What are CIS controls?

CIS Controls, or Critical Security Controls, are a set of cybersecurity best practices developed by the Center for Internet Security (CIS). These controls help organizations improve their security and defend against common attacks. They cover areas like hardware devices, software management, administrative privileges, and security updates. By implementing these controls, organizations can reduce vulnerabilities and limit attack opportunities. The CIS Controls also stress the importance of continuous monitoring and improvement to stay ahead of evolving threats. Overall, they offer a comprehensive framework for strengthening security and reducing the risk of breaches.

To streamline the implementation of CIS Controls and automate critical security processes, consider leveraging tools like 6clicks' Hailey AI, which offers advanced automation for controls and policies.

The 5 critical security controls

The first five critical CIS Controls are foundational practices for securing an organization's IT environment. These are the most essential steps for building a strong security posture:

1. Inventory and control of hardware assets

This control aims to maintain a detailed and up-to-date inventory of all hardware devices that connect to your network. By controlling which devices can access the network, organizations can prevent unauthorized devices, such as rogue laptops or IoT devices, from being used to gain access to sensitive systems.

• Create a comprehensive inventory of all hardware assets, including computers, mobile devices, servers, printers, and networking equipment (e.g., switches, routers, and firewalls).
• Classify devices based on criticality, such as distinguishing between critical infrastructure devices and less important ones.
• Use automated asset management tools to continuously discover and track devices on the network.
• Monitor and audit device usage to ensure compliance and detect unauthorized devices.

• Utilize network discovery tools like Nessus or Advanced IP Scanner to detect all devices connected to the network.
• Use asset management software like ServiceNow or Lansweeper to maintain a centralized hardware inventory.
• Example: An organization might discover an unapproved device on its network, like an employee’s personal laptop, and block it from accessing the internal systems until it is reviewed for security compliance.

2. Inventory and control of software assets

The purpose of this control is to ensure that only authorized software is installed and running on systems, which helps reduce the risk of running insecure or unsupported software versions. Unapproved or outdated software can introduce vulnerabilities that hackers can exploit.

• Maintain an up-to-date inventory of all software used in the organization, including operating systems, applications, utilities, and development tools.
• Regularly audit software installations to detect unauthorized or unlicensed software.
• Monitor for unauthorized software by using automated detection tools and enforcing policies that prevent installation without approval.
• Implement software whitelisting to allow only approved software to run on systems.

• Use Microsoft SCCM or ManageEngine Desktop Central to track and manage all installed software.
• Implement application whitelisting with tools like AppLocker (for Windows) or Carbon Black to block unapproved software from running.
• Example: A system might flag the installation of an unapproved version of a media player, which could potentially harbor security vulnerabilities, preventing its use until further review.

3. Continuous vulnerability management

This control involves continuously scanning for vulnerabilities in systems and software and addressing them promptly to prevent exploitation. Vulnerabilities are a common entry point for attackers, so timely patching and vulnerability management are critical to reducing the attack surface.

• Conduct regular vulnerability assessments to identify known weaknesses, both internally and externally.
• Prioritize vulnerabilities based on potential impact, exploitability, and severity, using frameworks like the Common Vulnerability Scoring System (CVSS).
• Apply patches and updates to software and hardware as soon as critical vulnerabilities are identified.
• Automate patch management processes to ensure systems are updated without delay.

• Use vulnerability scanning tools like Qualys, Rapid7 Nexpose, or Tenable Nessus to regularly scan for and identify vulnerabilities.
• Set up automated patch management tools like Windows Server Update Services (WSUS) or Ivanti to ensure systems remain up-to-date.
• Example: After discovering a critical flaw in a widely used web server, an organization might deploy a patch within 24 hours to prevent potential exploitation.

4. Controlled use of administrative privileges

Administrative privileges grant users the ability to modify critical system settings and access sensitive data. Controlling administrative access minimizes the risk of privilege abuse or a breach if an admin account is compromised.

• Restrict administrative privileges to only those who need them to perform job-related tasks (e.g., system administrators, IT support).
• Implement the principle of least privilege (PoLP), ensuring that users are granted only the minimum necessary access for their role.
• Use multi-factor authentication (MFA) for accounts with administrative privileges to add an extra layer of security.
• Regularly review and audit administrative privileges to ensure that they are still necessary and properly managed.

• Tools like CyberArk or BeyondTrust can help manage privileged accounts and ensure that only authorized users have access.
• MFA can be implemented using solutions like Duo Security to protect admin accounts.
• Example: A user in a non-IT role may have temporary admin access to install a specific program. Once the task is completed, the admin privileges are revoked immediately.

5. Secure configuration for hardware and software

This control ensures that systems and software are securely configured to minimize vulnerabilities from the outset. By applying secure configurations, organizations can reduce the likelihood that attackers will be able to exploit default or insecure settings.

• Harden systems by disabling unnecessary services, ports, and features that could create attack vectors.
• Implement security baselines that specify secure configurations for operating systems, applications, and network devices.
• Regularly review and update configurations to adapt to new security requirements and emerging threats.
• Use automated configuration management tools to enforce and maintain secure settings.

• Follow security benchmarks from CIS or NIST to configure systems securely. For instance, configuring a server by disabling unused ports and enforcing strict password policies.
• Use tools like Ansible, Chef, or Puppet to automate secure configuration deployment and monitoring.
• Example: For a Linux server, secure configurations might include disabling SSH root login, setting up firewalls to block unnecessary ports, and enforcing secure file permissions on sensitive directories.

By implementing these five controls, organizations lay a strong foundation for effective cybersecurity. These practices ensure that hardware and software are properly tracked, vulnerabilities are continuously identified and mitigated, administrative access is tightly controlled, and systems are securely configured, all of which help reduce the overall risk of security breaches.

Summary

CIS Controls, or Critical Security Controls, are a set of best practices developed by the Center for Internet Security (CIS) to help organizations strengthen their cybersecurity defenses. These controls focus on managing hardware, software, vulnerabilities, administrative privileges, and secure configurations to reduce the risk of cyberattacks. The first five controls are essential for building a solid security foundation: maintaining an up-to-date inventory of hardware and software assets, continuously identifying and mitigating vulnerabilities, controlling administrative privileges, and securely configuring hardware and software. By implementing these practices, organizations can minimize vulnerabilities, limit attack opportunities, and reduce the overall risk of security breaches.