Jeramy Kopacko, security consultant and solutions architect at Sophos, weighs in on Center for Internet Security controls that are crucial components to an effective cyber security strategy. This post is in follow-up to Jeramy’s March guest post on Proactive Cyber Security Measures.
We just witnessed the first major attack on our infrastructures when Colonial Pipeline shut down for six days. The company was forced to pay the ransom of 75 bitcoin or $5 million. While it is still unclear how the attack gained entry, it is a reminder to us to constantly review our security controls. But do you know what those controls are?
The Center for Internet Security, or CIS, is a non-profit group that drives CIS Controls and Benchmarks that are globally recognized for their best practices for security IT systems and data. They have existed since 2000 and home to the Multi-State Information Sharing and Analysis Center (MS-ISAC) and Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
CIS has developed their top 20 CIS Controls to implement or at least review for your organization. The recommendations of how many controls you should implement vary based on your company size and budget. Generally speaking, the more controls you can implement or at least discuss with your IT team or service provider, the better.
CIS breaks down their controls into three section: Basic, Foundational, and Organizational. Let’s review and use our examples from the prior blog in line.
The first group of controls are often the ones most are familiar with. They can be referred to as your “cyber hygiene” by different communities in the cybersecurity space. They largely deal with people, software, or devices that access your company data.
- Inventory and Control of Hardware Assets
- Inventory and Control of Software Assets
- Continuous Vulnerability Management
- Controlled Use of Administrative Privileges
- Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Maintenance, Monitoring and Analysis of Audit Logs
The suggestions from my prior blog are all covered under this basic control principle.
The second group is intended to be built on-top of the basic controls above. While many organizations will skip the basic controls, the true value of this group comes from mastering your previous control set. It focuses on dealing with the technical aspects of security—by protecting assets your company is using, such as: emails, computers, and more.
- Email and Web Browser Protection
- Malware Defenses
- Limitation and Control of Network Ports, Protocols and Services
- Data Recovery Capabilities
- Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
Now that you have an understanding of a good cyber cybersecurity program, let’s discuss the final control set: Organization Controls. This will deal with cybersecurity best practices, such as your employee awareness, internal preparation, and incident response procedures. In recent years, many cybersecurity insurance providers require some or all of these for liability protection.
- Implement a Security Awareness and Training Program
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
If curious, reference the comprehensive CIS breakdown of each control mechanism. As a rule of thumb, SMBs should have a strong implementation of Basic Controls and Foundation Controls. As midmarket and enterprise companies look at these controls, they should have sets from all groups. Your resources available play a significant role in determining the best path forward.