By Ron Temske, Vice President of Security Solutions, Logicalis US
In an earlier blog post, I discussed the importance of a Common Security Framework (CSF) to enterprise security https://logicalisinsights.com/2017/04/07/what-is-a-common-security-framework-csf/ . In this blog post, I want to dive a little deeper into one specific framework – the SANS 20 / CIS 20 Critical Security Controls (CSC) security framework. CIS stands for Center for Internet Security (www.cisecurity.org) which is a non-profit that leverages the global IT community to safeguard private and public organizations against cyber threats. CIS has no corporate affiliations or ties that would create any conflicts of interest and provides an excellent security framework in Logicalis’ opinion.
Every organization should leverage a security framework. CIS is certainly not the only framework available, but it is the most accessible. For companies that may be intimidated by the level of effort required to pursue some of the frameworks I discussed earlier https://logicalisinsights.com/2017/04/07/what-is-a-common-security-framework-csf/ such as NIST, HITRUST and ISO 27001, the CIS framework represents a great opportunity to address the most common areas of security and provide a blueprint for success. Many large consulting firms offer a proprietary framework, but the challenge with a proprietary framework is the inability to benchmark yourself against similar organizations and the lack of public scrutiny. The CIS framework, which we prefer, has been heavily scrutinized and perfected over time. You can find additional information about the CIS 20 and its Critical Security Controls at https://www.cisecurity.org/critical-controls/Library.cfm.
A commonly abused term in the technology industry is “best practices.” The challenge is that there often is no reference body for best practices. For security, however, CIS is that reference body. The CIS 20 CSC provides a framework of 20 high-level areas of security that organizations should pursue. We can make this even easier by focusing on the Top 5 CIS controls. By just implementing the top 5 CIS controls, an organization can reduce the efficacy of an attack by up to 85 percent.
Before we look at the top five controls, let’s review the five key areas of an effective cyber defense system, according to CIS, are:
- Offense Informs Defense. You must leverage information from actual attacks to build your defense and apply controls that are known to stop real-world threats.
- Prioritization. You must prioritize your controls in areas that will produce the greatest results and/or protect the largest assets.
- Metrics. You must be able to measure the efficacy of your security controls – Guesswork is not good enough.
- Continuous diagnostics and validation. Security changes rapidly and you must measure and test your systems and provide constant improvement.
- Automation. You can’t rely on human labor to stop all attacks. It’s too expensive and doesn’t produce consistent results. Automation is the key to stopping current attacks, many of which are themselves automated.
With that backdrop in mind, the Top 5 CIS Controls are:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
The Top 5 is a great set of “best practice” areas to review when performing a gap assessment for your enterprise security and ultimately implementing the Top 5 or 20 CIS Critical Security Controls.
Learn More
Read a blog post about Common Security Frameworks (CSC) and why they are important to your enterprise security. Review a two-part article exploring what an umbrella approach to security can look like in your enterprise – Part One: Potential DNS Vulnerabilities (http://ow.ly/Gd7Q307SBUE) and Part Two: A Secure DNS (http://ow.ly/kSuT307SCnY). Then, download an infographic displaying the benefits of Taking an Umbrella Approach to Security and one displaying the benefits of Transforming Internet Security with Big Data.