CIS Critical Security Controls V8: Steps and Template Download

With the changing technological landscape, the CIS Critical Security Controls v8 presents a more consolidated approach that replaces CIS Top 20 (V7), which was released some time ago. This article explains what each control is and why it is required.

What is the Center for Internet Security and the Critical Security Controls?

Critical Security Controls V8 (CSC) is a set of recommended cyber defence actions that provide key aspects of cyber security and actionable ways to stop today’s most prevalent and dangerous attacks. The Center for Internet Security is a non-profit organization dedicated to creating a secure and resilient cybersphere by developing cyber defence hygiene and best practices.

Resources:

• Template Download
• CIS Companion Guides

The CIS critical security controls do not guarantee immunity to cyberattacks.

Still, they significantly impact security controls via standard measures and cyber protection layers. CIS controls are not a required standard and do not compete with any other controls. Instead, they aim to create a safe cyber realm against every business’s security weaknesses.

At the global RSA conference on May 18, 2021, the CIS unveiled the new version of CIS control known as CIS v8. Implementing CIS critical security controls into business and IT strategy can significantly impact organizational growth while also protecting against common cyberattacks and boosting cyber defence.

What are the most recent CIS Critical Security Controls(v8)?

CIS controls v8 expands the list based on activities rather than who manages the devices. With the changing tech landscape, physical boundaries, devices, and discrete islands of security implementation are becoming less important. These elements are reflected in the CIS essential controls of the security v8 release.

CSC 1: Inventory and Control of Enterprise Assets

What is it?

The first CIS critical security control necessitates the proper management and inventory of all enterprise assets. End-user hardware devices, network appliances, IoT devices, servers, systems, portable devices, and so on that are physically, virtually, or remotely connected to the infrastructure, as well as those present in the cloud environment, are included.

Attackers are always ready to break into an organization’s network and resources in order to cause cyber damage. Therefore, an accurate inventory is required to keep track of all resources and issue records to monitor, protect, and prevent unauthorized access to corporate resources or networks.

Why is it necessary?

It’s challenging for an organization to track suspicious behaviour, access and traffic without up-to-date inventory and constant monitoring. An inventory record is also required for patch and vulnerability updates.

What areas, tools, or procedures are relevant?

• Tools for asset discovery
• Ongoing monitoring and auditing of inventory
• Remote Monitoring and Management (RMM)

CSC 2: Inventory and Control of Software Asset

What is it?

Like the first CIS control, this control necessitates active management of network operating systems and installed applications, servers, systems, and so on.

Why is it necessary?

To ensure that no unauthorized software is installed or running on the corporate network, it is essential to keep print and analyze the software asset. In addition, organizations need to keep track of software assets and have a mechanism in place to prevent unauthorized software from running.

What tools and procedures are required?

• Ongoing App inventory monitoring and auditing
• App whitelisting software
• Group Policy Objects (GPOs)

CSC 3: Data Protection

What is it?

This control requires the organization to implement security measures in order to develop technical competencies for identifying, classifying, retaining, disposing of, and securely handling data.

Why is it significant?

Data is the most important and critical asset of any business and must be protected at all costs. Leaked data can penalize the organization and contribute significantly to the loss of customers’ or users’ trust.

What tools and procedures are required?

• Tools for tracking data

CSC 4: Secure Configurations of enterprise assets and software

What is it?

The fourth CIS control focuses on the enterprise assets and software that contribute to the foundation of the infrastructure. These include network devices, hardware or software firewalls, routers, switches, and other devices that need to be protected and configured securely. It emphasizes the importance of hardening assets with relevant security computations.

Why is it significant?

Frequently, enterprises use products in their environments with the default configuration provided by the manufacturers. Open ports, default admin and account passwords are the elements that entice attackers to compromise assets quickly.

What tools and procedures are required?

• Adherence to security standards for secure configuration

Critical Security Controls 5: Account Management

What is it?

Organizations are expected to have policies in place to manage accounts with this control. It entails keeping track of account activity, creation, and so on.

Why is it necessary?

Open unmanaged accounts are a green light for cybercriminals. As a result, organizations need to implement processes and tools to manage credential authorization. In addition, they must grant appropriate access to users, services, and administrator accounts.

What are the necessary tools and procedures?

• Install multi-factor authentication.
• Deploy account lifecycle policy

Critical Security Controls 6: Access Control Management

What is it?

In addition to account management, this control emphasizes having relevant measurements in place, such as the most minor privilege rule on user access rights, to maintain employee or user access while reducing the attack surface.

