Our acquaintance in cyber security, Ken Mungar, told us that there is no excuse for businesses not to implement cyber security measures. He explained that the news plasters horror stories about the consequences of not being proactive every single day. As a result, he believes companies that are not protected choose not to be protected. To some degree we agree with Mr. Mungar. However, we also speak to CIOs and IT Directors every week, and we see how confusing the cyber security space can be. It’s not easy to know where to start. So in this article, we take a look at an up-and-coming framework people are talking about – the CIS Critical Security Controls. We also identify the type of technology you need to be searching for when meeting each control.
Security methodologies are popping up in the cyber space as more companies succumb to ransomware and malware attacks. At Assurance IT, we developed the PPR Methodology to help our clients protect their enterprise and build cyber resilience. It’s a simple three-pronged approach to bulletproof an organization against losing data. Our methodology seems simple in comparison to the CIS Critical Security Controls. At a glance, the CIS Critical Security Controls offer a do-it-yourself approach to cyber security, whereas Assurance IT’s PPR Methodology works with the assistance of one of our experts. Overall, many frameworks exist in the cyber space, and each one takes a slightly different approach to protecting your enterprise. As a result, the one you choose to follow depends on your needs and available resources.
The Center for Internet Security (CIS) has recently updated its Critical Security Controls. The non-profit organization is on a mission to help the public and private sectors improve their cyber hygiene. Its emerging minimum standard of information security for all enterprises is becoming more and more widespread. In the previous version, there were 20 controls organized by who manages the devices. In the current eighth version, the controls are divided by activity. Another big change is the inclusion of remote working. There are 18 controls in the most recent version - version 8. Within each control are specific safeguards CIS recommends. In total, version 8 has 156 safeguards. CIS further divides the safeguards into what it calls implementation groups (IGs). There are three implementation groups, starting with the first one, which is considered the “minimum” every enterprise should follow to fight off the most common attacks. The first IG has 56 safeguards.
Let’s not review all 153 safeguards. You can download them from the CIS website here. Instead, let’s review the 18 controls recommended by CIS and offer advice on how to approach each one.
Manage: inventory, track and make necessary corrections
Enterprise assets: end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers
Software: operating systems and applications
CIS defines this control as, “Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.”
In practice, we would define this as endpoint management: knowing how many assets you have, who is using them and who has access to them, and being able to act on them, for example by patching software when needed.
“Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution,” is how CIS defines Inventory and Control of Software Assets.
Similar to the first control, we would define this as endpoint management. An example is the ability to patch software when needed.
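The two endpoint-management controls above both come down to the same reconciliation: what is actually on the network (or installed on a host) versus what the enterprise has authorized. The script below is an added illustration, not code from this article, from CIS or from Assurance IT. All inventories in it are constructed sample data, and the field names ("managed", "owner") and the scanner export shape are assumptions about how such inventories might be kept.

```python
"""Reconcile what is seen on the network and installed on hosts against the
authorized inventories (CIS Controls 1 and 2).

Added illustration, not code from the page or from CIS/Assurance IT. All
inventories below are constructed sample data; the field names ("managed",
"owner") and the scanner export format are assumptions."""

# Authorized enterprise assets, keyed by MAC address (constructed sample).
AUTHORIZED_ASSETS = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-laptop-01", "owner": "alice", "managed": True},
    "aa:bb:cc:00:00:02": {"hostname": "hr-desktop-07", "owner": "bob", "managed": True},
    "aa:bb:cc:00:00:03": {"hostname": "lab-printer-02", "owner": "facilities", "managed": False},
}

# What a network scan or DHCP lease export reported today (constructed sample).
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.10"},
    {"mac": "aa:bb:cc:00:00:03", "ip": "10.0.1.40"},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.1.77"},  # not in the inventory at all
]

# Software allowed to run on managed endpoints (constructed sample).
SOFTWARE_ALLOWLIST = {"Microsoft Office", "Google Chrome", "Adobe Reader"}

# Software reported by the endpoint agent, per host (constructed sample).
INSTALLED = {
    "fin-laptop-01": ["Microsoft Office", "Google Chrome", "uTorrent"],
    "hr-desktop-07": ["Microsoft Office", "Adobe Reader"],
}


def reconcile_assets(authorized, discovered):
    """Classify discovered devices as unauthorized (unknown to the inventory),
    unmanaged (known but not under management), or missing (inventoried but
    not observed, which is a decommissioning candidate)."""
    seen = {d["mac"] for d in discovered}
    unauthorized = sorted(m for m in seen if m not in authorized)
    unmanaged = sorted(m for m in seen if m in authorized and not authorized[m]["managed"])
    missing = sorted(m for m in authorized if m not in seen)
    return {"unauthorized": unauthorized, "unmanaged": unmanaged, "missing": missing}


def unauthorized_software(installed, allowlist):
    """Return, per host, installed software that is not on the allowlist."""
    findings = {}
    for host, packages in installed.items():
        extra = sorted(set(packages) - allowlist)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for category, macs in reconcile_assets(AUTHORIZED_ASSETS, DISCOVERED).items():
        print(f"{category}: {macs}")
    for host, extra in unauthorized_software(INSTALLED, SOFTWARE_ALLOWLIST).items():
        print(f"{host}: not allowlisted -> {extra}")
```

Each of the three asset buckets maps to a different follow-up: an unauthorized device is removed or enrolled, an unmanaged one is brought under management or isolated, and a missing one is verified and decommissioned so it stops counting as an authorized endpoint.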
Data protection is defined as “Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.”
Considering that data is the most valuable commodity, we were expecting more emphasis on data protection. If you’re interested in protecting your data, you need to follow the 3-2-1 backup rule and have a disaster recovery system in place. Developing processes and technical controls around your data includes policy making and the compliance regulations in your province or state. For example, Quebec is implementing very strict compliance requirements surrounding data protection. Therefore, Quebec enterprises need to develop processes and technical controls based on the regulations put in place by the province.
“Establish and maintain the secure configuration of enterprise assets and software.” – CIS.
There are many devices connected to your enterprise network and much software that lives within your organization. Each one of these assets represents a potential risk if not managed properly. Keep a clear inventory and manage those devices and that software consistently throughout their lifecycle. A proper commissioning and decommissioning strategy, together with keeping everything up to date with security patches, will reduce the risk of a breach by external parties. This is referred to as asset management.
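Secure configuration only stays secure if it is checked against a baseline, because a setting that is commented out or absent silently falls back to the product default. The following checker is an added example written for this article, not code from CIS or from Assurance IT. The baseline values and the configuration excerpt are constructed; the directive names are real OpenSSH sshd_config directives, and the parser is a generic "Keyword value" reader rather than OpenSSH's own.

```python
"""Check a host configuration file against a secure-configuration baseline
(CIS Control 4). Added illustration, not code from the page or from CIS.
The baseline values and the sshd_config excerpt are constructed; the
directive names are real OpenSSH sshd_config directives."""

# Expected values for the directives we care about (constructed baseline).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Excerpt of an sshd_config as it might be pulled from a host (constructed).
# The commented-out PasswordAuthentication line has no effect, so the
# daemon's default (yes) applies even though the file "mentions" it.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
"""


def parse_config(text):
    """Parse 'Keyword value' lines; lines starting with '#' are comments.
    The first occurrence of a keyword wins, mirroring sshd's behaviour."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] not in settings:
            settings[parts[0]] = parts[1].strip()
    return settings


def check_baseline(settings, baseline):
    """Return (directive, actual, expected) for every deviation. An absent
    directive is reported as 'missing': an implicit default is not a
    managed setting and may change between software versions."""
    findings = []
    for directive, expected in baseline.items():
        actual = settings.get(directive)
        if actual is None:
            findings.append((directive, "missing", expected))
        elif actual.lower() != expected.lower():
            findings.append((directive, actual, expected))
    return findings


if __name__ == "__main__":
    for directive, actual, expected in check_baseline(parse_config(SAMPLE_CONFIG), BASELINE):
        print(f"{directive}: found {actual!r}, baseline requires {expected!r}")
```

Run against the sample, the checker reports three deviations: root login is explicitly enabled, password authentication is only commented out, and MaxAuthTries was never set. The same pattern applies to any configuration you can export as key/value text, which is what makes it repeatable across the lifecycle of an asset.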
CIS defines account management as “use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.”
As most of us use SharePoint or Google Drive daily, it’s easy to give everyone access to all enterprise files, but this is not recommended. This control requires a little extra time to determine who gets access to what. If you’re not sure why this is important, consider how an IKEA employee with access to files they shouldn’t have had access to breached the company and compromised the information of 95,000 customers.
“Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.” – CIS.
Developing consistent access rights for each role and assigning roles to users is a best practice. Developing a program for complete provisioning and de-provisioning of access is also important. Centralizing this function is ideal.
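The two account and access controls above come down to granting access through roles rather than to individuals, and revoking it promptly when someone leaves. The script below is an added example, not code from this article, from CIS or from Assurance IT. The role names, permissions, user accounts, service-account ownership and HR roster are all constructed sample data; the idea of tying each service account to a named human owner is an assumption about how the enterprise tracks them.

```python
"""Role-based access and provisioning review (CIS Controls 5 and 6).
Added illustration, not code from the page or from CIS. Role names,
permissions, users, service-account owners and the HR roster are
constructed sample data."""

# Each role maps to the permissions it grants (constructed sample).
ROLE_PERMISSIONS = {
    "finance": {"read:invoices", "write:invoices"},
    "hr": {"read:personnel", "write:personnel"},
    "helpdesk": {"read:tickets", "reset:passwords"},
}

# Accounts are granted roles, never individual permissions (constructed sample).
USER_ROLES = {
    "alice": {"finance"},
    "bob": {"hr", "helpdesk"},
    "carol": {"finance"},
    "svc-backup": {"helpdesk"},
}

# Service accounts are tracked with a named human owner (assumption).
SERVICE_ACCOUNTS = {"svc-backup": "alice"}

# Current staff list from HR (constructed sample): carol has left.
HR_ROSTER = {"alice", "bob"}


def permissions_for(account, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Effective permissions are the union of the account's roles."""
    perms = set()
    for role in user_roles.get(account, set()):
        perms |= role_permissions.get(role, set())
    return perms


def is_allowed(account, permission):
    """Authorization check used at the point of access."""
    return permission in permissions_for(account)


def accounts_to_deprovision(user_roles, roster, service_accounts):
    """Human accounts not on the roster, plus service accounts whose owner
    has left, should have their access revoked."""
    stale = []
    for account in user_roles:
        if account in service_accounts:
            if service_accounts[account] not in roster:
                stale.append(account)
        elif account not in roster:
            stale.append(account)
    return sorted(stale)


if __name__ == "__main__":
    print("alice write:invoices ->", is_allowed("alice", "write:invoices"))
    print("alice read:personnel ->", is_allowed("alice", "read:personnel"))
    print("deprovision:", accounts_to_deprovision(USER_ROLES, HR_ROSTER, SERVICE_ACCOUNTS))
```

The de-provisioning review is what turns the IKEA scenario above into a detectable condition: comparing the identity store with the HR roster on a schedule surfaces accounts that still hold access after the person, or the owner of a service account, has gone.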
CIS defines Continuous Vulnerability Management as, “Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.”
In practice, you’re looking for managed detection and response (MDR): a service that continuously looks out for threats and proactively works to mitigate them.
CIS defines audit log management as “Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.”
In practice, we would also consider this part of managed detection and response.
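Whether you run MDR in-house or buy it as a service, the "alert" part of audit log management is a rule over collected events. The detector below is an added example, not code from this article or from CIS. The log lines are constructed in the shape of OpenSSH authentication messages with an ISO timestamp prefix, and the threshold and time window are assumptions to be tuned for your own environment.

```python
"""Alert on brute-force login attempts from collected audit logs
(CIS Control 8). Added illustration, not code from the page or from CIS.
The log lines are constructed in the shape of OpenSSH auth messages with an
ISO timestamp prefix; the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures from one source in a minute, then a
# successful login from the same source, then one unrelated failure.
SAMPLE_LOG = """\
2024-05-01T08:00:01 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2024-05-01T08:00:15 sshd[1002]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-05-01T08:00:30 sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51004 ssh2
2024-05-01T08:00:45 sshd[1004]: Failed password for alice from 203.0.113.5 port 51006 ssh2
2024-05-01T08:01:00 sshd[1005]: Failed password for alice from 203.0.113.5 port 51008 ssh2
2024-05-01T08:01:30 sshd[1006]: Accepted password for alice from 203.0.113.5 port 51010 ssh2
2024-05-01T08:10:00 sshd[1010]: Failed password for bob from 198.51.100.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn matching log lines into event dicts; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "outcome": m["outcome"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Raise one 'bruteforce' alert per source once it reaches `threshold`
    failures inside `window`, and a 'success_after_bruteforce' alert for any
    later successful login from that source. Events must be in time order."""
    recent_failures = defaultdict(list)
    flagged = set()
    alerts = []
    for ev in events:
        src = ev["src"]
        if ev["outcome"] == "Failed":
            cutoff = ev["ts"] - window
            recent_failures[src] = [t for t in recent_failures[src] if t >= cutoff] + [ev["ts"]]
            if len(recent_failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "bruteforce", "src": src,
                               "count": len(recent_failures[src]), "ts": ev["ts"]})
        elif src in flagged:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

The second alert type is the one worth paging on: a run of failures is noise on most internet-facing hosts, but a success from the same source right after it is the signal that a credential was guessed and the account needs a reset and review.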
CIS defines email and web browser protections as “Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.”
Email and web browsing are where most users spend most of their time, and thus pose the biggest area of risk. Be sure to properly protect those applications through various tools such as antivirus, endpoint detection and response, web filtering solutions and, of course, security awareness training for employees so they can increase their vigilance.
CIS defines malware defenses as “Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.”
In practice, this means antivirus, anti-spyware and managed detection and response.
CIS defines data recovery as “Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.”
In practice, you’re looking for disaster recovery. You can do this by setting up a secondary facility to store data, or you can get it done “as-a-Service.” The primary objective is to get continuous data protection, which is also known as zero-trust. This means a near-perfect RPO and RTO.
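The data protection section earlier recommends the 3-2-1 backup rule, and this section frames recovery in terms of RPO; both can be checked against a concrete backup design. The script below is an added example, not code from this article, from CIS or from Assurance IT. The copies, media types, timestamps and targets are constructed sample data, and the "backup"/"offsite" flags are assumptions about how copies are catalogued.

```python
"""Evaluate a backup design against the 3-2-1 rule and a recovery point
objective (CIS Controls 3 and 11). Added illustration, not code from the
page or from CIS/Assurance IT. The copies, timestamps and targets are
constructed sample data."""
from datetime import datetime, timedelta

# Every copy of the data set, production included (constructed sample).
# "backup": whether the copy can be restored from; "offsite": whether it
# survives loss of the primary site.
DATA_COPIES = [
    {"name": "production", "media": "disk", "backup": False, "offsite": False,
     "last_written": datetime(2024, 5, 1, 10, 0)},
    {"name": "nas-snapshot", "media": "disk", "backup": True, "offsite": False,
     "last_written": datetime(2024, 5, 1, 9, 0)},
    {"name": "cloud-vault", "media": "object-storage", "backup": True, "offsite": True,
     "last_written": datetime(2024, 5, 1, 2, 0)},
]
NOW = datetime(2024, 5, 1, 10, 0)


def check_321(copies):
    """3 copies of the data, on 2 different media types, with 1 copy offsite."""
    result = {
        "copies": len(copies) >= 3,
        "media": len({c["media"] for c in copies}) >= 2,
        "offsite": any(c["offsite"] for c in copies),
    }
    result["compliant"] = all(result.values())
    return result


def achieved_rpo(copies, now, site_lost=True):
    """Age of the freshest restorable copy in the scenario. If the primary
    site is lost, only offsite backups count; for a local incident (for
    example ransomware on production only) any backup counts.
    Returns None when nothing survives the scenario."""
    usable = [c for c in copies if c["backup"] and (c["offsite"] or not site_lost)]
    if not usable:
        return None
    return now - max(c["last_written"] for c in usable)


def rpo_met(copies, now, target, site_lost=True):
    """True when the achieved RPO is within the target."""
    rpo = achieved_rpo(copies, now, site_lost)
    return rpo is not None and rpo <= target


if __name__ == "__main__":
    print("3-2-1:", check_321(DATA_COPIES))
    print("RPO if site lost:", achieved_rpo(DATA_COPIES, NOW, site_lost=True))
    print("RPO, local incident:", achieved_rpo(DATA_COPIES, NOW, site_lost=False))
    print("4h target met if site lost:", rpo_met(DATA_COPIES, NOW, timedelta(hours=4)))
```

The sample design passes 3-2-1 yet misses a four-hour RPO in the site-loss scenario, because the only offsite copy is eight hours old. That gap is exactly what a continuous data protection or DRaaS offering closes: it is the offsite copy's freshness, not the count of copies, that decides how much data you lose.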
CIS defines network infrastructure management as, “Establish, implement, and actively manage network devices, in order to prevent attackers from exploiting vulnerable network services and access points.”
The network is the foundation of the infrastructure, often interfacing with various subsystems to interconnect hardware with hardware and transmit traffic internally and externally. Ensure a proper inventory of your network infrastructure and maintain it regularly. When manufacturers publish known vulnerabilities, be sure to address those issues immediately.
CIS defines network monitoring and defense as, “Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.”
Your network infrastructure can be seen as the backbone of your enterprise. Networking equipment is often complex to manage and can leave gaping holes for external parties to exploit. Be sure to monitor the security logs routinely in order to identify any threats or anomalies that could pose a risk to your infrastructure.
CIS defines security awareness and skills training as, “Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.”
In practice, you are looking for security training programs for your employees.
CIS defines service provider management as, “Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.”
In practice, hardly anyone vets their third parties. We blindly trust that everyone is secure. However, more third-party vendors are being held responsible for compromising their customers’ data, and third-party threats are becoming more and more common. We are coming out with a checklist on how to vet third-party vendors to help you with this. Coming soon!
CIS defines application software security as, “Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.”
In short, no software is perfect! Software sometimes comes with bugs or vulnerabilities that are not known to its developers or users. Hackers attempt to exploit software in order to reach enterprise or user data. These unknown vulnerabilities are otherwise known as zero-day vulnerabilities. Be sure to regularly patch software and get notified by the manufacturer or SaaS provider when vulnerabilities are published so you can address those risks accordingly.
CIS defines incident response management as, “Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.”
This control depends on the compliance regulations in your province or state. For example, going back to the earlier example of Quebec’s privacy landscape, its regulations dictate how incident response management must be done.
CIS defines penetration testing as, “Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.”
Penetration testing is ethical hacking of your systems to find their flaws. It’s a snapshot in time of what needs to be fixed. It is recommended to conduct a penetration test every year – but only if you make improvements based on the previous report. Find free pentest resources here.
There are many ways to address your cyber posture. If you want a free consultation to assess your cyber posture, schedule one today.