What are the CIS controls?

The CIS controls, also known as the basic controls, are a set of security practices developed by the Center for Internet Security (CIS) to help organizations protect their systems and data against common cyber threats. These controls serve as a roadmap for implementing effective security measures to mitigate risk and protect against a wide range of attacks. By following the CIS controls, organizations can enhance their security posture, reduce vulnerabilities, and minimize the impact of potential security incidents. From securing hardware and software assets to managing access controls and monitoring audit logs, these controls provide a comprehensive framework for ensuring the security and integrity of an organization's information systems.

Purposes of the basic CIS controls

The basic CIS (Center for Internet Security) controls are a set of minimum cybersecurity defense measures that organizations should implement to protect against a wide range of cyber attacks. These controls are essential for every organization's cybersecurity program as they provide specific benefits and protection against common security risks.

The purposes of the basic CIS controls are as follows:

1. Control of hardware and software assets: This control helps organizations maintain an inventory of their hardware and software assets, ensuring that they are aware of what devices and software are present in their environment. This allows for effective management and control of these assets, preventing unauthorized access or installation of software and reducing the risk of security incidents.
2. Secure configuration: This control focuses on implementing secure configurations for end-user devices, network devices, and mobile devices. It ensures that these devices are properly set up, reducing the potential for security weaknesses and providing a secure posture against various attack vectors.
3. Continuous vulnerability management: Organizations need to actively manage vulnerabilities in their systems to protect against potential exploits. This control helps identify and remediate vulnerabilities, reducing the window of opportunity for cyber threats to exploit them.
4. Control of software assets: Unauthorized software can pose significant security risks to organizations. This control ensures that only authorized and properly licensed software is installed and used, protecting against potential malware and ensuring compliance with software licensing requirements.

By implementing these basic CIS controls, organizations can significantly enhance their security posture and protect against a wide range of cyber attacks. These controls provide tangible security benefits and are essential for effective cyber defense in today's threat landscape.

Control 1: inventory and control of hardware assets

Effective cybersecurity begins with having a comprehensive understanding of an organization's hardware assets. Control 1 of the CIS Controls focuses on inventorying and maintaining control over hardware assets. By maintaining an inventory, organizations can ensure that they are aware of all the devices present in their network, whether they are laptops, servers, or other connected devices. This control allows organizations to track and manage these assets effectively, reducing the risk of unauthorized access or infiltration by unauthorized devices. By implementing strong access control management and ensuring the security configurations of hardware assets are up to date, organizations can strengthen their overall security posture. Additionally, maintaining control over hardware assets allows organizations to quickly identify and respond to any vulnerabilities or security incidents that may arise. By implementing Control 1, organizations can significantly enhance their cybersecurity defenses and minimize their exposure to potential cyber threats.

Asset discovery and mapping

Asset discovery and mapping is a critical process in the inventory and control of hardware assets for any organization. It involves identifying and tracking all devices within the environment, ensuring that no unauthorized devices are present and that all necessary security measures are implemented.

The process of asset discovery begins with conducting network scans that help identify all connected devices, including computers, servers, routers, switches, and mobile devices. These scans provide an inventory of hardware assets present within the organization's network. Additionally, asset management tools can be employed to collect and consolidate information about the devices, including their physical location, IP addresses, operating systems, software installed, and their connection to other devices.

By conducting asset discovery and mapping, organizations gain greater visibility into their network infrastructure and can effectively track all devices. This process helps identify any unauthorized or rogue devices that may pose security risks or opportunities for attackers to exploit. It also aids in maintaining an accurate inventory of hardware assets, enabling effective control and management.

By regularly updating and maintaining the asset inventory, organizations can better understand their risk profile and security posture. This information is crucial for implementing appropriate security measures, identifying vulnerabilities, and ensuring that proper security configurations are in place. It also helps in promptly responding to security incidents and investigating any breaches by providing comprehensive logs of events.

Device identification and tracking

Device identification and tracking is a critical aspect of implementing effective wireless access controls within organizations. With the increasing use of mobile devices and the proliferation of wireless networks, it is crucial for organizations to have protocols and tools in place to identify and track these devices.

