Dale Hobbs
The Center for Internet Security (CIS) Controls are a recommended set of highly effective defensive actions that provide specific and actionable methods to prevent the most dangerous and pervasive cyber-attacks. They were initially developed by the SANS Institute and were originally known as the SANS Critical Security Controls. They distill the combined knowledge of industry experts from every market into what is effectively a “must-do” starting point for any organization, large or small.
The CIS Controls provide a prioritized path to help organizations improve their cybersecurity program. In May 2021, the Center for Internet Security released the latest iteration of the CIS Controls, Version 8 (v8).
After re-assessing the Controls and how they matched up against the modern threat landscape, CIS made them task-focused and grouped them by activity, as opposed to by which group(s) in an organization manage the devices relevant to each control. As a result, the CIS Controls have been reduced from 20 down to 18. These 18 Controls contain 153 safeguards (formerly known as sub-controls), as opposed to 171 in v7.1, and they do a much better job of incorporating both Cloud and Mobile technologies. This was an area that was lacking in v7.1, so this is a big step in the right direction.
V8 still makes use of the three Implementation Groups (IGs) that were introduced in v7.1. In case you are not familiar with these groups, let’s recap.
IG1 is aimed at small to medium-sized organizations with limited in-house IT and security staff whose primary concern is to keep the business running and who have little tolerance for any downtime and/or disruption. The goal with IG1 is that the safeguards can be implemented with limited expertise, can be implemented with commercial off-the-shelf hardware and software, and are generally aimed at your run-of-the-mill, non-targeted attacks.
IG2 includes all of the safeguards from IG1 but is aimed at organizations that have dedicated IT and security staff whose primary goal is to protect the organization’s IT infrastructure. These organizations are usually able to tolerate short periods of downtime and/or disruption and are primarily concerned with reputational damage should a breach occur. The safeguards for IG2 will generally require enterprise-grade technology and specialized expertise in order to effectively implement these technologies.
IG3 includes all of the safeguards from IG1 and IG2. Organizations at this level will usually have security staff with a specialized skillset such as Penetration Testing, Incident Response, or Digital Forensics, to name a few. These organizations are generally subject to specific regulatory or compliance requirements. The safeguards for IG3 are aimed at mitigating targeted attacks from today’s sophisticated adversary.
Let’s dive in and take a high-level look at v8 of the CIS Controls. The first thing you will notice (aside from there now only being 18 controls) is that some of the names have changed from v7.1 and the ordering of some of the controls has changed as well. This was done to align with the “task-based grouping by activity” approach that the CIS has taken with v8.
| # | CIS Controls v8 | CIS Controls v7.1 |
|---|---|---|
| 1 | Inventory and Control of Enterprise Assets | Inventory and Control of Hardware Assets |
| 2 | Inventory and Control of Software Assets | Inventory and Control of Software Assets |
| 3 | Data Protection | Continuous Vulnerability Management |
| 4 | Secure Configuration of Enterprise Assets and Software | Controlled Use of Administrative Privileges |
| 5 | Account Management | Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers |
| 6 | Access Control Management | Maintenance, Monitoring, and Analysis of Audit Logs |
| 7 | Continuous Vulnerability Management | Email and Web Browser Protections |
| 8 | Audit Log Management | Malware Defenses |
| 9 | Email and Web Browser Protections | Limitation and Control of Network Ports, Protocols, and Services |
| 10 | Malware Defenses | Data Recovery Capabilities |
| 11 | Data Recovery | Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches |
| 12 | Network Infrastructure Management | Boundary Defense |
| 13 | Network Monitoring and Defense | Data Protection |
| 14 | Security Awareness and Skills Training | Controlled Access Based on the Need to Know |
| 15 | Service Provider Management | Wireless Access Control |
| 16 | Application Software Security | Account Monitoring and Control |
| 17 | Incident Response Management | Implement a Security Awareness and Training Program |
| 18 | Penetration Testing | Application Software Security |
| 19 | | Incident Response and Management |
| 20 | | Penetration Testing and Red Team Exercises |
Control 1: Inventory and Control of Enterprise Assets
This was formerly called “Inventory and Control of Hardware Assets”. The key to this control is that it focuses on ALL enterprise assets. This includes IoT, mobile, and those assets located within Cloud environments. The traditional network borders no longer exist and knowing what assets are in your ENTIRE environment is crucial in order to protect the organization. After all, you can’t protect what you don’t know exists.
