Start with CIS Basic Controls for Organizational Cybersecurity
The list of this century’s biggest data breaches, which have exposed more than 4.99 billion records, reads like a corporate who’s who: Yahoo, eBay, Equifax, Heartland Payment Systems, Target, TJX Companies and JPMorgan Chase all made the top ten. Equally disturbing is the fact that eight of the top 10 occurred within the last five years.
This begs the question: are we getting any better at protecting our organizations from cyberattacks? HelpNetSecurity answers with a resounding “no”: “Organizations are not where they need to be when it comes to protecting their online ecosystems against attacks and the reality of the situation is troubling.”
But there is good news: it is possible to significantly reduce your risk of cyberattack. Using the Center for Internet Security (CIS) Controls as a framework, organizations can build and maintain a strong cybersecurity posture, even with budget and resource limitations. These controls, considered the gold standard, are purposefully designed to be both user- and budget-friendly.
What Are the CIS Controls?
According to the SANS Institute, the CIS Controls were born out of a public-private partnership that included the Department of Defense (DoD), National Security Administration (NSA), CIS and SANS. Their objective was to “provide the same type of control-prioritization knowledge for civilian government agencies and critical infrastructure” that the NSA had developed for the DoD to help it prioritize its cybersecurity spending.
By 2015, the resulting product of this partnership was published as the CIS Controls, meant to help organizations of all types and sizes prioritize their own cybersecurity spending for maximum effect. The CIS list includes 20 controls, divided into three categories: Basic (1-6), Foundational (7-16) and Organizational (17-20).
With expert input and regular updates, this FFIEC-recommended framework has a proven track record for holistic security and is also budget- and user-friendly. Due to the controls’ straightforward nature and high return on investment, IT security leaders often call upon them to eliminate common attacks and vulnerabilities.
Why Use the CIS Controls as Your Cybersecurity Framework?
There is no regulatory requirement that financial institutions adopt a certain cybersecurity framework or tool. They can choose from a variety of options, including the CIS Controls, the Federal Financial Institutions Examination Council’s (FFIEC) Cybersecurity Assessment Tool and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or a combination of available frameworks.
For a variety of reasons, many information security experts recommend the CIS Controls:
- Expert input: The CIS Controls were created and continue to be monitored by some of the world’s leading cybersecurity experts from government, law enforcement and private security firms.
- Responsive: The Controls are continually updated based on the changing threat landscape. The latest version, CIS V7.1, was released in April. Among its changes, this version introduced three “Implementation Groups,” which go further in-depth with appropriate sub-controls for organizations based on the level and sophistication of their cybersecurity resources and expertise.
- User-friendly: With each iteration, CIS refines its language to ensure the controls are concise and easy to understand and implement.
- Budget-friendly: As indicated in the press release for V7.1, the goal of the controls is to allow organizations to “create an effective cybersecurity program on a budget,” and to “implement security best practices, regardless of resources.”
- Proven track record: Implementing all 20 CIS controls reduces cybersecurity risk by 94 percent.
What Are the 6 Basic CIS Controls?
For many organizations, cybersecurity has become a cumbersome patchwork of detection systems. Adopting the CIS Controls can both simplify and strengthen cybersecurity at once.
But as concise as the CIS Controls are, the task of implementing them can still be overwhelming. To combat that, start with the first six controls, completing them in order, as they build on each other. Just incorporating these Basic Controls reduces cybersecurity risk by as much as 85 percent.
The following six CIS controls are fundamental to every enterprise’s cybersecurity blueprint. However, the sophistication of that defense posture and whether to proceed to the following two categories must be dictated by your organization’s resource availability, data sensitivity and expected level of technical expertise by staff or contract.
CIS Control 1: Inventory and Control of Hardware Assets
- Overview: Managing hardware devices on the network ensures that only authorized devices gain access and that unauthorized or unmanaged ones are kept out.
- Why It Matters: Attackers scan for devices that are not properly configured with security updates, including employees’ personal devices, to gain internal access and pivot to the next victims.
- How It Works: Organizations identify the devices connected to the network and respond to unauthorized assets with removal or quarantine. Additional protections, such as network-level authentication, can protect the network further.
CIS Control 2: Inventory and Control of Software Assets
- Overview: As with hardware management, all installed software should be inventoried, tracked and corrected to prevent unauthorized or unmanaged software from installing or executing.
- Why It Matters: Seemingly innocuous software can be vulnerable to exploitation. Or worse, sometimes it comes pre-equipped with tools an attacker can use to compromise the system, which in turn can become a launchpad to compromise others.
- How It Works: Organizations maintain an inventory of authorized software, ensure vendor support, track version information and address unapproved software. Further protective measures include application whitelisting and physically or logically segregated systems for running higher-risk software.
CIS Control 3: Continuous Vulnerability Management
- Overview: Rather than a quarterly or otherwise periodic check, continuously identifying and remediating vulnerabilities shrinks the window of opportunity for attackers.
- Why It Matters: Attackers take advantage of the gap between new knowledge of a vulnerability and its remediation, and institutions that do not constantly scan for vulnerabilities and proactively address weaknesses are far more likely to suffer system compromise.
- How It Works: Organizations use automated vulnerability scanning tools to find weaknesses, as well as automated operating system and software patching tools to mitigate them.
CIS Control 4: Controlled Use of Administrative Privileges
- Overview: Special administrative privileges on computers, networks and applications must be tracked, controlled and corrected if misused.
- Why It Matters: This is a primary method for attackers to infiltrate a target. Often a privileged user is fooled into opening a malicious email or attachment. Similarly, if passwords are loosely or widely distributed, they can more easily be guessed or cracked.
- How It Works: Organizations change default passwords, record who holds administrative privileges and create secondary accounts used only for administrative activities. In addition, institutions can use multi-factor authentication, dedicated administrative workstations, limited access and alerts for privilege changes or unsuccessful logins to further strengthen this area.
CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- Overview: Active implementation and management of the security configuration and control process prevents attackers from exploiting vulnerable services and settings.
- Why It Matters: Most default configurations are geared toward convenience, not security. And even if the default is strong, it can decay over time and create openings.
- How It Works: Organizations document security configuration standards for all authorized operating systems and software. Next, they maintain secure images or templates for all systems based on their approved configuration standards and deploy configuration monitoring programs to detect drift.
CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs
- Overview: Collection, management and analysis of audit logs can help detect, understand or recover from an attack.
- Why It Matters: Without comprehensive logging, an attack may go unnoticed indefinitely and cause irreversible damage.
- How It Works: Organizations ensure sufficient log storage, activate audit logging on all systems and devices, use a central log management system and review the logs regularly.
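As an added illustration of the first two controls, here is a small reconciliation script (written for this page, not CIS or CSI code) that compares what a discovery scan and a software agent reported against an authorized hardware inventory and an authorized software list. The inventories, device MACs, hostnames and package names are all constructed sample data; the output sorts findings into the actions the controls call for: quarantine unknown devices, investigate missing ones, and flag unapproved or end-of-support software.

```python
"""Reconcile discovered assets against authorized inventories (CIS Controls 1 and 2)."""

# Constructed sample data: the authorized hardware inventory (Control 1), keyed by MAC address.
AUTHORIZED_DEVICES = {
    "aa:bb:cc:00:00:01": {"hostname": "teller-ws-01", "owner": "branch-ops"},
    "aa:bb:cc:00:00:02": {"hostname": "core-db-01", "owner": "it-infra"},
    "aa:bb:cc:00:00:03": {"hostname": "branch-printer-01", "owner": "branch-ops"},
}

# Constructed sample data: the authorized software list (Control 2) with vendor-support status.
AUTHORIZED_SOFTWARE = {
    "7zip 19.00": "supported",
    "office 2016": "supported",
    "java 8u40": "end-of-support",  # still listed, but must only run on a segregated system
}

# Constructed sample data: what active discovery plus the software agent reported this cycle.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.1.15",
     "software": ["7zip 19.00", "office 2016", "remote-desktop-tool 3.1"]},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.2.5", "software": ["java 8u40"]},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.1.77", "software": ["torrent-client 1.2"]},
]


def reconcile(authorized_devices, authorized_software, discovered):
    """Return the findings an operator must act on, grouped by required action."""
    findings = {"quarantine": [], "missing": [], "unapproved_software": [], "unsupported_software": []}
    seen = set()
    for dev in discovered:
        mac = dev["mac"]
        seen.add(mac)
        if mac not in authorized_devices:
            # Unknown hardware: remove or quarantine before anything else (Control 1).
            findings["quarantine"].append(mac)
            continue
        host = authorized_devices[mac]["hostname"]
        for pkg in dev["software"]:
            status = authorized_software.get(pkg)
            if status is None:
                findings["unapproved_software"].append((host, pkg))      # Control 2: address unapproved
            elif status == "end-of-support":
                findings["unsupported_software"].append((host, pkg))     # Control 2: ensure vendor support
    # Authorized devices that did not answer discovery need investigation, not silent removal.
    for mac, info in authorized_devices.items():
        if mac not in seen:
            findings["missing"].append(info["hostname"])
    return findings


if __name__ == "__main__":
    for action, items in reconcile(AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE, DISCOVERED).items():
        print(f"{action}: {items}")
```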
CIS Controls Advance Good Cyber Hygiene
Information security experts often talk about the importance of practicing good cyber hygiene. Just as washing your hands limits the spread of the common cold, flu and other viruses, practicing good cyber hygiene limits your exposure to cyber threats. The CIS Controls provide an actionable and affordable way to incorporate such hygiene throughout your organization.
Implementing and maintaining a strong cybersecurity framework is an intentional and ongoing process. Even the Basic CIS Controls require effort, planning and command of appropriate tools. Many institutions would also benefit from continuing on to the next 14 controls. And remember, your cybersecurity goes beyond your own walls. Talk to your third-party vendors to make sure they are practicing good cyber hygiene themselves, and ask information security vendors which cybersecurity framework they incorporate into their solutions.
Building on the Basics: Watch the CIS Controls Webinar
It’s wise to further research all of the CIS controls and even consult with IT professionals when developing a strategy. Watch our CIS Controls webinar for a deeper dive into the practical applications of the framework and how your organization can use seasoned IT staff to implement them.
Rachael Schwartz has more than nine years of experience in advising financial firms. Prior to joining CSI, she worked with some of the largest hedge funds and private equity funds in New York City as an IT and cybersecurity consultant. In her current role at CSI, she lends her expertise to community banks, helping them maximize their technology investments and increase security while reducing their operational burdens.