CIS Implementation Group 1 (IG1): Essential Cyber Hygiene

Cybercrime has become more prevalent since the start of the COVID-19 pandemic. Indeed, 81% of organizations worldwide experienced an uptick in cyber threats and 79% suffered downtime due to cyberattacks during peak season, according to a 2021 report by McAfee Enterprise and FireEye. Attacks have also become more complex. IBM and the Ponemon Institute report that the average time to spot and contain a data breach in 2021 was 287 days, a week longer than in 2020.

Fortunately, the Center for Internet Security (CIS) offers Critical Security Controls (CSCs) that help organizations improve cybersecurity. These best practice guidelines consist of 18 recommended controls that provide actionable ways to reduce risk.

CSC implementation groups

Previously, CSCs were split into the three categories of basic, foundational and organizational. However, the current version of the CSC, version 8, divides the controls into three implementation groups (IGs), which take into account how factors like an organization’s size, type, risk profile and resources can affect the process of implementing controls.

  • Implementation Group 1 (IG1) defines the minimum standard of cyber hygiene; every company should implement its 56 safeguards. In most cases, an IG1 company is small or medium-sized; has limited cybersecurity budget and IT resources; and stores low-sensitivity information.
  • Implementation Group 2 (IG2) is for companies with more resources and moderately sensitive data. Its 74 safeguards build upon the 56 safeguards of IG1 to help security teams deal with increased operational complexity. Some safeguards require specialized expertise and enterprise-grade technology to install and configure. IG2 companies have the resources to employ individuals for monitoring, managing and protecting IT systems and data. They typically store and process sensitive enterprise and client information, so they will lose public confidence if data breaches occur.
  • Implementation Group 3 (IG3) is for mature organizations with highly sensitive company and client data. It features an additional 23 safeguards. IG3 companies are much larger than their IG2 counterparts. Accordingly, they tend to employ IT experts who specialize in different aspects of cybersecurity, such as penetration testing, risk management and application security. Because their IT assets contain sensitive data and perform sensitive functions that are subject to compliance and regulatory oversight, these enterprises must be able to prevent and abate sophisticated attacks, as well as reduce the impact of zero-day attacks.

CIS IG1: Which safeguards are essential for security?

Every IG1 control is essential except for 13 (Network Monitoring and Defense), 16 (Application Software Security), and 18 (Penetration Testing), because their requirements depend on your company’s maturity level, size and resources. All the remaining basic CIS controls have essential safeguards, which comprise IG1. Let’s dive into those essential safeguards now.

CIS Control 1. Inventory and Control of Enterprise Assets

In CIS Control 1, 2 out of 5 safeguards are included in IG1:

1.1 Establish and maintain a comprehensive enterprise asset inventory. To reduce your organization’s attack surface area, you require a comprehensive view of all of the assets on your network.

1.2 Address unauthorized assets. You need to actively manage all hardware devices on the network to ensure that only authorized devices have access. Any unauthorized devices must be quickly identified and disconnected before any damage is done.

CIS Control 2. Inventory and Control of Software Assets

CIS Control 2 features 7 safeguards, but only the first 3 are included in IG1:

2.1 Establish and maintain an up-to-date software inventory. It’s important to keep a record of all software on the computers in your network, including detailed information: title, publisher, installation date, supported systems, business purpose, related URLs, deployment method, version, decommission date and so on.

2.2 Ensure authorized software is currently supported. Keeping unsupported software, which gets no security patches and updates, increases your organization’s cybersecurity risks.

2.3 Address unauthorized software. Remember to actively manage all software on the network so that unauthorized software cannot be installed or is promptly detected and removed.

CIS Control 3. Data Protection

CIS Control 3 builds on CIS Control 1 by emphasizing the need for a comprehensive data management and protection plan. The following 6 of its 14 safeguards are essential:

3.1 Establish and maintain a data management process. Keep an up-to-date documented process that addresses data sensitivity, retention, storage, backup and disposal.

3.2 Establish and maintain a data inventory. You need to know exactly what data you have and where it is located in order to prioritize your data security efforts, adequately protect your critical data and ensure regulatory compliance.

3.3 Configure data access control lists. Restricting users’ access permissions according to their job functions is vital. Review access rights on a regular schedule, and implement processes to avoid overprovisioning.

3.4 Enforce data retention according to your data management process. Decide how long different types of data are to be kept, based on compliance requirements and other business needs, and build processes to ensure that retention schedules are followed.

3.5 Securely dispose of data and ensure the disposal methods and processes match data sensitivity. Make sure that your data disposal processes are appropriate to the type of data being handled.

3.6 Encrypt data on end-user devices like laptops and phones. Encrypting data makes it unreadable and therefore useless to malicious actors if the device is lost or stolen, and can therefore help you avoid compliance penalties.

CIS Control 4. Secure Configuration of Enterprise Assets and Software

CIS Control 4 outlines best practices to help you maintain proper configurations for hardware and software assets. There is a total of 12 safeguards in this section. However, only the first 7 belong to IG1:

4.1 Establish and maintain a secure configuration process. Develop standard configurations for your IT assets based on best practice guidelines, and implement a process for deploying and maintaining them.

4.2 Establish and maintain a secure configuration process for network infrastructure. Establish standard settings for network devices and continuously watch for any deviation or drift from that baseline so you promptly remediate changes that weaken your network security.

4.3 Configure automatic session locking on enterprise assets after defined periods of inactivity. This safeguard helps mitigate the risk of malicious actors gaining unauthorized access to workstations, servers and mobile devices if the authorized user steps away without securing them.

4.4 Implement and manage firewalls on servers. Firewalls help protect servers from unauthorized access via the network, block certain types of traffic, and enable running programs only from trusted platforms and other sources.

4.5 Implement and manage firewalls on end-user devices. Add a host-based firewall or port-filtering tool on all end-user devices in your inventory, with a default-deny rule that prohibits all traffic except a predetermined list of services and ports that have explicit permissions.

4.6 Securely manage enterprise software and assets. This safeguard suggests managing your configuration through version-controlled infrastructure-as-code. It also recommends accessing administrative interfaces over secure network protocols such as SSH and HTTPS, and avoiding insecure management protocols like Telnet and HTTP, which do not have adequate encryption support and are therefore vulnerable to interception and eavesdropping attacks.

4.7 Manage default accounts on enterprise software and assets. Default accounts are easy targets for attackers, so it is critical to change preconfigured settings and disable default accounts wherever possible.
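
The default-deny rule of safeguard 4.5 and the protocol guidance of safeguard 4.6 can be checked mechanically. The following Python sketch is an added example, not part of the original article or of any CIS or Netwrix tooling; the rule model, the sample rule sets and the approved port list are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

CLEARTEXT_MGMT = {"telnet", "http"}  # protocols safeguard 4.6 says to avoid


@dataclass(frozen=True)
class Rule:
    """Hypothetical, simplified host firewall rule (not a real product's format)."""
    action: str               # "allow" or "deny"
    proto: str                # "tcp" or "udp"
    port: int
    service: str              # protocol spoken on that port
    management: bool = False  # True if the port serves an administrative interface


def decide(default_policy, rules, proto, port):
    """First matching rule wins; traffic matching no rule gets the default policy."""
    for r in rules:
        if r.proto == proto and r.port == port:
            return r.action
    return default_policy


def audit(default_policy, rules, approved):
    """Return findings; `approved` is the predetermined set of (proto, port) pairs."""
    findings = []
    if default_policy != "deny":
        findings.append("4.5 default policy is not deny")
    for r in rules:
        if r.action != "allow":
            continue
        if (r.proto, r.port) not in approved:
            findings.append(f"4.5 {r.proto}/{r.port} ({r.service}) allowed but not approved")
        if r.management and r.service in CLEARTEXT_MGMT:
            findings.append(f"4.6 cleartext management via {r.service} on {r.proto}/{r.port}")
    return findings


# Constructed sample data: the approved list and two rule sets for the same host.
APPROVED = {("tcp", 22), ("tcp", 443)}

WEAK_POLICY = "allow"
WEAK_RULES = [
    Rule("allow", "tcp", 23, "telnet", management=True),
    Rule("allow", "tcp", 8080, "http", management=True),
    Rule("allow", "tcp", 443, "https"),
]

HARDENED_POLICY = "deny"
HARDENED_RULES = [
    Rule("allow", "tcp", 22, "ssh", management=True),
    Rule("allow", "tcp", 443, "https", management=True),
]

if __name__ == "__main__":
    for label, policy, rules in (("weak", WEAK_POLICY, WEAK_RULES),
                                 ("hardened", HARDENED_POLICY, HARDENED_RULES)):
        print(label, audit(policy, rules, APPROVED) or "no findings")
```
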

CIS Control 5. Account Management

CIS Control 5 provides strategies for ensuring that your user, administrator and service accounts are properly managed. In this control, 4 of 6 safeguards are essential:

5.1 Establish and maintain a list of accounts. Regularly review and update the inventory of all accounts to ensure that accounts being used are authorized. Every detail, including the purpose of the account, should be documented.

5.2 Use unique passwords. The best practice for password security is to build your password policy and procedures using an appropriate and respected framework. A great option is Special Publication 800-63B from the National Institute of Standards and Technology (NIST). Its guidelines are helpful for any business looking to improve cybersecurity.

5.3 Disable dormant accounts (accounts that haven’t been used for at least 45 days). Regularly scanning for dormant accounts and deactivating them reduces the risk of hackers compromising them and getting into your network.

5.4 Restrict admin privileges to dedicated admin accounts. Privileged accounts should be used only when needed to complete administrative tasks.
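
A periodic account review covering safeguards 5.1, 5.3 and 5.4 can be scripted against an exported account list. The Python sketch below is an added example, not part of the original article; the account fields, names and dates are hypothetical and constructed for illustration, and a never-used account is assumed to age from its creation date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=45)  # threshold stated in safeguard 5.3


@dataclass
class Account:
    name: str
    purpose: str                # 5.1: the purpose of every account is documented
    is_admin: bool
    dedicated_admin: bool       # 5.4: admin rights belong on dedicated admin accounts
    last_logon: Optional[date]  # None means the account has never logged on
    created: date
    enabled: bool = True


def review(accounts, today):
    """Return {account name: [findings]} for enabled accounts that need action."""
    findings = {}
    for a in accounts:
        if not a.enabled:
            continue  # already disabled, nothing left to flag
        issues = []
        if not a.purpose.strip():
            issues.append("5.1 undocumented purpose")
        # Assumption: an account that never logged on is aged from its creation date.
        last_activity = a.last_logon or a.created
        if today - last_activity >= DORMANT_AFTER:
            issues.append("5.3 dormant, disable")
        if a.is_admin and not a.dedicated_admin:
            issues.append("5.4 admin rights on everyday account")
        if issues:
            findings[a.name] = issues
    return findings


# Constructed sample inventory (hypothetical names and dates).
TODAY = date(2022, 6, 30)
SAMPLE = [
    Account("alice", "finance analyst", False, False, date(2022, 6, 28), date(2020, 1, 10)),
    Account("adm-alice", "server administration", True, True, date(2022, 6, 1), date(2020, 1, 10)),
    Account("bob", "IT helpdesk", True, False, date(2022, 6, 29), date(2021, 3, 2)),
    Account("svc-backup", "", False, False, date(2022, 6, 30), date(2019, 5, 5)),
    Account("carol", "contractor", False, False, date(2022, 5, 16), date(2022, 1, 3)),  # exactly 45 days
    Account("temp01", "onboarding test", False, False, None, date(2022, 2, 1)),
    Account("old-vendor", "vendor support", False, False, date(2021, 1, 1), date(2018, 1, 1), enabled=False),
]

if __name__ == "__main__":
    for name, issues in review(SAMPLE, TODAY).items():
        print(f"{name}: {'; '.join(issues)}")
```
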

CIS Control 6. Access Control Management

Control 6 establishes best practices for managing and configuring user access and permissions. 5 of its 8 safeguards are included in IG1:

6.1 Establish an access-granting process. Ideally, the process of granting and changing privileges should be automated based on standard sets of permissions for each user role.

6.2 Establish an access-revoking process. Keeping unused or excessive permissions raises security risks, so it’s necessary to revoke or update access rights as soon as an employee leaves the company or changes roles.

6.3 Require multi-factor authentication (MFA) for externally-exposed accounts. With MFA, users must supply two or more authentication factors, such as a user ID/password combination plus a security code sent to their email. It’s necessary to enable MFA for accounts used by customers or partners.

6.4 Require MFA for remote network access. Whenever a user tries to connect remotely, the access should be verified with MFA.

6.5 Require MFA for administrative access. Admin accounts require extra security, so it’s important to enable MFA for them.

CIS Control 7. Continuous Vulnerability Management

CIS Control 7 focuses on identifying, prioritizing, documenting and correcting vulnerabilities in an IT environment. Continuous vulnerability management is recommended because attacks are increasing in sophistication and frequency, and there’s more sensitive data than ever before.

4 of the 7 safeguards are included in Implementation Group 1:

7.1 Establish and maintain a vulnerability management process. Companies need to decide how they will identify, evaluate, remediate and report on possible security vulnerabilities.

7.2 Establish and maintain a remediation process. Companies need to decide how they will respond to an identified vulnerability.

7.3 Perform automated operating system patch management. It’s important to keep all operating systems patched in a timely manner.

7.4 Perform automated application patch management. Keeping applications patched is just as important as patching operating systems.

CIS Control 8. Audit Log Management

CIS Control 8 provides guidelines for collecting, alerting, reviewing and retaining audit logs of events that can help you detect, understand and recover from attacks.

Here are essential safeguards of this control:

8.1 Establish and maintain an audit log management process. A company needs to decide who will be collecting, reviewing and keeping audit logs for enterprise assets, and when and how the process will occur. This process should be reviewed and updated annually, as well as whenever significant changes could impact this safeguard.

8.2 Collect audit logs. Log auditing should be enabled across enterprise assets, such as systems, devices and applications.

8.3 Ensure adequate audit log storage. Decide where and for how long audit log data is kept based on applicable compliance requirements and other business needs, and make sure you allocate enough storage to ensure no required data is overwritten or otherwise lost.

CIS Control 9. Email and Web Browser Protections

CIS Control 9 features 7 safeguards for email clients and web browsers, 2 of which are essential:

9.1 Ensure only fully supported email clients and browsers are used. Email clients and browsers need to be updated and have secure configurations.

9.2 Use Domain Name System (DNS) filtering services. These services should be used on all enterprise assets to block access to known malicious domains, which can help strengthen your security posture.

CIS Control 10. Malware Defenses

CIS Control 10 outlines ways to prevent and control the installation and spread of malicious code, apps and scripts on enterprise assets. 3 of its 7 safeguards are essential:

10.1. Deploy and maintain anti-malware software. Enable malware defenses at all entry points to IT assets.

10.2. Configure automatic anti-malware signature updates. Automatic updates are more reliable than manual processes. Updates can be released every hour or every day, and any delay in installation can leave your system open to bad actors.

10.3. Disable autorun and auto-play for removable media. Removable media are highly susceptible to malware. By disabling auto-execute functionality, you can prevent malware infections that could cause costly data breaches or system downtime.

CIS Control 11. Data Recovery

CIS Control 11 highlights the need for data recovery and backups. This control has 5 safeguards; the first 4 are essential:

11.1. Establish and maintain a data recovery process. Establish and maintain a solid data recovery process that can be followed across the organization. It should address the scope of data recovery and set priorities by establishing which data is most important.

11.2. Implement an automated backup process. Automation ensures that system data is backed up on schedule without human intervention.

11.3. Protect recovery data. Backups need adequate security as well. This may include encryption or segmentation based on your data protection policy.

11.4. Establish and maintain isolated copies of backup data. To protect backups from threats like ransomware, consider storing them offline or in cloud or off-site systems or services.

CIS Control 12. Network Infrastructure Management

Control 12 establishes guidelines for managing network devices to prevent attackers from exploiting vulnerable access points and network services. Its only safeguard in IG1 requires you to establish and maintain a secure network architecture and keep your network infrastructure up to date.

CIS Control 14. Security Awareness and Skills Training

CIS Control 14 focuses on improving employees’ cybersecurity awareness and skills. The frequency and types of training vary; often organizations require employees to refresh their knowledge of security rules by passing brief tests every 3–6 months.

8 of the 9 safeguards are considered essential:

14.1 Establish and maintain a security awareness program. Establish a security awareness program that trains workforce members on vital security practices.

14.2 Train workforce members to recognize social engineering attacks. Examples include tailgating, phishing and phone scams.

14.3 Train workforce members on authentication best practices. It’s important to explain why secure authentication should be used, including the risks and consequences of failing to follow best practices.

14.4 Train workforce on data handling best practices. This safeguard is particularly important for sensitive and regulated data.

14.5 Train workforce members on causes of unintentional data exposure. Examples include losing a portable device, emailing sensitive data to the wrong recipients, and publishing data where it can be viewed by unintended audiences.

14.6 Train workforce members to recognize and report potential security incidents. Develop a detailed guide that answers questions such as: What could be the signs of a scam? What should an employee do in case of a security incident? Who should be informed about an incident?

14.7 Train your workforce on how to identify and report if their enterprise assets are missing software patches and security updates. Your employees need to know why updates are important and why refusing an update might cause a security risk.

14.8 Train your workforce on the dangers of connecting to and transmitting data over insecure networks. Everyone should be aware of the dangers of connecting to insecure networks. Remote workers should have additional training to ensure that their home networks are configured securely.

CIS Control 15. Service Provider Management

CIS Control 15 highlights the importance of evaluating and managing service providers who hold sensitive data. It requires you to keep an inventory of all service providers associated with your organization, create a set of standards for grading their security requirements, and evaluate each provider’s security requirements.

Only the first of the 8 safeguards is essential. It requires you to establish and maintain a list of service providers.

CIS Control 17. Incident Response Management

Finally, CIS Control 17 concerns developing and maintaining an incident response capability to prepare for, detect and quickly respond to attacks. It requires you to designate personnel for managing incidents, and establish and maintain a process for incident reporting. You should also create and maintain contact information for reporting security incidents.

3 of its 9 safeguards are essential:

17.1 Designate personnel to manage incident handling. This person needs to be well-versed in managing incidents, and they need to be a known primary contact who gets reports on potential issues.

17.2 Establish and maintain contact information for reporting security incidents. Employees need to know exactly how to contact the right employees about possible incidents, and the team responsible for incident handling needs to have contact information for those with the power to make significant decisions.

17.3 Establish and maintain an enterprise process for reporting incidents. This process needs to be documented and reviewed regularly. The process should explain how incidents should be reported, including the reporting timeframe, mechanisms for reporting and the information to be reported (such as the incident type, time, level of threat, system or software impacted, audit logs, etc.).

Next Steps

CIS Critical Controls Implementation Group 1 provides basic guidance for a sound cybersecurity posture. The safeguards of IG1 are essential cyber hygiene activities, shaped by years of collective experience of a community dedicated to enhancing security via the exchange of concepts, resources, lessons learned and coordinated action.

Ready to implement the IG1 safeguards? Netwrix products can help. They offer a holistic approach to cybersecurity challenges by securing your organization across all the primary attack surfaces: data, identity and infrastructure.

Dirk Schrader is a Resident CISO (EMEA) and VP of Security Research at Netwrix. A 25-year veteran in IT security with certifications as CISSP (ISC²) and CISM (ISACA), he works to advance cyber resilience as a modern approach to tackling cyber threats. Dirk has worked on cybersecurity projects around the globe, starting in technical and support roles at the beginning of his career and then moving into sales, marketing and product management positions at both large multinational corporations and small startups. He has published numerous articles about the need to address change and vulnerability management to achieve cyber resilience.