Implement CIS Top 18 Controls in Your Organization

Introduction to the Center for Internet Security (CIS)

The CIS Critical Security Controls (CSCs) are a set of best practices that help organizations protect their networks and systems from cyber threats. They are designed to provide a comprehensive, prioritized approach to security, focusing on the most common and critical threats.

The CSCs can be used in conjunction with other industry standards, such as NIST 800-53, PCI DSS, FISMA, ISO 27001, and HIPAA, to ensure organizations are meeting their compliance requirements.

The CIS controls are organized into three categories:

Basic Controls

These are the most important and should be implemented first. They cover the fundamentals of security, such as access control, asset management, and vulnerability management.

Foundational Controls

These build on the Basic Controls and provide more detailed guidance on protecting data, networks, and applications.

Organizational Controls

These controls focus on the broader organizational practices needed to maintain and enhance the security posture of an organization, such as developing policies and procedures and conducting security awareness training.

CIS V7 vs V8

CIS v7 had 20 controls, but the latest version, CIS v8, includes only 18 controls.


The 18 CIS Critical Security Controls

Basic Controls (1-6):

  • Inventory and Control of Enterprise Assets

  • Inventory and Control of Software Assets

  • Data Protection

  • Secure Configuration of Enterprise Assets and Software

  • Account Management

  • Access Control Management

Foundational Controls (7-16):

  • Continuous Vulnerability Management

  • Audit Log Management

  • Email and Web Browser Protections

  • Malware Defenses

  • Data Recovery

  • Network Infrastructure Management

  • Network Monitoring and Defense

  • Security Awareness and Skills Training

  • Service Provider Management

  • Application Software Security

Organizational Controls (17-18):

  • Incident Response Management

  • Penetration Testing

CIS Controls Importance

CIS Controls are an important set of security guidelines that can help organizations protect their IT assets from cyber threats. By following the CIS Controls, organizations can be sure that their IT assets are secure against the latest threats, benchmark their security posture, identify areas for improvement, and train their employees on basic cyber security best practices.

Implementation of CIS Controls

CIS Control 1: Inventory and Control of Enterprise Assets

PURPOSE: Actively manage (inventory, track, and correct) all enterprise assets (including hardware and software) so that only authorized devices are given access.

SOLUTION: Angry IP Scanner, ImmuniWeb Discovery, Qualys, Virima, Asset Panda, Asset Tiger, etc.

Practically, when we document and audit, it looks like the following diagram, which represents the CIS Dashboard:

[Image: CIS Dashboard]

The CIS Dashboard provides a comprehensive overview of your compliance with the CIS Controls, highlighting areas that require attention and helping you track your progress over time.

However, if you don't have access to this dashboard, you can also use templates like the following to document and audit your controls manually:

[Image: manual CIS controls audit template]

These templates allow you to systematically record your compliance efforts, track the status of each control, and ensure that all necessary actions are documented.

Using either the CIS Dashboard or these templates helps maintain a clear and organized approach to managing and auditing your CIS Controls, ensuring that you can effectively detect, manage, and recover from security incidents.
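As an added example (not part of the original post), the reconciliation at the heart of Control 1 in Python: a constructed authorized asset register is joined with a constructed network-scan export on MAC address, producing the unauthorized, missing and verified device lists an auditor would record in the template above.

```python
# Added example (not from the original post): reconcile a network discovery
# export against the authorized asset register, as CIS Control 1 requires.
# Both CSV documents below are constructed stand-ins for real tool exports.
import csv
import io
from dataclasses import dataclass, field

AUTHORIZED_CSV = """hostname,mac,owner
fs01,AA:BB:CC:00:00:01,IT
db01,AA:BB:CC:00:00:02,IT
ws-finance-07,AA:BB:CC:00:00:03,Finance
printer-2f,AA:BB:CC:00:00:04,Facilities
"""

SCAN_CSV = """ip,mac,hostname
10.0.1.10,aa-bb-cc-00-00-01,fs01
10.0.1.11,aa-bb-cc-00-00-02,db01
10.0.1.57,aa-bb-cc-00-00-03,ws-finance-07
10.0.1.99,de-ad-be-ef-00-01,
10.0.1.120,de-ad-be-ef-00-02,unknown-laptop
"""

def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so scanner and register formats compare equal."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

@dataclass
class Reconciliation:
    unauthorized: list = field(default_factory=list)  # on the network, not in the register
    missing: list = field(default_factory=list)       # in the register, not seen on the network
    verified: list = field(default_factory=list)      # seen and authorized

def reconcile(authorized_csv: str, scan_csv: str) -> Reconciliation:
    """Join the two exports on MAC address (the field both sides share)."""
    register = {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(authorized_csv))}
    seen = {normalize_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(scan_csv))}
    result = Reconciliation()
    for mac in sorted(seen.keys() - register.keys()):
        host = seen[mac]["hostname"] or "<no hostname>"
        result.unauthorized.append(f'{seen[mac]["ip"]} {mac} {host}')
    result.missing = [register[m]["hostname"] for m in sorted(register.keys() - seen.keys())]
    result.verified = [register[m]["hostname"] for m in sorted(register.keys() & seen.keys())]
    return result

if __name__ == "__main__":
    r = reconcile(AUTHORIZED_CSV, SCAN_CSV)
    print("UNAUTHORIZED (investigate / quarantine):", *r.unauthorized, sep="\n  ")
    print("MISSING (offline or stale register entry):", *r.missing, sep="\n  ")
    print("VERIFIED:", *r.verified, sep="\n  ")
```

Devices in the first list are the ones Control 1 is about: anything on the network that the register does not know about should be blocked from access until it is either enrolled or removed.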

CIS Control 2: Inventory and Control of Software Assets

PURPOSE: Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute.

SOLUTION: NetStock, Inventory Cloud

CIS Control 3: Data Protection

PURPOSE: Protect organizational data through measures such as encryption, integrity protection, and data loss prevention.

SOLUTION: AES Encryption, DLP Tools (Symantec, Digital Guardian, SolarWinds, ForcePoint)

CIS Control 4: Secure Configuration of Enterprise Assets and Software

PURPOSE: Establish and maintain secure configurations for hardware and software.

SOLUTION: SolarWinds, CFEngine, SaltStack, JUJU, Bamboo by Jira, Chef, Ansible, Puppet, AWS System Manager

CIS Control 5: Account Management

PURPOSE: Manage the lifecycle of user accounts, including their creation, use, and deletion.

SOLUTION: Principle of Least Privilege, Micro-Segmentation

CIS Control 6: Access Control Management

PURPOSE: Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrative, and service accounts.

SOLUTION: Arcon, BeyondTrust, Centrify, CyberARK, JumpCloud

CIS Control 7: Continuous Vulnerability Management

PURPOSE: Continuously acquire, assess, and take action on information regarding new vulnerabilities to minimize the window of opportunity for attackers.

SOLUTION: Nexpose Vulnerability Scanner (Rapid7), SCAP extension for Microsoft System Center Configuration Manager, ThreatGuard, Qualys, SAINT, OpenSCAP by Red Hat, Tripwire, etc.

CIS Control 8: Audit Log Management

PURPOSE: Collect, alert, and review audit logs to understand and detect attacks.

SOLUTION: SIEM, SOC, Amazon CloudWatch

CIS Control 9: Email and Web Browser Protections

PURPOSE: Improve security for the primary tools employees use to access the internet and communicate with each other.

SOLUTION: Tripwire, Anti-Spam Gateway


CIS Control 10: Malware Defenses

PURPOSE: Control the installation, spread, and execution of malicious code.

SOLUTION: Sophos, Amazon Inspector, Malwarebytes

CIS Control 11: Data Recovery

PURPOSE: Ensure the ability to recover and restore data in the event of an incident.

SOLUTION: Backups, RPO, RTO
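The RPO and RTO named above only mean something when they are checked against what the backup system actually holds. The following is an added example (not from the original post) that evaluates a constructed backup catalog and restore-drill record against constructed RPO/RTO targets for a hypothetical failure time; it also shows why a backup that failed its integrity check must not count as a recovery point.

```python
# Added example (not from the original post): check a backup catalog against
# RPO/RTO targets. All systems, timestamps and policy values are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class BackupRecord:
    system: str
    completed_at: datetime
    verified: bool  # integrity check passed; an unverified copy is not a recovery point
UTC = timezone.utc
CATALOG = [  # constructed
    BackupRecord("db01", datetime(2024, 6, 10, 1, 0, tzinfo=UTC), True),
    BackupRecord("db01", datetime(2024, 6, 10, 5, 0, tzinfo=UTC), True),
    BackupRecord("fs01", datetime(2024, 6, 9, 22, 0, tzinfo=UTC), True),
    BackupRecord("ws-finance-07", datetime(2024, 6, 10, 2, 30, tzinfo=UTC), True),
    BackupRecord("ws-finance-07", datetime(2024, 6, 10, 6, 30, tzinfo=UTC), False),  # failed check
]
# Duration of the latest full restore drill per system; a missing key means never tested.
RESTORE_DRILLS = {"db01": timedelta(minutes=50), "fs01": timedelta(hours=5)}
RPO = timedelta(hours=4)  # maximum tolerable data loss
RTO = timedelta(hours=2)  # maximum tolerable time to restore service
FAILURE_TIME = datetime(2024, 6, 10, 7, 0, tzinfo=UTC)  # hypothetical incident time

def assess(catalog, drills, rpo, rto, failure_time):
    """Return {system: [findings]}; an empty list means the system meets policy."""
    by_system = {}
    for rec in catalog:
        by_system.setdefault(rec.system, []).append(rec)
    findings = {}
    for system, recs in sorted(by_system.items()):
        issues = []
        # Only verified backups taken before the failure count as recovery points.
        good = [r for r in recs if r.verified and r.completed_at <= failure_time]
        if not good:
            issues.append("no verified backup before failure time")
        else:
            loss = failure_time - max(r.completed_at for r in good)  # data-loss window
            if loss > rpo:
                issues.append(f"RPO breached: newest verified backup is {loss} old")
        drill = drills.get(system)
        if drill is None:
            issues.append("RTO unproven: no restore test on record")
        elif drill > rto:
            issues.append(f"RTO breached: last restore took {drill}")
        findings[system] = issues
    return findings

if __name__ == "__main__":
    for system, issues in assess(CATALOG, RESTORE_DRILLS, RPO, RTO, FAILURE_TIME).items():
        print(f"{system}: {'OK' if not issues else '; '.join(issues)}")
```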

CIS Control 12: Network Infrastructure Management

PURPOSE: Securely manage network devices, such as firewalls, routers, and switches.

SOLUTION: Tripwire, Rapid7

CIS Control 13: Network Monitoring and Defense

PURPOSE: Manage and monitor all logs of your network devices, such as firewalls, routers, and switches.

SOLUTION: Imperva WAF, Network Firewalls, NetBrain

CIS Control 14: Security Awareness and Skills Training

PURPOSE: Develop security awareness programs and conduct training to educate employees on security practices.

SOLUTION: Training Workshops For Employees

CIS Control 15: Service Provider Management

PURPOSE: Maintain and assess security controls, processes, and services provided by third parties.

SOLUTION: Compliance and Audit Reports, Service Level Agreements (SLAs)

CIS Control 16: Application Software Security

PURPOSE: Manage the security lifecycle of all software used within the organization.

SOLUTION: WAF, Tripwire

CIS Control 17: Incident Response Management

PURPOSE: Establish and maintain an incident response capability to detect, manage, and recover from security incidents.

SOLUTION: Splunk, ThreatConnect, FireEye Helix

CIS Control 18: Penetration Testing

PURPOSE: Regularly test the effectiveness of security controls through simulation of real-world attacks.

SOLUTION: Nmap, Metasploit, Wireshark, Burp Suite, Nessus