The Center for Internet Security (CIS) is a nonprofit organization responsible for developing the CIS Controls® and CIS Benchmarks™, the globally recognized standard and best practices for securing IT systems and data against the most persistent cyber attacks.
The latest version of the CIS Controls, version 7.1, adds a prioritization scheme (the Implementation Groups) so that organizations can practice good cyber hygiene regardless of their resources and expertise. John Gilligan, CEO of the Center for Internet Security, states that the majority of security incidents occur when basic controls are lacking or poorly implemented. He adds that the first six CIS Controls have been assessed as preventing up to 90% of cyber attacks.
As the CIS Benchmarks cover more than 100 different operating systems, applications and network devices, with thousands of pages of configuration guidance and best practices, it is no wonder people often ask: how do I start implementing the CIS Controls in my organization?
Last week, CIS and NNT hosted a webinar that gave hundreds of attendees guidance on implementing the six CIS Basic Controls, the controls that matter most for a robust network security posture. To summarize:
- Follow a Best Practice Framework Approach - the six Basic CIS Controls are the most important controls to address, and they can be adopted whatever the size, expertise or resources of the organization. The smart money is on a framework approach to cyber security, so listen to the experts at CIS and their community of leading practitioners from around the world.
- Achieve More with Less - the CIS Controls map to a variety of security standards and frameworks, including NIST SP 800-53, ISO 27000 and NIST SP 800-171, with mappings to HIPAA, PCI DSS and COBIT expected in the near future, so work done against the Controls counts toward several compliance regimes at once.
- Consider CIS Implementation Groups - the new CIS Implementation Groups (IGs) are designed to make it easier for smaller, less well-resourced organizations to reach their cyber security goals without spending a lot of money. Determine which group (IG1 to IG3) your organization belongs to based on the sensitivity of its data and the criticality of the services it offers, but start with IG1 regardless: its sub-controls represent “Cyber Hygiene”, the essential protections that must be in place to defend against common attacks.
- Know What You Have & Monitor for Vulnerabilities - organizations need a solid inventory of their hardware and software assets. Until you know what you have, you cannot work out how to secure it. Once you know what is in use, monitor it closely for exploitable vulnerabilities. A contemporary vulnerability scanner (such as OpenVAS) will report which vulnerabilities are present and what you need to do about them; an asset the scanner does not know about will never be scanned, which is why the inventory comes first.
- Control the Use of Admin Privileges - it is critical to control the usage, availability, scope and lifespan of admin accounts, and to change admin passwords regularly. Employees should have only the rights, privileges and permissions they need to do their job: no more, no less.
- Monitor for Secure Configurations & Change Control - organizations must monitor devices for secure configuration settings and watch for configuration drift away from the approved baseline. Put every configuration change through change control, assessing before it is made whether it will adversely affect security or widen the attack surface, and then, most importantly, address any unwanted change there and then. Drift you catch immediately is far easier to reverse than drift discovered months later, and catching it puts you in a far better position to recover your security posture.
- Embrace Audit Logging - logged events provide the audit trail of evidence for a breach. In the event of a breach, these logs let you ‘rewind the tape’ and see which devices were compromised and how far the intrusion spread. Forward the logs to a central log server, so that an attacker who compromises a device cannot erase its history, and review them on a regular basis.
- Help is Here - the Basic CIS Controls are the superheroes here to help us defend against today’s most relentless and advanced cyber-attacks. Up to 90% of attacks can be prevented by implementing just these six controls, so take the leap and get started.
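The secure-configuration and change-control point above is easier to see in code. The following is an added example written for this summary, not code from the webinar, CIS or NNT: it parses an sshd_config-style file, checks a few settings against a hardened baseline, and classifies drift between two snapshots of the file. The expected values in EXPECTED and the two configuration snapshots are constructed for illustration and are not a transcription of any CIS Benchmark recommendation.

```python
"""Secure-configuration check and drift detection (added example).

Assumes an sshd_config-style "Keyword value" text file. The expected values
and both snapshots below are constructed for this example.
"""
import hashlib

# Hardened values to enforce. Assumed for this example, not copied from a
# CIS Benchmark.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed snapshots: the approved baseline and a later copy of the same
# file after someone "temporarily" loosened it.
BASELINE_TEXT = """\
# sshd_config (baseline)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
"""

DRIFTED_TEXT = """\
# sshd_config (current)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
PermitEmptyPasswords yes
"""


def parse_settings(text):
    """Parse 'Keyword value' lines, ignoring blanks and comments.

    sshd keywords are case-insensitive and the daemon applies the FIRST
    occurrence of a keyword, so keys are lower-cased and later duplicates
    are ignored (a second, looser entry further down would otherwise fool
    a naive checker).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)
    return settings


def check_benchmark(settings, expected=EXPECTED):
    """Return (key, expected, actual) for every deviating setting.

    A missing keyword is reported with actual=None: the daemon then falls
    back to its built-in default, which may not be the hardened value.
    """
    findings = []
    for key, want in expected.items():
        actual = settings.get(key.lower())
        if actual is None or actual.lower() != want.lower():
            findings.append((key, want, actual))
    return findings


def fingerprint(text):
    """Cheap change detector: any edit, even to a comment, changes the hash."""
    return hashlib.sha256(text.encode()).hexdigest()


def diff_snapshots(old, new):
    """Classify drift between two parsed snapshots as added/removed/changed."""
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys()
               if old[k] != new[k]}
    return added, removed, changed


def assess(baseline_text, current_text):
    """Has the file changed at all, and if so does the drift weaken security?"""
    if fingerprint(baseline_text) == fingerprint(current_text):
        return {"changed": False, "findings": [], "drift": ({}, {}, {})}
    base, cur = parse_settings(baseline_text), parse_settings(current_text)
    return {"changed": True,
            "findings": check_benchmark(cur),
            "drift": diff_snapshots(base, cur)}


if __name__ == "__main__":
    result = assess(BASELINE_TEXT, DRIFTED_TEXT)
    for key, want, got in result["findings"]:
        print(f"FAIL    {key}: expected {want!r}, found {got!r}")
    added, removed, changed = result["drift"]
    for k, v in added.items():
        print(f"ADDED   {k} = {v}")
    for k, v in removed.items():
        print(f"REMOVED {k} (was {v})")
    for k, (old, new) in changed.items():
        print(f"CHANGED {k}: {old} -> {new}")
```

Run against the two constructed snapshots, the benchmark check fails on PermitRootLogin, and the drift report shows that setting changed plus a new PermitEmptyPasswords line that the benchmark list did not even cover. That second finding is the reason to track drift against a baseline rather than only scanning for a fixed list of bad values: an unexpected addition is worth a question at change-control time even before anyone has written a rule for it.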
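The admin-privilege and audit-logging points above come together when you actually review the logs. The following is an added example written for this summary, not code from the webinar, CIS or NNT: it parses a handful of constructed syslog-style sshd and sudo lines, rebuilds the per-host timeline (the ‘rewind the tape’ view), and flags two things a reviewer would want to see, a successful login that follows a burst of failures from the same source, and sudo use by an account that is not on the approved administrator list. The hosts, users, addresses, the APPROVED_ADMINS set and the FAILURE_THRESHOLD value are all assumptions made for the example.

```python
"""Audit-log review (added example).

Parses constructed syslog-style sshd/sudo lines, builds a per-host timeline,
and flags password guessing that succeeded and privilege use by non-admins.
"""
import re
from collections import defaultdict

# Constructed log lines in traditional syslog format (no year field).
# Hosts, users and addresses are invented for this example.
LOG_LINES = """\
Jun  3 09:14:02 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  3 09:14:05 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun  3 09:14:09 web01 sshd[2235]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Jun  3 09:14:12 web01 sshd[2235]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Jun  3 09:14:15 web01 sshd[2238]: Accepted password for deploy from 203.0.113.7 port 51041 ssh2
Jun  3 09:15:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Jun  3 09:20:01 db01 sshd[8810]: Accepted publickey for alice from 10.0.0.5 port 40112 ssh2
Jun  3 09:20:30 db01 sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
"""

APPROVED_ADMINS = {"alice"}   # assumption for this example
FAILURE_THRESHOLD = 3         # failures from one source before a success is suspicious

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$"
)


def parse_events(text):
    """Turn raw lines into dicts. Lines that match neither pattern are kept
    as 'unparsed' so that nothing is dropped silently during review."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({"kind": "auth", **m.groupdict()})
            continue
        m = SUDO_RE.match(line)
        if m:
            events.append({"kind": "sudo", **m.groupdict()})
            continue
        events.append({"kind": "unparsed", "raw": line})
    return events


def timeline(events):
    """Group parsed events per host in log order: the 'rewind the tape' view."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["kind"] != "unparsed":
            per_host[ev["host"]].append(ev)
    return dict(per_host)


def find_suspicious_logins(events, threshold=FAILURE_THRESHOLD):
    """Flag an Accepted login preceded by >= threshold Failed attempts from
    the same source address on the same host: password guessing that worked."""
    failures = defaultdict(int)
    hits = []
    for ev in events:
        if ev["kind"] != "auth":
            continue
        key = (ev["host"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
        else:
            if failures[key] >= threshold:
                hits.append((ev["ts"], ev["host"], ev["user"], ev["src"], failures[key]))
            failures[key] = 0   # a success ends the current burst
    return hits


def find_unapproved_sudo(events, approved=APPROVED_ADMINS):
    """Privilege use by any account that is not on the approved admin list."""
    return [(ev["ts"], ev["host"], ev["user"], ev["cmd"])
            for ev in events if ev["kind"] == "sudo" and ev["user"] not in approved]


if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    for host, items in timeline(evs).items():
        print(f"== {host}: {len(items)} events")
    for ts, host, user, src, n in find_suspicious_logins(evs):
        print(f"{ts} {host}: '{user}' logged in from {src} after {n} failures")
    for ts, host, user, cmd in find_unapproved_sudo(evs):
        print(f"{ts} {host}: unapproved sudo by '{user}': {cmd}")
```

On the constructed input the review shows the story in order: four failed guesses from one address, a successful password login for deploy from the same address seconds later, and then deploy reading /etc/shadow as root, while alice on db01 is legitimate. The same code run over lines that only exist on a compromised host would tell you nothing if the intruder cleared them, which is why the logs should already be on a central server before you need them.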
To learn more about how to adopt the 6 Basic CIS Controls, watch our latest webinar on-demand.