Established in 2000, the Center for Internet Security (CIS) is a global, non-profit organization that brings together a community of experts to develop tools, solutions, and best practices for improving cyber security and mitigating cyber risk.
As well as being renowned for their Benchmarks, which are used to reduce configuration-based vulnerabilities in digital assets, they have developed a cyber risk mitigation framework called the CIS critical security controls.
Arranged into 18 controls comprising 153 safeguards (previously known as sub-controls), the CIS Controls provide organizations with clear, prioritized best practices and guides for defending against a wide range of cyber attacks.
In this article, we explore the 18 CIS critical security controls, how each enhances your company’s cybersecurity posture, and why they’re effective at mitigating risk.
Why are the CIS critical security controls important?
The CIS critical security controls are important because they provide organizations with a comprehensive and easy-to-follow framework for strengthening their cybersecurity posture.
Because the CIS security controls consist of a prioritized set of best practices that protect against the most common attack vectors, they’re highly instrumental in reducing a company’s exposure to operational, compliance, financial, and reputational risk.
Additionally, with so many cybersecurity tools, frameworks, and methodologies out there, it’s easy for companies to become overwhelmed by the abundance of information. In contrast, by focusing on a select number of actions based on known attack methods, the CIS critical security controls offer organizations a clear path for effective cyber defense.
What Makes the CIS Controls Effective?
Several aspects make the CIS critical security controls so effective:
- Informed by common cyber attacks: the CIS controls are developed from insights gained from actual cyber attacks and the defensive measures that have been proven effective against them.
- Compiled by experts: the controls, and the safeguards that comprise them, are created and maintained by a global community of experts from all sectors, including IT, security, government, defence, finance, academia, consulting, etc.
- Easy to comprehend and communicate: because they home in on 18 overarching cybersecurity measures, the CIS controls are simple to explain to stakeholders, supply chain partners and non-technical personnel. As a result, it is straightforward to report on their implementation and efficacy to management and other invested parties, and for them to follow along.
- Measurable progress: the mere fact that there are 18 well-defined controls gives organisations a list to work through to strengthen their cybersecurity posture.
- Better still, the 153 safeguards (referred to as sub-controls in previous versions) across the 18 controls are assigned to three cumulative implementation groups (IGs): IG1, IG2 and IG3.
- IG1 is the set of 56 safeguards that CIS describes as essential cyber hygiene, the minimum starting point for any organization, including those just beginning a cyber security program. IG2 adds safeguards for organizations with more complex environments and dedicated IT and security staff, and IG3 adds the remaining safeguards for larger organisations with more stringent defence and compliance requirements. Each group includes everything in the groups below it, so IG3 covers all 153 safeguards.
- Consequently, the framework gives you a defined path for improving your cybersecurity measures as your program matures.
- Mapped against important compliance frameworks: CIS maintains mappings between the controls and widely used regulations and standards, which makes it easier for organisations to demonstrate compliance with GDPR, HIPAA, PCI DSS, and other frameworks that apply to their industry.
5 Crucial Components of Effective Cyber Defense
The five crucial components of an effective cybersecurity defense plan are:
- Attacks dictate defense (CIS calls this "offense informs defense"): using feedback from actual cyber attacks, i.e., threat intelligence, to decide which defensive measures are worth building
- Prioritization: assessing which attacks matter most and prioritizing the actions that most reduce risk exposure and, preferably, are the most feasible to implement
- Measurements: using common metrics so that security personnel, IT teams, C-suite executives, and other stakeholders share the same understanding of cyber risk mitigation efforts and their efficacy
- Continuous monitoring: moving beyond static, point-in-time testing to continuous monitoring that gives security teams ongoing visibility over the IT infrastructure
- Automation: using automated tools wherever possible to identify and assess cyber threats across an ever-expanding attack surface
What are the 18 CIS Critical Security Controls?
Here’s an overview of the 18 CIS critical security controls.
1. Inventory and Control of Enterprise Assets
The first CIS control centers around creating and maintaining an accurate and up-to-date list of your company’s hardware assets, such as workstations, laptops, mobile devices, servers, and Internet of Things (IoT) and network devices. This also includes hardware not directly under your control, like employee mobile devices and those within a cloud environment.
Implementing the actions outlined by this control not only reveals the total number of hardware assets within an organization’s IT infrastructure that require monitoring and protection but also highlights unauthorized and/or unmanaged assets that could be removed to reduce the size of the attack surface.
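The comparison this control asks for, an authoritative inventory reconciled against what a discovery tool actually sees on the network, is simple enough to script. The following is an added example for CIS Control 1, not CIS material or code from the original article. The inventory records, discovery results, MAC addresses, IP addresses and dates are constructed inline to stand in for a CMDB export and the output of an active discovery tool (DHCP leases, ARP tables, a network sweep); the field names and the 30-day staleness window are assumptions.

```python
"""Reconcile an authorized hardware inventory against hosts seen on the network.

Added example for CIS Control 1; not CIS material or code from the article.
INVENTORY stands in for a CMDB export and DISCOVERED for the output of an
active discovery tool (DHCP leases, ARP tables, a network sweep). Records,
addresses, dates and field names are constructed assumptions.
"""
from datetime import date

# Constructed CMDB export: MAC address -> asset record.
INVENTORY = {
    "AA:BB:CC:00:00:01": {"hostname": "ws-finance-01", "owner": "finance", "last_seen": date(2024, 5, 30)},
    "AA:BB:CC:00:00:02": {"hostname": "srv-db-01", "owner": "platform", "last_seen": date(2024, 5, 31)},
    "AA:BB:CC:00:00:03": {"hostname": "printer-hr", "owner": "hr", "last_seen": date(2024, 3, 2)},
}

# Constructed discovery output for 2024-06-01. The MAC formats deliberately vary:
# tools differ in separators and case, a classic cause of false "unknown device" alerts.
DISCOVERED = [
    {"mac": "aa-bb-cc-00-00-01", "ip": "10.0.1.15"},
    {"mac": "aabb.cc00.0002", "ip": "10.0.2.10"},     # Cisco-style dotted format
    {"mac": "DE:AD:BE:EF:00:09", "ip": "10.0.1.77"},  # not in the inventory
]


def normalize_mac(mac: str) -> str:
    """Canonical form (lowercase, colon-separated) so differently formatted MACs compare equal."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(inventory, discovered, today, stale_after_days=30):
    """Return MACs seen but not inventoried (unauthorized) and MACs inventoried
    but not seen for longer than stale_after_days (candidates for removal)."""
    known = {normalize_mac(mac): rec for mac, rec in inventory.items()}
    seen = {normalize_mac(d["mac"]): d for d in discovered}
    unauthorized = sorted(mac for mac in seen if mac not in known)
    stale = sorted(
        mac for mac, rec in known.items()
        if mac not in seen and (today - rec["last_seen"]).days > stale_after_days
    )
    return {"unauthorized": unauthorized, "stale": stale}


if __name__ == "__main__":
    result = reconcile(INVENTORY, DISCOVERED, today=date(2024, 6, 1))
    by_mac = {normalize_mac(m): r for m, r in INVENTORY.items()}
    for mac in result["unauthorized"]:
        ip = next(d["ip"] for d in DISCOVERED if normalize_mac(d["mac"]) == mac)
        print(f"UNAUTHORIZED  {mac}  {ip}  (not in inventory: isolate, then enrol or remove)")
    for mac in result["stale"]:
        print(f"STALE         {mac}  {by_mac[mac]['hostname']}  (not seen recently: verify and retire)")
```

Run on the constructed data, the script reports one unauthorized device (the DE:AD:BE:EF host) and one stale inventory entry (the HR printer, last seen in March). In practice the discovery feed should come from more than one source, since a device that is powered off during a sweep still appears in DHCP history, and MAC randomization on modern mobile devices means MAC alone is not a stable identity for those assets.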
2. Inventory and Control of Software Assets
A comprehensive inventory of your company’s software lets you know exactly which applications are running on your network and ensure that only authorized, supported software is installed. Tracking all software assets also alerts security teams to unpatched and unsupported applications with known vulnerabilities that attackers could exploit. This matters because malicious actors rely on the gap between a vulnerability becoming known and an organization patching it.
Additionally, because you can’t manage applications that you can’t monitor, the safeguards within this control prevent the installation of unauthorized software, i.e., shadow IT, and highlight instances found on the network. As well as providing insight into the true extent of a company’s attack surface, it reduces the risk of malware finding its way onto the network because an employee downloaded a compromised application without permission.
3. Data Protection
As companies integrate more digital solutions into their IT ecosystem, data protection becomes increasingly crucial. This is especially true regarding cloud technology, which necessitates that data is transferred over the internet and stored offsite – which means it’s no longer confined within a company’s conventional network perimeters.
CIS control 3 provides essential guidelines for identifying, classifying, tracking, storing, and disposing of data. This includes establishing and maintaining a data management process, securing data on endpoints (including mobile devices), and encrypting sensitive data both in transit and at rest.
Plus, while a lot of data loss results from malicious action, it can also occur through lax security practices or human error. Because of this, the safeguards in this control also cover detecting data loss and mitigating all other forms of data compromise.
4. Secure Configuration of Enterprise Assets and Software
In their default state, i.e., “out of the box”, hardware and software often ship with settings chosen for ease of setup rather than security. Attackers can exploit default passwords, unnecessary services, and insecure configurations if they are left unchanged, and even a single unchecked setting can create security risks that disrupt business continuity.
With this in mind, this control focuses on establishing and maintaining secure configurations for hardware and software assets, and on detecting and correcting drift away from them.
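To make the idea of a configuration baseline concrete, the following added example checks an SSH server configuration against a small hardening baseline, showing the weak out-of-the-box style settings beside their corrected values. This is not CIS Benchmark content or code from the original article: the weak and hardened configurations are constructed inline, and the baseline values are assumptions that mirror common SSH hardening guidance rather than a quotation of any CIS Benchmark.

```python
"""Compare an sshd_config against a hardening baseline.

Added example for CIS Control 4; not CIS Benchmark content or code from the
article. WEAK_CONFIG is a constructed "as shipped" style configuration, and
the baseline values are assumptions that mirror common SSH hardening guidance.
"""

WEAK_CONFIG = """\
# Constructed example of an out-of-the-box style sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
MaxAuthTries 6
"""

HARDENED_CONFIG = """\
# Constructed hardened counterpart
Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
"""

# Baseline (assumed values): settings that must equal a value, and settings
# that must not exceed a limit. Keys are lowercase because sshd keywords are
# case-insensitive.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}
MAXIMUMS = {"maxauthtries": 4}


def parse_sshd_config(text: str) -> dict:
    """Keyword -> first value. sshd honours the first occurrence of a keyword,
    and '#' starts a comment, so a commented-out keyword leaves the compiled-in
    default in force. Match blocks are not modelled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def check_config(text: str) -> dict:
    """Return {keyword: (actual, required)} for every deviation from the baseline."""
    settings = parse_sshd_config(text)
    findings = {}
    for key, required in EXPECTED.items():
        actual = settings.get(key)
        if actual is None:
            # Not set explicitly: the default may be fine, but a baseline should
            # pin the value so a future default change cannot weaken the host.
            findings[key] = ("not set (default applies)", required)
        elif actual.lower() != required:
            findings[key] = (actual, required)
    for key, limit in MAXIMUMS.items():
        actual = settings.get(key)
        if actual is None or not actual.isdigit() or int(actual) > limit:
            findings[key] = (actual, f"<= {limit}")
    return findings


if __name__ == "__main__":
    for key, (actual, required) in sorted(check_config(WEAK_CONFIG).items()):
        print(f"{key:24} actual={actual!r:30} required={required}")
    print("hardened config deviations:", check_config(HARDENED_CONFIG))
```

The same pattern (parse the live setting, compare to a pinned baseline, report the gap rather than silently rewriting it) scales to any configuration format; the reporting step matters because the drift itself is a signal that someone or something changed a production host.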
5. Account Management
Alarmingly, unauthorized access is more likely to be gained with valid user credentials, whether stolen, guessed, or misused from inside the organization, than by exploiting a technical vulnerability. Consequently, CIS critical security control 5 concerns managing user accounts, password policies, and monitoring account activity.
This includes:
- Creating and maintaining an inventory of user accounts (and a separate one for service accounts)
- Enforcing strong password hygiene, e.g., unique passwords of adequate length; note that current CIS guidance favours long, unique passwords combined with MFA rather than frequent forced changes
- Deactivating unused accounts
- Limiting admin privileges to a small number of accounts
It’s particularly important to protect admin accounts because cybercriminals can use them to modify assets or create additional accounts with special privileges. They can then use them to make their way further into your network, better cover their tracks and implement subsequent steps in their plans.
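Two of the checks above, dormant accounts and admin rights held by everyday accounts, are easy to run against a directory export on a schedule. The following is an added example for CIS Control 5, not CIS material or code from the original article. The user records are constructed inline to stand in for an export from a directory service (an LDAP or Active Directory query, or a SaaS user list); the field names, the group names and the "adm-" naming convention for dedicated administrator accounts are assumptions. The 45-day dormancy threshold follows CIS v8 Safeguard 5.3.

```python
"""Flag dormant accounts and admin rights on everyday accounts in a directory export.

Added example for CIS Control 5; not CIS material or code from the article.
USERS is a constructed stand-in for a directory export; field names, group
names and the "adm-" prefix for dedicated admin accounts are assumptions.
The 45-day dormancy threshold follows CIS v8 Safeguard 5.3.
"""
from datetime import date

USERS = [
    {"name": "alice", "enabled": True, "last_login": date(2024, 5, 28), "groups": ["staff"]},
    {"name": "bob", "enabled": True, "last_login": date(2024, 3, 1), "groups": ["staff"]},
    {"name": "carol", "enabled": True, "last_login": date(2024, 5, 30), "groups": ["staff", "Domain Admins"]},
    {"name": "adm-carol", "enabled": True, "last_login": date(2024, 5, 29), "groups": ["Domain Admins"]},
    {"name": "svc-backup", "enabled": True, "last_login": None, "groups": ["staff"]},
    {"name": "dave", "enabled": False, "last_login": date(2023, 1, 1), "groups": ["staff"]},
]

# Assumed names of groups that confer administrative rights.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}
# Assumed naming convention for dedicated administrator accounts.
ADMIN_PREFIX = "adm-"


def dormant_accounts(users, today, threshold_days=45):
    """Enabled accounts with no login in threshold_days, or no recorded login at all."""
    dormant = []
    for user in users:
        if not user["enabled"]:
            continue  # already disabled, nothing to do
        last = user["last_login"]
        if last is None or (today - last).days > threshold_days:
            dormant.append(user["name"])
    return sorted(dormant)


def admin_rights_on_everyday_accounts(users):
    """Enabled accounts in an admin group that are not dedicated admin accounts.
    Safeguard 5.4 wants admin rights only on separate accounts used solely for
    administrative work, so 'carol' is a finding while 'adm-carol' is not."""
    return sorted(
        user["name"] for user in users
        if user["enabled"]
        and set(user["groups"]) & ADMIN_GROUPS
        and not user["name"].startswith(ADMIN_PREFIX)
    )


if __name__ == "__main__":
    today = date(2024, 6, 1)
    print("Dormant (disable or delete after review):", dormant_accounts(USERS, today))
    print("Admin rights on everyday accounts:", admin_rights_on_everyday_accounts(USERS))
```

Note that the service account with no recorded login is flagged as dormant: service accounts often never log in interactively, so they belong in their own inventory (Safeguard 5.5) and should be excluded from this check through that inventory rather than by lowering the threshold.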
6. Access Control Management
While control 5 concerns the accounts themselves, this series of safeguards centers on what those accounts are allowed to do, i.e., access control management and user privileges.
Granting overly broad permissions increases insider risk, i.e., intentional or accidental data compromise by employees or supply chain partners, as well as the severity of a security breach if an attacker takes over a user account. Limiting a user’s access rights to what they need to perform their job (the principle of least privilege) reduces an organization’s cyber risk exposure.
As well as best practices for implementing and maintaining access control systems, this control provides guidelines on granting and revoking permissions with privileged access management (PAM) tools and enabling multi-factor authentication (MFA).
7. Continuous Vulnerability Management
Companies that fail to proactively identify and address IT security flaws are more likely to suffer security breaches and business disruptions. Continuous vulnerability management emphasizes the critical importance of regularly assessing your organization’s cybersecurity posture.
This includes implementing measures to consistently identify, prioritize, and mitigate vulnerabilities within your IT network, whether open ports and misconfigured services or unpatched software and unused user accounts. To achieve this, security teams should follow the prescribed guidelines to establish policies and controls for vulnerability scanning and ensure they consistently obtain up-to-date threat intelligence.
8. Audit Log Management
Malicious actors know that while some organizations maintain audit logs for compliance purposes, they don’t analyze them consistently. Armed with this knowledge, they can hide within your network for extended periods without detection – and can cover their tracks more effectively.
CIS security control 8 details actions concerning the review and retention of event logs of your network. Regularly analyzing audit logs enables security teams to better identify suspicious activities and quickly respond to mitigate their impact.
This includes:
- Developing and maintaining an audit log management system
- Regularly reviewing audit logs
- Keeping logs for a specified period (CIS v8 calls for a minimum of 90 days)
- Obtaining logs from service providers
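Regular log review only pays off if the review asks specific questions of the data. The following added example for CIS Control 8 shows one such question, a source that fails authentication repeatedly and then succeeds, run over SSH server logs. It is not CIS material or code from the original article: the log lines are constructed in OpenSSH's sshd syslog format, the hostnames and IP addresses (taken from documentation ranges) are invented, and the five-failure threshold is an assumption.

```python
"""Spot brute-force and fail-then-succeed patterns in SSH authentication logs.

Added example for CIS Control 8; not CIS material or code from the article.
The log lines are constructed in OpenSSH's sshd syslog format; hosts,
addresses (documentation ranges) and the failure threshold are assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun  1 08:00:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51000 ssh2
Jun  1 08:00:02 bastion sshd[2202]: Failed password for root from 203.0.113.9 port 51001 ssh2
Jun  1 08:00:03 bastion sshd[2203]: Failed password for root from 203.0.113.9 port 51002 ssh2
Jun  1 08:00:04 bastion sshd[2204]: Failed password for invalid user test from 203.0.113.9 port 51003 ssh2
Jun  1 08:00:05 bastion sshd[2205]: Failed password for deploy from 203.0.113.9 port 51004 ssh2
Jun  1 08:00:09 bastion sshd[2206]: Accepted password for deploy from 203.0.113.9 port 51005 ssh2
Jun  1 08:15:00 bastion sshd[2300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
Jun  1 08:15:20 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

# Matches both "Accepted <method> for <user> from <ip>" and
# "Failed <method> for [invalid user] <user> from <ip>".
AUTH_LINE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def review_auth_log(text, failure_threshold=5):
    """Return findings as (kind, source_ip, user).

    'brute_force' fires once when a source reaches the failure threshold;
    'success_after_failures' fires when that same source later authenticates
    successfully, which is the event a reviewer must actually look at.
    """
    failures = defaultdict(int)
    findings = []
    for line in text.splitlines():
        m = AUTH_LINE.search(line)
        if not m:
            continue  # not an authentication result line
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == failure_threshold:
                findings.append(("brute_force", ip, None))
        elif failures[ip] >= failure_threshold:
            findings.append(("success_after_failures", ip, m["user"]))
    return findings


if __name__ == "__main__":
    for kind, ip, user in review_auth_log(SAMPLE_LOG):
        print(f"{kind:24} source={ip} user={user or '-'}")
```

On the constructed log, the single mistyped password from 198.51.100.4 is ignored while 203.0.113.9 produces both findings, the second of which ('deploy' logged in after five failures) is the one worth paging someone about. A production version would add a time window to the failure counter and correlate the accepted session with what that user did next, which is only possible if the logs are retained long enough to go back and look.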
9. Email and Web Browser Protections
Browsers and email clients are common targets for hackers because of their large user bases and the high frequency with which they’re used. They’re especially susceptible to malware infections and social engineering attacks, which provide cybercriminals with an entry point into networks.
Consequently, the safeguards that comprise this control are designed to prevent phishing, malware downloads, and other web-based cyber attacks. This includes using only fully supported browsers and email clients, using DNS filtering services and URL filters to block malicious (and suspicious) domains and web addresses, blocking unnecessary file types in email, and deploying email authentication controls such as DMARC.
10. Malware Defenses
Control 10 provides best practices for preventing the installation and spread of malicious software and code, such as viruses and ransomware. It emphasizes the use of anti-malware solutions to regularly scan your IT ecosystems to detect, contain, and eliminate malware found in endpoints, websites, applications, and network devices.
However, one of the reasons malware is so dangerously effective is that malicious actors are constantly devising new strains – including polymorphic malware that can alter its signature to prevent detection. Because of this, the safeguards in this control call for behavior-based anti-malware tools, which look for patterns indicative of malicious code, as well as signature-based detection, which recognizes known malware.
11. Data Recovery
An essential part of effective incident response is quickly restoring your systems to a secure state after a cyber attack – which requires a reliable data backup and recovery process. The actions laid out in this control help companies implement automated backups, protect and isolate backup data, and test their recovery procedures.
An effective data recovery process helps protect your organization from cyber attacks where hackers gain access to your network and modify settings, create illegitimate user accounts, and install malicious software. Such actions can be difficult to detect and require reverting your ecosystem to a time before the security breach. This control also guards against accidental data deletion, modification, and other human error, which can be rectified with up-to-date backups.
12. Network Infrastructure Management
Network devices, such as switches, routers, and firewalls, are typically initially configured for an easy setup – instead of for security. Consequently, hackers search for vulnerabilities in network infrastructure, like weak configurations and default passwords, and exploit them to breach a company’s defensive measures.
To mitigate this, control 12 provides guidelines for setting up, evaluating, reconfiguring, and managing network devices. This begins with clearly documenting all aspects of your network infrastructure and continually monitoring it for modifications that could indicate a security risk.
13. Network Monitoring and Defense
Cybersecurity controls are most effective when they are part of a continuous monitoring process that gives security personnel timely alerts, so that they can promptly contain and mitigate security incidents.
CIS critical security control 13 covers processes and tools for continuous monitoring and defense, which allow organizations to collect and analyze network traffic data, manage access control, and generate alerts. Additionally, the safeguards in this control provide best practices for segmenting the network and filtering the traffic between segments, making it easier both to manage access to assets and data and to contain cyber attacks if they occur.
14. Security Awareness and Skills Training
Because employee behaviour often determines whether a company’s cyber risk mitigation efforts succeed or fail, it’s critical that staff are educated on how their actions can compromise security.
This could be through:
- Using weak passwords or reusing them too often
- Mishandling sensitive data
- Falling for phishing attempts
- Losing a mobile device
- Installing compromised applications
- Visiting compromised sites
For this reason, it’s essential for companies to invest in cybersecurity awareness training that engenders a security-conscious mindset and reduces risk exposure.
A key aspect of this is educating your employees on common cyber attacks, and on how and to whom to report them if they occur. It’s also imperative to teach the causes of unintentional data exposure and, by extension, how to handle data securely. Additionally, for those within your company who handle the most sensitive data or hold privileged access, it’s prudent to provide role-specific training to enhance their situational awareness and skillset.
15. Service Provider Management
This control recommends assessment, management, and monitoring of third-party service providers that have access to your assets and data – with particular emphasis on protecting sensitive data.
It includes best practices for creating and maintaining an up-to-date inventory of service providers, assessing suppliers to determine their security posture, and how to securely end your association (e.g., ensuring they securely dispose of your data) if necessary. The safeguards in CIS security control 15 also include provisions for monitoring the security practices of your third party providers and how to co-operate with them to help them improve their cyber risk mitigation strategies and ensure compliance.
16. Application Software Security
While control 2 is concerned with cataloguing software assets and control 15 addresses third-party service providers, CIS critical security control 16 details safeguards for software your organization develops or hosts itself. It provides guidelines on implementing secure application development practices and processes to ensure the ongoing security of bespoke software and systems within your IT ecosystem. This includes maintaining a secure application development process, using standard hardening configuration templates for application infrastructure, and mechanisms for identifying, prioritizing, and remediating software vulnerabilities.
Additionally, as development teams integrate third-party components into custom applications, from frameworks, code libraries, etc., it’s vital to catalogue them so they can be continuously monitored for vulnerabilities. Better still, companies should only use trusted components from reputable vendors with high, independently verified security ratings.
17. Incident Response Management
Despite an organization’s best cyber risk mitigation efforts, attacks will still take place. Consequently, CIS critical security control 17 is about developing and implementing a comprehensive incident response plan (IRP), supported by playbooks for specific incident types, that outlines the steps to follow during and after a security event.
Best practices include assigning specific roles and responsibilities to employees in the event of a security incident and establishing protocols for reporting suspected malicious activity. Similarly, you need to have processes in place for how to communicate in regards to security events – namely, when employees are allowed to discuss a breach and who with.
It’s also vital to establish a robust process concerning what your staff do after a security event as well as during it. This should include a thorough analysis of the incident to determine how to best prevent it from recurring and learning as much about the nature of the attack to add to your threat intelligence.
18. Penetration Testing
With the consistent emergence of new technology and malicious actors consistently developing new attack methods, it’s not enough for organizations to look for known vulnerabilities or rely on their existing defense measures.
The final CIS critical security control accounts for this by providing guidelines on performing penetration tests: a proactive cyber risk mitigation strategy in which security teams, or independent testers acting on their behalf, attempt to breach, or penetrate, the organization’s own security measures to test their effectiveness. In essence, penetration testing requires you to think like an attacker, exploiting the same attack vectors they would.
In addition to testing your implemented cybersecurity measures and fixing those that prove ineffective, penetration tests allow organizations to acquire new threat intelligence and devise ways to reduce their attack surface.
How RiskXchange can help enhance your organization’s cybersecurity posture
Through a thorough analysis of your company’s attack surface, we can determine where you’re most vulnerable to cyber threats. From there, we’ll help implement the CIS critical security controls that best protect your IT infrastructure from cyber attacks.
Contact us to schedule your free trial.
CIS critical security controls FAQs
What is the meaning of CIS Critical Security Controls?
The CIS critical security controls are a risk mitigation framework that provides organizations with a series of best practices for implementing measures to protect against the most common cyber attacks.
There are 18 CIS security controls, each comprising a series of actionable safeguards (153 in total). Part of the simplicity of the CIS controls is that companies don’t have to implement every safeguard at once: they start with the implementation group (IG1, IG2 or IG3) that matches their size, risk profile and resources.
What is an example of a CIS cybersecurity control?
Each CIS control is numbered from 1 – 18, so CIS security control 1, for instance, is called Inventory and Control of Enterprise Assets. It details best practices for cataloguing, classifying, and monitoring an organization’s hardware assets so any vulnerabilities can be discovered and mitigated by security teams.
What is the difference between CIS critical security controls and NIST?
While the Center for Internet Security (CIS) is a global, nonprofit organization composed of a wide range of experts, the National Institute of Standards and Technology (NIST) is a part of the U.S. government (under the Department of Commerce).
Additionally, while CIS controls specifically cover cybersecurity, there are different NIST frameworks with varying scopes – with the NIST Cybersecurity Framework (CSF) designed for cyber risk mitigation.