Every organization should constantly be striving to improve its cybersecurity posture. The best way to achieve this is to implement a cybersecurity framework.
While there are several cybersecurity frameworks to choose from, following the Center for Internet Security Critical Security Controls (CIS Controls) is an excellent way for an organization of any size to reduce the risk of a cyberattack.
The framework provides a comprehensive set of security controls to help you identify, detect threats, protect against and respond to cyberattacks, and recover from any attacks that may slip through your defenses.
This article will look at the latest version of the CIS Controls and provide a detailed overview of how you can meet the framework’s requirements.
Want to explore other frameworks? Check out this guide, which broadly covers the NIST Framework, ISO 27000 Series, and PCI-DSS, in addition to CIS Controls.
CIS Controls: The basics
The CIS Controls are a framework of 18 different types of security controls you can put in place to improve your company’s information security and cybersecurity; the framework is well-respected and considered a good security baseline for most organizations.
Note: before the latest CIS Controls update (version 8, released May 2021), there were 20 Controls.
It’s worth noting that in a 2016 California Data Breach Report, Kamala Harris (yes, that Kamala Harris, who was California Attorney-General at the time) said that meeting all 20 CIS Controls represents a reasonable level of security.
Each Control is a broad class of security control and comes with several Safeguards (previously called “Subcontrols”) that provide specific means of implementing the Control. There are 153 Safeguards in total—between 5-14 within each Control group.
There are five types of Safeguard:
It is advisable to work through the Safeguards in order of priority starting with Identify.
Because the CIS Control framework is designed for businesses of all sizes, the framework also distinguishes three “Implementation Groups” (IGs)—types of organizations distinguished by company size and level of resources.
Here’s a good way to think of how the IGs differ:
- IG1 companies are typically smaller businesses without much cybersecurity expertise.
- IG2 companies have employees specifically dedicated to looking after cybersecurity
- IG3 companies have employees specializing in different aspects of cybersecurity
However, even if your organization is very large and well-resourced, the Center for Internet Security recommends that “every enterprise should start with IG1.” Get the basics in place (if you haven’t done so already) before moving on to the more complex controls.
The CIS Controls
Now let’s dive in—we’re going to look at the basic requirements of each CIS Control and list three representative Safeguards for each.
Control 1: Inventory and Control of Enterprise Assets
Control 1 requires that you actively manage all enterprise assets (such as workstations, mobile devices, and servers) that are either connected to your infrastructure—physically, virtually, or remotely—or within the cloud.
Having total knowledge and control over your assets might be challenging—particularly in the age of remote-working—but it’s a vital foundation for your security program.
Control 1 Safeguards include:
- Establishing and maintaining an asset inventory (all IGs)
- Using an active discovery tool to detect assets (IGs 2 and 3)
- Using a passive asset discovery tool (IG3 only)
CIS Control 2: Inventory and Control of Software Assets
Control 2 focuses on control of software assets—the operating systems and apps that your company uses—to ensure that only authorized software can operate on your systems.
As with Control 1, Control 2 reinforces the principle that a detailed knowledge of your assets is crucial to protecting your systems. Using reputable software and keeping it patched is an essential part of keeping threat actors at bay.
Control 2 Safeguards include:
- Establishing and maintaining a software inventory (all IGs)
- Using automated software inventory tools (IGs 2 and 3)
- Running an allowlist of authorized scripts (IG 3 only)
CIS Control 3: Data Protection
Control 3 requires organizations to maintain good data protection practices: properly identifying, classifying, securing, storing and deleting data.
Data might be your company’s most important asset—and you have a legal and ethical responsibility to protect the data in your control.
Control 3 Safeguards include:
- Establishing and maintaining a data management process (all IGs)
- Establishing and maintaining a data classification scheme (IGs 2 and 3)
- Deploying a Data Loss Prevention solution (IG 3 only)
The CIS Control framework notes: “While some data is compromised or lost as a result of theft or espionage, the vast majority are a result of poorly understood data management rules, and user error.”
Employing an email security solution is a simple and effective way to prevent data loss through social engineering attacks like phishing, 96% of which are conducted via email.
Read more about why Tessian is a key way of meeting your organization’s data protection requirements.
CIS Control 4: Secure Configuration of Enterprise Assets and Software
Control 4 involves the secure configuration of enterprise assets (such as your company’s devices and servers) and software (the operating systems and applications your company uses).
