What are the CIS Critical Security Controls?
The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is an industry-leading way to answer your key security question: “How can I be prepared to stop known attacks?” The controls transform best-in-class threat data into prioritized and actionable ways to protect your organization from today's most common attack patterns.
Achievable Implementation of the CIS Critical Security Controls
The interesting thing about the Critical Security Controls is how well they scale to work for organizations of any size, from very small to very large. They are written in easy-to-understand business language, so non-security people can readily grasp what they do. They cover many parts of an organization, including people, processes and technology. As a subset of the priority 1 items in the NIST 800-53 special publication, they are also highly relevant and complementary to many established frameworks.
Leveraging Rapid7's expertise to assist your successful implementation
As part of a Rapid7 managed services unit, the Security Advisory Services team at Rapid7 specializes in security assessments for organizations. Using the CIS Critical Security Controls (formerly the SANS 20 Critical Controls) as a baseline, the team assesses and evaluates strengths and gaps, and makes recommendations on closing those gaps.
The Security Advisory Services team will be posting a blog series on each of the controls. These posts are based on our experience over the last two years of our assessment activity with the controls, and how we feel each control can be approached, implemented and evaluated. If you are interested in learning more about the CIS Critical Controls, stay tuned here as we roll out posts weekly. Thanks for your interest and we look forward to sharing our knowledge with you!
The definitive guide of all CIS Critical Security Controls
As the blog series expands, we'll use this space to keep a running total of all the 20 CIS Critical Controls. Check back here to stay updated on each control.
Control 1: Inventory of Authorized and Unauthorized Devices
This control is split into 6 focused sections relating to network access control, automation and asset management. The control specifically addresses the need for awareness of what's connected to your network, as well as the need for proper internal inventory management and management automation. Implementing inventory control is probably the least glamorous way to improve a security program, but if it's done right it reduces insider threat and loss risks, cleans up the IT environment and improves the other 19 controls. Learn more.
Control 2: Inventory of Authorized and Unauthorized Software
The second control is split into 4 sections, each dealing with a different aspect of software management. Much like Control 1, this control addresses the need for awareness of what's running on your systems and network, as well as the need for proper internal inventory management. The CIS placed these controls as the "top 2" in much the same way that the NIST Cybersecurity Framework addresses them as "priority 1" controls on the 800-53 framework; inventory and endpoint-level network awareness are critical to decent incident response, protection and defense. Learn more.
Control 3: Secure Configurations for Hardware & Software
This control deals with Secure Configurations for Hardware & Software. The Critical Controls are numbered in a specific way, following a logical path of building foundations while you gradually improve your security posture and reduce your exposure. Controls 1 and 2 are foundational to understanding what inventory you have. The next step, Control 3, is all about shrinking that attack surface by securing the inventory in your network. Learn more.
Control 4: Continuous Vulnerability Assessment & Remediation
Organizations operate in a constant stream of new security information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity and requires a significant amount of time, attention and resources. Attackers have access to the same information, but have significantly more time on their hands. This can lead to them taking advantage of gaps between the appearance of new knowledge and remediation activities. Control 4 challenges you to understand why vulnerability management and remediation are important to your overall security maturity. Learn more.
Control 5: Controlled Use of Administrative Privilege
The ultimate goal of an information security program is to reduce risk. Often, hidden risks run amok in organizations that just aren't thinking about risk in the right way. Control 5 of the CIS Critical Security Controls can be contentious, can cause bad feelings, and is sometimes hated by system administrators and users alike. It is, however, one of the controls that can have the largest impact on risk. Discover how reducing or controlling administrative privilege and access can reduce the risk of an attacker compromising your sensitive information. Learn more.
Control 6: Maintenance, Monitoring and Analysis of Audit Logs
This control has six sections, which cover everything from NTP configuration and verbose logging of traffic from network devices, to how the organization can best leverage a SIEM for a consolidated view and action points, and how often reports need to be reviewed for anomalies. Learn more.
Control 7: Email and Web Browser Protection
Critical Control 7 has eight sections that cover the basics of browser and email client safety, secure configuration and mail handling at the server level. The control pays specific attention to concepts like scripting and active component limiting in browsers and email clients, attachment handling, configuration, URL logging, filtering and whitelisting. The premise of the control is fairly straightforward: browser and email client security are critically important for low-level risk mitigation. Learn more.
Control 8: Malware Defenses
Control 8 covers malware and antivirus protection at system, network, and organizational levels. It isn't limited to workstations, since even servers that don't run Windows are regularly targeted (and affected) by malware. Control 8 should be used to assess infrastructure, IoT, mobile devices, and anything else that can become a target for malicious software—not just endpoints. Learn more.
Control 9: Limitation and Control of Ports, Protocols, and Services
Control 9 covers management of ports, protocols, and services (PPS) on devices that are a part of your network. This means that all PPS in use within your infrastructure must be defined, tracked, and controlled, and that any corrections should be undertaken within a reasonable timeframe. The initial focus should be critical assets and evolve to encompass your infrastructure in its entirety. By maintaining knowledge of what is running and eliminating extraneous means of communication, organizations reduce their attack surface and give attackers fewer areas in which to ply their trade. Learn more.
Control 10: Data Recovery Capability
Control 10 discusses the processes and tools used to properly back up critical information, with a proven methodology for its timely recovery. The control standard consists of four criteria which are labelled as foundational elements of a security program; these focus on system backups and testing. Learn more.
Control 11: Secure Configurations for Network Devices
Control 11 covers secure configurations for network devices, including firewalls, routers, switches, and network IDS setups; many of these concepts can be applied to DHCP/DNS appliances, NAC enforcement appliances, and other solutions, too. The goal is to harden these critical network infrastructure devices against compromise, and to establish and maintain visibility into changes that occur on them—whether those changes are made by legitimate administrators or by an adversary. Learn more.
Control 12: Boundary Defense
Control 12 covers boundary defense, or an organization's first line of protection against outside threats. There are ten subsections to this control that cover your DMZ, firewalls and proxies, IDS/IPS, NetFlow, and remote access. Today, many attackers focus on exploiting systems that they can reach across the internet; they are constantly probing perimeters for vulnerabilities and information needed to build their attack plan. Learn more.
Control 13: Secure Data Management
Data protection is one of the cornerstones of a solid security program, and it is a critical function of the CIA Triad of Confidentiality, Integrity, and Availability. Data protection, as characterized by Critical Control 13, is essentially secure data management. Learn more.
Control 14: Controlled Access Based on the Need to Know
Control 14 covers the processes and tools used to track, control, prevent, and correct secure access to critical assets such as information, resources, and systems. It’s important to establish a formal classification of your data types in order to define which persons, computers, and applications have a need and right to access them. Learn more.
Control 15: Wireless Access Control
Control 15 covers the processes and tools used to track, control, prevent, and correct the secure use of wireless local area networks (LANs), access points, and wireless client systems. With so many emails, documents, logins, and the like being transmitted around us, we must turn our attention to securing this sensitive data. Learn more.
Control 16: Account Monitoring and Control
Control 16 recommends processes to manage the lifecycle (creation, use, dormancy, and deletion) of system and application accounts. To address this control, companies can implement best practices for account lifecycle management, configuration settings, and two-factor authentication. Learn more.