Blog | Sept. 17, 2020 | 6 min read 10 Foundational CIS Controls: Building on the Basics TwitterFacebookLinkedInEmailMessengerWaves of cybercriminals infiltrating networks and stealing sensitive information is a perennial problem. But implementing the Foundational CIS Controls to strengthen your organization’s security posture can keep you ahead of the risk and prevent minor security leaks from becoming a flood. The Center for Internet Security (CIS) Controls is a cybersecurity framework developed by a public-private partnership between CIS, the SANS Institute, the Department of Defense and the National Security Administration to help organizations of all types and sizes prioritize their cybersecurity. So, whether your organization employs veteran IT staff or uses outsourced cybersecurity and IT experts, these controls can guide IT strategy and decision making in all circumstances. Implementing the Foundational CIS Controls A recommended set of actions for cyber defense, the CIS Controls provide a concise, FFIEC-recommended framework that organizations can use to safeguard operating systems, software and networks. CIS Controls deliver an actionable and affordable way to defend against common attacks. The CIS list consists of 20 controls divided into three categories: Basic (1-6), Foundational (7-16) and Organizational (17-20). The Basic Controls are considered the base for a strong cybersecurity posture, but many institutions will need a more advanced approach. The following Foundational Controls build on and work alongside the basics to strengthen defenses and protect networks and sensitive data. 7. Email and Web Browser Protections Overview: Minimize the potential attack surface by limiting supported web browsers and using email and web filtering tools to prevent attackers from spoofing users or manipulating behavior. Why It Matters: User error is one of the greatest risks to organizations. Web browsers and email are easy targets for social engineering and code exploitation because of their flexibility, complexity and common interaction with all levels of users. How It Works: Organizations can decrease risk by using email and content filtering solutions to block malware, phishing sites, popups, controlled plug-ins and spam. Take protections a step further and implement a DNS based solution that extends these filters to off network devices. 8. Malware Defenses Overview: Centrally managed and continuously updated anti-malware software on configured devices can prevent the installation, reach and execution of harmful code. Why It Matters: Modern malware is designed to avoid or attack defenses through a range of entry points. Once inside, malware can travel from a single point in your network and infect multiple systems. How It Works: Block malware with managed systems that deploy anti-virus, anti-spyware and host-based intrusion prevention system (HIPS) features that detect and prevent attacks. Automate system updates to ensure the most up-to-date protections. 9. Limitation and Control of Network Ports, Protocols and Services Overview: Tracking, controlling and correcting ongoing use of ports, protocols and services on a network minimizes vulnerabilities available to attackers. Why It Matters: Attackers often exploit overlooked services such as web servers, mail servers or default network device services that are installed automatically. How It Works: Ensure your organization only runs necessary ports, protocols and services through port and network scans. Use firewall rules such as default- deny rules to block unwanted traffic. 10. Data Recovery Capabilities Overview: Implementing a proven methodology for backing up information with a regular cadence ensures true recovery in the event of compromise, loss or damage. Why It Matters: Cybercriminals can encrypt or alter data stored on compromised machines. Multiple backups allow for easy data recovery in a disaster scenario and avoid the need to pay for encryption keys or risk of restoring contaminated information or systems that can cause later issues. How It Works: Automated backup solutions offer multiple recovery points in the event of data loss or compromise. Backup solutions should be held offsite, tested regularly, and be protected by physical security or encryption. Image-based backup solutions offer quick and easy restores in the event of a major disaster or cyber-attack. 11. Secure Configuration for Network Devices such as Firewalls, Routers and Switches Overview: Establish network security through secure initial configuration management and change control to protect devices both upon installation and over time. Why It Matters: A lack of the routine evaluation of configured devices and allowed traffic is necessary to prevent exploits. Default settings, support for older protocols, and unneeded or unpatched software present points of entry for hackers. How It Works: Prevent exploitation of services and settings by configuring devices using approved security configurations, diligently updating and patching devices and continuously scanning for vulnerabilities. Network device management should be secured by multi-factor authentication and encryption. 12. Boundary Defense Overview: Network boundaries have become blurred due to the adoption and integration of cloud hosting and SaaS applications. Organizations must find a balance to allow for necessary access while protecting the perimeter from unwanted access. Why It Matters: As internal and external network boundary lines blur, gaps in perimeter defenses may allow for infiltration of an internal network or extranet, which can then be exploited for further access. How It Works: Successful perimeter defense requires a layered approach, Networks should allow access to trusted IPs only and block any unknown, unused or known malicious IPs. Organizations should deploy network-based IDS solutions to monitor and report on unusual activity, harmful activity or policy violations. Remote access should require multifactor authentication and report failed login attempts. 13. Data Protection Overview: Data must be protected from both internal and external threats. Organizations should use encryption, integrity protection and loss prevention techniques to prevent data exfiltration, mitigate the damage from compromised data and ensure the privacy and integrity of sensitive information. Why It Matters: Attackers or malicious employees may exfiltrate sensitive data and can negatively leverage that information to disrupt operations, harm reputations or even cause physical damage. How It Works: Take inventory of sensitive information and critical assets, and segregate from publicly available information. Use tools that monitor the network for unauthorized or unusual information transfers and can automatically block alerted transfers. Limit or deny use of external storage devices such as USBs. 14. Controlled Access Based on the Need to Know Overview: Instead of granting universal access, analyze business purposes to determine which persons, computers and applications need to access critical assets or sensitive data. Why It Matters: Risk of data loss increases with the number of users who have access to said data. With encryption, exfiltrated data is much more difficult to convert to plaintext and leverage against an organization. How It Works: Utilize group policy and access controls to define and control user access rights. Encrypt all sensitive data at rest and all data in transit. 15. Wireless Access Control Overview: Unsegmented or open wireless networks can allow unauthorized devices to access internal networks. Why It Matters: Devices accessing public wireless networks can unknowingly be infected and in turn used as entry points to internal unsegmented networks. How It Works: Protect internal networks by creating secure wireless policies and separate wireless segments for untrusted devices such as BYOD or guests. Use Advanced Encryption Standard (AES) to encrypt data in transit. 16. Account Monitoring and Control Overview: Actively manage the life cycle of user accounts to ensure that impersonators can’t use legitimate, but inactive, accounts to access systems or applications. Why It Matters: User accounts originally created for former contractors and employees that are no longer active can be misused by hackers or disgruntled employees/contractors. How It Works: Create a process to disable accounts upon contract completion, employee termination, or employee resignation. Periodically review and disable dormant accounts as a check and balance on the process. Require multifactor authentication for access and lock workstation sessions after a period of inactivity. The above list is meant as a high-level introduction to the Foundational CIS Controls. It is important that your organization understand the Basic CIS Controls, in addition to gathering insight from CIS and experienced IT professionals. Equipped with this knowledge, you can successfully reduce the risk of cyber threats at your organization. Uncover More About the Foundational CIS Controls Watch our on-demand webinar to learn more about identifying your institution’s cybersecurity gaps and gaining maximum utility from the CIS Controls.