The Center for Internet Security Controls or CISControls have become an industry standard to help businesses and organizations of all sizes to maintain an industry standard of Cybersecurity controls.

The 153 Safeguards, which are found in the 18 controls, are a foundation to protecting your technology and data. They are not rocket science and the majority you can start to implement today.

Follow along as I outline and simplify the safeguards as we work together and SecureIT.

Yesterday we reviewed Safeguard 1.1 on establishing a detailed asset inventory, today let's review 1.2 "Addressing Unauthorized Assets".

For all 3 Implementation Groups, we need to ensure that a process exists to address unauthorized assets on at minimum a weekly basis. You can choose to remove the asset from the network, deny the asset from connecting remotely, or quarantine it.

Shadow IT assets or those assets that are unknown pose serious risks to your network security and data security.

This is the first safeguard that is a documented process. As long as you are maintaining a log of manual weekly review of DHCP leases you probably can check this off. But manual processes equate to likely mistakes or missing something.

First, I would ensure that any live network jacks are disabled if they are not being used. Second, ensure only work owned devices are permitted access to the wireless corporate networks (any personal devices should always access the guest network). If you have every MAC address documented you could maintain a whitelist of MAC address's allowed on the network.

I've also seen Liongard's Network Discovery inspector used to scan the network every 8 hours and notify when a change occurs. Enterprise network infrastructure like switches and firewalls also may have discovery tools to help identify Shadow IT assets.

Once you know and have the process of identifying when new devices are connected then you identify if it's removed, denied, or quarantined. If you're doing MAC address filtering at the infrastructure level you build that into the policy where if it's not one of these addresses, it's denied access. If you're doing it manually then it's how you locate and remove the asset is what you need to document.

Need help getting started with your Policy?  Download a Asset Management Template here!

Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-safeguards-secureit-activity-7067523468942008320-M8QS?utm_source=share&utm_medium=member_desktop 

The Center for Internet Security Controls or CISControls have become an industry standard to help businesses and organizations of all sizes to maintain an industry standard of Cybersecurity controls.

The 153 Safeguards, which are found in the 18 controls, are a foundation to protecting your technology and data. They are not rocket science and the majority you can start to implement today.

Follow along as I outline and simplify the safeguards as we work together and SecureIT.

CIS Control 1 is Inventory and Control of your assets, so it makes sense that Safeguard 1.1 is "Establish and Maintain a Detailed Asset Inventory".

This is calling for you to maintain a current inventory of all of your assets that have the potential to store or process data. So that includes endpoints, network devices, IoT devices, servers, hard drives, usb devices, and in some cases even backup storage devices or drives.

You should maintain at minimum the hardware address, machine name, owner, operating system, and what type of data does the user have access to. I would assume that any asset can be used within the network as well as outside the network with today's modern workspace.

You know what you have to store, but how you store it is also critical. There are tools like Hudu, IT Glue, Confluence, Microsoft Sharepoint, ManageEngine's AssetExplorer, and other documentation tools that allow you to manually manage this. Integrations and tools like Liongard or your Remote Monitoring and Management (RMM) tools can automate some of the inventory pieces as well, but you have to have a solution that allows for the manual entry of devices to meet this compliance piece.

You want to automate what you can, because manual documentation will be outdated and no matter how good the techs are, it's never going to be updated right away.

If you don't have access to any of the above tools you can utilize a shared Microsoft Excel or Google Sheets to list your objects in a spreadsheet format, but you'll learn as we go thru this you'll want to go with a tool that has integrations with the assets you utilize - again when you can automate it, then you'll find it always to be more accurate.

CIS Safeguard 1.1 is required for Implementation Groups 1, 2, and 3.

Need help getting started with your Policy?  Download a Asset Management Template here!

Join the conversation on LinkedIn - https://www.linkedin.com/posts/scottrdavispa_ciscontrols-secureit-activity-7067238255586365440-jg9g?utm_source=share&utm_medium=member_desktop 

CIS Controls have become an industry standard to help businesses and organizations of all sizes to maintain an industry standard of Cybersecurity controls.  

The latest release of the CIS Controls is version eight, which was published in 2021. The list is still prioritized in order of importance, but there are some notable changes to the controls and their order. The controls are now task-focused and combined by activities broken down into 18 Controls within three implementation groups.

Implementation Groups

An Implementation Group 1 (IG1) enterprise is small to medium-sized with limited IT and cybersecurity expertise to dedicate towards protecting IT assets and personnel. The principal concern of these enterprises is to keep the business operational, as they have a limited tolerance for downtime. The sensitivity of the data that they are trying to protect is low and principally surrounds employee and financial information.

CIS Control 1: Inventory and Control of Enterprise Assets

A comprehensive view of the devices on your network is the first step in reducing your organization’s attack surface. Use both active and passive asset discovery solutions on an ongoing basis to monitor your inventory and make sure all hardware is accounted for.

