considerable damage to their data, financial standing or reputation. Ideally, organizations should have a dedicated team in place to monitor logs on a 24/7 basis or outsource their incident response management to a trusted security provider.
Last but not least, control #20 covers penetration testing, which has become an essential part of modern security practice. By simulating an attack, penetration testers can expose weaknesses in an organization’s core attack vectors, such as operating systems, network devices or application software. The result of a thoroughly executed penetration test is deeper insight into the business risks of various vulnerabilities. By regularly performing internal and external penetration tests, organizations can evaluate their preparedness for potential attacks, meet compliance requirements and fix vulnerabilities before attackers can exploit them.