One way to achieve this is by implementing a device identification protocol that requires all wireless devices to be registered and authenticated before being granted access to the network. This ensures that only authorized devices are allowed to connect, reducing the risk of unauthorized access and potential security breaches.

Organizations can also utilize device tracking tools that provide real-time visibility into the devices connected to the network. These tools enable continuous monitoring of device activity, allowing organizations to detect and respond to any suspicious or unauthorized devices. They can also help in identifying potential security risks and vulnerabilities.

By implementing such protocols and tools, organizations can effectively track and control the use of wireless devices on their networks. This enhances security by ensuring that only authorized devices are granted access and preventing the use of unauthorized or rogue devices. Additionally, it enables organizations to better manage and mitigate security risks associated with wireless access.

Physical security measures

Physical security measures play a crucial role in enhancing an organization's cybersecurity posture. These measures help to protect the physical infrastructure, assets, and sensitive information from unauthorized access, theft, and damage. By implementing robust physical security controls, organizations can create a solid foundation for effective defense against cyber threats.

The CIS Controls provide a comprehensive framework for organizations to establish and maintain their security posture. Within these controls, specific physical security measures are recommended, each serving a unique purpose and providing specific benefits. Some of these recommended measures include:

1. Perimeter Security: Implementing physical barriers such as fences, gates, and surveillance cameras around the organization's premises helps to deter unauthorized access and enhance overall security.
2. Access Control: Utilizing access control systems, such as key cards or biometric scanners, for entry into the facility ensures that only authorized individuals can enter restricted areas, reducing the risk of physical and cyber breaches.
3. Secure Storage: Storing sensitive information and assets in secure locations, such as locked cabinets or restricted-access areas, safeguards them from theft or unauthorized access.
4. Video Surveillance: Installing surveillance cameras throughout the facility helps to monitor and record activities, providing evidence in the event of security incidents or breaches.
5. Physical Asset Management: Maintaining an inventory of all physical assets, including computers, servers, and mobile devices, helps in tracking their location, ensuring they are properly secured, and reducing opportunities for theft or unauthorized access.

By implementing these physical security controls, organizations can significantly enhance their cybersecurity defenses. These measures contribute to effective defense against cyber threats by minimizing the risk of physical breaches, unauthorized access to sensitive information, and theft of critical assets. Additionally, they create a deterrent effect, mitigating the window of opportunity for attackers and reducing the overall risk profile of the organization.

Control 2: inventory and control of software assets

To effectively manage and secure an organization's software assets, it is crucial to have a comprehensive inventory of all software and a robust control process in place. Control 2 of the CIS Controls focuses on maintaining an accurate and up-to-date inventory of software assets and implementing controls to manage them effectively. This control is essential as it helps organizations identify potential security risks, maintain compliance with licensing agreements, and reduce the attack surface for cyber threats.

By creating an inventory of software assets, organizations can gain visibility into all installed software, including authorized and unauthorized applications. This allows them to track software usage, identify vulnerabilities, and ensure that software patches and updates are applied promptly. Additionally, it helps in identifying any unauthorized or unlicensed software, addressing potential security risks and reducing the opportunity for attackers to exploit vulnerabilities.

Implementing control processes for the management of software assets ensures that unauthorized software is prevented or removed from the system. It includes processes for reviewing and approving software installations, monitoring software usage, and regularly updating the inventory with new installations and decommissioned software.

Software development methodology/change management

Software development methodology and change management play a critical role in effectively implementing the basic CIS control of inventory and control of software assets.

A solid software development methodology provides a structured approach to developing and managing software throughout its lifecycle. It ensures that software is developed in a consistent and controlled manner, reducing the risk of introducing vulnerabilities or unauthorized software into the environment. By adhering to a well-defined development process, organizations can establish clear requirements, perform thorough testing, and implement proper quality assurance measures. This helps in minimizing the potential for security weaknesses and ensures that only authorized and secure software is deployed.