Why is it necessary?

Enterprises must ensure that the appropriate technology and processes are in place to create, assign, manage, and revoke access credentials for enterprise assets and software, as well as privileges for users, administrators, and service accounts, in order to track how users use their privileged access. Because you never know who will abuse their access rights, reducing the internal attack surface is essential. Furthermore, if the attacker successfully compromises any user account, access controls limit his access.

What tools and procedures are required?

• Utilize access control mechanisms such as RBAC, ABAC, and others.

CSC 7: Continuous Vulnerability Management

What is it?

Continuous vulnerability management entails implementing the necessary security controls to assist organizations in managing information security threats in accordance with the severity of the vulnerability. CIS directs the enterprise to have relevant security technologies and processes that assist in detecting, scanning and prioritizing information security flaws.

Why is it necessary?

The organization must continuously search for vulnerabilities in all enterprise systems and technologies operating in the internal and external environments in order to patch and remediate them in a timely fashion. The unpatched vulnerability allows the attacker to penetrate the network and infrastructure, resulting in various negative consequences.

What are the necessary tools and procedures?

• Managed Detection and Response or SIEM solution
• Continual vulnerability assessment
• Vulnerability scanning

CSC 8: Audit Log Management

What is it?

Auditing and managing logs, like vulnerability management, is essential for CIS control. An appropriate log surveillance environment must be in place to detect suspicious behaviour.

Why is it necessary?

Auditing logs is critical for enterprises in keeping track of system logs and collecting all alerts to review the records in order to detect malicious traffic that could indicate a security attack.

What are the pertinent roles and procedures?

• Firewalls
• A SIEM solution

Critical Security Controls 9: Email and Web Browser Protections

What is it?

This control instructs you to improve the security of your email and web browsers to reduce the attack surface and risks.

Why is it necessary?

Insecure web browsers and emails provide cybercriminals with numerous opportunities to trick users through social engineering phishing emails. Therefore, organizations must have adequate mechanisms or solutions in place to filter out suspicious emails and web traffic.

What are the necessary tools and procedures?

• Limit the use to only a few browsers (ex: MS Edge, Chrome and Firefox only)
• Install domain-based authentication and DMARC policy
• DNS filtering

CSC 10: Malware Defense

What is it?

This CIS control addresses the need for businesses to have a defence mechanism in place to prevent the spread of malware and other potentially harmful items. This includes malware defences to scan, deter, and detect malicious software, as well as defence upgrades where applicable.

Why is it necessary?

Attackers frequently target networks to steal information via malware, malicious attachments, links, etc. Therefore, the enterprise must implement a malware defence mechanism.

What are the appropriate security tools and procedures?

• Install anti-malware, antivirus, and anti-spyware software.
• Endpoint Detection and Response (EDR)
• Extended Detection and Response (XDR)
• Intrusion Detection Systems (IDS)
• Managed Detection and Response (MDR)

Critical Security Controls 11: Data Recovery

What is it?

This control requires organizations to have proven methodologies for data recovery processes to avoid data loss in the event of a mishap or a cyber incident.

Why is it necessary?

With the CIS control no. 11, all enterprises, regardless of size, require data recovery practices. A tested data recovery plan can reduce downtime and speed up data restoration.

What are tools and procedures?

• Install multiple backup mechanisms
• Follow backup and disaster recovery procedures

CSC 12: Network Infrastructure Management

What is it?

It refers to the effective management of the entire suite of hardware and software resources that comprise the network infrastructure foundation and are in charge of communication, operation, and connectivity.

Why is it necessary?

Cyber threats do not spare any infrastructure. Companies must implement and monitor their network devices, access points, and related infrastructure endpoints to detect vulnerabilities earlier. It is critical to prevent attackers from exploiting vulnerabilities and gaining access via insecure or flaky network services, ports, and access points.

What are the instruments and procedures?

• A tool for monitoring packet loss
• Assessment of the network
• Network accessibility tools

Critical Security Controls 13: Network Monitoring and Defense

What is it?

This control requires the organization to maintain the network and keep track of all events and activities to protect the organization from site threats and data breaches.

Why is it necessary?

To combat cyber threats and attack vectors, businesses must have an established and operational network monitoring system and an up-to-date defence technology mechanism. This allows them to maintain a secure posture across online, physical, and virtual environments.

What are the appropriate security tools and procedures?

