The CIS 20 Foundational - Beyond the Basics
Robert Bond
Beyond the Basics — CIS 20 Part Two
All organizations need a roadmap for their cybersecurity defense. Piecemeal or fragmented defense strategies, adopted in response to the latest cyberthreat, leave gaps for attackers to exploit. The Center for Internet Security 20 (‘CIS 20’), formerly the SANS 20, is a rigorous set of controls developed by security professionals and continuously updated in light of new threats and cyber defense enhancements.
We previously discussed the importance of the basic CIS 20 controls (controls 1-6) in How Companies Use CIS 20 to Secure Remote Workers. But they are just the bare minimum. In this article we look at the next step, implementing the CIS 20 ‘foundational’ controls to ensure that your organization is well-protected.
Why go beyond the basic controls?
The basic controls are a great place to start. John Gilligan, the CEO of CIS, observed that up to 90 per cent of cyberattacks can be prevented by implementing those controls.
Up to 90 per cent of cyberattacks can be prevented by implementing the SIX CIS 20 basic controls!
So, why go any further? Why go beyond the basic? Two important considerations include:
The foundational controls go beyond the ‘bare minimum’ to ensure that your organization employs a cybersecurity best practice. The diagram below from CIS shows how the different levels of control are categorized.
Below we dig into each of the CIS 20 controls 7-16 and suggest steps to take in your organization to comply with these controls.
CIS 7 - Email and Web Browser Protections
A central concept in cybersecurity is minimizing the ‘attack surface’: the total number of points or gaps (‘attack vectors’) where the organization is vulnerable to a cyber attack.
The core attack surface in many workplaces is web browsers and email clients: these are the primary gateways through which users engage with untrusted environments. So, what should you do to enhance the security of email clients and web browsers? CIS 7 recommends that you:
CIS 8 - Malware Defenses
This control covers the prevention of, and rapid response to, the deployment of ‘malware’. The sheer number and variety of ways in which malware can infect your systems means that organizations need an automated detection and response system in place. This should include:
- automatic verification that each system has received essential updates
CIS 9 - Limitation and Control of Network Ports, Protocols and Services
Just as email clients and web browsers are a key source of security vulnerability, so too are network ports, protocols, and services.
Default settings for servers are not usually configured to maximize the security of the network. They may, for example, enable network access automatically, without user or administrator awareness. Attackers are able to scan for and exploit these servers. The organization needs to respond to this threat by:
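One way to put this control into practice, as an added example that is not from the original article: a small Python audit that parses `ss -tulnp`-style listener output (a constructed sample is embedded) and reports every listening service that the organization's allowlist does not authorise, so a service enabled by default without anyone noticing shows up. The allowlist and the sample output are assumptions for illustration.

```python
"""Audit listening services against an approved allowlist (CIS 9).
Added example: parses output in the format of `ss -H -tulnp` (constructed
sample below; on a real host, feed it the command's actual output)."""
import re

# Constructed sample of `ss -H -tulnp` output, one socket per line.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0 511 0.0.0.0:443    0.0.0.0:* users:(("nginx",pid=1201,fd=6))
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=1402,fd=20))
tcp   LISTEN 0 128 0.0.0.0:5900   0.0.0.0:* users:(("Xvnc",pid=2210,fd=9))
udp   UNCONN 0 0   0.0.0.0:161    0.0.0.0:* users:(("snmpd",pid=640,fd=7))
"""

# Approved services: (protocol, port) -> process names allowed to bind it.
# Assumption: maintained by the organisation per server role.
ALLOWLIST = {
    ("tcp", 22): {"sshd"},
    ("tcp", 443): {"nginx"},
    ("tcp", 3306): {"mysqld"},
}

# Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer, optional users:(...)
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def parse_listeners(ss_output):
    """Return a list of (proto, bind_addr, port, process) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip headers or lines in an unexpected layout
        listeners.append((m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners

def find_violations(listeners, allowlist):
    """Listeners not in the allowlist, or bound by an unexpected process."""
    violations = []
    for proto, addr, port, proc in listeners:
        allowed = allowlist.get((proto, port))
        if allowed is None or proc not in allowed:
            violations.append((proto, addr, port, proc))
    return violations

if __name__ == "__main__":
    for v in find_violations(parse_listeners(SAMPLE_SS), ALLOWLIST):
        print("unapproved listener: %s %s:%d (%s)" % v)
```

Run against the sample it reports the VNC server on 5900 and SNMP on udp/161, which the allowlist never approved.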
CIS 10 - Data Recovery Capability
After an incident or outright attack, it can be difficult to know exactly which parts of your information systems have been compromised. This means that robust data recovery mechanisms must be in place. This must include:
CIS 11 - Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
As with servers, network devices are not usually configured to maximize system security. All organizations need a process to continuously monitor configurations and the traffic that is permitted to flow through devices. In particular, watch out for exceptions that are applied for a business need at a particular point in time and are never corrected. Steps to take include:
CIS 12 - Boundary Defense
Boundary defenses are used to separate and control different networks, with varying degrees of trust. Common boundary defenses include firewalls, web content filtering, routers, and switches. It is recommended that organizations manage this threat by:
CIS 13 - Data Protection
We recently looked at the importance of following new personal data protection laws. But all organizations need to take seriously the need to protect all of their data, not just personal data. This is all the more important given the continual uptake of cloud solutions. Important mechanisms for protecting data include:
CIS 14 - Controlled Access based on the Need to Know
Organizational assets (e.g., information, systems, and resources) usually have varying levels of sensitivity and importance to the organization. Often, however, organizations do not distinguish between these assets when it comes to access. For example, it is unfortunately very common to store sensitive personal information on the same servers, and with the same security settings, as publicly available information.
The organization should have a classification system for access to critical assets to ensure that only those who require that access have it.
It is recommended that organizations:
CIS 15 - Wireless Access Control
Thefts of data have often occurred through access to an organization's wireless networks by individuals physically located outside the building. To avoid this, it is recommended that organizations:
CIS 16 - Account Monitoring and Control
Organizations need to actively manage the lifecycle of accounts: their creation, use and deletion. This reduces the chance that unused or dormant accounts will be exploited by attackers, a major risk with ex-employees or ex-contractors. To deal with this, consider:
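As an added example that is not from the article, the following Python review joins account records with an HR roster (both constructed samples) and flags every enabled account that is dormant beyond a policy threshold, has never been used, or belongs to someone no longer on the roster, the ex-employee and ex-contractor case above. The 45-day threshold, the as-of date and the record layout are assumptions.

```python
"""Flag dormant and orphaned accounts for review (CIS 16). Added example."""
from datetime import date, datetime, timedelta

DORMANT_AFTER = timedelta(days=45)   # assumption: organisation's policy threshold
AUDIT_DATE = date(2024, 6, 3)        # constructed as-of date for the sample

# Constructed sample: username, owner, enabled, last login (ISO date or None).
ACCOUNTS = [
    ("alice",   "Alice Ng",   True,  "2024-05-28"),
    ("bob",     "Bob Tran",   True,  "2024-02-10"),   # unused for months
    ("svc-bak", "Backup job", True,  "2024-06-01"),
    ("carol",   "Carol Diaz", True,  "2024-05-30"),   # has left the company
    ("dave",    "Dave Osei",  False, "2023-11-02"),   # already disabled
    ("temp01",  "Evan Holt",  True,  None),           # created, never used
]
# Constructed HR roster of people (and service owners) currently engaged.
CURRENT_STAFF = {"Alice Ng", "Bob Tran", "Backup job", "Dave Osei", "Evan Holt"}

def review_accounts(accounts, staff, today, dormant_after=DORMANT_AFTER):
    """Return {username: reason} for every enabled account that needs action."""
    findings = {}
    for user, owner, enabled, last_login in accounts:
        if not enabled:
            continue                     # disabled accounts are already handled
        if owner not in staff:
            findings[user] = "owner no longer on roster: disable"
        elif last_login is None:
            findings[user] = "never used: disable or confirm need"
        elif today - datetime.strptime(last_login, "%Y-%m-%d").date() > dormant_after:
            findings[user] = "dormant for >%d days: disable" % dormant_after.days
    return findings

if __name__ == "__main__":
    for user, reason in sorted(review_accounts(ACCOUNTS, CURRENT_STAFF, AUDIT_DATE).items()):
        print(user, "->", reason)
```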
Conclusion
Building your cybersecurity strategy need not happen all at once. However, once you have the most basic ‘cyber hygiene’ in place by implementing the CIS 20 basic controls (1-6), best practice requires implementing the foundational controls 7-16. Doing this is the best way of ensuring an organization is protected from all of the most common cyber threats.
For recent guidance on implementing cyber hygiene in Windows 10 systems see CIS Controls Microsoft Windows 10 Cyber Hygiene Guide.
To learn more about how to protect your organization through a cybersecurity strategy, please call us; as always, we are happy to help: 1 (888) 982-0678