The Center for Internet Security (CIS) recently released version eight of its controls, consolidating the previous 20 controls into 18. Let’s dive into the first six controls together to make it more digestible.
To simplify things, we’ll describe each control briefly along with why it is important and how you can easily weave each control into your cybersecurity program.
Control 1: Inventory and Control of Enterprise Assets
Establish and maintain an accurate, detailed, up-to-date inventory of all assets that have the potential to store or process data. This can include devices like servers, end-user devices, network devices, and non-computing/IoT devices. Your company needs to ensure the inventory records the network address, hardware address, machine name, enterprise asset owner, and department of each asset, and whether it is approved to connect to the network. Review and update the inventory of all enterprise assets at least biannually.
Preventing unauthorized devices from gaining access to your network, systems, and sensitive data helps ensure the security of hardware devices and assets.
Maintain a spreadsheet in Microsoft Excel or Google Sheets of all hardware assets, including laptops, servers, firewalls, etc. Consider leveraging tools like Vanta, Asset Panda, Axonius, and Divvycloud to facilitate the management of hardware.
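A spreadsheet only helps if it is regularly checked against what is actually on the network. The script below is an added example, not code from the post or from any of the tools it names: it loads constructed inventory rows with the fields Control 1 asks for, compares them with constructed observations (the kind of MAC/IP pairs you would export from DHCP leases or a network scan), and reports devices that are unknown, not approved, recorded with a stale address, or overdue for the biannual review. The 182-day review interval is an assumption chosen to match "at least biannually".

```python
# Added example (not from the post): reconcile an enterprise asset inventory
# against devices actually observed on the network. Field names follow the
# attributes Control 1 says the inventory should record; all data is constructed.
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Asset:
    hardware_address: str  # MAC address
    network_address: str   # IP address
    machine_name: str
    owner: str
    department: str
    approved: bool         # approved to connect to the network?
    last_reviewed: date    # when the record was last verified


# Constructed inventory (a spreadsheet export would map to these rows).
INVENTORY = [
    Asset("aa:bb:cc:00:00:01", "10.0.1.10", "fs-01", "j.doe", "IT", True, date(2021, 9, 1)),
    Asset("aa:bb:cc:00:00:02", "10.0.1.11", "hr-laptop-07", "m.lee", "HR", True, date(2021, 2, 15)),
    Asset("aa:bb:cc:00:00:03", "10.0.1.12", "contractor-nb", "ext", "Finance", False, date(2021, 9, 1)),
]

# Constructed observations, e.g. parsed from DHCP leases or a network scan: (MAC, IP).
OBSERVED = [
    ("AA-BB-CC-00-00-01", "10.0.1.10"),
    ("aa:bb:cc:00:00:03", "10.0.1.12"),
    ("aa:bb:cc:00:00:09", "10.0.1.50"),
]

# Review cadence chosen to match the "at least biannually" requirement (assumption).
REVIEW_INTERVAL = timedelta(days=182)
AS_OF = date(2021, 10, 11)  # constructed "today" so the report is reproducible


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so scan and inventory formats match."""
    return mac.lower().replace("-", ":")


def reconcile(inventory, observed, today):
    """Return findings: unknown devices, unapproved devices seen online,
    inventory/observed address mismatches, and records overdue for review."""
    by_mac = {normalize_mac(a.hardware_address): a for a in inventory}
    findings = {"unknown": [], "unapproved": [], "address_mismatch": [], "stale_record": []}
    for mac, ip in observed:
        asset = by_mac.get(normalize_mac(mac))
        if asset is None:
            findings["unknown"].append(normalize_mac(mac))          # not in inventory at all
        elif not asset.approved:
            findings["unapproved"].append(asset.machine_name)       # known but not allowed online
        elif asset.network_address != ip:
            findings["address_mismatch"].append(asset.machine_name)  # record is out of date
    for asset in inventory:
        if today - asset.last_reviewed > REVIEW_INTERVAL:
            findings["stale_record"].append(asset.machine_name)
    return findings


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, AS_OF).items():
        print(f"{category}: {items}")
```

Run it on a real export by replacing the two constructed lists with rows read from your spreadsheet and from your DHCP or scan data; the MAC normalization matters because scanners and switches emit addresses in different cases and separators, and a mismatch there would make every device look unknown.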
Control 2: Inventory and Control of Software Assets
Actively manage (e.g., inventory, track, and correct) all software (e.g., operating systems and applications) on the network so only authorized software is installed and executed, and unauthorized and unmanaged software is found and prevented from installation or execution.
Cybercriminals scan for vulnerable software that can be exploited remotely, often delivered through easy-to-deploy applications or clickable links. All it takes is one click or one vulnerable application and the whole network could be compromised.
Maintain a spreadsheet in Microsoft Excel or Google Sheets of all software, including software installed on endpoints, software installed on servers, and Software as a Service (SaaS) solutions. Consider a tool such as those mentioned in Control No. 1 to inventory, track, and manage software.
Control 3: Data Protection
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
It is critical to protect your organization’s data whether it resides within a corporate network or in the cloud. Protection of customer data is even more important if international regulations and laws apply. It is critical for organizations to have processes and technical controls to manage data through its entire lifecycle, including retention, disposal, and encryption. Data should be protected based on its classification or sensitivity level and some data may require more stringent controls than others.
Document a data classification and handling policy in which sensitive information is defined. The policy should include, but is not limited to, keeping production data out of non-production environments, encrypting workstations, etc.
Control 4: Secure Configuration of Enterprise Assets and Software
Establish and maintain the secure configuration of enterprise assets (e.g., end-user devices, network devices, non-computing/IoT devices, and servers) and software (e.g., operating systems and applications).
Default configurations for devices, operating systems, and applications can be vulnerable in the original state when delivered from a seller or manufacturer. It’s critical to develop robust configuration settings with sound security properties to ensure the system and software are secure. Once initial configurations are implemented, it is critical to monitor and ensure those configurations do not drift from an organization’s hardening baseline.
Review your baseline hardening configurations against the CIS benchmarks to ensure devices, operating systems, and software are hardened according to best practices. Consider leveraging tools to monitor and enforce policies on enterprise assets.
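Monitoring for drift means comparing what a system currently has against the baseline you hardened it to. The script below is an added example, not code from the post or from any CIS tooling: it parses a constructed sshd_config and reports every baseline setting that is missing or set to a different value. The baseline values are illustrative settings of the kind a CIS Benchmark recommends for SSH, not a quotation of the benchmark; the parsing rules (keywords are case-insensitive, either whitespace or a single "=" separates keyword and value, and the first occurrence of a keyword wins) follow documented sshd_config behaviour.

```python
# Added example (not from the post): detect drift of a host's sshd_config from a
# hardening baseline. Baseline values are illustrative, and the config is constructed.
import re

# Expected settings: keyword -> required value (compared case-insensitively).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "INFO",
}

# Constructed sshd_config as it might be pulled from a server. Two settings have
# drifted from the baseline and one baseline setting is missing entirely.
CURRENT_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication no
# sshd also accepts key=value
X11Forwarding=yes
MaxAuthTries 4
# later duplicate: sshd keeps the first value, so this one must be ignored
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return {lowercase keyword: value}. Keywords are case-insensitive in sshd,
    and the first occurrence of a keyword wins, so later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                            # blank line or comment
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2:
            continue                            # malformed line; nothing to compare
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)         # first occurrence wins
    return settings


def check_drift(config_text, baseline):
    """Return a list of (keyword, expected, actual) for every baseline setting that is
    absent (actual is None) or set to a different value."""
    actual = parse_sshd_config(config_text)
    drift = []
    for key, expected in baseline.items():
        value = actual.get(key.lower())
        if value is None or value.lower() != expected.lower():
            drift.append((key, expected, value))
    return drift


if __name__ == "__main__":
    for key, expected, value in check_drift(CURRENT_CONFIG, BASELINE):
        print(f"DRIFT {key}: expected {expected!r}, found {value!r}")
```

The same structure (parse the live setting, look up the baseline, report the difference) applies to any other configuration file; the part worth getting right is the parser, because a baseline check that misreads duplicates or "key=value" lines will either miss real drift or page you about settings that are fine.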
Control 5: Account Management
Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator and service accounts, to enterprise assets and software.
It’s much easier to gain unauthorized access to systems, data, and networks using valid credentials than through a traditional form of “hacking.” Whether it’s a weak password, dormant account, unchanged service account password, or a service account included in a script, using valid credentials is the easiest and most efficient way for an attacker to gain unauthorized access. Attackers will typically try to target administrative-level accounts, which places an even greater importance on these accounts.
Implement robust and centralized account management controls such as periodic account reviews, separate administrator accounts, and regular rotation of service and shared account passwords. Use strong and unique passwords, and add multi-factor authentication (MFA) whenever possible.
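The periodic review described above can be automated against an export from your directory or identity provider. The script below is an added example, not code from the post: it runs over a constructed account list and surfaces the three conditions the control calls out, dormant interactive accounts, service or shared accounts whose password is past its rotation date, and administrator accounts without MFA. The 90-day dormancy and 365-day rotation thresholds are assumptions for the example, not values the post prescribes.

```python
# Added example (not from the post): an account review of the kind Control 5 calls
# for, run over a constructed account export. Thresholds are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)        # no sign-in for this long -> dormant (assumption)
SERVICE_PW_MAX_AGE = timedelta(days=365)  # service/shared passwords rotate yearly (assumption)
AS_OF = date(2021, 10, 11)                # constructed "today" so the report is reproducible


@dataclass
class Account:
    name: str
    kind: str                    # "user", "admin", "service" or "shared"
    last_login: Optional[date]   # None if the account has never signed in
    password_set: date           # when the current password was set
    mfa_enabled: bool


# Constructed export from an identity provider / directory.
ACCOUNTS = [
    Account("alice", "user", date(2021, 10, 8), date(2021, 6, 1), True),
    Account("bob", "user", date(2021, 5, 1), date(2021, 1, 1), False),
    Account("carol-admin", "admin", date(2021, 10, 10), date(2021, 9, 1), False),
    Account("svc-backup", "service", None, date(2019, 3, 1), False),
    Account("svc-monitor", "service", date(2021, 10, 11), date(2021, 8, 1), False),
    Account("shared-reception", "shared", date(2021, 10, 11), date(2020, 1, 15), False),
]


def review_accounts(accounts, today):
    """Return the findings a periodic account review should surface."""
    findings = {"dormant": [], "rotation_overdue": [], "admin_without_mfa": []}
    for acct in accounts:
        if acct.kind in ("user", "admin"):
            # Interactive accounts: flag anything unused for longer than DORMANT_AFTER.
            if acct.last_login is None or today - acct.last_login > DORMANT_AFTER:
                findings["dormant"].append(acct.name)
        if acct.kind in ("service", "shared"):
            # Non-interactive and shared credentials: enforce the rotation period
            # instead of a login-based check, since they may never sign in interactively.
            if today - acct.password_set > SERVICE_PW_MAX_AGE:
                findings["rotation_overdue"].append(acct.name)
        if acct.kind == "admin" and not acct.mfa_enabled:
            findings["admin_without_mfa"].append(acct.name)
    return findings


if __name__ == "__main__":
    for category, names in review_accounts(ACCOUNTS, AS_OF).items():
        print(f"{category}: {names}")
```

Service accounts are deliberately excluded from the dormancy check: many never sign in interactively, so "no recent login" says nothing about whether they are still in use, and their risk is better caught by password age and by tracking where the credential is used.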
Control 6: Access Control Management
Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.
Some user activities, while required for consistent operation of the business, are inherently higher risk. As such, it is critical to ensure only authorized users can perform activities such as configuration changes to operating systems and applications, the ability to add, change, and remove users, and accessing sensitive data or applications. Ensuring these permissions are assigned based on role and have strict authentication controls is critical to protecting sensitive systems and data.
Implement role-based access controls, including provisioning processes to ensure user access permissions are assigned according to the least-privilege principle. Require multi-factor authentication for cloud services, remote network access, and administrator accounts.
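Least privilege is easiest to verify when every permission flows from a role and any direct grant is treated as an exception to review. The script below is an added example, not code from the post: over a constructed set of roles, users and permissions it computes each user's effective permissions, flags direct grants that bypass the role model, and flags holders of higher-risk permissions (the post's examples: OS and application configuration changes, user administration, sensitive data access) who do not use MFA. The role definitions, the privileged-permission list and the MFA rule are assumptions made for the example.

```python
# Added example (not from the post): auditing role-based access against a
# least-privilege model, as Control 6 describes. All roles, users and permission
# names are constructed; PRIVILEGED and the MFA rule are assumptions.
from dataclasses import dataclass, field

# Role definitions: each role carries exactly the permissions its job function needs.
ROLES = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "dba": {"db:read", "db:admin"},
    "helpdesk": {"user:reset_password"},
}

# Higher-risk permissions whose holders must use MFA (assumption for the example).
PRIVILEGED = {"db:admin", "os:config", "user:create", "user:delete"}


@dataclass
class User:
    name: str
    roles: list
    direct_grants: set = field(default_factory=set)  # permissions assigned outside any role
    mfa_enabled: bool = False


# Constructed user export.
USERS = [
    User("dana", ["developer"], set(), True),
    User("erin", ["developer"], {"db:admin"}, False),
    User("frank", ["dba"], set(), False),
    User("gina", ["helpdesk"], {"repo:read"}, True),
]


def role_permissions(user, roles=ROLES):
    """Permissions the user holds purely through assigned roles."""
    perms = set()
    for role in user.roles:
        perms |= roles.get(role, set())
    return perms


def effective_permissions(user, roles=ROLES):
    """Union of role permissions and any direct grants: what the user can actually do."""
    return role_permissions(user, roles) | user.direct_grants


def audit_access(users, roles=ROLES, privileged=PRIVILEGED):
    """Flag direct grants that bypass the role model (least-privilege deviations)
    and privileged-permission holders lacking MFA."""
    findings = {"direct_grant_outside_role": [], "privileged_without_mfa": []}
    for user in users:
        extra = sorted(user.direct_grants - role_permissions(user, roles))
        if extra:
            findings["direct_grant_outside_role"].append((user.name, extra))
        held = sorted(effective_permissions(user, roles) & privileged)
        if held and not user.mfa_enabled:
            findings["privileged_without_mfa"].append((user.name, held))
    return findings


if __name__ == "__main__":
    for category, items in audit_access(USERS).items():
        print(f"{category}: {items}")
```

Note that gina's extra permission is harmless on its own, but it still appears as a finding: the point of the check is that permissions reach users only through roles, so that revoking a role (or moving someone between teams) removes everything it granted without leaving stray direct grants behind.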
Check back next Monday, Oct. 18, for a deep dive into CIS controls 7-12. And remember you’re not in this alone. Working with a cybersecurity partner, like BARR Advisory, can help ensure your organization is secured from top to bottom. Contact us if you need assistance in understanding or implementing any of these controls within your own organization.