• Install antivirus, anti-malware, and anti-spyware software, EDR, XDR
• Managed Detection and Response (MDR)

CSC 14: Security Awareness and Skills Training

With this control, organizations are obligated to involve human minds in proven security awareness and skill sets to improve the overall enterprise security posture.

Why is it necessary?

High-end security products and systems cannot protect the enterprise if skilled and competent individuals and security awareness are not present to maintain the security culture. Therefore, the 14th CIS v8 control focuses on establishing security awareness programs and training to instill security-conscious behaviour in both technical and non-technical employees.

What are the necessary tools and procedures?

• Updated security program for staff training

Critical Security Controls 15: Service Provider Management

What is it?

This CIS 15 control requires organizations to actively manage the network of third-party vendors and service provider partners in order to prevent threats, supply chain attacks, and incidents that can cause widespread disruption.

Why is it necessary?

In today’s world of remote work, cloud technologies are growing in popularity and becoming a necessity for all businesses. Unfortunately, third-party service providers’ negligence is frequently at the root of breaches. Service provider management aids in the evaluation and tracking of vendors or cloud service providers who interact with the enterprise’s critical assets or sensitive data.

What tools and procedures are required?

• Third-party risk evaluation
• Vendor Policies

Critical Security Controls 16: Application Software Security

What is it?

This control addresses the need for in-house developed or acquired application software to be secure.

Why is it necessary?

Companies must handle the security life cycle in software to detect and prevent risk, whether the application is developed in-house, hosted, or acquired. Furthermore, performing the necessary tests and checks on the application’s security health aid in minimizing threats and quickly patching them.

What tools and procedures are required?

• Secure coding techniques
• Dynamic and static testing
• Safe SDLC

CSC 17: Incident Response and Management

What is it?

This control refers to having an incident recovery and management infrastructure that has been developed and implemented to detect attacks efficiently.

Why is it necessary?

A well-planned incident response program with defined policies, procedures, roles, and communication aids in the detection and rapid management of security incidents in order to counter the attack with as little downtime as possible.

What tools and procedures are required?

• A separate incident handling, recovery, and reporting plan was documented and outlined.

Critical Security Controls 18: Penetration Testing

What is it?

CIS control number 18 is all about directing businesses to ensure asset and enterprise resiliency by testing infrastructure, networks, and systems with attacker tactics to understand how they can be breached.

Why is it necessary?

To validate the effectiveness, penetration testing must be performed. The organization must simulate web threats through penetration testing from the attacker’s perspective in order to identify vulnerable endpoints and potential weaknesses.

What are the necessary tools and procedures?

• Application of appropriate white-box, grey-box, or black-box penetration testing methodologies

Why are there only 18 CIS controls rather than 20?

The updated CIS controls have improved on the previous 20 controls in modern solutions and technologies by incorporating new rules with emerging IT and security industry adaptations such as cloud computing, virtualization, outsourcing, and remote working, among others.

The new version combines the controls based on the activities and attack techniques. As a result, the rules are reduced from 20 to 18 in order to be applicable in the cloud, hybrid, and activities-based environments.

What are CIS subcontrols?

The CIS controls provide all enterprises with security best practices and guidelines to protect their critical assets using proven methodologies. The CIS essential security controls are divided into three subcontrols based on asset type, functionality, and security requirements.

The subcontrols are divided into three implementation groups, which are listed below.

Basic

This sub-control includes implementing simple and basic controls to improve the security of the organization’s assets.

Foundational

As the name implies, this sub-control serves as a baseline and contains advanced security guidance to improve the organization’s overall security posture.

Organizational

These controls provide guidance on developing or changing organizational policies to assist businesses in improving and maintaining cyber security hygiene in the face of an evolving cyber landscape.

Who employs CIS controls?

Many legal, regulatory, policymakers, and frameworks refer to and adopt critical CIS security controls. For example, as previously stated, the Center for Internet Security controls are a set of prioritized cyber defence recommendations for enterprises. Ranging from startups to Fortune 500, to reduce the attack surface and prevent cybercriminals from gaining access to or breaching the companies.

Thousands of global organizations rely on it, including Boeing, Citizen Property Insurance, the Federal Reserve Bank of Richmond, and all businesses. In addition, CIS controls have been implemented by a number of US states and Canadian province agencies and cities.

Today’s businesses and online activities necessitate protection against intrusion, which is only possible if security is viewed as a necessity rather than an elite lifestyle. As a consultant and provider of cybersecurity services, we feel it is our responsibility to provide you with comprehensive defence services that enable your business to grow without fear of cyberattacks.

About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cyber Security Awareness Training Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.