20 May


CIS 20

posted by: William White

Photo by Alan Light, CC BY 2.0

“Hello, this is Casey Checksum. Welcome to the CIS Top 20, a countdown of this week’s best practice guidelines for cyber security controls. We have 20 controls, and 3 new implementation groups, to talk about this week. Let’s get it all started right now. Starting with number 20… ‘Penetration Tests and Red Team Exercises’.” - Casey Checksum, cousin of America’s Top 40 host Casey Kasem

The CIS Top 20. Now that’s a radio program I could listen to. The smooth, baritone voice of Casey Checksum, waxing lyrical about the ways a company can protect its brand and bank account. Yup. My kind of programming.

What’s Casey Checksum talking about?

CIS stands for the “Center for Internet Security”. CIS is a non-profit organization that altruistically endeavors to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace”. In other words, they tell us how to best protect ourselves against cyber criminals and other risks. CIS has played a big part in developing and refining the CIS Top 20 (currently v7.1 as of the date of this post).

The CIS Top 20 (aka CIS 20, CIS Controls, CIS CSC, CIS 20 CSC, CSC 20, SANS 20, SANS Top 20, CAG 20) is a list of 20 security controls that all companies can implement to protect their reputation, finances, and customers from cyber attacks and breaches. From here on out, I’ll refer to them simply as the CIS 20.

This CIS 20 consists of 20 “to-dos”. These are actions that can be taken to build a strong defense against the bad guys. Here’s the list of the 20 things you should be doing (v7.1):

1 Inventory and Control of Hardware Assets
2 Inventory and Control of Software Assets
3 Continuous Vulnerability Management
4 Controlled Use of Administrative Privileges
5 Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6 Maintenance, Monitoring and Analysis of Audit Logs
7 Email and Web Browser Protections
8 Malware Defenses
9 Limitation and Control of Network Ports, Protocols, and Services
10 Data Recovery Capabilities
11 Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
12 Boundary Defense
13 Data Protection
14 Controlled Access Based on the Need to Know
15 Wireless Access Control
16 Account Monitoring and Control
17 Implement a Security Awareness and Training Program
18 Application Software Security
19 Incident Response and Management
20 Penetration Tests and Red Team Exercises

Each of the 20 actions, or controls, typically has 5 to 10 recommended sub-controls that tell you how to implement it. For example:

CIS Control #1 is:
“Inventory and Control of Hardware Assets”

The “to-do”:
“Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.”

The “how to do it” sub-controls are:
1.1 Utilize an active discovery tool to identify devices connected to the organization’s network and update the hardware asset inventory.

1.2 Utilize a passive discovery tool to identify devices connected to the organization’s network and automatically update the organization’s hardware asset inventory.

1.3 Use Dynamic Host Configuration Protocol (DHCP) logging on all DHCP servers or IP address management tools to update the organization’s hardware asset inventory.

1.4 Maintain an accurate and up-to-date inventory of all technology assets with the potential to store or process information. This inventory shall include all hardware assets, whether connected to the organization’s network or not.

1.5 Ensure that the hardware asset inventory records the network address, hardware address, machine name, data asset owner, and department for each asset and whether the hardware asset has been approved to connect to the network.

1.6 Ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner.

1.7 Utilize port level access control, following 802.1x standards, to control which devices can authenticate to the network. The authentication system shall be tied into the hardware asset inventory data to ensure only authorized devices can connect to the network.

1.8 Use client certificates to authenticate hardware assets connecting to the organization’s trusted network.
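As an added illustration of what sub-controls 1.3, 1.5 and 1.6 look like in practice (example code written for this post, not from CIS or any inventory product), the script below reads DHCPACK lines in the syslog format ISC dhcpd uses, looks each client up by hardware address in an inventory that carries the 1.5 fields (address, machine name, owner, department, approved flag), and sorts devices into approved, known-but-unapproved (to quarantine) and unknown (added to the inventory as unapproved so the inventory stays current). Every log line, MAC address, hostname and inventory record is constructed for the example; the log pattern itself is the standard dhcpd one.

```python
"""Reconcile DHCP lease grants against a hardware asset inventory.

Added example for CIS sub-controls 1.3 (DHCP logging feeds the inventory),
1.5 (inventory fields) and 1.6 (unauthorized assets quarantined and the
inventory updated).  All sample data below is constructed.
"""
import copy
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed dhcpd-style syslog excerpt. Only DHCPACK lines mean a lease was
# actually granted; the hostname in parentheses is optional in this format.
SAMPLE_DHCP_LOG = """\
May 20 08:01:12 dhcp1 dhcpd[2211]: DHCPACK on 10.10.5.21 to aa:bb:cc:00:01:01 (finance-lt-07) via eth0
May 20 08:03:44 dhcp1 dhcpd[2211]: DHCPACK on 10.10.5.22 to aa:bb:cc:00:01:02 (hr-ws-03) via eth0
May 20 08:05:02 dhcp1 dhcpd[2211]: DHCPDISCOVER from aa:bb:cc:00:01:99 via eth0
May 20 08:05:03 dhcp1 dhcpd[2211]: DHCPACK on 10.10.5.40 to aa:bb:cc:00:01:99 via eth0
May 20 08:09:30 dhcp1 dhcpd[2211]: DHCPACK on 10.10.5.23 to aa:bb:cc:00:01:03 (lab-pi-01) via eth0
"""

# Constructed inventory keyed by hardware address. "approved" is the
# sub-control 1.5 "approved to connect to the network" flag.
INVENTORY: Dict[str, dict] = {
    "aa:bb:cc:00:01:01": {"name": "finance-lt-07", "owner": "J. Doe", "dept": "Finance", "approved": True},
    "aa:bb:cc:00:01:02": {"name": "hr-ws-03", "owner": "A. Smith", "dept": "HR", "approved": True},
    "aa:bb:cc:00:01:03": {"name": "lab-pi-01", "owner": "R. Lee", "dept": "R&D", "approved": False},
}

LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass
class Lease:
    ip: str
    mac: str
    host: str  # empty string when the client sent no hostname


def parse_leases(log_text: str) -> List[Lease]:
    """Extract granted leases (DHCPACK lines) from dhcpd-style syslog text."""
    leases = []
    for line in log_text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def reconcile(leases: List[Lease], inventory: Dict[str, dict]) -> Dict[str, List[str]]:
    """Classify each lease against the inventory and keep the inventory current.

    Returns lists of MAC addresses:
      approved   - known and approved; current IP recorded on the asset
      quarantine - known but not approved to connect (1.6: quarantine/remove)
      unknown    - not in the inventory; added as an unapproved record (1.6)
    """
    report = {"approved": [], "quarantine": [], "unknown": []}
    for lease in leases:
        record = inventory.get(lease.mac)
        if record is None:
            inventory[lease.mac] = {"name": lease.host, "owner": None, "dept": None,
                                    "approved": False, "ip": lease.ip}
            report["unknown"].append(lease.mac)
        elif record["approved"]:
            record["ip"] = lease.ip
            report["approved"].append(lease.mac)
        else:
            record["ip"] = lease.ip
            report["quarantine"].append(lease.mac)
    return report


def run_demo() -> Tuple[Dict[str, List[str]], Dict[str, dict]]:
    """Run the reconciliation on the constructed data without mutating INVENTORY."""
    inventory = copy.deepcopy(INVENTORY)
    report = reconcile(parse_leases(SAMPLE_DHCP_LOG), inventory)
    return report, inventory


if __name__ == "__main__":
    report, inventory = run_demo()
    for bucket, macs in report.items():
        print(f"{bucket:10s} {macs}")
    for mac in report["unknown"] + report["quarantine"]:
        print(f"action required: {mac} ({inventory[mac]['name'] or 'no hostname'}) at {inventory[mac]['ip']}")
```

The decision that matters is the middle branch: a device can be fully inventoried (owner, department, name all filled in) and still not be approved to connect, which is exactly the case sub-control 1.5's approval flag exists to catch. The unknown bucket is where a passive or DHCP-based feed (1.2, 1.3) adds real value over a periodic active scan (1.1), because the device shows up the moment it asks for an address.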

For a detailed look at all 20 controls, and their sub-controls, visit the CIS website by clicking here.

The CIS 20 provides an easy-to-understand framework to use in building your company’s cyber security program. It also provides a benchmark for comparing the maturity of your program against a set of best practices.

Implementing all 20 controls, and all sub-controls, is an unrealistic goal. Cost is the number one reason. A lot of organizations look at the list and think, “Great, but where do we start? How should we prioritize their implementation?” The answer isn’t as simple as saying, “Start at number 1, silly.”

Your company’s starting point in the 20 is determined by multiple factors, including:

  • Company size/Projected growth
  • Industry you are in
  • Compliance needs
  • Budget
  • Risk appetite
  • Sensitivity of data
  • Controls in place

Fortunately, the CIS 20 can be grouped two different ways to help your company prioritize the controls: Control Categories and Implementation Groups.

Control Categories group at the control level (e.g. Control 1). Implementation Groups work at the sub-control level (e.g. Control 1.1).

Control Categories come in 3 flavors:

  • Basic: Key controls that should be implemented in every organization. Essential for cyber defense readiness. Controls 1-6
  • Foundational: Technical best practices for any organization. Controls 7-16
  • Organizational: Focus on “people and processes”. Controls 17-20
Control Categories

To learn more about Control Categories, click here.

Implementation Groups also come in 3 flavors, but they focus on the sub-controls:

  • Implementation Group 1: All companies, regardless of size, start here. The essential protections that must be put into place to defend against common attacks. For example, Sub-control 1.4.
  • Implementation Group 2: Companies working with sensitive data or that have compliance requirements. For example, Sub-control 1.5.
  • Implementation Group 3: Larger companies that staff cyber security SMEs or that face advanced threats. For example, Sub-control 1.8.
Implementation groups in action.

To learn more about using Implementation Groups, click here.

We will explore individual controls, Control Categories and Implementation Groups in more detail in future blog posts.

“Until then, keep your devices patched and keep reaching for the CIS 20.” - Casey Checksum

