The CIS (Center for Internet Security) Critical Security Controls are a prioritized set of actions for cybersecurity that form a defense-in-depth set of specific and actionable best practices to mitigate the most common cyber attacks. A principle benefit of the CIS Controls are that they prioritize and focus on a small number of actions that greatly reduce cybersecurity risk.
While initially developed by the SANS Institute and known as the SANS Critical Controls, the CIS Controls are now managed by the Center for Internet Security and developed by a community of experts who apply their experience as CISOs and security professionals, creating globally accepted security best practices. These experts come from a wide range of sectors including retail, manufacturing, healthcare, education, government agencies and defense.
Why are the CIS Controls Important?
The CIS Controls are important because they minimize the risk of data breaches, data leaks, theft of intellectual property, corporate espionage, identity theft, privacy loss, denial of service and other cyber threats.
As security professionals, we have access to an array of security tools and technologies, security standards, training, certifications, vulnerability databases, best practices, security controls, checklists, benchmarks and recommendations.
To help us understand threats, we've seen the introduction of security ratings, third-party security ratings, data leak detection and the NIST Cybersecurity Framework. Not to mention, we're surrounded by regulatory requirements like HIPAA, GDPR, LGPD, CCPA, FISMA, CPS 234, GLBA, PCI DSS and PIPEDA that require clear third-party risk management frameworks, vendor risk management and robust risk assessment methodologies.
There is not a shortage of information available to keen security practitioners on what to do to secure their organizations. But all this technology, information and oversight has resulted in competing options, priorities, opinions and claims that can distract from the ultimate mission of closing attack vectors and reducing your attack surface.
With businesses growing, dependencies expanding, threats evolving and customers expecting more, robust cybersecurity has never been more important.
The CIS Controls help us answer questions like:
- What are the most critical areas to establish a risk management program?
- Which defensive steps provide the greatest value?
- How can we track our risk management program maturity?
- How can we share our insights into attacks and attackers and identify root causes?
- Which tools are best used to solve which problems?
- Which CIS controls map to my organization's regulatory and compliance frameworks?
Why Do the CIS Controls Work?
The CIS Controls work because they are:
- Informed by common attacks and effective defenses
- Reflect the knowledge of experts from companies, government and individuals, as well as sectors (government, power, defense, finance, transportation, academia, consulting, security, IT)
- From every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, auditors, etc.)
The CIS Controls have evolved from the consensus list of security controls that security experts believe are the best defensive techniques to prevent data breaches and mitigate the damage caused by cyber attacks.
Beyond blocking the unauthorized access, the CIS controls also address detecting indicators of compromise and preventing additional attacks.
The defense identified in the CIS controls deal with reducing the initial attack surface by hardening servers, identifying compromised machines, disrupting command-and-control or malicious software and establishing adaptive, continuous defenses that are continually improved.
Additionally, the CIS benchmarks acknowledge the reality that most organization face, in that resources are limited and priorities must be set.
As such, CIS separates controls into three categories, basic, foundational and organizational, regardless of industry. These categories and the prioritization of controls is what makes CIS Controls work so well.
What are the Five Critical Tenets of Effective Cyber Defense?
The five critical tenets of an effective cyber defense system are:
- Offense informs defense: Use actual cyber attacks that have compromised systems to provide the foundations to learn from and to build effective, practical defenses. Avoid defense that haven't been shown to stop real-world attacks.
- Prioritization: Invest in controls that provide the greatest risk reduction and protection from the most dangerous attacks that can be feasibility implemented.
- Measurements and metrics: Use common metrics to provide a shared language for executives, security professionals, auditors and employees to measure the effectiveness of security measures within your organization.
- Continuous diagnostics and mitigation: Continuously monitor your security posture to test and validate the effectiveness of security controls and to help drive next steps.
- Automation: Automate defenses to reliably scale and continuously monitor for adherence to controls. Consider extending this to your third-party vendors and their vendors by continuously monitoring third-party and fourth-party security postures.
What are the 20 Critical Security Controls?
The 20 Critical Security Controls for effective cyber defense (sometimes called the SANS Top 20) are split into three groups:
- Basic CIS Controls (1-6) are the starting point for any organization's cybersecurity
- Foundational CIS Controls (7-16)
- Organizational CIS Controls (17-20)
For more information about CIS critical security controls and Safeguards (formerly known as sub-controls), download the whitepaper from CIS Security.