Your devices and apps might not come fully configured for optimal security. Software developers and hardware manufacturers want their products to be easy to use—but the most convenient settings are rarely the most secure.
It’s important to ensure your assets are appropriately configured to offer the best protection against threats.
Control 4 Safeguards include:
- Establishing and maintaining a secure configuration process (all IGs)
- Enforcing automatic device lockout on mobile devices (IGs 2 and 3)
- Separate enterprise workspaces (i.e. work profiles) on mobile devices (IG 3 only)
CIS Control 5: Account Management
Control 5 is all about managing your user accounts, such as by controlling access and ensuring good password hygiene.
Admin accounts are a particularly significant target for cyberattacks. If a malicious actor gains access to an admin account, they could get control over large portions of your systems and assets.
Control 5 Safeguards include:
- Establishing and maintaining an inventory of accounts (all IGs)
- Using unique passwords (all IGs)
- Centralizing account management (IGs 2 and 3)
CIS Control 6: Access Control Management
Control 6 is closely linked to Control 5 (Account Management), but it focuses on your ability to create, assign, manage, and revoke access to different types of accounts.
Managing access to accounts is crucial, but so is assigning specific roles to each type of account. You also need to be able to easily provision and de-provision access in the event of a cyber incident.
Control 6 Safeguards include:
- Establishing an access-granting process (all IGs)
- Establishing and maintaining an inventory of authentication and authorization systems (IGs 2 and 3)
- Defining and maintaining role-based access control
CIS Control 7: Continuous Vulnerability Management
Control 7 helps you develop a plan to monitor and address security vulnerabilities, minimizing the opportunities for attackers.
Attackers are often one step ahead of security teams and can utilize “zero-day vulnerabilities” to take organizations by surprise. However, a diligent approach to monitoring, assessing and tracking vulnerabilities makes life a lot harder for threat actors.
Control 7 Safeguards include:
- Establishing and maintaining a vulnerability management process (all IGs)
- Performing automated vulnerability scans of internal enterprise assets (IGs 2 and 3)
- Remediating detected vulnerabilities (IGs 2 and 3)
CIS Control 8: Audit Log Management
Control 8 is about logging events to help you better understand your security posture.
Logging and analyzing events allows you to better anticipate threats. Proper log management will help ensure attackers can’t access or erase your logs to hide their tracks.
Control 8 Safeguards include:
- Establishing and maintaining an audit log management program (all IGs)
- Standardizing log time synchronization (IGs 2 and 3)
- Collecting service provider logs (IG 3 only)
CIS Control 9: Email and Web Browser Protections
Email clients and web browsers are extremely common points of entry for attackers. Social engineering attacks remain among the most common causes of data breaches, and 96% of social engineering occurs via email. Of increasing concern is the growing sophistication of email based threats that make static and rule-based approaches to detecting these threats increasingly ineffective.
According to Tessian platform data, nearly 2 million malicious emails slipped past customers’ Secure Email Gateways (SEGs) and other existing controls.
That’s why locking down your users’ email clients and web browsers is one of the most fundamental steps you can take toward better cybersecurity.
Control 9 Safeguards include:
- Using DNS filtering mechanisms (all IGs)
- Implementing DMARC (IGs 2 and 3)
- Deploying and maintaining email server anti-malware protections (IG 3)
Many of the protections outlined in the CIS Control 09 can be realized, and in fact be taken to a new level of protection, through the use of next-gen, behavioral-based and adaptive email security solutions such as Tessian.
Unlike the static rule based approaches of legacy email security providers such as SEGs, which rely on DNS filtering and DMARC, Tessian’s algorithm is able to map your users’ normal communication patterns to detect and prevent email-based attacks from occurring, in real-time
CIS Control 10: Malware Defenses
Malware (malicious software) includes threats such as viruses, ransomware, and spyware.
In addition to securing your organization’s entry points (such as email and web browsers), you should be scanning your networks and devices for evidence of malware infection.
Control 10 Safeguards include:
- Deploying and maintaining anti-malware software (all IGs)
- Configuring automatic scanning of removable media (IGs 2 and 3)
- Using behavior-based anti-malware software (IGs 2 and 3)
CIS Control 11: Data Recovery
Effective security means maintaining access to critical data. If your organization is attacked, you must be able to recover your IT systems and data quickly.
Control 11 Safeguards include:
- Establishing and maintaining a data recovery process (all IGs)
- Protecting recovery data (IGs 2 and 3)
- Testing data recovery (IG 3 only)
CIS Control 12: Network Infrastructure Management
Network infrastructure includes gateways, firewalls, wireless access points (WAPs), and routers.
