In the earlier post, we discussed CIS Security Benchmarks and how it can be useful to public or private organizations. In this post, we will explore some of the CIS Critical Security Controls.
The CIS Critical Security Controls, also known as CIS Controls, are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. The CIS controls are developed, refined and validated by a community of leading experts around the world. Though it’s widely considered that by applying top 5 CIS controls, an organization should be able to reduce 85 percents of risk related to cyberattack, we will review all 20 CIS controls here for clarity sake.
- CSC # 1: Inventory of Authorized and Unauthorized Device
- CSC # 2: Inventory of Authorized and Unauthorized Software
- CSC # 3: Secure Configurations for Hardware and Software
- CSC # 4: Continuous Vulnerability Assessment and Remediation
- CSC # 5: Controlled Use of Administrative Privileges
- CSC # 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC # 7: Email and Web Browser Protections
- CSC # 8: Malware Defenses
- CSC # 9: Limitation and Control of Network Ports
- CSC # 10: Data Recovery Capability
- CSC # 11: Secure Configurations for Network Devices
- CSC # 12: Boundary Defense
- CSC # 13: Data Protection
- CSC # 14: Controlled Access Based on the Need to Know
- CSC # 15: Wireless Access Control
- CSC # 16: Account Monitoring and Control
- CSC # 17: Security Skills Assessment and Appropriate Training to Fill Gaps
- CSC # 18: Application Software Security
- CSC # 19: Incident Response and Management
- CSC # 20: Penetration Tests and Red Team Exercises
Each of these controls has its own sub-control, which has it’s own threshold metrics (from Low Risk, Medium Risk, or High Risk). For example, our first control states that we should have an inventory of authorized and unauthorized devices. First sub-control requires us to deploy an “automated” asset inventory discovery tool and as a part of that our metric should be How many “Unauthorized” Devices present in our network at a given time. If that number is somewhere between 0-1%, that’s considered Low Risk. If that number is between 1-4%, it’s medium risk while anything above 4% is considered High Risk – and appropriate actions should be taken to mitigate such risks!