How to Use the CIS Controls Framework for Your Business
If you are having trouble deciding on the best practices to use in your company’s cybersecurity defense, making use of CIS Controls is a good place to start. Deploying CIS Controls helps to reduce the risk of a hacker completing a successful cyberattack against your business.
We’ll walk through the steps you can take to implement each of the 20 controls. We’ll discuss the benefits of using each of the CIS Controls frameworks for your business too. (You do not have to deploy all 20 unless they all make sense for your particular business, but they are a good starting point.)
1. Inventory and Control of Hardware Assets
The first of the CIS Controls involves having a full inventory of all hardware assets that are part of your network. You cannot create cybersecurity defense strategies for pieces of hardware if you don’t know they exist.
Once you know exactly what devices are part of the network, you then have the ability to manage those devices as they connect to the network.
Deploying an SCCM (System Center Configuration Manager) is the best way to manage the inventory of hardware assets. Taking a full inventory of your network’s hardware assets is time-consuming the first time you do it, but it will pay significant dividends for years to come.
2. Inventory and Control of Software Assets
Having an inventory of your network’s software assets is equally as important as inventorying and controlling the hardware assets. When you find unauthorized software running on the network, you can isolate it and determine whether it has malicious intentions.
Your IT team may want to deploy a whitelisting and blacklisting strategy to determine which software assets should be running. Additionally, make sure that only those who truly need to install new software have administrator-level privileges. This step should prevent someone from inadvertently installing unauthorized software.
Again, an SCCM can help you create the inventory list, as well as manage it.
3. Continuous Vulnerability Management
Through this CIS Control, you can implement steps that prevent attackers from gaining access to your network through weak spots.
You will need to have a plan in place that continuously monitors the network for any weaknesses or vulnerabilities in its security measures. You can accomplish this step through the development and implementation of an Incident Response Plan.
By implementing continuous vulnerability management processes, you can show that you have a compliance program to meet regulations, such as HIPAA, that require having safeguards in place for customer data.
4. Controlled Use of Administrative Privileges
This CIS Control option focuses on determining exactly which members of your organization should have administrative privileges. Ideally, as few people on the network as possible should be able to make network changes by being an administrator.
Make a list of the tasks that all the people who currently hold administrative privileges do during a normal week. If the person could do many of the tasks without administrative-level access, you may want to remove administrative privilege for that person.
For those who maintain administrative-level controls, make sure they are using complex passwords and two-factor authentication.
You may receive some pushback when you begin limiting the administrative privileges of certain members of your organization. However, this is one of the safest ways to guard against phishing attacks or stolen password attacks.
5. Secure Configuration for Hardware and Software
This CIS Control deals with securing hardware on the network, including servers, workstations, laptops, and mobile devices, as well as any software used on the network.
The idea behind this control is that the majority of users will select the lowest possible security settings when installing new hardware and software. Using these low settings minimizes hassles associated with stringent security measures. Such settings may place your network at risk, however.
To implement this control, you will need to track all the security settings for hardware and software on the network. For any settings that don’t meet the demands set forth in your cybersecurity defense plan, force changes in the settings to limit vulnerabilities.
6. Maintenance, Monitoring, and Analysis of Audit Logs
When deploying this control, you need to determine whether you want a quick implementation or a full configuration.
To make use of a quick implementation, try using NTP (Network Time Protocol) to monitor the system. You then can find the information you need about problems after the fact, helping you track down the source.
For a full implementation, your team members will need to set up a system through which they will review any log data for the system. They can monitor the logs for oddities and problems with the network gear, including servers, workstations, and routers.
7. Email and Web Browser Protections
User error represents the biggest threat to your cybersecurity defense plans. It just takes one end user to inadvertently or purposefully ignore your security protocols to allow malware onto the network or to place your data at risk.
When implementing this CIS Control, making use of SPF (Server Policy Framework) can cut down on spam and potentially malicious email messages. Setting up filtering processes that provide extra scrutiny on email messages that contain attachments or links also can help to prevent these potentially dangerous messages from reaching your end users.
For browser security, consider disabling all plugins. Only allow scripts to run in the browser that your security team authorizes.
8. Malware Defense
This is one of the easiest CIS Controls to understand. Simply put: Keep malware off the network.
Any cybersecurity plan you will be implementing must account for taking every precaution possible to prevent malware from entering the network. You will want to install an antivirus software package that also can prevent malware and spyware from installing itself on your network. This package should involve constant monitoring of the system for any malware.
9. Limitation and Control of Network Ports, Protocols, and Services
This control requires that your security team performs constant monitoring and management of any ports, protocols, and services that are part of your network.
Hackers may learn about vulnerable ports on certain server operating systems, and they may then attempt to exploit these items through an attack.
Make sure that you install any security patches for the server OS as quickly as possible after they become available to limit your vulnerabilities. Additionally, your team should run scans regularly on the system’s ports, protocols, and services, seeking any vulnerabilities.
10. Data Recovery Capabilities
As ransomware attacks become more frequent, your team needs to have a plan in place for data recovery.
This control requires that you have processes and tools in place that allow you to regularly back up the information that’s part of your network. It also requires that you have a plan to recover the backup data as quickly and safely as possible, so your organization can be up and running soon after an attack.
To implement this CIS Control, follow these four principles.
- Perform regular backups at least weekly.
- Run regular tests on your data restoration capabilities.
- Use encryption to protect the data as it goes to and comes from the backup source.