1. Inventory and Control of Hardware Assets
Attackers are continuously scanning for new and possibly vulnerable systems to be attacked on a target's network. They are particularly interested in devices that come and go from the enterprise network, such as laptops or Bring-Your-Own-Devices (BYOD), that don't install security updates or may already be compromised.
Once detected, attackers can take advantage of this hardware and gain access to an organization or use it to launch additional cyber attacks.
This control requires organizations to manage hardware devices on their network to ensure only authorized devices have access to sensitive areas. Managed control of all devices also plays a critical role in planning and executing system backup, incident response and recovery.
2. Inventory and Control of Software Assets
When a victim accesses the content on an exploitable machine, attackers can gain access and install unauthorized software or different types of malware.
Without proper knowledge or control of the software deployed in an organization, defenders cannot properly secure their assets leading to data breaches and exposure of sensitive data. Compromised machines within a network can then be used to launch additional cyber attacks.
This control mitigates this risk by requiring organizations to actively manage all software on the network so only authorized software is installed and can execute.
3. Continuous Vulnerability Management
Attackers will use this same information to take advantage of gaps between the appearance of new vulnerabilities and their remediation to attack targets.
To minimize this risk, this control requires organizations to continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate them and minimize the window of opportunity.
Without scanning for vulnerabilities and proactively addressing issues, organizations face the significant risk of compromise.
4. Controlled Use of Administrative Privileges
The principle of least privilege and other access control methods are designed to create processes and tools to track, control, prevent and correct the use, assignment and configuration of administrative privileges.
This helps to reduce the abuse of administrative privileges, which is a common method of attack to spread inside an organization.
Attackers will often use social engineering to trick victims into opening malicious files that automatically runs.
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Default configurations for operating systems and applications are generally geared towards ease of deployment and use, rather than security. Basic controls, open services and ports, default passwords and outdated protocols can be exploited when left in the default state.
To minimize this risk, organizations must establish, implement and actively manage the security configuration of mobile devices, laptops, servers and workstations using configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings.
6. Maintenance, Monitoring and Analysis of Audit Logs
Deficiencies in security logging and analysis allows attackers to hide their location, the installation of malicious software and their activity on a victim's machine.
To mitigate this, organizations must collect, manage and analyze audit logs of events to help the detection, identification and to recover from attacks.
7. Email and Web Browser Protections
Web browsers and email clients are common points of attack because of their technical complexity, flexibility and high use. Content can be crafted to entice or spoof users into taking action, allowing the theft of valuable data or the introduction of malicious code.
This control can minimize the attack surface and opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
8. Malware Defenses
Malicious software is designed to attack your systems, devices and data. It can enter through end-user devices, email attachments, web pages, cloud services, user actions and removable media. Sophisticated threats are even designed to circumvent, avoid and disable defenses.
Organizations must control the installation, spread and execution of malicious code, while optimizing the use of automation to enable rapid updating of defense, data gathering and corrective action.
9. Limitation and Control of Network Ports, Protocols and Services
Attackers remotely search for accessible network services that are vulnerable for exploitation. Common examples include poorly configured web servers, mail servers, file and print services and DNS servers installed by default.
This control must manage the ongoing operational use of ports, protocols and services on networked devices in order to minimize windows of vulnerability available to attackers.
10. Data Recovery Capabilities
When attackers gain access to a machine, they can make significant changes to configuration and software. In some situations, they make subtle alterations to data stored potentially damaging the organization's ability to operate. When an attacker is discovered, organizations need to be able to remove all aspects of the attacker's presence from the machine.
This is why organizations must use processes and tools to properly backup critical information with a proven methodology for timely recovery of it.
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
Default configurations of network infrastructure are designed for ease of deployment and use rather than security. Open services and ports, default passwords, support for older protocols and pre-installed software may be exploitable in default states.
Organizations must establish, implement and actively manage the security configuration of network infrastructure devices by using configuration management and change control processes to prevent attackers from exploiting vulnerable services and settings.
