First circulated in 2009, the CIS Critical Controls are used by both the U.S. and U.K. governments as the preeminent framework for securing critical infrastructures. Consisting of 20 security controls that cover areas from malware defense to incident response and management, the CIS Critical Controls offers a prioritized set of security measures for assessing and improving a firm's security posture. Though not a cybersecurity panacea, the controls help to address the vast majority of security issues faced by organizations today.
About The 20 CIS Critical Controls
The 20 CIS Critical Controls for Effective Cyber Defense were developed in 2008 by the NSA at the request of the Office of the Secretary of Defense. The goal was to prioritize cybersecurity controls for combating cyber attacks based on the NSA's deep knowledge of cyber attack patterns and security compromises.
The CIS 20 Critical Security Controls. Source: Sans.org.
20 controls may seem like a low number, but in actuality each control consists of several subcontrols. For example, CSC 1 consists of several subcontrols that deal with managing systems inventory and authorized assets.
CSC 1 subcontrols. Source: Sans.org.
Full adherence to the CIS Critical Security Controls assumes that all subcontrols have been satisfied accordingly.
CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
UpGuard's automatic tracking and monitoring of node configurations in your infrastructure satisfies many of CSC 1's subcontrols. For example, our platform can validate that all systems use updated client certificates when connecting to the network ( CSC 1. 6.
CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
UpGuard's policy-based scanning and monitoring ensures that all software in your environment is authorized, patched, and free from vulnerabilities.
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
UpGuard's continuous security monitoring capabilities ensure that critical security gaps are identified before they reach production environments. Our platform not only ensures that computers are configured correctly, but that late-breaking vulnerabilities are caught and remediated quickly.
CSC 4: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
UpGuard's OVAL-backed vulnerability scanner constantly monitors your infrastructure for vulnerabilities. CSR gives your firm a pragmatic measure for continuously improving your firm's security posture.
CSC 5: Controlled Use of Administrative Privileges
Track, control, prevent, and correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
UpGuard tracks and monitors the configurations and changes to your systems, letting you know what was changed, who the made the alterations, and when they occurred. The platform can also monitor security groups to make sure only authorized users are members of privileged groups.
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
UpGuard validates that your logging services/processes and/or 3rd party log management software is configured and working as expected.
CSC 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and e-mail systems.
UpGuard provides continuous security monitoring for all node types: web servers, application servers, and email systems, among others.
Additionally, our platform can verify that local software like web browsers are configured correctly and free from vulnerabilities.
CSC 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
UpGuard ensures that your malware solutions are running as expected, patched, and free from vulnerabilities.
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
UpGuard's policies can ensure that critical ports and services are accessible or blocked, notifying appropriate staff immediately if an unauthorized change is detected.
CSC 10: Data Recovery Capability
Properly back up critical information with a proven methodology for timely recovery.
UpGuard can monitor backup devices and services, ensuring that business continuity mechanisms such as data backups never experience outages.
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
UpGuard's scans and monitors all network devices: firewalls, routers, switches, and more. The platform's out-of-the-box policies and robust custom policy features make getting started with the platform a trivial affair.
CSC 12: Boundary Defense
Detect, prevent, and correct the flow of information transferring networks of different trust levels with a focus on security-damaging data.
UpGuard scan and monitors perimeter defenses such as firewalls for misconfigurations and security flaws as well as endpoint devices (e.g., servers, laptops, mobile devices).
CSC 13: Data Protection
Prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
UpGuard can ensure that critical data protection controls such as browser, web server, and file-level encryption are working as expected.
CSC 14: Controlled Access Based on the Need to Know
Track, control, prevent, correct, and secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
UpGuard ensures that only authorized staff members have access to privileged data and IT resources through policy-based monitoring and integrity validation.
CSC 15: Wireless Access Control
Track, control, prevent, and correct the security use of wireless local area networks (LANS), access points, and wireless client systems.
UpGuard can automatically scan wireless network devices such as access points, routers, and hubs to ensure they are configured correctly with the proper permissions.
CSC 16: Account Monitoring and Control
Actively manage the lifecycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them.
UpGuard can ensure that all accounts in your environment are properly configured and that unauthorized accounts are detected and blocked automatically.
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
Identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify and remediate gaps, through policy, organizational planning, training, and awareness programs for all functional roles in the organization.
CSC 18: Application Software Security
Manage the security lifecycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
UpGuard can scan and validate all node types: web application servers, homegrown software, and off-the-shelf solutions for known vulnerabilities and configuration errors that could lead to data breaches.
CSC 19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight).
Data breaches are both expensive and brand damaging. UpGuard provides measures for digital resilience that help organizations more effectively understand, quantify, and mitigate inevitable data breaches.
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (technology, processes, and people) by simulating the objectives and actions of an attacker.
UpGuard's policy-driven monitoring and testing makes it easy to incorporate the platform into an organization's broader penetration testing framework and methodologies.
In short, the 20 CIS Critical Security Controls for Effective Cyber Defense are a tested means to bolster organization's security posture per the NSA's recommendations for strong security. UpGuard's platform for cyber resilience satisfies virtually all of the 20 controls. UpGuard comes pre-loaded with the CIS 20 Critical Security Controls as an editable policy, allowing firms to quickly assess and improve their security postures.
Sarbanes-Oxley (SOX) compliance—it’s like checking for holes in your favorite pair, but with consequences beyond public embarrassment.
When it comes to IT security, how do you roll? Many tools exist, but the fact is that in most cases, to do it right— you have to roll your own.