Control 2: Inventory and Control of Software Assets
The goal of this control remains unchanged from v7.1, with the intent of knowing and maintaining an inventory of all software within the organization. Like Control 1, you can’t manage what you do not know exists. Having an accurate software inventory allows you to ensure ALL software is managed. And by software, we are not just referring to applications like Adobe Reader and Microsoft Office. Software also includes the Operating Systems, not just of your servers, desktops, and laptops, but also your firewalls, routers, and switches. Oh, and don’t forget that Smart TV in the lunchroom.
Control 3: Data Protection
This control brings some welcome changes and extends to the data stored in the Cloud. Our physical borders no longer exist, so it stands to reason that borders no longer apply to our data either. Your data is not only valuable to your organization, it’s also valuable to a criminal, so classifying and protecting ALL of your company data, including the data that lives in the Cloud, should be a high priority for any organization.
Control 4: Secure Configuration of Enterprise Assets and Software
This is another control where non-traditional computing devices such as IoT devices have finally been taken into consideration. Not only is it critical to have secure configurations for laptops, servers, and workstations but we also need to factor in configurations for non-computing/IoT devices such as factory equipment, inventory tracking devices, and medical equipment, to name a few. Having a secure and standardized configuration significantly improves the security and reduces the management overhead of these assets.
Control 5: Account Management
Criminals have shifted a lot of their focus from traditional malware-based attacks to attacks against user credentials, whether through phishing or the use of stolen credentials. All accounts, including administrative and service accounts, need to be treated with the same due diligence as hardware and software-based assets. This means knowing which accounts are active and which are dormant, and ensuring that no two accounts share the same password. Password re-use is a no-no and is easily managed with tools such as Microsoft LAPS (which handles the local administrator accounts on domain-joined machines).
Control 6: Access Control Management
You might wonder why Controls 5 and 6 are treated as separate controls. Control 5 deals with the account management itself, whereas Control 6 deals with the management of what access these accounts have. Accounts should only have the minimum level of access required in order to perform their desired function. An Identity and Access Management (IAM) solution provides the foundation for access management. Performing this manually is a tedious task and can lead to mistakes in configuration. Automating this with an IAM solution is critical to successfully implementing this control.
Control 7: Continuous Vulnerability Management
This control previously lived at the #3 spot in the Controls. Why was it moved to #7? That’s a good question! You’d have to ask the CIS for an official answer, but the fact is that exploiting vulnerabilities, while still important, has taken a bit of a back seat to user-based attacks, according to the 2020 Verizon Data Breach Investigations Report (DBIR). That said, this is still a never-ending game of cat and mouse, so it’s important to have an effective vulnerability management program in your environment that gives you timely visibility into known unmanaged or unmitigated vulnerabilities within your organization. Just because it moved from #3 to #7 doesn’t mean you should reduce its focus and attention.
Control 8: Audit Log Management
You wouldn’t drive your car with your eyes closed, so why would you operate your infrastructure with no visibility? Without proper logging, it’s very difficult to detect a potential compromise or attack. Not only will having the right logs help your Incident Response (IR) team determine what happened during an investigation, it will also aid your Security Team in detecting an attack quicker. The sooner we can discover an attack, the sooner it can be managed and the more likely it becomes that the damage can be minimized. There are generally two types of logs: System logs and Audit logs. Security incidents are not always discovered from Audit logs. In many cases, it’s a sudden decrease in system performance that triggers an investigation so it’s crucial that both System and Audit logs are appropriately configured for your environment.
Control 9: Email and Web Browser Protections
Email and Web Browsers are typically how your users interact with the world outside your environment. They are how a user visits a website or accesses their email and, as such, they’re common points of entry for an adversary, not only through the use of malicious code but also through social engineering. Ensuring that appropriate protection mechanisms are in place for these tools is crucial. URL filtering to restrict the types of sites a user can visit, disabling unauthorized and unvetted browser plugins, and Multi-Factor Authentication (MFA) are just a few examples of things you can do to reduce the attack surface of Email and Web Browsers.
Control 10: Malware Defenses
While malware-based attacks have fallen to #7 under the top threat action varieties according to the 2020 Verizon DBIR, cybercriminals are still attempting to entice your users to click on links or open attachments containing malware. Therefore, Malware Defenses are still a critical layer in your overall Defense in Depth Strategy. And, contrary to popular belief, Macs do get viruses, so make sure your implementation includes all Windows, Mac, and Linux-based systems in your environment.
