With the Center for Internet Security (CIS) recently releasing version eight of its controls, consolidating the previous 20 controls into 18, let’s dive into the second set of six controls together to make it more digestible.
To simplify things, we’ll describe each control briefly along with why it is important and how you can easily weave each control into your cybersecurity program. Find a recap of controls 1-6 here.
Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure to remediate and minimize the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.
Cybersecurity information is constantly evolving with new trends, software updates, security advisories, and more. It’s critical to continue to stay abreast of new vulnerabilities because the attackers have access to the same information your organization does. As such, it is critical to have vulnerability scanning tools and procedures in place to identify, triage, track, and remediate as soon as possible.
Establish and maintain a vulnerability management process that includes both technical controls such as vulnerability scanners and procedures to remediate identified vulnerabilities. You should perform scans on both internal enterprise assets and externally exposed assets, including software and applications. Perform automated patch management to applications and operating systems whenever possible.
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Log collections and analysis is critical to detect and prevent malicious activity on an organization’s network and assets within. It’s also imperative for incident response activities in the event of a breach. This includes logging both at the system level and to identify user-level events.
Establish a robust process to collect, analyze, retain, and alert on audit logs. Ensure logs include sources such as DNS queries, command-line, and URL request logs. Logging systems should be synchronized to a centralized time source. Your teams should also implement procedures to review audit logs when necessary or, in some cases, on a defined cadence (e.g., monthly, quarterly).
Improve protections and detections of threats from email and web vectors, as there are opportunities for attackers to manipulate human behavior through direct engagement.
Web browsers and email services are one of the most prevalent vectors used by attackers to compromise systems, networks, and data. Users can be easily tricked into clicking a bad link, providing sensitive data, or disclosing credentials. Implementing as many automated protection mechanisms as possible helps users as they go about their daily activities and may not be focused on security 100 percent of the time.
There are many controls inherently designed into SaaS- based office products such as Google Workspace and Office 365. Review your configurations against the CIS Benchmarks to ensure your organization’s account is hardened. For example:
Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.
Malware, including viruses or Trojans, are one of the most commonly used attacks. Cybercriminals use them to steal credentials, exfiltrate data, encrypt or destroy data, and more. At times, it’s as easy as a user clicking a link, opening an attachment, installing an external drive, or software. As such, it’s critical to install malware protection at strategic points within the network, and on servers and workstations within the organization.
Deploy and maintain anti-malware software on all company assets. You should also configure the software with automated signature updates and apply the appropriate anti-malware protections to removable media devices. Consider leveraging tools such as Mobile Device Management (MDM) to monitor and/or enforce configurations, patching, and antivirus software on machines.
Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.
Availability of data is a critical aspect of the cybersecurity triad, particularly for cloud services such as SaaS providers. Whether you need to restore after a ransomware attack or an outage at the primary data center, it’s important to have the ability to restore the data and systems required to achieve business objectives, comply with laws and regulations, and satisfy customer requirements.
Establish and maintain a formal data recovery process that includes automated backups, encryption for recovery data, and a multi-location data storage strategy. You should also periodically perform test restorations of recovery data.
Establish, implement, and actively manage (e.g., track, report, correct) network devices to prevent attackers from exploiting vulnerable network services and access points.
Attackers can exploit flaws, gaps, and inconsistencies in devices such as firewalls, routers, and switches. Improper configuration of these devices gives attackers access to networks, the ability to redirect traffic on a network, intercept information in transmission, or use the network entrance to gain access to more sensitive systems and data. It’s crucial to protect both physical network devices and virtualized networks such as those in public clouds like AWS, GCP, and Azure.
Establish a baseline network security architecture and configuration standards. Continuously monitor your network infrastructure configurations to ensure they are up-to-date, in line with the company baseline requirements, and the CIS Benchmarks for each applicable network component.
Check back next Monday, Oct. 25, for a deep dive into the final CIS controls 13-18. And remember you’re not in this alone. Working with a cybersecurity partner, like BARR Advisory, can help ensure your organization is secured from top to bottom. Contact us if you need assistance in understanding or implementing any of these controls within your own organization.