• 1.1 - Establish and Maintain Detailed Enterprise Asset Inventory [IG1] [IG2] [IG3]
• 1.2 - Address Unauthorized Assets [IG1] [IG2] [IG3]
• 1.3 - Utilize an Active Discovery Tool [IG2] [IG3]
• 1.4 - Use Dynamic Host Configuration Protocol (DHCP) Logging to update Enterprise Asset Inventory [IG2] [IG3]
• 1.5 - Use a Passive Asset Discovery Tool [IG3]

CIS Control 2: Inventory and Control of Software Assets

Another one of the top controls also deals with asset discovery, making network inventorying the single most critical step you can take to harden your system. After all, you can’t keep track of assets that you don’t know you have on your network.

• 2.1 - Establish and Maintain a Software Inventory [IG1] [IG2] [IG3]
• 2.2 - Ensure Authorized Software is Currently Supported [IG1] [IG2] [IG3]
• 2.3 - Address Unauthorized Software [IG1] [IG2] [IG3]
• 2.4 - Utilize Automated Software Inventory Tools [IG2] [IG3]
• 2.5 - Allowlist Authorized Software [IG2] [IG3]
• 2.6 - Allowlist Authorized Libraries [IG2] [IG3]
• 2.7 - Allowlist Authorized Scripts [IG3]

CIS Control 3: Data Protection

A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes as well as being able to classify it based on sensitivity are the keystones of such a plan. Despite its simple name, this is one of the more complex and difficult controls to put into practice thanks to ongoing processes like inventorying sensitive information.

• 3.1 - Establish and Maintain a Data Management Process [IG1] [IG2] [IG3]
• 3.2 - Establish and Maintain a Data Inventory [IG1] [IG2] [IG3]
• 3.3 - Configure Data Access Control Lists [IG1] [IG2] [IG3]
• 3.4 - Enforce Data Retention [IG1] [IG2] [IG3]
• 3.5 - Securely Dispose of Data [IG1] [IG2] [IG3]
• 3.6 - Encrypt Data on End-User Devices [IG1] [IG2] [IG3]
• 3.7 - Establish and Maintain a Data Classification Scheme [IG2] [IG3]
• 3.8 - Document Data Flows [IG2] [IG3]
• 3.9 - Encrypt Data on Removable Media [IG2] [IG3]
• 3.10 - Encrypt Sensitive Data in Transit [IG2] [IG3]
• 3.11 - Encrypt Sensitive Data at Rest [IG2] [IG3]
• 3.12 - Segment Data Processing and Storage Based on Sensitivity [IG2] [IG3]
• 3.13 - Deploy a Data Loss Prevention Solution [IG3]
• 3.14 - Log Sensitive Data Access [IG3]

CIS Control 4: Secure Configuration of Enterprise Assets and Software

Leverage file integrity monitoring (FIM) to keep track of configuration files, master images, and more. This control speaks to the need for automating configuration monitoring systems so that departures from known baselines trigger security alerts. The systems in scope under this control include mobile devices, laptops, workstations, servers, and other devices.

• 4.1 - Establish and Maintain a Secure Configuration Process [IG1] [IG2] [IG3]
• 4.2 - Establish and Maintain a Secure Configuration Process for Network Infrastructure [IG1] [IG2] [IG3]
• 4.3 - Configure Automatic Session Looking on Enterprise Assets [IG1] [IG2] [IG3]
• 4.4 - Implement and Manage a Firewall on Servers [IG1] [IG2] [IG3]
• 4.5 - Implement and Manage a Firewall on End-User Devices [IG1] [IG2] [IG3]
• 4.6 - Securely Manage Enterprise Assets and Software [IG1] [IG2] [IG3]
• 4.7 - Manage Default Accounts on Enterprise Assets and Software [IG1] [IG2] [IG3]
• 4.8 - Uninstall or Disable Unnecessary Services on Enterprise Assets and Software [IG2] [IG3]
• 4.9 - Configure Trusted DNS Servers on Enterprise Assets [IG2] [IG3]
• 4.10 - Enforce Automatic Device Lockout on Portable End-User Devices [IG2] [IG3]
• 4.11 - Enforce Remote Wipe Capability on Portable End-User Devices [IG2] [IG3]
• 4.12 - Separate Enterprise Workspaces on Mobile End-User Devices [IG3]

CIS Control 5: Account Management

In order to keep valid credentials out of hackers’ hands, you must have a system in place to control authentication mechanisms. Administrative credentials are a prime target for cybercriminals. Luckily, there are several steps you can take to safeguard them, such as keeping a detailed inventory of admin accounts and changing default passwords. Monitoring and controlling accounts makes it much harder for malicious actors to successfully attack a company and steal or damage assets.