This is a continuous process as hardware and software configuration is not a one-time event, attackers can take advantage of slipping configuration over time as users demand exceptions for legitimate business needs. These exceptions can be left open when the business need is no longer, opening up potential attack vectors.
12. Boundary Defense
Attackers focus on exploiting systems that are Internet accessible. Organized crime groups and nation-state actors can abuse configuration and architectural weaknesses found in perimeter systems, network devices and client machines to gain initial access to organizations.
Boundary defense controls detect, prevent and correct the flow of information transferring across networks of different trust levels with a focus on security-damaging data.
13. Data Protection
Data protection controls are processes and tools designed to prevent data exfiltration, mitigate the effects of exfiltrated data and ensure the privacy and integrity of sensitive information.
14. Controlled Access Based on the Need to Know
Encrypting data provides a level of assurance that even if a data breach occurs, it's impractical to access the plaintext without significant resources. That said, controls should be put in place to mitigate the threat of data breaches in the first place.
Organizations must have processes and tools to track, control, prevent and correct secure access to critical assets according to access control rights of people, computers and applications based on a need or right previously classified.
15. Wireless Access Control
Many data breaches are initiated by attackers who have gained wireless access to organizations from outside the physical building, connecting wirelessly to access points.
Public Wi-Fi networks can be fertile grounds for man-in-the-middle attacks and can install backdoors that reconnect to the network of a target organization.
Wireless access controls are processes and tools to track, control, prevent and correct the secure use of wireless local area networks (WLANs), access points and wireless client systems.
16. Account Monitoring and Control
Attackers frequently discover and exploit legitimate but inactive user accounts to impersonate legitimate, inactive user accounts to impersonate users making it harder for security personnel to detect them.
This control requires active management across the life cycle of system and application accounts - their creation, use, dormancy and deletion - to minimize opportunities for attackers.
17. Implement a Security Awareness and Training Program
While it's tempting to think of cybersecurity as primarily a technical challenge, the actions of employees play a critical part in the success or failure of even the most automated cybersecurity program, whether it be in the design, implementation, operation, use or oversight.
This means for all functional roles, prioritizing for mission-critical functions or security, organizations must identify the specific knowledge, security skills and abilities needed to support the defense of the organization, develop and execute a plan to assess, identify gaps and remediate through policy, planning, training and awareness programs.
Creating a culture of good cyber hygiene will increase your baseline of cyber threat resilience.
18. Application Software Security
Attackers often take advantage of vulnerabilities found in web-based and other application software. These vulnerabilities can stem from coding mistakes, logic errors, incomplete requirements and failure to test for unusual or unexpected conditions.
To mitigate this attack vector, organizations must manage the security of all in-house and acquired software over its life cycle.
19. Incident Response and Management
Organizations must protect their information and reputation by developing and implementing an incident response infrastructure (e.g. plans, defined roles, training, communications, management oversight) to quickly discover attacks and then contain the damage, eradicate the attacker's access and restore the integrity of the network and systems.
Security incidents are now part of every organization. Even large, well-funded and technically sophisticated organizations can struggle to keep up with cybercriminals, just look at Yahoo at the top of the world's biggest data breaches.
When an incident occurs, it's too late to develop the right procedures, reporting, data collection, management, legal procedures and communication strategy. This is why incident response planning is important to develop prior to a successful attack.
20. Penetration Tests and Red Team Exercises
Organizations must test their overall defense (technology, processes and people) by simulating the objectives and actions of an attacker.
Attackers often exploit the gap between good defensive design and actual implementation. A good example is the window of time between when a vulnerability is discovered and when it is remediated on every vulnerable machine.
Successful defensive posture requires a comprehensive program with effective information security policies, strong technical defenses and appropriate action by people.
Red Team exercises take a comprehensive approach at the full spectrum of organization policies,processes, and defenses in order to improve organizational readiness, improve training for defensive practitioners, and inspect current performance levels.
How UpGuard Can Improve Your Organization's Cybersecurity
UpGuard helps businesses improve security postures internally and across the entire service provider network.
With a suite of features improving incident response management, including security questionnaires mapping to industry standards (like ISO 27001, NIST CSF, and SIG), automation technology, and remediation impact projections, UpGuard helps businesses increase their data breach resilience against internal and third-party cyber risks.