Because network infrastructure is an essential element of your defense against cyberattacks, it’s crucial that you ensure the network devices themselves are secure and properly configured.
Control 12 Safeguards include:
- Ensuring network infrastructure is up-to-date (all IGs)
- Centralizing network Authentication, Authorization, and Auditing (AAA) (IGs 2 and 3)
- Establishing and maintaining dedicated computing resources for all administrative work (all IGs)
CIS Control 13: Network Monitoring and Defense
Despite your best efforts, network security controls can fail. You must be able to detect and defend against any attacks that break through your network defenses.
Network monitoring and defense is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.
Control 13 Safeguards include:
- Centralizing security event alerting (IGs 2 and 3)
- Deploying a host-based intrusion detection solution (IGs 2 and 3)
- Deploying a network intrusion detection solution (IGs 2 and 3)
CIS Control 14: Security Awareness and Skills Training
Everyone in your organization is responsible—to some extent—for security. Getting your whole team on the same page through security awareness training is a necessary (but insufficient) step toward better security.
Control 14 Safeguards include:
- Establishing and maintaining a security awareness program (all IGs)
- Training workforce members to recognize social engineering attacks (all IGs)
- Conducting role-specific security awareness and skills training (IGs 2 and 3)
Note that, while vital, security awareness training is not enough to protect your organization from cyberattacks. Increasingly organizations are understanding that context aware and in-the-moment security awareness training is essential to improving cybersecurity culture.
CIS Control 16: Application Software Security
If your organization develops software applications—either for commercial distribution or in-house use—you must ensure these apps are secure.
Application software security is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.
Control 16 Safeguards include:
- Establishing and maintaining a secure application development process (IGs 2 and 3)
- Performing “root cause” analysis on security vulnerabilities (IGs 2 and 3)
- Conducting threat modeling (IG 3 only)
CIS Control 17: Incident Response Management
Your security program must cover all bases—protection and detection of threats is crucial, but so is responding and recovering from successful attacks.
Control 17 Safeguards include:
- Designating personnel to manage incident handling (all IGs)
- Establishing and maintaining an incident response process (IGs 2 and 3)
- Establishing and maintaining security incident thresholds (IG 3 only)
CIS Control 18: Penetration Testing
Penetration testing (or “pen-testing”) puts your defenses to the test.
Conducting independent assessments of your security posture is an important way to identify gaps and weak points that could let “real world” attackers through.
Penetration testing is a relatively advanced control and does not contain any Safeguards recommended for IG1 organizations.
Control 18 Safeguards include:
- Establishing and maintaining a penetration testing program (IGs 2 and 3)
- Performing periodic external penetration tests (IGs 2 and 3)
- Performing periodic internal penetration tests (IG 3 only)
Email and CIS Controls
While organizations have dozens of threats and entry points to consider, and must have a well-rounded security stack to prevent attacks and breaches, email is mentioned in at least three controls. Control 9 specifically calls for the hardening of email and web browser protections, and underscores the susceptibility of falling victim to successful social engineering attacks.
But email remains a significant threat vector.
In spite of mature email security vendor offerings, breaches continue to proliferate. Phishing, Business Email Compromise (BEC) and account takeover (ATO) incidence are growing year-over-year and are responsible for 70 to 90% of all cybersecurity breaches. Malicious emails were also responsible for 54% of successful ransomware attacks in 2020. A further cybersecurity threat vector that has until recently been unaddressed, is unauthorized data exfiltration, either accidental or malicious – seen as a leading reported incident.
Given the increasing sophistication of email-based attacks, the importance of having industry leading email security protection in place must be reemphasized. Tessian can help
How can Tessian help you lock down email?
This is why enterprises are replacing legacy email security solutions for the next-generation of intelligent email security protection from Tessian. By using industry leading machine learning the dynamic real time protection is enhanced with each threat mitigated, guaranteeing unparalleled protection against all email-based attack vectors, including insider threats.
Key features include:
- Advanced Spear Phishing Protection
- Advanced Attachment and URL Protection
- Internal Impersonation & CEO Fraud
- Advanced Spoof Detection
- Counterparty & Vendor Impersonation
- Brand Impersonation
- External Account Takeover
- Invoice Fraud
- Bulk Remediation
- Automated Quarantine
- Threat Intelligence
- Insider Threat Management
- Accidental & Malicious DLP