As today’s cyber threats continue to evolve in scale and sophistication, and more security tools and mandates continue to hit the market at a record rate, it can seem overwhelming trying to figure out where to start when trying to keep IT systems safe.
The vast array of compliance and security mandates out there can leave many organizations confused on where to even start, but NNT believes the best place to start is with the CIS Controls. Published by the Center for Internet Security (CIS), these controls help organizations defend against known attacks by condensing key security concepts into actionable controls to achieve better overall cybersecurity defense.
The CIS Controls provide clarity on what organizations really need to be focusing on in terms of security best practices to help prioritize actions that must be taken to defend against cyber threats. CIS Controls V7 keeps the same 20 controls that businesses and organizations around the world already depend upon to stay secure; however, the ordering has been updated to reflect the current threat landscape. The latest version breaks down the 20 controls into three specific categories: basic, foundational, and organizational.
- Basic (CIS Controls 1-6): Key controls which should be implemented in every organization for essential cyber defense readiness.
- Foundational (CIS Controls 7-16): The next step up from basic – these technical best practices provide clear security benefits and are a smart move for any organization to implement.
- Organizational (CIS Controls 17-20): These controls are different in character from 1-16; while they have many technical elements, CIS Controls 17-20 are more focused mainly on people and processes involved in cybersecurity.
Let’s Get Back to the Basics
The vast majority of security incidents occur when basic controls are lacking or are poorly implemented. A study of the previous version of the CIS Controls showed that 85% of cyber-attacks can be prevented by adopting the first five CIS Controls alone. NNT solutions alone can help you satisfy the first six CIS Controls.
CIS Controls 1 – 6 represent well known, cybersecurity basics and focus on the fundamentals of securing the infrastructure and monitoring it regularly for changes, including Configuration Management, Vulnerability Assessment, and Continuous Monitoring to know when a new critical vulnerability surfaces or an asset becomes exposed. By implementing CIS Controls 1 – 6 as continuous and evolving processes, organizations significantly reduce their risk while also adapting to today’s continuously changing cyber threats and shifting business needs.
Controls 1 – 6 Explained
Control #1 and #2 focus on visibility – understanding what devices are in your enterprise, what software are you running, and how is it being operated (patched and configured?). Without knowing what you have, it’s impossible to defend it. Control #3 focuses on continuous vulnerability management, meaning all configurations must be monitored for changes that introduce vulnerabilities or the availability of patches or upgrades needed to maintain security. Knowing this information will provide your organization with the basic operational foundation for understanding your IT environment and where it’s most vulnerable, spotting malicious actors, and deploying security defenses.
Control #4 focuses on the controlled use of administrative privileges. This control is incredibly important as administrative credentials can be used by hackers and malicious insiders to access your organization's most sensitive data. To minimize this threat, maintain the principle of least privilege and ensure all users with administrative account access use a dedicated or secondary account for elevated activities. Also, configure systems to issue a log entry and alert when an account is added or removed from any group assigned administrative privileges.
Control #5 focuses on establishing, implementing, and actively managing the security configurations of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process to prevent attackers from exploiting vulnerabilities. When using NNT’s Closed Loop Intelligent Change Control technology, your organization is able to track and analyze changes to your systems’ integrity using self-learning whitelisting technology and threat intelligence. NNT then uses dynamic baselining to ensure your systems align to the most up-to-date, secure, and compliant state possible based on checked, approved, and authorized changes.
The last control in the basic category, Control #6, focuses on the maintenance, monitoring, and analysis of audit logs to help detect, understand or recover from a cyber-attack. Deficiencies in security logging allow attackers to hide; without solid audit logs, an attack can go unnoticed and irreversible damage could result as a consequence. To avoid this, ensure that all local logging is enabled on all systems and network devices. Also, ensure appropriate logs are being aggregated to a central log management system for analysis and review.
Time and time again the first six CIS Controls have proven to help organizations jump start to rapidly reducing the risk of business impact due to real-world cyber threats. These controls represent a solid base for any organizations cyber defense strategy, but can also be used as a stepping stone to compliance with PCI DSS, HIPAA, GDPR, etc. In fact, the National Institute of Standards and Technology (NIST) reference these controls as a recommended implementation approach for its Cybersecurity Framework. For organizations left unsure where to start in their IT Security strategy, refer to the CIS Critical Security Controls.