Understanding the Basic CIS Controls: CSC 1-6
As data breaches continue to increase in severity and scale, more than ever organizations need to ensure they have the basic security controls in place to keep their data safe from attack.
In response to today’s growing threat landscape, the SANS Institute, together with the Center for Internet Security (CIS), developed the 20 Critical Security Controls (CSC) to give organizations clarity on which security best practices really need their focus.
The CSCs are a set of prioritized actions that set out to answer the most fundamental question in cybersecurity – what do we need to do to stop known attacks? These controls help organizations defend against today’s most dangerous attack methods by combining key security concepts into a set of actionable controls to achieve better overall cybersecurity defense.
The latest version, CIS Controls V7, was recently updated to reflect the current threat landscape and breaks down the 20 controls into three distinct categories:
- Basic (CSC 1-6): key controls which should be implemented in every organization for essential cyber defense readiness
- Foundational (CSC 7-16): these technical best practices provide clear security benefits and are a smart move for any organization to implement
- Organizational (CSC 17-20): these remaining controls are more focused on people and process involved in cybersecurity
The basic controls are a must for every organization, regardless of the size or the industry in question. A study of the previous version of the CIS Controls found that 85% of cyber incidents can be prevented by implementing only the first five controls. NNT's solution alone can help you satisfy the first six CIS Controls.
Here's a quick breakdown of the Basic CIS Controls, including what each control covers and what needs to be done to satisfy each control:
CIS Control 1: Inventory and Control of Hardware Assets
Reducing your organization’s attack surface starts by having a comprehensive view of all the devices on the network. Organizations must actively manage all the hardware devices on the network to ensure that only authorized devices are given access and unauthorized devices can be quickly identified and disconnected before any damage is done.
CIS Control 2: Inventory and Control of Software Assets
The next step focuses on software asset discovery – organizations must actively manage all software on the network so that only authorized software is installed. Hackers are constantly looking for vulnerable software to exploit, but organizations lacking a complete software inventory are unable to find the systems running vulnerable or malicious software, and so cannot mitigate problems or stop attackers.
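Controls 1 and 2 both come down to the same operation: reconcile what discovery actually finds on the network against the authorized inventory, then act on the differences. The following is an added example written for this article, not code from the article or from NNT; the MAC addresses, hostnames, package names and allowlist are constructed. In practice the discovered list would come from DHCP leases, switch MAC tables, a network scan or an endpoint agent, and the installed-software sets from the package manager.

```python
"""Reconcile discovered devices and their software against the authorized
hardware inventory (CIS Control 1) and software allowlist (CIS Control 2).
Added example with constructed data; not the article's or NNT's code."""
import re
from dataclasses import dataclass


@dataclass
class Device:
    mac: str
    hostname: str
    software: set  # names of installed packages reported by the device


# Constructed authorized hardware inventory: MAC address -> asset name
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "ws-finance-01",
    "00:11:22:33:44:02": "srv-db-01",
}

# Constructed software allowlist: anything else is unauthorized software
ALLOWED_SOFTWARE = {"openssh", "nginx", "postgresql", "libreoffice"}


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC so '00-11-22-33-44-01', '0011.2233.4401' and
    '00:11:22:33:44:01' compare equal; different tools format MACs differently."""
    hexdigits = re.sub(r"[:.\-\s]", "", mac.lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def reconcile(discovered, authorized_devices, allowed_software):
    """Return (unauthorized_devices, missing_assets, unauthorized_software).

    unauthorized_devices: discovered but not in the inventory -> candidates
        for quarantine or disconnection
    missing_assets: in the inventory but not seen on the network -> stale
        inventory record or a device that has gone missing
    unauthorized_software: {asset name: [packages outside the allowlist]}
    """
    authorized = {normalize_mac(m): name for m, name in authorized_devices.items()}
    seen = set()
    unauthorized_devices = []
    unauthorized_software = {}
    for dev in discovered:
        mac = normalize_mac(dev.mac)
        seen.add(mac)
        if mac not in authorized:
            unauthorized_devices.append(dev.hostname or mac)
            continue  # a rogue device is handled as a device problem first
        extra = sorted(set(dev.software) - allowed_software)
        if extra:
            unauthorized_software[authorized[mac]] = extra
    missing_assets = sorted(name for mac, name in authorized.items() if mac not in seen)
    return unauthorized_devices, missing_assets, unauthorized_software


# Constructed discovery result: a known workstation carrying an extra package,
# an unknown device, and the database server not seen at all.
DISCOVERED = [
    Device("00-11-22-33-44-01", "ws-finance-01", {"openssh", "libreoffice", "torrentclient"}),
    Device("aabb.ccdd.eeff", "unknown-laptop", {"openssh"}),
]

if __name__ == "__main__":
    rogue, missing, bad_software = reconcile(DISCOVERED, AUTHORIZED_DEVICES, ALLOWED_SOFTWARE)
    print("unauthorized devices:", rogue)
    print("inventory assets not seen:", missing)
    print("unauthorized software:", bad_software)
```

The MAC normalization matters more than it looks: inventories that mix formats from different tools silently report authorized devices as rogue, and teams then learn to ignore the report.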
CIS Control 3: Continuous Vulnerability Management
This next control emphasizes an organization’s need to continuously scan the network for vulnerabilities and to stay up to date with the latest software updates and patches. The same information about discovered vulnerabilities and the patches available to remediate them is available both to the organizations looking to protect their data and to the hackers looking to capitalize on any gaps in security. Organizations must run automated scans of the entire IT environment to stay ahead.
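The output of a continuous scan is only useful once installed versions are matched against what the advisories say is affected and fixed. The block below is an added example, not code from the article or from NNT, showing that comparison over a constructed inventory; the advisory IDs, packages and version numbers are placeholders, and a real vulnerability feed or scanner export would supply them.

```python
"""Match an installed-software inventory against advisories that give the
affected and fixed versions (CIS Control 3).
Added example with constructed advisories; not the article's or NNT's code."""
import re


def parse_version(version: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10). Numeric tuples compare correctly where
    plain string comparison would rank '1.2.9' above '1.2.10'."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(installed: str, introduced: str, fixed: str) -> bool:
    """Affected when introduced <= installed < fixed."""
    v = parse_version(installed)
    return parse_version(introduced) <= v < parse_version(fixed)


# Constructed advisory table; the IDs are placeholders, not real identifiers
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "openssl", "introduced": "3.0.0",
     "fixed": "3.0.7", "severity": "critical"},
    {"id": "ADV-EXAMPLE-002", "package": "nginx", "introduced": "1.0.0",
     "fixed": "1.21.6", "severity": "high"},
]


def find_vulnerable(inventory: dict, advisories: list) -> list:
    """inventory: {host: {package: installed_version}} -> findings, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["package"])
            if installed and is_affected(installed, adv["introduced"], adv["fixed"]):
                findings.append({
                    "host": host,
                    "package": adv["package"],
                    "installed": installed,
                    "fixed": adv["fixed"],
                    "advisory": adv["id"],
                    "severity": adv["severity"],
                })
    findings.sort(key=lambda f: (rank.get(f["severity"], 99), f["host"]))
    return findings


# Constructed inventory, as a scheduled scan would report it
INVENTORY = {
    "srv-web-01": {"nginx": "1.21.5", "openssl": "3.0.7"},
    "ws-finance-01": {"openssl": "3.0.2", "libreoffice": "7.3.1"},
}

if __name__ == "__main__":
    for f in find_vulnerable(INVENTORY, ADVISORIES):
        print(f"{f['severity']:>8}  {f['host']}: {f['package']} {f['installed']} "
              f"-> upgrade to {f['fixed']} ({f['advisory']})")
```

Note that srv-web-01 already runs the fixed openssl release and is correctly not reported for it; a check that used string comparison or "installed != fixed" would get that wrong.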
CIS Control 4: Controlled Use of Administrative Privileges
It should come as no surprise that for years the misuse of administrative privileges has been a primary method of attack for hackers. To gain administrative credentials, hackers use sophisticated phishing techniques, crack or guess the password of an admin user, or elevate the privileges of a normal user into an admin account. With administrators using default passwords and without a detailed inventory of admin accounts, attackers can easily gain full control of systems.
CIS Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control #5 focuses on the need to establish, implement, and actively manage the security configuration of laptops, servers, and workstations using Configuration Management and Change Control processes, so that attackers cannot exploit vulnerable services and settings. Device manufacturers design default configurations for ease of use, not strong security. In response, your organization must implement real-time File Integrity Monitoring, maintain documented standard security configurations for all authorized operating systems and software, and be alerted whenever unauthorized changes occur in your environment.
CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
The last basic control emphasizes the need to collect, manage, and analyze event logs to detect suspicious activity, investigate possible security incidents, and recover from an attack. Without proper logs, attackers are able to mask their location and activities within the network. While most organizations store audit records for compliance reasons, many never look at the audit logs, and they have no idea that their systems have been compromised, sometimes for months. The right log management tool should provide your organization with all the data you need to know about the who, what, where, when, and how of the event being investigated.
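Two of the attack methods named under Control 4 (credential guessing and use of administrative privilege by accounts that should not have it) are exactly the kind of thing that stored-but-unread audit logs already contain. The block below is an added example, not code from the article or from NNT, that parses a handful of constructed syslog-style authentication lines and extracts the who, what, where and when for two findings: a successful login after repeated failures from the same source, and sudo use by an account outside the approved administrator list. The hostnames, user names, approved-admin list and addresses (from the documentation ranges 203.0.113.0/24 and 192.0.2.0/24) are constructed.

```python
"""Detect repeated-failure logins and unapproved privilege use in auth logs
(CIS Controls 4 and 6). Added example over constructed log lines; not the
article's or NNT's code."""
import re
from collections import defaultdict

# Syslog-style line: timestamp host program[pid]: message
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Constructed sample log: four failures then a success from one source, a
# normal key-based login elsewhere, and two sudo invocations.
SAMPLE_LOG = """\
Mar 10 09:12:01 srv-db-01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar 10 09:12:03 srv-db-01 sshd[2211]: Failed password for root from 203.0.113.45 port 51236 ssh2
Mar 10 09:12:05 srv-db-01 sshd[2214]: Failed password for root from 203.0.113.45 port 51238 ssh2
Mar 10 09:12:08 srv-db-01 sshd[2219]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar 10 09:12:20 srv-db-01 sshd[2230]: Accepted password for root from 203.0.113.45 port 51250 ssh2
Mar 10 09:13:00 ws-finance-01 sshd[410]: Accepted publickey for jsmith from 192.0.2.10 port 40000 ssh2
Mar 10 09:15:00 srv-db-01 sudo:    jsmith : TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar 10 09:16:00 srv-db-01 sudo:    tbrown : TTY=pts/1 ; PWD=/home/tbrown ; USER=root ; COMMAND=/bin/bash
""".splitlines()

# Constructed inventory of accounts approved to hold administrative privilege
APPROVED_ADMINS = {"jsmith"}


def parse_line(line: str):
    """Split one syslog line into its fields, or None if it is not in that shape."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, approved_admins, threshold: int = 3) -> list:
    """Return findings, each carrying who/what/where/when for the investigator."""
    failures = defaultdict(int)  # (host, source ip) -> failed logins since last success
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["prog"] == "sshd":
            m = FAILED_RE.search(ev["msg"])
            if m:
                failures[(ev["host"], m["ip"])] += 1
                continue
            m = ACCEPTED_RE.search(ev["msg"])
            if m:
                key = (ev["host"], m["ip"])
                if failures[key] >= threshold:
                    findings.append({
                        "type": "login_after_repeated_failures",
                        "who": m["user"], "where": ev["host"], "source": m["ip"],
                        "when": ev["ts"], "failures": failures[key],
                    })
                failures[key] = 0
        elif ev["prog"] == "sudo":
            m = SUDO_RE.match(ev["msg"])
            if m and m["user"] not in approved_admins:
                findings.append({
                    "type": "unapproved_privilege_use",
                    "who": m["user"], "where": ev["host"], "what": m["cmd"],
                    "target_user": m["target"], "when": ev["ts"],
                })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, APPROVED_ADMINS):
        print(f)
```

The failure counter here resets on every successful login and has no time window, which is enough to show the idea; a production rule would bound the window, key on the account as well as the source, and feed the finding to a ticket or alert rather than print it.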