The CIS Controls – An Overview of What They Are and What’s New in Version 8
The events of 2020 accelerated many organizations’ plans for digital transformation, compelling them to adopt cloud computing and virtualization in support of remote work. It appears that those changes will last long after 2020. In April 2020, for instance, Gartner revealed that 74% of CFOs and finance leaders intended to move at least 5% of previously on-site workforce to permanently remote positions following the pandemic. Several months later, Forbes reported that the percentage of permanent remote workers was expected to double in 2021. Such growth is expected to continue over the next few years, eventually resulting in 70% of the workforce working remotely at least five days a month by 2025.
Change Reflected in the CIS Controls
The changes discussed above have complicated digital security for many organizations. Remote work means new types of devices are connecting to the corporate network in ever-increasing growing numbers. The ways in which organizations are pursuing their digital security are naturally changing in response.
This reality is evident in the release of the Center for Internet Security’s Critical Security Controls (CIS Controls) v8. As articulated on the Center for Internet Security’s website, the CIS Controls are a set of actions that organizations can use to defend themselves against some of the most prevalent types of digital attacks today. The security measures do this by providing infosec personnel with a starting point for their digital defenses. Using built-in prioritization, the CIS Controls then help professionals to focus on actions that will have the greatest impact in alleviating digital risk in the organization. They also include additional actions that security teams can use to further reduce sources of digital risk confronting their employers.
Version 8 of the CIS Controls breaks with the past by taking the events of 2020 into account. It does this by including requirements around the management of cloud and mobile technologies. (The version even comes with an entirely new security measure, CIS Control 15: Service Provider Management, as a means of helping organizations to manage their service providers.) It also represents a streamlined set of security recommendations, as it includes fewer top-level Controls and Safeguards (formerly Sub-Controls) at 18 and 153, respectively.
Some Things Stayed the Same
Not everything in Version 8 is new, however. The most recent version keeps with a recent trend of organizing the CIS Controls “by activity vs. how things are managed,” as the Center for Internet Security explained it in a blog post. This effort specifically involves grouping each security measure into one of three Implementation Groups (IGs) as a means of helping organizations to prioritize the implementation of the CIS Controls. IG1 consists of basic hygiene that security personnel can use to defend their organizations against some of the most common types of attacks. This category precedes IG2, which includes even more security recommendations, and IG3, which encapsulates all Controls and Safeguards.
These different levels of priority are evident in the CIS Controls themselves. Provided below is a list of all 18 measures included in Version 8:
- CIS Control 1: Inventory and Control of Enterprise Assets – Organizations need to know what hardware is connected to the network if they want to protect it. Simultaneously, they need to figure out if there are any unauthorized or unmanaged assets in their environments.
- CIS Control 2: Inventory and Control of Software Assets – This Control carries the same security functionality as CIS Control 1. The only difference is that it applies to all software (operating systems and applications) on the network.
- CIS Control 3: Data Protection – This measure requires security professionals to develop processes and technical controls for protecting their organization’s data. It involves identification, disposal, and everything else in between.
- CIS Control 4: Secure Configuration of Enterprise Assets and Software – It’s imperative that organizations establish a secure configuration as a baseline for each of their enterprise assets. They can then use those baselines to detect and respond to instances of configuration drift.
- CIS Control 5: Account Management – Using this Control, infosec personnel can develop processes and tools around assigning and managing authorization for admin accounts and other types of accounts that are in use.
- CIS Control 6: Access Control Management – Building off Control 5, security teams need a formal way of creating, assigning, managing, and revoking access credentials and privileges for whatever types of accounts are used by the organization.
- CIS Control 7: Continuous Vulnerability Management – Organizations need a way to track and prioritize known vulnerabilities on their enterprise assets. With those processes, security teams can then develop a patching schedule for those weaknesses.
- CIS Control 8: Audit Log Management – With this Control, security teams can detect and respond to an attack by collecting, reviewing, and analyzing audit logs of potential security issues and events.
- CIS Control 9: Email and Web Browser Protections – Some malicious actors use email and web browsers as their attack vectors. It’s therefore important that organizations have protections against these types of threats.
- CIS Control 10: Malware Defenses – Protecting against malware goes beyond just preventing the execution of a malicious file. It also involves controlling the installation and spread of malicious applications, code, and scripts.
- CIS Control 11: Data Recovery – Organizations can lose data in natural disasters like fires or other events like ransomware attacks. Acknowledging that reality, organizations need a way to restore their data to a trusted state.
- CIS Control 12: Network Infrastructure Management – Some attackers have broadened their gaze to the network. In response, organizations can use this Control to prevent malicious actors from misusing network services and access points.
- CIS Control 13: Network Monitoring and Defense – Along a similar vein as CIS Control 13, security teams need to monitor their network for anomalous activity that could be indicative of an attack that’s in progress.
- CIS Control 14: Security Awareness and Skills Training – Many attackers use social engineering techniques to prey upon the “human element” in employees. Organizations can counteract this with ongoing awareness training around security best practices.
- CIS Control 15: Service Provider Management – The purpose of this Control is to help organizations develop processes for evaluating service providers who hold sensitive data and ensuring that they’re taking steps to protect that information.
- CIS Control 16: Application Software Security – It’s imperative for organizations to emphasize security in every stage of an application that’s been internally developed. The same goes for hosted and acquired software.
- CIS Control 17: Incident Response Management – In the event they suffer an incident, organizations need to have policies, plans, and procedures for responding to the security event and for minimizing the damages of whatever happened.
- CIS Control 18: Penetration Testing – Finally, organizations can use penetration testing to evaluate the resiliency and effectiveness of whatever security measures they implemented in accordance with the preceding 17 Controls.
To build on this overview, I will be going into more depth regarding how ReliaQuest and our GreyMatter platform enabling Open XDR-as-a-Service delivers outcomes mapped to these Controls over the next few months.
In the meantime, for more information about the CIS Controls, click here: https://www.cisecurity.org/controls/.