• 5.1 - Establish and Maintain an Inventory of Accounts [IG1] [IG2] [IG3]
• 5.2 - Use Unique Passwords [IG1] [IG2] [IG3]
• 5.3 - Disable Dormant Accounts [IG1] [IG2] [IG3]
• 5.4 - Restrict Administrator Privileges to Dedicated Administrator Accounts [IG1] [IG2] [IG3]
• 5.5 - Establish and Maintain an Inventory of Service Accounts [IG2] [IG3]
• 5.6 - Centralize Account Management [IG2] [IG3]

CIS Control 6: Access Control Management

The first step in implementing this control is inventorying your network’s wireless access points. From there, the control takes a deep dive into mitigating all types of wireless access risks. By encrypting information in transit and disabling communication between workstations, you can also start to limit potential security incidents that can occur when data privileges are overly lax.

CIS Control 7: Continuous Vulnerability Management

A major challenge in cybersecurity involves keeping up with all the common vulnerabilities and exposures (CVEs) identified in real time around the world. Effective security programs have to keep up with a plethora of new vulnerabilities every day. CIS lists continuous vulnerability assessment and remediation as a key part of risk and governance programs.

CIS Control 8: Audit Log Management

System logs provide an accurate account of all activity on your network. This means that in the event of a cybersecurity incident, proper log management practices will give you all the data you need about the who, what, where, when, and how of the event in question. Security teams must pay attention to logs and use them in conjunction with tools that are designed to analyze log information and generate actionable management guidance.

CIS Control 9: Email and Web Browser Protections

There are more security threats in email and web browsers than phishing alone. Even a single pixel in an email image can give cybercriminals the information they need in order to carry out an attack. Attackers frequently use web browsers and email clients as entry points for code exploitation and social engineering, and controls need to be implemented to protect against interactions with untrusted environments.

CIS Control 10: Malware Defenses

Increasing ransomware attacks necessitate that organizations bolster their malware defenses. Make sure your antivirus tools integrate well with the rest of your security toolchain. Implement anti-malware software and ensure that it is kept regularly updated. This control also involves disabling certain functions, such as autorun and autoplay for removable media.

CIS Control 11: Data Recovery

Organizations must have a strong plan for dealing with the recovery of lost data should preventive controls fail. Are you performing regular, automated backups? Are you protecting your backed-up data? Ensuring proper data recovery capabilities will protect you from threats like ransomware. It’s also important to practice and test restoring your data so you will be prepared in the event of actual data loss.

CIS Control 12: Network Infrastructure Management

Implementing this control will help you reduce your attack surface by way of tactics like automated port scanning and application firewalls. Network devices can be viewed as the gateways to your enterprise, whether physical or virtual. Proper administration and secure configuration of routers, switches, firewalls, and other network devices is essential to managing ingress and egress filtering rules for enterprise policy-based protection.

CIS Control 13: Network Monitoring and Defense

This control involves centralizing security event alerting, deploying host-based intrusion detection systems, using a network intrusion detection system, and more. Network monitoring and defense must be viewed as an ongoing process that is given substantial attention by security teams. Safeguards such as network segmentation and application layer filtering will help ensure that networks stay hardened against attacks.

CIS Control 14: Security Awareness and Skills Training

Security training should be a bigger priority at most organizations, due in part to the widening cybersecurity skills gap. This control also emphasizes the need for ongoing security training rather than one-time engagements. When employees understand how to practice stringent cyber hygiene, they are much harder to exploit by way of phishing and social engineering attacks.

CIS Control 15: Service Provider Management

Most organizations entrust certain processes and functions to third-party service providers who frequently have access to sensitive data. Unfortunately, service providers have become an attack vector for cybercriminals, so managing the security of your organization’s service providers is now a necessity. And this isn’t just for security’s sake; many compliance standards, HIPAA and PCI for example, require compliance to cover third-party service providers.

CIS Control 16: Application Software Security

Code developed in-house needs security assessments through processes like static and dynamic security analysis to uncover hidden vulnerabilities. The most popular target for hackers is your application base, so it’s essential to implement a comprehensive program of application security controls. This should include scanning, testing, and software development lifecycle (SDLC) controls.

CIS Control 17: Incident Response Management

This control helps you put strategies in place to plan and test for cybersecurity incidents so that you’re not left scrambling when they occur. Know who at your organization is responsible for handling incidents and what processes they’ll use to mitigate them. It’s also crucial to conduct post-incident reviews to understand what happened and how to prevent a repeat occurrence.

CIS Control 18: Penetration Testing

Regular penetration testing helps you identify vulnerabilities and attack vectors that would otherwise go unknown until discovered by malicious actors. It’s an important aspect of discovery and identifying potential critical vulnerabilities within your organizations external network, internal network, applications, or systems.

Need help implementing?

The 18 security controls can create a framework that will help you protect your organization and data from cyber attack.  Scott has utilized the CIS Controls framework to create the foundational cybersecurity programs at more than 50 organizations across the globe.  Message This email address is being protected from spambots. You need JavaScript enabled to view it. to learn more how Scott can help your organization implement CIS Controls today.