Implement CIS Top 18 Controls in Your Organization
Introduction to the Center for Internet Security (CIS)
The CIS Critical Security Controls (CSCs) are a set of best practices that help organizations protect their networks and systems from cyber threats. They are designed to provide a comprehensive, prioritized approach to security, focusing on the most common and critical threats.
The CSCs can be used in conjunction with other industry standards, such as NIST 800-53, PCI DSS, FISMA, ISO 27001, and HIPAA, to ensure organizations are meeting their compliance requirements.
The CIS controls are organized into three categories:
Basic Controls
These are the most important and should be implemented first. They cover the fundamentals of security, such as access control, asset management, and vulnerability management.
Foundational Controls
These build on the Basic controls and provide more detailed guidance on protecting data, networks, and applications.
Organizational Controls
These provide guidance on how to manage security across the organization, such as developing policies and procedures and conducting security awareness training. They focus on the broader organizational practices needed to maintain and enhance an organization's security posture.
CIS V7 vs V8
CIS V7 had 20 controls; the latest version, CIS V8, includes only 18 controls.
The 18 CIS Critical Security Controls
Basic Controls (1-6):
Inventory and Control of Enterprise Assets
Inventory and Control of Software Assets
Data Protection
Secure Configuration of Enterprise Assets and Software
Account Management
Access Control Management
Foundational Controls (7-16):
Continuous Vulnerability Management
Audit Log Management
Email and Web Browser Protections
Malware Defenses
Data Recovery
Network Infrastructure Management
Network Monitoring and Defense
Security Awareness and Skills Training
Service Provider Management
Application Software Security
Organizational Controls (17-18):
Incident Response Management
Penetration Testing
CIS Controls Importance
CIS Controls are an important set of security guidelines that can help organizations protect their IT assets from cyber threats. By following the CIS Controls, organizations can be sure that their IT assets are secure against the latest threats, benchmark their security posture, identify areas for improvement, and train their employees on basic cyber security best practices.
IMPLEMENTATIONS OF CIS CONTROLS
CIS Control 1: Inventory and Control of Enterprise Assets
PURPOSE: Actively manage (inventory, track, and correct) all enterprise assets (including hardware and software) so that only authorized devices are given access.
SOLUTION: Angry IP Scanner, ImmuniWeb Discovery, Qualys, Virima, Asset Panda, Asset Tiger, etc.
In practice, documenting and auditing the controls looks like the following diagram, which shows the CIS Dashboard:
The CIS Dashboard provides a comprehensive overview of your compliance with the CIS Controls, highlighting areas that require attention and helping you track your progress over time.
However, if you don't have access to this dashboard, you can also use templates like the following to document and audit your controls manually:
These templates allow you to systematically record your compliance efforts, track the status of each control, and ensure that all necessary actions are documented.
Using either the CIS Dashboard or these templates helps maintain a clear and organized approach to managing and auditing your CIS Controls, ensuring that you can effectively detect, manage, and recover from security incidents.
CIS Control 2: Inventory and Control of Software Assets
PURPOSE: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute.
SOLUTION: NetStock, Inventory Cloud
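The first two controls come down to the same check: compare what is actually on the network and installed on it with what the organization has authorized, then act on the difference. The script below is an added example (not code from CIS or from any of the tools named above) that does that for both Control 1 and Control 2: it reconciles a constructed scanner CSV export and constructed per-device package lists against a constructed authorized asset register. The CSV columns, the agent report format and every MAC, IP, hostname and package name are assumptions made for the example; an inventory that is not in the register is flagged for quarantine, a register entry that was not seen is flagged for review, and installed software outside a device's allowlist is reported.

```python
"""Inventory reconciliation for CIS Controls 1 and 2 (added example, hypothetical data)."""
import csv
import io
from dataclasses import dataclass, field

# Constructed authorized asset register, keyed by MAC address because IP addresses
# change. The "software" set is the allowlist for that device (Control 2).
AUTHORIZED_ASSETS = {
    "00:11:22:33:44:01": {"hostname": "fs01", "owner": "IT", "software": {"nginx", "openssh-server"}},
    "00:11:22:33:44:02": {"hostname": "hr-laptop-07", "owner": "HR", "software": {"office", "chrome"}},
    "00:11:22:33:44:03": {"hostname": "db01", "owner": "IT", "software": {"postgresql", "openssh-server"}},
}

# Constructed CSV export in the shape a network scanner might produce (columns assumed).
SCAN_CSV = """ip,mac,hostname
10.0.0.10,00:11:22:33:44:01,fs01
10.0.0.23,00:11:22:33:44:02,hr-laptop-07
10.0.0.99,DE:AD:BE:EF:00:01,unknown-device
"""

# Constructed per-device package lists as an endpoint agent might report them (format assumed).
REPORTED_SOFTWARE = {
    "00:11:22:33:44:01": {"nginx", "openssh-server", "torrent-client"},
    "00:11:22:33:44:02": {"office", "chrome"},
}


@dataclass
class Findings:
    unauthorized_devices: list = field(default_factory=list)   # on the network, not in the register
    missing_devices: list = field(default_factory=list)        # in the register, not seen by the scan
    unauthorized_software: dict = field(default_factory=dict)  # mac -> packages outside the allowlist


def parse_scan(csv_text):
    """Map MAC -> {ip, hostname} from the scanner CSV; MACs are lower-cased so they compare reliably."""
    seen = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        seen[row["mac"].strip().lower()] = {"ip": row["ip"].strip(), "hostname": row["hostname"].strip()}
    return seen


def reconcile(authorized, scan_csv, reported_software):
    """Compare what is on the network (and installed on it) with what is authorized."""
    findings = Findings()
    seen = parse_scan(scan_csv)
    for mac, info in seen.items():
        if mac not in authorized:
            findings.unauthorized_devices.append((mac, info["ip"], info["hostname"]))
    for mac, info in authorized.items():
        if mac not in seen:
            findings.missing_devices.append((mac, info["hostname"]))
    for mac, installed in reported_software.items():
        allowed = authorized.get(mac, {}).get("software", set())
        extra = set(installed) - set(allowed)
        if extra:
            findings.unauthorized_software[mac] = extra
    return findings


if __name__ == "__main__":
    result = reconcile(AUTHORIZED_ASSETS, SCAN_CSV, REPORTED_SOFTWARE)
    for mac, ip, host in result.unauthorized_devices:
        print(f"UNAUTHORIZED DEVICE  {mac} {ip} ({host}): quarantine and investigate")
    for mac, host in result.missing_devices:
        print(f"NOT SEEN             {mac} ({host}): confirm it is still in use or retire it from the register")
    for mac, pkgs in result.unauthorized_software.items():
        print(f"UNAUTHORIZED SOFTWARE on {mac}: {sorted(pkgs)}")
```

Keying on MAC rather than IP matters: DHCP leases move, so an IP-keyed register produces false "unauthorized" hits every time a laptop reconnects. The "not seen" list is just as useful as the "unauthorized" list, because a register full of retired machines is how an inventory quietly stops being trustworthy.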
CIS Control 3: Data Protection
PURPOSE: Protect organizational data through measures such as encryption, integrity protection, and data loss prevention.
SOLUTION: AES Encryption, DLP Tools (Symantec, Digital Guardian, SolarWinds, ForcePoint)
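The data loss prevention side of this control is, at its core, content inspection: scan outbound text for regulated data and enforce a policy decision. The block below is an added example of that idea, not code from Symantec, Digital Guardian, SolarWinds or Forcepoint. It looks for payment card numbers in a constructed e-mail body, uses the Luhn mod-10 check to discard the order numbers and other 16-digit strings that a bare regex would flag, and returns only masked values so the scanner itself never becomes a place where card numbers are stored. The message text, the block/allow policy and the 13-to-19-digit candidate pattern are assumptions made for the example.

```python
"""Content inspection for payment card numbers, as a DLP tool does (added example, constructed data)."""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")


def luhn_valid(digits):
    """Luhn mod-10 check: filters out most order numbers, IDs and other digit strings of card length."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return masked card numbers found in text; raw values are never returned or logged."""
    findings = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            findings.append("*" * (len(digits) - 4) + digits[-4:])
    return findings


def dlp_decision(text):
    """Policy (assumed for the example): block the message when a validated card number is present."""
    found = find_card_numbers(text)
    return ("BLOCK" if found else "ALLOW"), found


# Constructed sample message. 4111 1111 1111 1111 is a well-known Luhn-valid test number;
# the order reference and the final number fail the Luhn check and must not be flagged.
SAMPLE_EMAIL = (
    "Hi, please charge 4111 1111 1111 1111 for order 1234 5678 9012 3456, "
    "the old card 4111-1111-1111-1112 was cancelled. Ticket 2024-05-01."
)

if __name__ == "__main__":
    verdict, masked = dlp_decision(SAMPLE_EMAIL)
    print(verdict, masked)
```

The Luhn filter is what keeps a rule like this usable: without it, every invoice number and tracking code of the right length trips the policy, and users quickly learn to route around the control.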
CIS Control 4: Secure Configuration of Enterprise Assets and Software
PURPOSE: Establish and maintain secure configurations for hardware and software.
SOLUTION: SolarWinds, CFEngine, SaltStack, JUJU, Bamboo by Jira, Chef, Ansible, Puppet, AWS System Manager
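Configuration management tools enforce a baseline; the complementary check is verifying that a host's effective configuration still matches it, since a commented-out directive silently falls back to the daemon's default. The block below is an added example (not code from any of the tools listed above) that parses a constructed sshd_config and reports deviations from a small hardening baseline. The baseline values, the fallback defaults and the sample file are assumptions for the example; confirm the defaults against the sshd_config(5) man page for the version you run. It reproduces two sshd parsing rules that trip up naive checkers: the first occurrence of a keyword wins, and directives after a Match block are conditional and therefore excluded from the global view.

```python
"""Check an sshd_config against a hardening baseline (added example, assumed settings)."""
import re

# Assumed baseline for illustration: expected values for a few sshd directives.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
    "X11Forwarding": "no",
}

# Values applied when a directive is absent (assumed here; verify against your sshd version).
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "MaxAuthTries": "6",
    "X11Forwarding": "no",
}


def parse_sshd_config(text):
    """Return the effective global directives as lower-cased keyword -> value.

    sshd honours the first occurrence of a keyword, so later duplicates are ignored;
    parsing stops at the first Match block because directives there are conditional.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def check_baseline(text, baseline=BASELINE, defaults=DEFAULTS):
    """Return {directive: (expected, actual)} for every directive that deviates from the baseline."""
    effective = parse_sshd_config(text)
    deviations = {}
    for directive, expected in baseline.items():
        actual = effective.get(directive.lower(), defaults.get(directive))
        if actual is None or actual.lower() != expected.lower():
            deviations[directive] = (expected, actual)
    return deviations


# Constructed sample: the commented-out PasswordAuthentication line falls back to the default,
# and the second MaxAuthTries line is ignored because the first one wins.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 4
MaxAuthTries 10
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for directive, (expected, actual) in check_baseline(SAMPLE_SSHD_CONFIG).items():
        print(f"DEVIATION {directive}: expected {expected!r}, effective {actual!r}")
```

Comparing against the effective value rather than the literal file is the whole point: a file that contains `#PasswordAuthentication no` looks hardened to a text search and is not.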
CIS Control 5: Account Management
PURPOSE: Manage the lifecycle of user accounts, including their creation, use, and deletion.
SOLUTION: Principle of Least Privilege, Micro-Segmentation
CIS Control 6: Access Control Management
PURPOSE: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrative, and service accounts.
SOLUTION: Arcon, BeyondTrust, Centrify, CyberARK, JumpCloud
CIS Control 7: Continuous Vulnerability Management
PURPOSE: Continuously acquire, assess, and take action on information regarding new vulnerabilities to minimize the window of opportunity for attackers.
SOLUTION: Nexpose Vulnerability Scanner (Rapid7), SCAP extension for Microsoft System Center Configuration Manager, ThreatGuard, Qualys, SAINT, OpenSCAP by Red Hat, Tripwire, etc.
CIS Control 8: Audit Log Management
PURPOSE: Collect, alert, and review audit logs to understand and detect attacks.
SOLUTION: SIEM, SOC, Amazon CloudWatch
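Collecting logs is only half of this control; the other half is the review and alerting logic a SIEM runs over them. The block below is an added example, not a rule from Splunk, CloudWatch or any other product, of one such detection run over constructed SSH authentication lines: it keeps a sliding window of failed logins per source address, raises an alert when the window fills, and escalates a later successful login from the same source, since a success after a burst of failures is the pattern that deserves a human look. The log layout with ISO timestamps, the addresses, usernames and the five-failures-in-sixty-seconds threshold are all assumptions for the example.

```python
"""Detect failed-login bursts in SSH audit logs (added example, constructed log lines)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a syslog-like layout with ISO timestamps (format assumed).
# The single failure from 198.51.100.7 is a user typo and must stay below the threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
2024-05-01T10:00:03Z sshd[102]: Failed password for root from 203.0.113.5 port 4002 ssh2
2024-05-01T10:00:05Z sshd[103]: Failed password for root from 203.0.113.5 port 4003 ssh2
2024-05-01T10:00:07Z sshd[104]: Failed password for invalid user test from 203.0.113.5 port 4004 ssh2
2024-05-01T10:00:09Z sshd[105]: Failed password for alice from 203.0.113.5 port 4005 ssh2
2024-05-01T10:00:20Z sshd[106]: Accepted password for alice from 203.0.113.5 port 4006 ssh2
2024-05-01T10:05:00Z sshd[107]: Failed password for bob from 198.51.100.7 port 5000 ssh2
2024-05-01T10:05:02Z sshd[108]: Accepted publickey for bob from 198.51.100.7 port 5001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def detect_login_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (ip, alert_kind, timestamp, user) tuples.

    A burst is `threshold` failures from one source within `window`. A later successful
    login from a source that produced a burst is escalated, since it may mean a guessed
    password rather than a user who mistyped once.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    burst_sources = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # lines that are not auth events are ignored by this rule
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        ip = m.group("ip")
        failures = recent_failures[ip]
        while failures and ts - failures[0] > window:   # slide the window forward
            failures.popleft()
        if m.group("result") == "Failed":
            failures.append(ts)
            if len(failures) == threshold:   # alert once, when the threshold is first reached
                burst_sources.add(ip)
                alerts.append((ip, "failed_login_burst", m.group("ts"), m.group("user")))
        elif ip in burst_sources:
            alerts.append((ip, "success_after_failed_burst", m.group("ts"), m.group("user")))
    return alerts


if __name__ == "__main__":
    for ip, kind, ts, user in detect_login_bursts(SAMPLE_LOG):
        print(f"{ts} {kind:<26} source={ip} user={user}")
```

The rule state (`recent_failures`, `burst_sources`) is the part a real deployment has to persist or keep in memory across log batches; the detection itself is a few lines, which is why tuning the threshold and window to your environment's normal failure rate is where most of the effort goes.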
CIS Control 9: Email and Web Browser Protections
PURPOSE: Improve security for the primary tools employees use to access the internet and communicate with each other.
SOLUTION: Tripwire, Anti-Spam Gateway
CIS Control 10: Malware Defenses
PURPOSE: Control the installation, spread, and execution of malicious code.
SOLUTION: Sophos, Amazon Inspector, Malwarebytes
CIS Control 11: Data Recovery
PURPOSE: Ensure the ability to recover and restore data in the event of an incident.
SOLUTION: Backups, RPO, RTO
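RPO and RTO only mean something if they are checked against what the backup system actually did: the recovery point objective is breached as soon as the last successful backup is older than the RPO, and the recovery time objective is unachievable if a measured restore took longer than the RTO, or if a restore has never been measured at all. The block below is an added example (not from any backup product) that makes those checks over a constructed backup catalog, constructed objectives and a constructed record of restore tests; every system name, timestamp and duration, and the 90-day limit on restore-test age, are assumptions for the example.

```python
"""Check a backup catalog against recovery objectives (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed recovery objectives per system (assumed values).
OBJECTIVES = {
    "db01":   {"rpo": timedelta(hours=1),  "rto": timedelta(hours=2)},
    "fs01":   {"rpo": timedelta(hours=24), "rto": timedelta(hours=8)},
    "hr-app": {"rpo": timedelta(hours=4),  "rto": timedelta(hours=4)},
}

# Constructed backup job history: (system, finished_at, status).
BACKUP_CATALOG = [
    ("db01",   "2024-05-01T09:30:00Z", "success"),
    ("db01",   "2024-05-01T11:00:00Z", "failed"),    # a failed job does not count towards the RPO
    ("fs01",   "2024-04-29T02:00:00Z", "success"),
    ("hr-app", "2024-05-01T08:00:00Z", "success"),
]

# Constructed record of the last verified restore test: system -> (tested_at, measured restore time).
RESTORE_TESTS = {
    "db01": ("2024-04-15T00:00:00Z", timedelta(minutes=45)),
    "fs01": ("2024-04-20T00:00:00Z", timedelta(hours=12)),
    # hr-app has never been restore-tested
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def assess_recovery(now, objectives, catalog, restore_tests, max_test_age=timedelta(days=90)):
    """Return {system: [issue codes]} for systems that cannot currently meet their RPO or RTO."""
    issues = {}
    for system, objective in objectives.items():
        problems = []
        good_backups = [parse_ts(ts) for name, ts, status in catalog
                        if name == system and status == "success"]
        if not good_backups:
            problems.append("no_successful_backup")
        elif now - max(good_backups) > objective["rpo"]:
            problems.append("rpo_breached")       # data written since the last good backup would be lost
        test = restore_tests.get(system)
        if test is None:
            problems.append("restore_untested")   # an untested backup is an assumption, not a capability
        else:
            tested_at, restore_time = test
            if now - parse_ts(tested_at) > max_test_age:
                problems.append("restore_test_stale")
            if restore_time > objective["rto"]:
                problems.append("rto_unachievable")   # measured restore time exceeds the objective
        if problems:
            issues[system] = problems
    return issues


if __name__ == "__main__":
    now = parse_ts("2024-05-01T11:30:00Z")
    for system, problems in assess_recovery(now, OBJECTIVES, BACKUP_CATALOG, RESTORE_TESTS).items():
        print(f"{system}: {', '.join(problems)}")
```

Two details carry the weight here: failed jobs are excluded when computing backup age, so a catalog full of recent failures does not look healthy, and the RTO is judged against a measured restore, not against the vendor's estimate.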
CIS Control 12: Network Infrastructure Management
PURPOSE: Securely manage network devices, such as firewalls, routers, and switches.
SOLUTION: Tripwire, Rapid7
CIS Control 13: Network Monitoring and Defense
PURPOSE: Manage and monitor all logs of your network devices, such as firewalls, routers, and switches.
SOLUTION: Imperva WAF, network firewalls, NetBrain
CIS Control 14: Security Awareness and Skills Training
PURPOSE: Develop security awareness programs and conduct training to educate employees on security practices.
SOLUTION: Training Workshops For Employees
CIS Control 15: Service Provider Management
PURPOSE: Maintain and assess security controls, processes, and services provided by third parties.
SOLUTION: Compliance and audit reports, service level agreements (SLAs)
CIS Control 16: Application Software Security
PURPOSE: Manage the security lifecycle of all software used within the organization.
SOLUTION: WAF, Tripwire
CIS Control 17: Incident Response Management
PURPOSE: Establish and maintain an incident response capability to detect, manage, and recover from security incidents.
SOLUTION: Splunk, ThreatConnect, FireEye Helix
CIS Control 18: Penetration Testing
PURPOSE: Regularly test the effectiveness of security controls through simulation of real-world attacks.
SOLUTION: Nmap, Metasploit, Wireshark, Burp Suite, Nessus