The modern world of information security can often be a confusing one. Security practitioners are continually inundated with data coming from reports, alerts, security tools, threat feeds, and more. At the same time, they are trying to align this data with the multiple security requirements, regulatory mandates, best practices, and frameworks that define their environment. Unchecked, the sheer volume of information can easily prevent an organization from taking action when it is needed. This ‘Fog of More’ can itself become the larger threat to the environment.
These are some of the issues that led to the development of what we now know as the Center for Internet Security (CIS) Controls. The CIS Controls are an attempt to cut through the apparently infinite number of solutions available today and bring the focus back to security fundamentals. What are the first steps an organization should take to mature its risk management program? What are the critical areas that need to be addressed? Which defensive steps have the greatest value? These are the questions the CIS Controls attempt to answer.
The original development of the CIS Controls, formerly known as the Critical Security Controls (CSC), was started by the National Security Agency (NSA) in 2008 as a project requested by the Department of Defense (DoD). The goal was to prioritize the many cybersecurity controls that already existed, based on the prevalence and frequency of the attack methods they defend against. While it started as a government project, it was quickly opened up to the private sector for input and collaboration.
Through a partnership between the NSA, the CIS, and the SANS Institute, a consortium was established to share knowledge and information. As the project progressed, additional members joined the consortium, expanding the base of data used to develop the list of controls. Through this tight collaboration between the public and private sectors, an initial draft was published in early 2009. The draft was circulated to several hundred IT shops for evaluation, and more than 50 organizations provided comments on it. These comments were then used to further refine the document.
When validated by the United States State Department, the list of controls was found to have remarkable alignment with the 3,085 real-world attacks experienced by the State Department in FY2009. A project was then launched to implement the controls across the entire State Department’s cyber environment, which resulted in great success. With a very rapid achievement of a more than 88% reduction in vulnerability-based risk across 85,000 systems, the State Department's program became a model for large government and private sector organizations.
CSC 1 through CSC 5 are often referred to as “Foundational Cyber Hygiene,” and are the basic controls that should be deployed to create a strong foundation for any cybersecurity program. According to CIS, a number of studies have shown that implementing the first five CIS Controls provides an effective defense against the most common cyber-attacks (~85% of attacks). In additional blog postings we will take a deeper look at each of the first five CIS Controls, but to be thorough, here is the complete list of 20 CIS Controls.
CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices, Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises
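The first two controls on the list, CSC 1 and CSC 2, come down to one recurring check: compare what is actually observed on the network against what the organization has authorized, and act on the differences. The following Python script is an added example written for this page, not code from CIS or ePlus; it reconciles a constructed DHCP-style lease export against a constructed authorized-device register, and a constructed per-host software snapshot against a role-based allowlist. All register entries, MAC addresses, hostnames, package names and the `REQUIRED_AGENTS` set are invented for illustration.

```python
"""Added example (not from the original post): a minimal reconciliation of
observed devices and installed software against an authorized inventory,
the core check behind CSC 1 (devices) and CSC 2 (software).
Every data value below is constructed for illustration."""
from dataclasses import dataclass

# Constructed authorized-asset register: MAC -> (expected hostname, owner).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": ("fileserver-01", "infra"),
    "00:11:22:33:44:02": ("ws-alice", "finance"),
    "00:11:22:33:44:03": ("printer-2f", "facilities"),
}

# Constructed software allowlist per host role, plus agents every host must run.
ALLOWED_SOFTWARE = {
    "workstation": {"chrome", "office", "edr-agent"},
    "server": {"openssh", "edr-agent", "backup-agent"},
}
REQUIRED_AGENTS = {"edr-agent"}

# Constructed observation data in a "mac ip hostname" shape, as a DHCP lease
# export or ARP sweep might produce. The third row is an unknown device.
OBSERVED_LEASES = """\
00:11:22:33:44:01 10.0.1.10 fileserver-01
00:11:22:33:44:02 10.0.2.45 ws-alice
AA:BB:CC:DD:EE:FF 10.0.2.99 android-9f3c
"""

# Constructed per-host snapshot: hostname -> (role, installed package names).
OBSERVED_SOFTWARE = {
    "fileserver-01": ("server", {"openssh", "edr-agent", "torrent-client"}),
    "ws-alice": ("workstation", {"chrome", "office"}),
}


@dataclass
class DeviceReport:
    unauthorized: list  # (mac, ip, hostname) seen on the network but not registered
    missing: list       # registered MACs not observed (offline, retired, or stale record)
    mismatched: list    # (mac, observed hostname, registered hostname)


def parse_leases(text):
    """Parse 'mac ip hostname' lines; MACs are normalized to lower case and
    blank or malformed rows are skipped rather than crashing the run."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        rows.append((parts[0].lower(), parts[1], parts[2]))
    return rows


def reconcile_devices(leases, register):
    """CSC 1 check: classify every observed device against the register and
    report registered devices that were never seen."""
    seen = set()
    unauthorized, mismatched = [], []
    for mac, ip, host in leases:
        seen.add(mac)
        if mac not in register:
            unauthorized.append((mac, ip, host))
        elif register[mac][0] != host:
            mismatched.append((mac, host, register[mac][0]))
    missing = sorted(set(register) - seen)
    return DeviceReport(unauthorized, missing, mismatched)


def reconcile_software(observed, allowlist, required):
    """CSC 2 check: per host, return (unapproved packages, missing required
    agents). A host whose role is unknown is treated as having no allowlist,
    so everything on it is reported as unapproved."""
    result = {}
    for host, (role, installed) in observed.items():
        allowed = allowlist.get(role, set())
        unapproved = sorted(installed - allowed)
        absent = sorted(required - installed)
        result[host] = (unapproved, absent)
    return result


if __name__ == "__main__":
    devices = reconcile_devices(parse_leases(OBSERVED_LEASES), AUTHORIZED_DEVICES)
    print("Unauthorized devices:", devices.unauthorized)
    print("Registered but not seen:", devices.missing)
    print("Hostname mismatches:", devices.mismatched)
    for host, (bad, absent) in reconcile_software(
            OBSERVED_SOFTWARE, ALLOWED_SOFTWARE, REQUIRED_AGENTS).items():
        print(f"{host}: unapproved={bad} missing_required={absent}")
```

In practice the two inputs would come from the organization's asset register and from a scheduled scan, lease export or endpoint-agent feed; the value of the control lies in running the comparison continuously and treating each category of difference (unknown device, unapproved package, missing security agent) as a work item with an owner.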
While security is never a one-size-fits-all proposition, the CIS Controls offer a relatively small number of prioritized, well-vetted actions that organizations can take to improve their current security posture. But only through a thorough understanding of their business, data, network, and infrastructure can organizations develop a proper plan for long-term success.
ePlus provides assessments that help gauge the effectiveness of your current security program and help you better protect your organization. We create custom, integrated security programs through a unique holistic approach centered on culture and technology. For more information about how you can implement the recommendations of the CSC 1 sub-controls, visit https://www.cisecurity.org/controls/ or contact us at firstname.lastname@example.org. You can also contact your ePlus Account Executive directly.