In many ways, IT security is flying blind. Assets, configurations and vulnerabilities are out of sight, hidden in plain sight or about to change.
It’s easy to see why IT security is facing an unprecedented challenge. Systems are set up on networks without approvals from procurement and IT. Code changes go live throughout the day without much thought given to security. Employees connect their devices and get duped by phishing and ransomware. Change? It’s continuous.
Is it any wonder why cybersecurity is a major concern at organizations? Or that firms struggle with the number of choices and complexity of cybersecurity tools? It’s why the Center for Internet Security (CIS) came into existence. Who is CIS and what do they do? As its About Us page states, CIS is “a community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data.”
Similar to NIST guidance, these best practices include a set of controls that encompass 20 foundational and advanced cybersecurity actions. You can download all 20 controls for free. If you’re new to CIS, why not start with the first five? According to CIS, applying 20% of its controls can stop 80% of cyberattacks.
Here we’ll look at CIS’s first five controls and examine what each control addresses:
Inventory of Authorized and Unauthorized Devices
CIS Control 1 defines a baseline of all devices that you need to protect from malicious activity, including servers, laptops, scanners and other assets. It entails a comprehensive inventory process to detect and catalog all known and unknown assets on your networks. By bringing everything into the known, you can shore up any weaknesses and monitor for change.
Inventory of Authorized and Unauthorized Software
CIS Control 2 stipulates that only authorized software is in use at your organization. Your challenge is two-fold: one, take inventory of all software on servers, desktops and laptops. Two, whitelist applications, so only approved applications run on your networks. It’s the unauthorized software that can lead to security vulnerabilities. Allowing only approved software addresses this favored hacker entry point.
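Controls 1 and 2 both come down to the same reconciliation step: compare what you actually discover on the network against an authorized baseline and flag the gaps. The following is an added example (not code from the article or from CIS) that does this for a constructed device baseline and software allow-list; the MAC addresses, hostnames and package names are invented for illustration.

```python
# Added example: reconcile a discovered inventory against an authorized
# baseline, in the spirit of CIS Controls 1 (devices) and 2 (software).
# All data below is constructed; real inputs would come from a network
# discovery scan plus per-host agent or package-manager reports.
from dataclasses import dataclass, field

# Control 1 baseline: authorized devices keyed by MAC address (constructed).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "fileserver01",
    "00:11:22:33:44:02": "laptop-alice",
    "00:11:22:33:44:03": "scanner-lobby",
}

# Control 2 allow-list: the only software permitted to run (constructed).
APPROVED_SOFTWARE = {"openssh-server", "libreoffice", "firefox", "nginx"}

# What the discovery pass actually found (constructed sample).
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "host": "fileserver01", "software": ["openssh-server", "nginx"]},
    {"mac": "00:11:22:33:44:02", "host": "laptop-alice", "software": ["firefox", "libreoffice", "bittorrent"]},
    {"mac": "00:11:22:33:44:99", "host": "unknown-pi", "software": ["openssh-server"]},
]

@dataclass
class Findings:
    unknown_devices: list = field(default_factory=list)      # seen, not in baseline
    missing_devices: list = field(default_factory=list)      # in baseline, not seen
    unapproved_software: dict = field(default_factory=dict)  # host -> [packages]

def reconcile(discovered, authorized, approved):
    """Return the Control 1/2 gaps between discovered inventory and baseline."""
    f = Findings()
    seen = set()
    for dev in discovered:
        mac = dev["mac"].lower()
        seen.add(mac)
        if mac not in authorized:          # Control 1: device nobody approved
            f.unknown_devices.append(dev["host"])
        bad = sorted(set(dev["software"]) - approved)
        if bad:                            # Control 2: software outside the allow-list
            f.unapproved_software[dev["host"]] = bad
    # Baseline devices that did not show up also matter: a missing asset is
    # either offline, moved, or has been removed without the inventory knowing.
    f.missing_devices = sorted(name for mac, name in authorized.items() if mac not in seen)
    return f

if __name__ == "__main__":
    r = reconcile(DISCOVERED, AUTHORIZED_DEVICES, APPROVED_SOFTWARE)
    print("Unknown devices:", r.unknown_devices)
    print("Missing devices:", r.missing_devices)
    print("Unapproved software:", r.unapproved_software)
```

Running the same reconciliation on every discovery cycle and diffing the findings against the previous run is what turns a one-off inventory into the “monitor for change” that Control 1 asks for.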
Secure Configurations for Hardware and Software
CIS Control 3 requires organizations to configure systems to a secure standard. By default, most systems are configured for ease of use first, security second. Misconfigurations can be exploited by bad actors. Configuring systems against an industry-standard benchmark helps lower the risk of this occurring.
Continuous Vulnerability Assessment and Remediation
CIS Control 4 calls for implementing a patch management system that covers both the operating system and third-party vulnerabilities. Such a system installs updates to address software vulnerabilities on a schedule that’s automatic, continuous and systematic. Implementing this control helps ensure incidents like WannaCry don’t happen.
Controlled Use of Administrative Privileges
CIS Control 5 mandates that individual employees have only the rights, privileges and permissions they need to use systems. Many organizations allow any employee to access local systems, or even domains, with rights that should be reserved for administrators. Open access creates “insider threats” that can lead to wrongdoing. By restricting administrative access, you close that gap.
There is a total of 20 CIS best practices that organizations can implement to improve their cyber defenses. You can download the first five CIS Controls or all 20 for free.
These controls can and should be used to inform your own IT security policies. Paired with training, a comprehensive cybersecurity awareness effort (Information Security and Acceptable Use policies, awareness posters, and sample phishing attempts) can help you reduce your risk by educating your employees.