Change management, on the other hand, focuses on managing changes to the software environment, including additions, modifications, or deletions. It provides a framework and processes for evaluating, approving, and implementing changes. By implementing effective change management practices, organizations can assess the impact of software changes on security and ensure that proper controls, such as testing, validation, and documentation, are in place before any updates are made. This helps in maintaining the integrity and security of the software assets, minimizing the risk of introducing vulnerabilities or unauthorized software.

Source code analysis and testing

Source code analysis and testing are critical components of application software security. They play a crucial role in identifying vulnerabilities and security flaws in software, ensuring that organizations can effectively manage the security of both in-house and acquired software over its lifecycle.

Source code analysis involves reviewing the actual code of an application to identify potential security vulnerabilities. This process aims to uncover flaws such as insecure coding practices, improper input validation, or weak authentication mechanisms. By analyzing the source code, organizations can gain insight into potential weaknesses that attackers could exploit.

Testing is another important aspect of application software security. It involves running various tests to evaluate the behavior and performance of the software. Security testing focuses specifically on identifying security vulnerabilities and potential exploits. This can include conducting penetration tests, running automated scans, or simulating real-world attack scenarios.

To effectively manage the security of software over its lifecycle, organizations should incorporate source code analysis and testing practices. This can be done by integrating security assessments into the development and release processes. The steps involved in this process typically include:

1. Identifying vulnerabilities: Conducting a thorough analysis of the source code to identify potential vulnerabilities and security weaknesses.
2. Reviewing code for security flaws: Manually reviewing the code to identify patterns or coding practices that could lead to security issues.
3. Running automated tests: Using specialized tools and techniques to automatically test the software for security vulnerabilities. This can involve scanning the code for known vulnerabilities or simulating attacks to identify potential weaknesses.

By following these steps and incorporating source code analysis and testing into the software development lifecycle, organizations can ensure the security and integrity of their software assets. This helps minimize the risk of exposing sensitive information and protects against potential cyber threats.

Application whitelisting

Application whitelisting is a security practice that allows organizations to control which applications are allowed to run on their systems. It works by creating a list of approved software applications, also known as a whitelist, and blocking any unauthorized or unknown programs from executing.

For custom-developed software, application whitelisting becomes particularly important in ensuring its security. Custom-developed software is often unique to an organization and may have security weaknesses that attackers can exploit. By implementing application whitelisting, organizations can prevent unauthorized access to their custom-developed software and protect against common attacks such as buffer overflows, SQL injection attacks, cross-site scripting, and code click-jacking.

Buffer overflows, for example, occur when an application tries to write more data into a buffer than it can handle, resulting in potential security vulnerabilities. By whitelisting only trusted and approved applications, organizations can minimize the risk of buffer overflow attacks, as any unauthorized application attempting to exploit this vulnerability would be blocked from running.

Similarly, application whitelisting helps prevent SQL injection attacks, where malicious actors attempt to manipulate or exploit a web application's database. By whitelisting only the necessary database management software, organizations can significantly reduce the risk of SQL injection attacks.

Moreover, application whitelisting protects against common web-based attacks like cross-site scripting and code click-jacking by ensuring that only trusted applications with secure coding practices are allowed to execute.

Control 3: continuous vulnerability management

Continuous vulnerability management is a crucial control in maintaining a strong cybersecurity posture. Organizations must regularly and methodically identify, assess, and mitigate vulnerabilities in their systems and software to protect against potential cyber threats. This control involves conducting frequent vulnerability scans and assessments to identify any weaknesses or security risks in the organization's network, applications, and infrastructure. By continuously monitoring for vulnerabilities, organizations can promptly apply security updates and patches, ensuring that their systems are protected against the latest known vulnerabilities. This control also involves prioritizing and addressing vulnerabilities based on their severity and potential impact on the organization's security. By implementing continuous vulnerability management practices, organizations can proactively mitigate vulnerabilities and reduce their exposure to potential cyber attacks. This control is particularly important in today's ever-evolving threat landscape, where new vulnerabilities are continuously discovered, and attackers are constantly seeking opportunities to exploit them.