- Have at least one backup option that is not continuously addressable.
11. Secure Configuration for Network Devices
Through this control, you need to set up processes that protect network devices like firewalls, routers, and switches from compromise. Should any of these items suffer a compromise in a hacker attack, your entire network becomes vulnerable. Some of the ways you can secure these items include the following.
- Monitor these network devices for any deviations from normal expectations.
- Take note of any changes to the configuration rules and management files for these devices.
- Deploy two-factor authentication and encryption for your network infrastructure devices.
- If possible, give the network devices their own communication network that’s separate from the remainder of the network.
- Install any security patches for the network devices as soon as they are available.
- Isolate the computer you and your team will use to perform elevated administrative tasks on network devices. This computer should have no access to the internet.
12. Boundary Defense
Because hackers are always looking for the weakest point in the network security, they often start with the perimeter systems. It can be challenging for a security team to monitor these items successfully.
Use this CIS Control (which goes a step further than the ninth CIS Control) to detect any issues and to protect sensitive information as it travels through these systems.
You may want to create internal segmentation on the network, limiting the ability of a hacker who penetrates the perimeter systems to penetrate the full network.
Additionally, consider installing packet sniffers and IDS (intrusion detection systems) on the network at boundary points to catch any oddities or potential attacks before they can gain a foothold.
13. Data Protection
Nearly all networks contain a variety of types of data in storage, ranging from basic data to highly sensitive data. Rather than using the same level of data protection for all data you are storing, this CIS Control calls for using stricter levels of protection for more sensitive data.
By applying higher levels of protection for sensitive data, you protect your network from hackers trying to steal the data from the outside and from hackers who are trying to run internal attacks to steal sensitive data.
Consider using encryption and data tracking services on any data you label as sensitive. Deploying an automated data tracker on this sensitive data will alert you any time this data moves to a new location or whenever someone accesses the data. You then can track any unwanted intrusions.
14. Controlled Access Based on the Need to Know
Building on the 13th CIS Control, this control requires that you and your security team set up a plan for defining the processes used to monitor and protect sensitive data.
Start this process by having a policy that clearly defines basic data, highly sensitive data, and any other data classifications you want to use. Then place the sensitive data on a separate, private VLAN.
Implement ACLs (account control lists) to limit access to this sensitive data to only those network users who actually need it. You also may want to make use of RBAC (role-based access control) to provide access to sensitive data based on the job functions of your team members, rather than assigning privileges to individuals.
15. Wireless Access Control
If you are using wireless LANs, or WLANs, as part of your network, this CIS Control spells out the methods by which you can maintain the security of the wireless LAN.
- Keep your SSID (or wifi network’s name) protected by not broadcasting its name.
- Make use of TLS (Transport Layer Security) certificates to increase your security levels.
- Force users to authenticate themselves through WPA-2 Enterprise protocols.
- Limit the strength of your wireless signal broadcast, so it doesn’t go outside your building.
- Set up a guest network, keeping any visitors separate from your network and its data.
- Find a way to continuously monitor who is logging in to your wireless network.
16. Account Monitoring and Control
Through this CIS Control, you should set up a plan or system for tracking all accounts on your network. As employees leave the company, the plan should call for deactivating their network access and accounts as quickly as possible.
Additionally, it’s important that the plan spells out how to track and monitor the creation of any new accounts. Someone trying to initiate an insider attack may create a new account to perform the hack in an effort to try to remain anonymous. If you are uncertain why a new account is appearing, it requires additional scrutiny.
17. Implement a Security Awareness and Training Program
This control spells out the importance of making security a priority for the entire organization. Your security team cannot successfully perform the security measures alone. You need other members of the organization to take cybersecurity just as seriously.
Any training measures should emphasize the importance of security and the dangers of what can happen when employees try to cut corners and to skirt security protocols.
Start by assessing the experience level regarding cybersecurity for different members of the organization. Then tailor your training sessions to match the various experience levels, which will keep everyone in the training more engaged.
18. Application Software Security
Use this control to manage the software in use on the network, ensuring software packages always have the latest security patches and the greatest levels of protection.
If your organization makes use of in-house coding, it is especially important to have security standards in place. Because in-house coding doesn’t go through the same security testing as commercial software, it could have unknown vulnerabilities. Hackers, especially those involved in insider attacks, may be able to exploit these vulnerabilities without your knowledge.
19. Incident Response and Management
Developing an IRP (Incident Response Plan) is the key aspect of this CIS Control. By having a plan in place, you and your team will be able to respond to any emergencies more efficiently. Some of the steps you can follow in this control include the following.
- Either create an IRP or review the IRP you currently have in place.
- Define roles for each member of your security team through the IRP.
- Run a real-world test that forces you to see how the team performs and whether the IRP is comprehensive enough.
- Include steps that everyone should follow to report an odd incident that could be evidence of a compromised network.
20. Penetration Tests and Red Team Exercises
As part of this 20th and final CIS Control, you should run regular testing and real-world exercises that simulate network vulnerability problems and attacks.
You can run tests that only focus on the level of response and performance of your security team. You also can run organization-wide testing that determines whether employees and others using the network are following your organization’s security rules.
Some organizations will choose to run additional testing on a regular basis that searches for vulnerabilities in the network. Tests can also focus on a particular aspect of the network, such as your WLAN performance.
All testing procedures should be beneficial to your team and to your organization, as long as everyone takes the testing seriously.