Control 11: Data Recovery
What good are backups if they don’t work when you need them? Not only is a solid backup strategy important, it’s crucial that your strategy includes the often overlooked task of performing test restores. With ransomware on the rise, it’s more critical than ever that you’re able to successfully restore to a pre-incident state.
Control 12: Network Infrastructure Management
Like the nervous system in the human body, the network infrastructure is the backbone of your environment. As data is transmitted, it traverses through the various components that make up the network infrastructure. As such, having an accurate network diagram and ensuring that all network devices are running the latest software versions is key. Much like Control 1, if network devices or paths exist that you’re unaware of, then you have a blind spot and can’t realistically expect to protect all paths that an adversary could utilize.
Control 13: Network Monitoring and Defense
This control is closely related to Control 12, discussed above. Expecting your network defenses to be perfect is unrealistic, so continuous monitoring of your network infrastructure is crucial, both to watch for attacks against the network itself and to detect and/or prevent lateral movement. Capabilities such as Intrusion Detection and Intrusion Prevention Systems (IDS/IPS), threat hunting, and network segmentation are just some examples of controls that will help reduce the impact of a network-based attack.
Control 14: Security Awareness and Skills Training
While it’s often stated that users are your weakest link, I’ve never been fond of that statement. The fact remains, however, that the human element is a critical part in the success or failure of an organization’s security program. It’s generally much more difficult to find an exploit than it is to manipulate a user into opening an email attachment and installing malware. According to the 2020 Verizon DBIR, phishing is the top threat action taken by adversaries to gain access to an environment. Why? Because it works! You change the oil in your car! You patch your operating systems! So why would you not “maintain and patch” your users?
Control 15: Service Provider Management
This is a new and welcome control, since we rely more and more on vendors and other third parties to manage our data or provide infrastructure for our core applications. A process to ensure these vendors are adequately protecting those platforms and data is therefore crucial. With more and more third-party breaches occurring, a provider’s security posture and vulnerabilities have direct consequences for your organization.
Control 16: Application Software Security
This is another control that has been extended to include Hosted environments. Software applications are the interface through which users interact with business logic and databases. As these applications become more and more complex, they are rarely created from scratch, but rather tend to be assembled from a mixture of new and existing code and libraries. Vulnerabilities such as buffer overflows, cross-site scripting, and command injection are often utilized by adversaries as entry points into our environments. This means that our traditional approaches to security are no longer as simple as they once were, because the vulnerabilities introduced along with these new complexities are not always sufficiently understood.
Control 17: Incident Response Management
Companies don’t usually end up on the front-page news because they were breached, but rather because the breach was poorly managed. Having an effective Incident Response plan makes all the difference between a small security incident and a full-scale front-page breach. An effective program includes protection, detection, response, and recovery capabilities. It’s unreasonable to think our security protections are going to be effective 100% of the time and, statistically speaking, a security incident IS going to happen! How comprehensive your Incident Response plan is will determine the extent of the damage and whether you’re front-page news or just another statistic.
Control 18: Penetration Testing
In today’s complex environments, with constantly evolving technologies and ever-emerging attacker tradecraft, controlled testing of our environments is a crucial but often overlooked component of a well-rounded and comprehensive security program. Penetration Testing and Vulnerability Testing are often confused, and the terms are often misused interchangeably. Vulnerability Testing is just that: testing for known vulnerabilities, nothing more. Penetration Testing takes it further and attempts to exploit those vulnerabilities and system misconfigurations, with the desired outcome of seeing how far an attacker could get and which business processes or data would be impacted if an attacker were able to abuse them. The ultimate goal of Penetration Testing is to discover the vulnerabilities and misconfigurations, and then remediate or mitigate them before an attacker does.
While the aim here was to provide a high-level overview for CIS Controls v8, a more in-depth exploration of the Controls would be a worthwhile investment for any company, especially for one looking to improve the maturity of its cybersecurity program.
A previous study found that by adopting just the first five controls, roughly 85% of attacks could be prevented while adopting all of the controls would prevent more than 97% of all attacks. So, whether you’re a small chain of grocery stores, a large multi-national bank, or somewhere in between, if you’re looking to bolster your security but don’t know where to begin, the CIS Controls v8 is an excellent place to start.
The full details of the Controls are on the Center for Internet Security’s website.