For today’s “Framework Friday” let’s discuss CIS 18 (the Center for Internet Security Critical Security Controls, version 8). The CIS Controls are a good starting place for organizations just getting started with framework implementation. The control set contains 18 controls. To help understand them, I’ll list each one, along with what it means in practice and the risk of ignoring it.
- Control 1: Inventory and Control of Enterprise Assets
  - What this means: Keep an accurate, current list of every device that connects to the network, and have the ability to manage those devices, including removing unauthorized ones.
  - Risk if ignored: Unauthorized devices can be connected to the network and used as entry points, whether by an insider (including well-meaning shadow IT) or by an external attacker.
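The practical test for this control is reconciliation: does what is actually on the wire match the inventory? The following is an added example, not code from the original post. The authorized inventory and the observed-device list are constructed sample data; in practice the observed list would come from DHCP leases, switch MAC tables, or an NAC/EDR export, and the inventory from a CMDB. It normalizes the inconsistent MAC formats such exports produce, which is the usual reason naive comparisons miss devices.

```python
"""Reconcile observed network devices against an authorized asset inventory.

Added example (not from the original post). AUTHORIZED and OBSERVED are
constructed sample data standing in for a CMDB export and a DHCP/ARP export.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed authorized inventory: MAC -> (hostname, owner)
AUTHORIZED = {
    "00:1A:2B:3C:4D:5E": ("fileserver01", "IT"),
    "00:1A:2B:3C:4D:5F": ("ws-alice", "Finance"),
    "AA:BB:CC:00:11:22": ("printer-2f", "Facilities"),
}

# Constructed observed devices (e.g. a DHCP lease export). MACs arrive in
# inconsistent formats; a naive string comparison would miss the first two.
OBSERVED = [
    {"mac": "00-1a-2b-3c-4d-5e", "ip": "10.0.1.10"},   # Windows-style dashes
    {"mac": "001a.2b3c.4d5f",    "ip": "10.0.1.23"},   # Cisco dotted format
    {"mac": "DE:AD:BE:EF:00:01", "ip": "10.0.1.77"},   # not in inventory
]


def normalize_mac(mac: str) -> str:
    """Return a MAC as uppercase colon-separated hex regardless of input style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: Optional[str]
    reason: str


def reconcile(authorized, observed):
    """Return (unauthorized, missing).

    unauthorized: devices seen on the network but absent from the inventory.
    missing: inventory entries not seen at all (moved, stolen, or stale records).
    """
    auth = {normalize_mac(m): meta for m, meta in authorized.items()}
    seen = {normalize_mac(dev["mac"]): dev["ip"] for dev in observed}
    unauthorized = [Finding(m, ip, "on network but not in inventory")
                    for m, ip in seen.items() if m not in auth]
    missing = [Finding(m, None, f"in inventory ({auth[m][0]}) but not seen")
               for m in auth if m not in seen]
    return unauthorized, missing


if __name__ == "__main__":
    unauth, miss = reconcile(AUTHORIZED, OBSERVED)
    for f in unauth + miss:
        print(f"{f.mac:17} {f.ip or '-':12} {f.reason}")
```

Run this on a schedule and feed the "unauthorized" list to whatever enforces the control (NAC quarantine, a ticket, or at minimum an alert); the "missing" list is just as useful for catching stale inventory records.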
- Control 2: Inventory and Control of Software Assets
  - What this means: Ensure that only approved software is installed. Maintain a current list of all approved software, including license information. Unauthorized software that is discovered is prevented from executing (application allowlisting) and removed.
  - Risk if ignored: Unapproved software is a ready vector for introducing malware into the environment.
- Control 3: Data Protection
  - What this means: All data, and especially sensitive data such as Personally Identifiable Information (PII) and Protected Health Information (PHI), must be identified, classified, and guarded to prevent compromise. These data must also be disposed of securely when they are no longer needed.
  - Risk if ignored: Attackers prize this information: it can be used for extortion, identity theft, or simply sold.
- Control 4: Secure Configuration of Enterprise Assets and Software
  - What this means: When setting up a new system, whether on-premises or cloud-based, make security the primary mindset when configuring it: change default credentials, disable unneeded services, and apply a hardened baseline (CIS publishes Benchmarks for exactly this purpose). Never expose a new system to the public without thoroughly checking it for security weaknesses.
  - Risk if ignored: Insecurely configured systems are routinely left with default passwords, unnecessary open services, or permissions that give every user full access. That is an open invitation for an attacker to walk in and take over.
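A baseline is only useful if something checks systems against it. The following is an added example, not code from the original post, showing a weak OpenSSH server configuration beside a hardened one and a small auditor that flags deviations. The two config texts are constructed, and the baseline values are typical hardening recommendations used for illustration, not a copy of any CIS Benchmark. The parser mirrors two sshd behaviours that trip up hand-rolled checks: the first occurrence of a directive wins, and settings after a `Match` line are conditional.

```python
"""Audit an OpenSSH sshd_config against a small hardening baseline.

Added example (not from the original post). WEAK_CONFIG and HARDENED_CONFIG
are constructed; BASELINE holds illustrative hardening values.
"""
import re

WEAK_CONFIG = """\
# package-default sshd_config left in place after install
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
"""

# directive -> (predicate on the configured value, human-readable expectation)
BASELINE = {
    "PermitRootLogin":        (lambda v: v == "no", "no"),
    "PasswordAuthentication": (lambda v: v == "no", "no (use keys)"),
    "PermitEmptyPasswords":   (lambda v: v == "no", "no"),
    "X11Forwarding":          (lambda v: v == "no", "no"),
    "MaxAuthTries":           (lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
    "LogLevel":               (lambda v: v in ("VERBOSE", "INFO"), "VERBOSE or INFO"),
}


def parse_sshd_config(text):
    """Return {directive (lowercased): value} for the global section.

    sshd uses the FIRST occurrence of a directive, so a hardened line appended
    to the end of a file does not override an earlier weak one. Everything
    after a Match line is conditional, so parsing stops there.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        cfg.setdefault(key, value)   # first occurrence wins, as in sshd
    return cfg


def audit(text, baseline=BASELINE):
    """Return a list of (directive, configured_value_or_None, expectation)."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive, (ok, expected) in baseline.items():
        value = cfg.get(directive.lower())
        if value is None:
            # Not stating a directive means the compiled-in default applies;
            # make that explicit rather than silently assuming it is safe.
            findings.append((directive, None, f"not set, default applies; expected {expected}"))
        elif not ok(value):
            findings.append((directive, value, f"expected {expected}"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(text))} finding(s)")
        for directive, value, expected in audit(text):
            print(f"  {directive}: {value!r} ({expected})")
```

The same pattern (parse the way the daemon parses, compare against an explicit baseline, treat "not set" as a finding) carries over to any other service configuration; the details that matter are the parsing quirks, which is why they are encoded in the parser rather than left to the reviewer.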
- Control 5: Account Management
  - What this means: Ensure user accounts are disabled or removed when employees leave the company, and review accounts regularly for ones that are no longer used. Pay very close attention to service accounts, as many of them carry administrative privileges.
  - Risk if ignored: One of the best ways an attacker can infiltrate an organization is with a valid account. If an unused or forgotten account is compromised, the activity looks like a legitimate user and is highly likely to go unnoticed.
- Control 6: Access Control Management
  - What this means: Only allow access to what is needed to do the job, also called “least privilege”. Additionally, have processes in place to create, assign, manage, and revoke access credentials for user, administrator, and service accounts.
  - Risk if ignored: If every user has access to every resource, the opportunity for compromise is high. Imagine an intern having access to all of a company’s financial data and accidentally (or purposefully) deleting, stealing, or altering it.
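Controls 5 and 6 are usually checked together from the same directory export: dormant-but-enabled accounts (Control 5) and service accounts sitting in privileged groups (Control 6). The following is an added example, not code from the original post. The account records are constructed in the shape of a typical CSV dump from AD/LDAP/an IdP, the "now" timestamp is fixed so the result is reproducible, and the 90-day dormancy threshold and the list of privileged groups are assumptions to tune for your environment.

```python
"""Find dormant accounts and over-privileged service accounts in a directory export.

Added example (not from the original post). ACCOUNTS_CSV is constructed
sample data; NOW, PRIVILEGED_GROUPS and the 90-day threshold are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ACCOUNTS_CSV = """\
sam,enabled,type,last_logon,groups
alice,True,user,2025-03-01T08:12:00Z,Finance
bob,True,user,2024-09-15T17:45:00Z,Engineering
svc_backup,True,service,2025-03-02T02:00:00Z,Domain Admins;Backup Operators
svc_legacy,True,service,,Domain Admins
carol,False,user,2023-12-01T09:00:00Z,Finance
"""

# Assumed set of groups that confer administrative control of the directory.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
# Fixed "now" so the review is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 3, 10, tzinfo=timezone.utc)


def load_accounts(csv_text):
    """Parse the export into dicts with typed fields (bool, datetime, set)."""
    accounts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = row["last_logon"].strip()
        accounts.append({
            "sam": row["sam"],
            "enabled": row["enabled"].strip().lower() == "true",
            "type": row["type"].strip().lower(),
            # Empty last_logon means the account has never authenticated.
            "last_logon": datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None,
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
        })
    return accounts


def review(accounts, now=NOW, dormant_days=90):
    """Return a list of (account, reason) findings for enabled accounts."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue   # already disabled: not a finding for this review
        last = a["last_logon"]
        if last is None:
            findings.append((a["sam"], "enabled but has never logged on"))
        elif now - last > timedelta(days=dormant_days):
            findings.append((a["sam"],
                             f"dormant: last logon {last.date()} ({(now - last).days} days ago)"))
        priv = a["groups"] & PRIVILEGED_GROUPS
        if a["type"] == "service" and priv:
            findings.append((a["sam"], "service account holds " + ", ".join(sorted(priv))))
    return findings


if __name__ == "__main__":
    for sam, reason in review(load_accounts(ACCOUNTS_CSV)):
        print(f"{sam:12} {reason}")
```

Note that a service account that has never logged on yet holds Domain Admins is the worst case here: nobody is using it, so nobody will notice when an attacker does.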
- Control 7: Continuous Vulnerability Management
  - What this means: Scan the entire infrastructure regularly for unpatched systems, security gaps, and other weaknesses, and remediate what is found on a defined schedule driven by severity.
  - Risk if ignored: An attacker’s favorite thing to find is an unpatched system with a known exploit. Patching is not a fun exercise, and many organizations put it off. Many managed security providers offer “patching as a service” to keep systems up to date.
- Control 8: Audit Log Management
  - What this means: Audit logs are records of the activity occurring on a system: access, changes, and so on. Collect them centrally, protect them from tampering, retain them long enough to support an investigation, and actually review them.
  - Risk if ignored: If a system is suspected of having been compromised, without adequate logging there is no way to reconstruct what happened.
- Control 9: Email and Web Browser Protections
  - What this means: Email and web browsers are the applications users rely on most, and a large share of malware (including ransomware) is delivered via email (phishing) and malicious web sites.
  - Risk if ignored: Phishing is the #1 reported cybercrime. Email security gateways such as Mimecast or Proofpoint (among others) are a strong way to blunt these attacks. Additionally, phishing-resistant passwordless authentication has made huge strides in recent years, which removes much of the payoff from stolen credentials.
- Control 10: Malware Defenses
  - What this means: Not long ago, malware defense simply meant having an anti-virus product. Because malware has become increasingly complex, stronger defenses are necessary. EDR (endpoint detection and response), often coupled with MDR (managed detection and response), has become a priority in today’s world.
  - Risk if ignored: Malware takes many forms, all of them harmful; ransomware, for instance, is one form of malware. Catching malware before it runs is key to building cyber resilience.
- Control 11: Data Recovery
  - What this means: Being able to recover data after accidental (or deliberate) deletion or encryption is highly important. While most organizations have a backup strategy and do back up data regularly, few actually test that they can restore the data properly.
  - Risk if ignored: If the restore fails when it is needed, that data, typically the lifeblood of an organization, is gone forever.
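The untested-restore problem has a mechanical fix: restore to a scratch location and verify every file cryptographically, rather than trusting that the archive "looks fine". The following is an added example, not code from the original post. It builds a constructed sample directory in a temporary folder, backs it up to a tar archive, restores it elsewhere, compares SHA-256 digests file by file, and then shows that a corrupted restored file is caught. The archive format and the use of tar are choices made for the example; the same verify step applies to any backup tool.

```python
"""Backup, restore to a scratch directory, and verify every file by SHA-256.

Added example (not from the original post). The sample files are created in
a temporary directory, so the drill runs offline and cleans up after itself.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_tree(root):
    """Map each file's path (relative, POSIX style) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, archive):
    """Write src into a gzip-compressed tar archive, rooted at '.'."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")


def restore(archive, dest):
    """Extract the archive into dest, refusing path traversal where supported."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):       # Python 3.12+ and security backports
            tar.extractall(dest, filter="data")   # rejects absolute paths and '..' members
        else:
            tar.extractall(dest)                  # older Pythons: no filter available


def verify_restore(src, dest):
    """Return (ok, mismatches): files missing, extra, or with differing content."""
    expected, actual = sha256_tree(src), sha256_tree(dest)
    mismatches = sorted(k for k in set(expected) | set(actual)
                        if expected.get(k) != actual.get(k))
    return (not mismatches, mismatches)


def run_drill():
    """Full drill on constructed data.

    Returns (clean_restore_ok, mismatches_after_tampering): the first should be
    True, the second should name exactly the file that was corrupted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive, dest = tmp / "src", tmp / "backup.tar.gz", tmp / "restore"
        (src / "data").mkdir(parents=True)
        (src / "data" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")   # constructed
        (src / "notes.txt").write_text("constructed sample file\n")             # constructed

        backup(src, archive)
        restore(archive, dest)
        clean_ok, _ = verify_restore(src, dest)

        # Simulate silent corruption of the restored copy and confirm it is caught.
        (dest / "data" / "ledger.csv").write_bytes(b"id,amount\n1,100\n2,999\n")
        _, mismatches = verify_restore(src, dest)
        return clean_ok, mismatches


if __name__ == "__main__":
    ok, bad = run_drill()
    print("clean restore verified:", ok)
    print("tampering detected in:", bad)
```

In a real drill the "src" digests come from the production system at backup time and are stored separately from the backup, so that a backup corrupted or encrypted after the fact still fails verification.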
- Control 12: Network Infrastructure Management
  - What this means: Ensure that the devices that keep your network running (routers, switches, firewalls, etc.) are securely configured, kept up to date, and managed only through secured administrative channels.
  - Risk if ignored: If essential network gear isn’t secured and is easily accessible, attackers have the opportunity to take control of it or simply intercept traffic.
- Control 13: Network Monitoring and Defense
  - What this means: CIS’s approach in this control is shifting toward a “meshed” approach to monitoring and defense that adapts to modern processes (source: https://blog.netwrix.com/2023/01/19/cis-control-13-network-monitoring-and-defense/). This includes alerting, intrusion detection and prevention, segmentation, access control, log aggregation, and filtering. Most of this is performed with dedicated tooling so that a single department or individual isn’t overwhelmed by the sheer volume of data.
  - Risk if ignored: If this control isn’t implemented, or is implemented only partially, attackers have ample opportunity to infiltrate an organization without anyone noticing they are there. Many criminals spend days, weeks, or months inside an infrastructure before causing any harm; this is called dwell time. They wait for the opportune moment before launching an attack.
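Controls 8 and 13 meet in the alerting logic: logs are only worth collecting if something reads them, and a long dwell time is usually a sign that the early noise (failed logins, then one success) was never correlated. The following is an added example, not code from the original post, that runs a small detection over sshd authentication log lines. The log lines are constructed; the thresholds (5 failures from one source within 60 seconds, and a success within 10 minutes of a failure from the same source) and the log year are assumptions.

```python
"""Detect an authentication-failure burst and a subsequent success from the same source.

Added example (not from the original post). SAMPLE_LOG is constructed;
YEAR and the thresholds in detect() are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 10 02:14:07 bastion sshd[4022]: Failed password for invalid user admin from 203.0.113.45 port 51123 ssh2
Mar 10 02:14:13 bastion sshd[4023]: Failed password for root from 203.0.113.45 port 51124 ssh2
Mar 10 02:14:19 bastion sshd[4024]: Failed password for deploy from 203.0.113.45 port 51125 ssh2
Mar 10 02:14:25 bastion sshd[4025]: Failed password for deploy from 203.0.113.45 port 51126 ssh2
Mar 10 02:14:31 bastion sshd[4026]: Failed password for deploy from 203.0.113.45 port 51127 ssh2
Mar 10 02:14:40 bastion sshd[4027]: Accepted password for deploy from 203.0.113.45 port 51130 ssh2
Mar 10 03:30:02 bastion sshd[4500]: Failed password for bob from 198.51.100.7 port 60001 ssh2
Mar 10 09:01:12 bastion sshd[5100]: Accepted publickey for alice from 10.0.1.23 port 40022 ssh2
Mar 10 09:01:13 bastion systemd[1]: Started Session 12 of user alice.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
YEAR = 2025   # classic syslog lines carry no year; assumed for the constructed sample


def parse(log_text):
    """Turn sshd auth lines into sorted event dicts; other daemons' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=YEAR)
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, burst=5, burst_window=timedelta(seconds=60),
           success_window=timedelta(minutes=10)):
    """Return alerts: one per source for a failure burst, and one per success
    that follows recent failures from the same source (the high-value signal)."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    burst_alerted = set()
    for e in events:
        q = failures[e["src"]]
        if e["result"] == "Failed":
            q.append(e["ts"])
            while q and e["ts"] - q[0] > burst_window:   # slide the window
                q.popleft()
            if len(q) >= burst and e["src"] not in burst_alerted:
                burst_alerted.add(e["src"])
                alerts.append({"type": "auth-failure-burst", "src": e["src"],
                               "ts": e["ts"], "count": len(q)})
        else:   # Accepted
            recent = [t for t in q if e["ts"] - t <= success_window]
            if recent:
                alerts.append({"type": "success-after-failures", "src": e["src"],
                               "ts": e["ts"], "user": e["user"], "method": e["method"],
                               "prior_failures": len(recent)})
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

The single failure from 198.51.100.7 and alice's key-based login produce nothing, which is the point: the detection keys on the sequence, not on individual noisy events, and the "success after failures" alert is the one that deserves an immediate look.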
- Control 14: Security Awareness and Skills Training
  - What this means: All employees must be trained on how to spot and avoid potential cyber attacks, especially phishing, and on what to do when they are targeted.
  - Risk if ignored: There’s a saying: “we don’t hack machines, we hack people”. It is very true. Phishing is still the #1 attack vector, and training users to spot it and to know what to do when they are targeted is a key element of building a secure environment.
- Control 15: Service Provider Management
  - What this means: This control focuses on managing the risks associated with third-party vendors and service providers. It is especially key for those that handle sensitive data or IT services: cloud providers, payroll processors, credit card processors, etc. Policies should be in place to ensure that these vendors have adequate security practices, along with the right to audit and review them on a regular basis.
  - Risk if ignored: Vendors are often the weak link. Notable attacks have shown this: the 2013 Target breach is the textbook case, with the attackers getting in using network credentials stolen from an HVAC contractor, and the 2023 MGM Resorts attack is frequently cited alongside it. Cybercriminals target these relationships knowing they are often the easiest way in.
- Control 16: Application Software Security
  - What this means: This control requires that application software be developed with a “security first” mindset. Code reviews are critical, as is constant and consistent security testing throughout the development cycle. Secure DevOps practices are also part of this, ensuring true segregation of duties between development and deployment.
  - Risk if ignored: Without security built into development, the risk of attackers exploiting flaws in the application rises sharply.
- Control 17: Incident Response Management
  - What this means: When (not if) a cyber attack occurs, you must have a clear plan that outlines the steps to take. The plan covers the who, what, when, and where of incident response: who does what, what they do, when they do it, and where it is done.
  - Risk if ignored: If an incident response plan is not in place and exercised regularly, a real incident will turn into chaos. Nobody will know what to do, and the resulting confusion will cost precious time and, with it, more money.
- Control 18: Penetration Testing
  - What this means: Test the effectiveness of your countermeasures regularly, ideally any time a material change takes place in the infrastructure. Note that while penetration testing is a necessary control, it should not take the place of vulnerability scanning and security assessments. All three are necessary components of an effective security program.
  - Risk if ignored: You will not know which holes in your security program an attacker will be able to exploit.
Note that the above is a very simplified explanation of a very robust framework. There is much more detail to implementing CIS 18 in an organization, but this should give a solid understanding of the controls it recommends.
© 2025, Think Like A Bad Guy. All rights reserved.