The CIS (Center for Internet Security) Controls, formerly known as the SANS Top 20, are a set of 20 security controls derived from analyzing attack and breach data to help organizations protect themselves. The CIS Controls have been emphasized by many business organizations and government agencies as an important toolkit for protecting against and preventing cyber threats. NIST, the National Institute of Standards and Technology, stated that the CIS 20 was used as a reference in its 2014 document “Framework for Improving Critical Infrastructure Cybersecurity”.
More recently, in 2016, the California Attorney General endorsed the CIS Controls as the minimum level of security an organization should have in place. She went as far as suggesting that companies that do not conform to or work toward those controls may be liable for a “Lack of Reasonable Security”.
What are the CIS Controls and why are they so important?
Over the next several weeks I will write about each control, all 20 of them, and try to break them down into a comprehensive summary of what they are, some steps an organization can take to work toward those controls, and how cybercriminals can exploit the lack of those controls to their benefit. These controls are not to be taken lightly. Studies have shown, and the CIS Controls are built around, the Pareto 80/20 Principle. Simply stated, 80% of your effects come from 20% of your causes. Applying the Pareto Principle to the CIS Controls, implementing or working on 20% of the 20 controls, 4 of them, will increase your protection exponentially.
Any organization that claims to have fully, 100%, implemented every aspect of the CIS Controls is lying. In my opinion it’s not possible, nor is it your goal. The larger the organization, the more moving parts there are, the more dynamic fluidity within the business units and employees, and the less money available to try to implement them all. However, lack of resources does not give you an excuse not to work toward it. Compensating controls can be just as effective as the direct solution. Doing nothing in security is an option, but never a good one.
Another reason that it’s not reasonable to expect full compliance with all the controls is that the CIS updates the controls to keep pace with what the world is doing. In the recent update, version 6, the CIS removed one category and changed the priorities of some others. But that’s the beauty and horror of working in security: it’s not static, ever.
Here are the current Top 5 CIS Controls from version 6 in order of their prioritization –
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations of Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
There are 15 more after these. How are you doing on the Top 5?
In my experience working with clients from all industries and of varying sizes, I have found one common theme when it comes to security assessments and frameworks. They know how they rate against the controls – an audit report. They have engineers who can install tools that supposedly help protect them. It’s the middle part where they struggle. After the audit, how do you build a successful, operational security program that functions every day after the auditors and installers leave? How do I make these controls work for me without turning the security department into a “Checkbox” zombie?
I fixed it.
Check the box and move on.
That’s not security; that’s going to get you into trouble unless you can answer a few simple questions –
- What does this control actually do?
- What are the risks if I don’t?
- How do I make this work day after day?
- How do I know if my controls are actually doing anything?
Through a simple, practical approach to the CIS Controls, one by one, I will attempt to make them clearer and emphasize their importance no matter your company’s size and capabilities.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.