In our previous blog post, “Vulnerability Management is Critical to Good Cyber Hygiene,” we suggested that Vulnerability Management best practices are critical to good Cyber Hygiene and form Pillar 1 in improving an organization’s overall Cyber Hygiene. In part 3 of our 4-part blog series we focus on measuring and improving an organization’s security posture and dig into the first 6 controls of the CIS 20, the simplest and easiest security posture framework to implement. In our opinion, measuring and implementing a cyber security posture framework is Pillar 2 in improving an organization’s overall Cyber Hygiene.
First, an information security posture assessment using one of the industry-accepted control frameworks, such as NIST, ISO 27001, or CIS 20, provides an organization with a strategic view of its overall security health and resilience. The assessment provides a baseline against which to evaluate the effectiveness of current security processes and allows IT security teams to set objectives and priorities. Ultimately, the further an organization moves up the CIS 20 maturity curve, the more likely it is to be protected from cyber criminals, both outside attackers and insider threats.
Security assessments are diverse in how they are conducted, in what is assessed, and in how the results are used to improve security processes and resilience. Using established control frameworks such as NIST, ISO 27002 and CIS 20 has become a best practice for measuring the confidentiality, integrity, and availability of an organization’s assets across critical domains.
Baselining your security program is the critical first step in understanding where you are, where you want to be and how to get there from a security health or posture perspective. The gap assessment is what lets you improve your processes and controls efficiently.
As we touched on in the opening paragraph, ‘CIS 20’ is the name given to “The Center for Internet Security Critical Security Controls for Effective Cyber Defense.” It provides a set of controls or standards that has become a ‘best practice’ guide for information security controls.
CIS 20 is not law, and it is not usually a compliance requirement. In this sense, it is unlike the Payment Card Industry Data Security Standard (PCI DSS), which is a compulsory information security standard for branded credit cards, HIPAA for health care organizations, or Sarbanes-Oxley (SOX) for financial institutions.
The CIS Controls align with top compliance frameworks such as NIST, PCI, ISO, HIPAA, COBIT and others. The CIS Controls have been downloaded more than 65,000 times across the globe, and the majority of CIS Controls adopters use more than one framework to improve their security.
CIS 20 also stands in contrast to ISO/IEC 27001 Information Security Management, which likewise provides a set of controls for developing an information security strategy. However, ISO 27001 is a more complex standard (114 controls rather than 20), is part of a larger security framework, and relies on each organization carrying out its own risk assessments. Because ISO is so complex, we chose CIS 20, which is a bit more user friendly for organizations implementing their first cyber security posture framework.
CIS 20 is divided into three prioritization categories: basic, foundational, and organizational. In this article we look only at the ‘basic’ controls, the first six controls that every organization should have in place for its remote workforce. Multiple studies, including one conducted by CIS itself, have shown that implementing only the first five basic controls is enough to protect organizations against 85% of all cyber-attacks. Implementing all 20 CIS controls reduces cybersecurity risk by 94 percent.
The six basic controls are a ‘bare minimum’ for protecting your organization from cybersecurity risks. But implementing CIS 20 doesn’t just make good business sense; an additional advantage is that it goes a long way towards satisfying the legal requirements of Europe’s General Data Protection Regulation (GDPR), the United States’ California Consumer Privacy Act (CCPA) and other data protection laws, which require that robust processes be in place to protect customers’ personal data.
Below we examine each of the six basic CIS 20 controls in sequence and describe how they can be used to enhance the cybersecurity of your organization.
Covid and the “work at home” movement have increased the focus on CIS Control #1 substantially. According to Pew Research, most workers who say their job responsibilities can mainly be done from home say that, before the pandemic, they rarely or never teleworked; only 20% say they worked from home all or most of the time. Now, 71% of those workers are doing their job from home all or most of the time.
Even in the normal working environment, it is common for staff to use unauthorized devices, such as their personal smart phones and devices, to access workplace systems. Now, with workers primarily based in their own homes, this practice has increased dramatically.
This control means that you need to keep track of all devices, whether or not they have been authorized to access the organization’s assets. To comply with it, organizations should implement an automated inventory tool that keeps track of every device connected to organization networks.
Pay particular attention to any new equipment issued to staff (such as laptops issued ahead of the lockdown): every equipment acquisition should result in an automatic update to the inventory.
Inventory listings should include:
We all have our favorite apps for things like email, messaging, and note-taking; however, employees should not simply use whichever software they prefer while handling employer work. With so many employees working from their own homes, there may not be the same level of natural oversight to ensure that employees use only organization-sanctioned software.
The use of non-sanctioned software presents a significant security risk, because its vulnerabilities and other flaws become security gaps for the organization. In addition, the organization has a legal responsibility to protect customer personal data, which means ensuring that any software it uses protects that information.
As a control, the organization should maintain an authorized set of software and versions that are permitted in the organization. This software should be continuously monitored to ensure that it has not been modified. Organizations might also consider ‘whitelisting’ technology, which ensures that only authorized software can run, or the use of virtual machines for higher-risk business operations.
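The two inventory checks described for Controls #1 and #2 above, as an added example that is not code from the original post: discovered devices are reconciled against the authorized device list, and installed software against the permitted packages and minimum versions. All device, host and package data is constructed sample input, and the dictionary layouts are assumptions.

```python
# Control 1: authorized devices keyed by MAC address (constructed sample data).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "laptop-alice",
    "00:11:22:33:44:02": "laptop-bob",
    "00:11:22:33:44:03": "printer-floor2",
}
# Control 2: permitted software with the minimum acceptable version (constructed).
AUTHORIZED_SOFTWARE = {"openssl": (3, 0, 0), "chrome": (120, 0, 0), "vscode": (1, 85, 0)}

# What the automated inventory scan found (constructed; in practice this would come
# from DHCP leases, switch tables or an endpoint agent).
DISCOVERED_DEVICES = {
    "00:11:22:33:44:01": "laptop-alice",
    "00:11:22:33:44:03": "printer-floor2",
    "aa:bb:cc:dd:ee:ff": "unknown-phone",  # personal device, never authorized
}
INSTALLED_SOFTWARE = {
    "laptop-alice": {"openssl": "3.0.2", "chrome": "119.0.1", "torrent-client": "1.2"},
    "printer-floor2": {},
}

def parse_version(version):
    """Turn '119.0.1' into (119, 0, 1) so versions compare numerically, not as text."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())

def reconcile_devices(authorized, discovered):
    """Return (unauthorized, missing): MACs seen but never approved, and approved
    devices that did not show up (possibly lost, stolen or simply offline)."""
    unauthorized = sorted(set(discovered) - set(authorized))
    missing = sorted(set(authorized) - set(discovered))
    return unauthorized, missing

def reconcile_software(authorized, installed):
    """Return (host, package, reason) for software that is unapproved or outdated."""
    findings = []
    for host, packages in installed.items():
        for name, version in packages.items():
            if name not in authorized:
                findings.append((host, name, "not on authorized list"))
            elif parse_version(version) < authorized[name]:
                findings.append((host, name, f"version {version} below minimum"))
    return findings

if __name__ == "__main__":
    unauthorized, missing = reconcile_devices(AUTHORIZED_DEVICES, DISCOVERED_DEVICES)
    print("Unauthorized devices:", unauthorized)      # ['aa:bb:cc:dd:ee:ff']
    print("Authorized but not seen:", missing)        # ['00:11:22:33:44:02']
    for host, package, reason in reconcile_software(AUTHORIZED_SOFTWARE, INSTALLED_SOFTWARE):
        print(f"{host}: {package}: {reason}")
```

Both "unauthorized" and "missing" lists deserve a ticket: the first is the personal device the text warns about, the second is an issued laptop that never checked in.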
Our Pillar #1 in creating good Cyber Hygiene happens to be CIS Control #3, which is significant; however, because we dedicated an entire blog post to vulnerability management (VM), we’ll keep it brief here. In tandem with CIS Control #2, Control #3 deals with managing and fixing the vulnerabilities that inevitably expose organizations to attacks. The continued increase in cyber-attacks such as malware, ransomware and phishing is driven by the growing amount of software in use and the corresponding number of vulnerabilities that are discovered.
Thus, there must be a comprehensive program in place for identifying and managing vulnerabilities before attackers exploit them: ‘vulnerability management’ needs to be a continuous project.
As well as having a vulnerability scanning tool in place to identify these vulnerabilities, you also need to make sure automated security updates are in place so that software is continuously patched against new threats.
Administrative privileges are the set of abilities certain users are given to make major changes to a system, or even simply to access systems. In the COVID-19 working environment there may be a temptation to hand out administrative privileges rather liberally: administrators are stretched trying to get dozens, if not hundreds, of workers set up and productive in their new work environment, and security has become a lower priority.
However, administrative privileges constitute a major potential vulnerability for an organization, so they need to be carefully managed. If a cybercriminal manages to get a privileged user to download malware, the power of administrative accounts means the attacker inherits those privileges and can do untold damage.
To guard against this threat, organizations must keep a tight rein on administrative accounts, providing access to staff only when necessary. Staff should be reminded that those with administrative privileges should only log into their administrator account as and when required. They should not be logged in while working on other activities.
The ‘factory pre-set’ for operating systems and applications is usually optimized for ease of use rather than security. The organization needs to ensure that default configurations are replaced by secure configurations appropriate to the risks it faces. Basic configurations such as open ports might be exploitable under default settings.
Furthermore, once secure configurations are in place, they must be continuously updated to account for the continuous stream of security threats that an organization faces.
As part of secure configuration, a monitoring system should be in place. It checks the configuration settings, keeps track of any approved exceptions, and alerts when unauthorized changes occur.
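The configuration monitor described for Control #5 above, as an added example that is not code from the original post: each host’s scanned settings are compared with a secure baseline, documented exceptions suppress the alert only while they are still valid, and an absent setting is reported separately from a changed one. The setting names, the scan results and the exception list are all constructed, and the dictionary layouts are assumptions.

```python
from datetime import date
# Secure baseline: setting -> required value (constructed, sshd/firewall-style names).
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "firewall.inbound.3389": "blocked",
    "audit.enabled": "yes",
}
# Approved exceptions: (host, setting) -> (allowed value, expiry). An expired
# exception no longer counts, so the deviation is reported again (constructed).
EXCEPTIONS = {
    ("jump-host", "ssh.PasswordAuthentication"): ("yes", date(2030, 1, 1)),
    ("legacy-app", "firewall.inbound.3389"): ("allowed", date(2020, 1, 1)),  # expired
}
REPORT_DATE = date(2024, 6, 1)  # constructed "today" so the run is reproducible

# Constructed output of a configuration scan for three hosts.
SCAN = {
    "web-01": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no",
               "firewall.inbound.3389": "blocked", "audit.enabled": "yes"},
    "jump-host": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes",
                  "firewall.inbound.3389": "blocked", "audit.enabled": "yes"},
    "legacy-app": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no",
                   "firewall.inbound.3389": "allowed"},  # audit.enabled is absent
}

def check_host(host, current, baseline=BASELINE, exceptions=EXCEPTIONS, today=None):
    """Return (setting, expected, actual, kind) for every deviation from the baseline;
    kind is 'drift' for a changed value and 'missing' when the setting is absent."""
    today = today or date.today()
    findings = []
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual == expected:
            continue
        exc = exceptions.get((host, setting))
        if exc and exc[0] == actual and exc[1] >= today:
            continue  # documented exception that has not expired
        findings.append((setting, expected, actual, "missing" if actual is None else "drift"))
    return findings

def check_all(scan, today=None):
    """Map host -> findings, omitting hosts that fully match the baseline."""
    report = {}
    for host, cfg in scan.items():
        findings = check_host(host, cfg, today=today)
        if findings:
            report[host] = findings
    return report
```

Running `check_all(SCAN, today=REPORT_DATE)` reports web-01 (root login re-enabled) and legacy-app (expired exception plus missing audit setting) while jump-host stays quiet under its valid exception; each finding is what the alerting step should forward.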
You cannot protect your organization from what you do not know about. All attacks and threats need to be logged so that they can be investigated. This is the purpose of an “audit log.”
However, the audit log can’t simply be treated as a compliance exercise: criminals rely on the tendency of organizations not to check these logs, meaning that threats can go undetected for a long time.
With the proliferation of devices in the remote work environment, it is crucial to have software in place that sends all threat log information to a centralized audit log which is continuously monitored.
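One reason the centralized audit log described for Control #6 above matters, as an added example that is not code from the original post: failed logins forwarded from several hosts are correlated by source address, so a pattern that looks like a single harmless failure on each host is visible only in the combined log. The log format, the sample lines and the alert thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed central-log lines forwarded from several hosts; the format
# "<ISO timestamp> <host> <event> user=<user> src=<ip>" is an assumption.
CENTRAL_LOG = """\
2024-06-01T09:00:01 web-01 auth_fail user=alice src=203.0.113.7
2024-06-01T09:00:09 web-02 auth_fail user=alice src=203.0.113.7
2024-06-01T09:00:15 db-01 auth_fail user=alice src=203.0.113.7
2024-06-01T09:00:20 jump-host auth_fail user=alice src=203.0.113.7
2024-06-01T09:00:31 web-01 auth_ok user=bob src=198.51.100.4
2024-06-01T10:30:00 web-02 auth_fail user=carol src=198.51.100.9
2024-06-01T11:45:00 db-01 auth_fail user=carol src=198.51.100.9
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) user=(\S+) src=(\S+)$")

def parse(log):
    """Parse the central log into (timestamp, host, event, user, src) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, event, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, event, user, src))
    return events

def multi_host_failure_alerts(events, window_seconds=300, min_hosts=3):
    """Flag a source address whose failed logins touch at least min_hosts
    distinct hosts inside one sliding window. Each host on its own saw a
    single failure, so only the centralized log can surface this pattern."""
    by_src = defaultdict(list)
    for ts, host, event, user, src in events:
        if event == "auth_fail":
            by_src[src].append((ts, host))
    alerts = []
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            hosts = {h for t, h in fails[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append((src, sorted(hosts)))
                break  # one alert per source is enough
    return alerts

if __name__ == "__main__":
    for src, hosts in multi_host_failure_alerts(parse(CENTRAL_LOG)):
        print(f"ALERT: {src} failed logins on {len(hosts)} hosts: {', '.join(hosts)}")
```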
The CIS Controls were born out of a public-private partnership that included the Department of Defense (DoD), the National Security Agency (NSA), CIS and SANS. The controls continue to be maintained by some of the world’s leading cybersecurity experts from government, law enforcement and private security firms.
The latest version, CIS V7.1, was released recently and among its changes, the version introduced three “Implementation Groups,” which go further in-depth with appropriate sub-controls for organizations based on the level and sophistication of their cybersecurity resources and expertise.
Dealing with the threat of cyber-attack to your organization might feel overwhelming; however, the six basic controls (the “CIS 6” for our purposes) will provide a usable framework for most organizations.