Vulnerability scanning and assessment tools

Vulnerability scanning and assessment tools play a crucial role in continuous vulnerability management for organizations. These tools are designed to identify and assess potential vulnerabilities in both internal and external company assets, helping to enhance the overall security posture.

The primary purpose of vulnerability scanning tools is to scan networks, systems, and applications for vulnerabilities that may be exploited by attackers. By conducting regular scans, organizations can identify weaknesses and potential points of exploitation before adversaries do. This proactive approach allows for timely remediation and reduces the window of opportunity for cyber threats.

Assessment tools, on the other hand, provide in-depth analysis and evaluation of vulnerabilities. These tools gather detailed information about potential security weaknesses, such as misconfigurations and unpatched software, providing organizations with a comprehensive understanding of their risk profile. With this knowledge, security teams can prioritize and implement effective defenses to mitigate the identified vulnerabilities.

Vulnerability scanning and assessment tools are not limited to internal company assets only. They also help organizations assess vulnerabilities in external-facing assets such as websites, servers, and network devices. By scanning these external assets, organizations can identify potential security weaknesses that could be exploited by attackers.

Patching deficiencies in a timely manner

Patching deficiencies in a timely manner is crucial for maintaining a strong security posture. Regularly updating and patching systems and applications is essential to address vulnerabilities and prevent exploitation by attackers.

Automated tools play a significant role in keeping operating systems and applications up to date. These tools can scan for and detect vulnerabilities, making it easier for organizations to identify areas that need attention. By automating the patch management process, organizations can streamline the task of applying updates, ensuring that systems are always protected against emerging threats.

Taking immediate action to fix any vulnerabilities discovered is essential. Attackers are constantly evolving their tactics, and any delay in patching deficiencies can give them a window of opportunity to exploit security weaknesses. Organizations must prioritize and schedule patches based on their criticality and potential impact to minimize the risk of exploitation.

Adopting an efficient patch management process that includes regular updates and swift action to address vulnerabilities is vital for maintaining a strong security posture. By addressing patching deficiencies in a timely manner, organizations can significantly reduce their exposure to potential cyber threats and ensure the ongoing protection of their systems and applications.

Control 4: controlled use of administrative privileges

The controlled use of administrative privileges is a critical component of an effective cybersecurity strategy. Administrative privileges provide users with elevated access and control over computer systems and networks. Organizations must implement measures to ensure that these privileges are only granted to authorized personnel and that they are used judiciously. This control helps mitigate the risk of unauthorized access to sensitive information and reduces the potential for malicious activities. By limiting access to administrative privileges and implementing strict access management protocols, organizations can significantly reduce the attack surface and minimize the likelihood of security incidents. Additionally, implementing strong authentication mechanisms, such as two-factor authentication, can further enhance security by providing an additional layer of verification for privileged accounts. Regular monitoring and auditing of administrative activities are also crucial to detect any unauthorized or suspicious activities and take prompt action to mitigate the risks. By effectively controlling the use of administrative privileges, organizations can bolster their security posture and protect against a wide range of cyber threats.

Access management rules and policies

Access management rules and policies play a crucial role in maintaining the security of an organization's systems and data. By effectively controlling administrative privileges, these rules and policies help to prevent unauthorized access and minimize the risks associated with insider threats.

To ensure proper control of administrative privileges, organizations need to establish a clear and well-defined process for granting and revoking access. This process should include the proper vetting and approval of requests, as well as periodic reviews to ensure that access privileges are still needed and appropriate.

One important aspect of access management is the implementation of multi-factor authentication (MFA). MFA adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a verification code sent to their mobile device. This significantly reduces the risk of unauthorized access, even if passwords are compromised.

Another critical component of access management is maintaining an inventory of systems and the access control rules associated with each. This inventory helps organizations track who has access to what systems, making it easier to identify and address any potential security issues. It also ensures that access privileges are appropriately assigned and revoked when necessary.