For out-of-control cyber threats, there’s CIS Controls

In many ways, IT security is flying blind. Assets, configurations and vulnerabilities are out of sight, hidden in plain sight or about to change.

It’s easy to see why IT security is facing an unprecedented challenge. Systems are set up on networks without approvals from procurement and IT. Code changes go live throughout the day without much thought given to security. Employees connect their devices and get duped by phishing and ransomware. Change? It’s continuous.

Is it any wonder why cybersecurity is a major concern at organizations? Or that firms struggle with the number of choices and complexity of cybersecurity tools? It’s why the Center for Internet Security (CIS) came into existence. Who is CIS and what do they do? As the About Us page states, “CIS is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.”

CIS offers cybersecurity best practices, including a set of controls that encompass 20 foundational and advanced cybersecurity actions. You can download all 20 controls for free. If you’re new to CIS, why not start with the first five? According to CIS, applying 20 percent of its controls can stop 80 percent of cyberattacks.

Here we’ll look at CIS’s first five controls and examine what each control addresses:

Inventory of Authorized and Unauthorized Devices
CIS Control 1 defines a baseline of all devices that you need to protect from malicious activity, including servers, laptops, scanners and other assets. It entails a comprehensive inventory process to detect and catalog all known and unknown assets on your networks. Once every asset is known, you can shore up its weaknesses and monitor it for change.

Inventory of Authorized and Unauthorized Software
CIS Control 2 stipulates that only authorized software is in use at your organization. Your challenge is two-fold: one, take inventory of all software on servers, desktops and laptops. Two, whitelist applications, so only approved applications run on your networks. It’s the unauthorized software that can lead to security vulnerabilities. Allowing only approved applications to run closes off this favored hacker entry point.
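As an added illustration (not code from CIS or from the original article), here is a small Python reconciliation of the kind Controls 1 and 2 call for: a discovery scan compared against an authorized-device baseline and an approved-software list, flagging unknown devices, devices that went missing, and unapproved packages. The hosts, MAC addresses and package names are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample baseline: MAC address -> hostname of every authorized device.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "laptop-alice",
    "aa:bb:cc:00:00:03": "printer-3f",
}

# Constructed sample whitelist of approved software (package names).
APPROVED_SOFTWARE = {"openssh-server", "nginx", "libreoffice", "chromium"}

# Constructed output of a discovery scan: MAC -> (hostname, installed packages).
DISCOVERED = {
    "aa:bb:cc:00:00:01": ("fileserver01", {"openssh-server", "nginx"}),
    "aa:bb:cc:00:00:02": ("laptop-alice", {"chromium", "libreoffice", "bittorrent-client"}),
    "aa:bb:cc:00:00:09": ("unknown-host", {"openssh-server"}),
}


@dataclass
class InventoryReport:
    unknown_devices: list = field(default_factory=list)        # Control 1: seen, not authorized
    missing_devices: list = field(default_factory=list)        # Control 1: authorized, not seen
    unauthorized_software: dict = field(default_factory=dict)  # Control 2: hostname -> packages


def reconcile(authorized, approved_software, discovered):
    """Compare a discovery scan against the device baseline and software whitelist."""
    report = InventoryReport()

    for mac, (hostname, packages) in discovered.items():
        # Control 1: any device the scan sees that is not in the baseline is unknown.
        if mac not in authorized:
            report.unknown_devices.append((mac, hostname))
        # Control 2: anything installed that is not on the whitelist is unauthorized.
        extra = sorted(packages - approved_software)
        if extra:
            report.unauthorized_software[hostname] = extra

    # Control 1 also covers the reverse case: a baseline device the scan no longer sees.
    for mac, hostname in authorized.items():
        if mac not in discovered:
            report.missing_devices.append((mac, hostname))

    return report


if __name__ == "__main__":
    print(reconcile(AUTHORIZED_DEVICES, APPROVED_SOFTWARE, DISCOVERED))
```

Each finding is a change to investigate: an unknown device or package is either a gap in the baseline or something that should not be on the network.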

Secure Configurations for Hardware and Software
CIS Control 3 requires organizations to configure systems to a secure standard. By default, most systems are configured for ease of use first and security second. Misconfigurations can be exploited by bad actors. Configuring systems against an industry-standard benchmark helps lower the risk of this occurring.

Continuous Vulnerability Assessment and Remediation
CIS Control 4 calls for implementing a patch management system that covers vulnerabilities in both the operating system and third-party software. Such a system installs updates that address software vulnerabilities on a schedule that’s automatic, continuous and systematic. Implementing this control helps ensure incidents like WannaCry don’t happen.

Controlled Use of Administrative Privileges
CIS Control 5 mandates that individual employees are granted only the rights, privileges and permissions they need to use their systems. Many organizations allow any employee to access local systems, or even domains, that usually require administrator rights. Open access can lead to wrongdoing. By restricting access, you close that gap.

There is a total of 20 CIS best practices that organizations can implement to improve their cyber defenses. You can download the first five CIS Controls or all 20 for free. The argument for the first five controls is clear: they go a long way toward boosting your organization’s cyber defenses and preventing attacks.