Computer Services : CIS Controls, the Building Blocks of Organizational Cybersecurity

Actionable Steps that Significantly Mitigate Cyber Risk

The list of this century's biggest data breaches, which have exposed more than 4.99 billion records, reads like a corporate who's who: Yahoo, eBay, Equifax, Heartland Payment Systems, Target, TJX Companies and JPMorgan Chase all made the top ten. Equally disturbing is the fact that eight of the top 10 occurred within the last five years.

This begs the question: are we getting any better at protecting our organizations from cyberattacks? HelpNetSecurity answers with a resounding 'no': 'Organizations are not where they need to be when it comes to protecting their online ecosystems against attacks and the reality of the situation is troubling.'

But there is good news; it is possible to significantly reduce your risk of cyberattack. Using the Center for Internet Security (CIS) Controls as a framework, organizations can build and maintain a strong cybersecurity posture, even with budget and resource limitations. These controls, considered the gold standard, are purposefully designed to be both user-and budget-friendly.

What Are the CIS Controls?

According to the SANS Institute, the CIS Controls were born out of a public-private partnership that included the Department of Defense (DoD), National Security Administration (NSA), CIS and SANS. Their objective was to 'provide the same type of control-prioritization knowledge for civilian government agencies and critical infrastructure' that the NSA had developed for the DoD to help it prioritize its cybersecurity spending.

By 2015, the resulting product of this partnership was published as the CIS Controls, meant to help organizations of all types and sizes prioritize their own cybersecurity spending for maximum effect. The CIS list includes 20 controls, divided into three categories: Basic (1-6), Foundational (7-16) and Organizational (17-20).

Why Use the CIS Controls as Your Cybersecurity Framework?

There is no regulatory requirement that financial institutions adopt a certain cybersecurity framework or tool. They can choose from a variety of options, including the CIS Controls, the Federal Financial Institutions Examination Council's (FFIEC) Cybersecurity Assessment Tool and the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or a combination of available frameworks.

For a variety of reasons, many information security experts recommend the CIS Controls:

• Expert input: The CIS Controls were created and continue to be monitored by some of the world's leading cybersecurity experts from government, law enforcement and private security firms.

• Responsive: The Controls are continually updated based on the changing threat landscape. The latest version, CIS V7.1, was released in April. Among its changes, this version introduced three 'Implementation Groups,' which go further in-depth with appropriate sub-controls for organizations based on the level and sophistication of their cybersecurity resources and expertise.

• User-friendly: With each iteration, CIS refines its language to ensure the controls are concise and easy to understand and implement.

• Budget-friendly: As indicated in the press release for V7.1, the goal of the controls is to allow organizations to 'create an effective cybersecurity program on a budget,' and to 'implement security best practices, regardless of resources.'

How to Implement the CIS Controls?

For many organizations, cybersecurity has become a cumbersome patchwork of detection systems. Adopting the CIS Controls can both simplify and strengthen cybersecurity at once.

But as concise as the CIS Controls are, the task of implementing them can still be overwhelming. To combat that, start with the first six controls, completing them in order, as they build on each other. Just incorporating these Basic Controls reduces cybersecurity risk by as much as 85 percent.

CIS Basic Controls

Inventory and Control of Hardware Assets: Until organizations have a comprehensive and up-to-date inventory of all of their hardware assets, they cannot fully be cyber secure. As CIS explains, attackers are relentlessly seeking out organizations that have not secured their hardware, so that they can exploit it. Particularly vulnerable areas include:

• Installed new hardware not yet properly configured or appropriately patched

• Devices that go on and off the network, i.e., laptops and bring-your-own-devices (BYOD)

• Obsolete hardware not properly removed and disposed of

To effectively accomplish this task, CIS recommends that organizations 'utilize an active discovery tool to identify devices connected to the organization's network and update the hardware asset inventory.' Such device management software helps maintain hardware security controls, by discovering and identifying unknown devices and blocking access to the network without permission.

1. Inventory and Control of Software Assets: In addition to searching for vulnerable hardware, attackers 'continuously scan target organizations looking for vulnerable versions of software that can be remotely exploited.' The first step in protecting against this threat is conducting and maintaining a thorough inventory of all of the software installed on organizational hardware or accessible via the organizational network. Software inventory tools can automate this process.

   'Less is more' is a good rule of thumb for both hardware and software assets. Management and staff should only have access to what is necessary for them to do their jobs.

2. Continuous Vulnerability Management: The next step is continuously monitoring new information about identified hardware and software vulnerabilities and fixing them as soon as possible in order to 'minimize the window of opportunity for attackers.'

   Unfortunately, most data breaches involve a known vulnerability that an organization has failed to patch. The Equifax breach is a prime example. The credit bureau's former chief information officer admitted to Congressional investigators that, 'the whole incident could have been prevented had the company updated the vulnerable Struts system within two days of the patch's release.'

   The days when it was acceptable and even reasonable to scan and patch on a quarterly or monthly basis are history. Although continuous vulnerability management is time consuming, it is also necessary and can be facilitated through automated vulnerability scanning tools. These help you stay on a routine scanning schedule; complete patches in a timely manner, especially for critical systems; and keep detailed documentation of all scans and patches.

3. Controlled Use of Administrative Privileges: Too often, organizations provide full or significant administrative rights to general users. This allows those users to install any software they want on your hardware or unknowingly download malware. Removing administrative rights from everyone except appropriate technology staff goes a long way in limiting unnecessary and/or unapproved software from being installed, thereby limiting your vulnerability to cyberattack.

   As for those who retain administrative privileges, information security experts recommend that they have two accounts: one privileged password for system administration tasks and a non-privileged one for all other tasks, i.e., email, internet browsing, etc.

   Organizations should also evaluate C-suite privileges. Senior leaders likely have full administrative access, but, in truth, do not need it and are likely too busy to follow the two-account suggestion above. According to Verizon's 2019 Data Breach Investigations Report, cybercriminals know this and are 'increasingly and proactively' targeting executives through social engineering.

   Further, the report notes, 'A successful pretexting attack on senior executives can reap large dividends as a result of their-often unchallenged-approval authority, and privileged access into critical systems.'

4. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers: New hardware and software arrives with factory default settings, which CIS notes, 'are normally geared towards ease-of-deployment and ease-of-use-not security.' When deploying new assets, it is critical that they be reconfigured based on an organization's documented security configuration standards for things like encryption, password usage, etc.

   CIS recommends using a 'Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exemptions, and alert when unauthorized changes occur.'

Maintenance, Monitoring and Analysis of Audit Logs: The final Basic CIS Control calls on organizations to 'collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.' Otherwise, 'an attack may go unnoticed indefinitely and the particular damages done may be irreversible.' To help facilitate this task:

• Enable local logging on all systems and network devices

• Aggregate the logs into a central repository for correlation

• Routinely review and analyze them using software-it is not feasible for a human to accurately comb through hundreds of thousands of logs

CIS Controls Advance Good Cyber Hygiene

Information security experts often talk about the importance of practicing good cyber hygiene. Just as washing your hands limits the spread of the common cold, flu and other viruses, practicing good cyber hygiene limits your exposure to cyber threats. The CIS Controls provide an actionable and affordable way to incorporate such hygiene throughout your organization.

The Basic Controls are just the start. Once they have been adopted, move on to the Foundational and Organizational Controls. And remember, your cybersecurity goes beyond your own walls. Talk to functional third-party vendors to make sure they are practicing good cyber hygiene themselves and ask information security vendors what cybersecurity framework they incorporate into their solutions.

Rachael Schwartz has more than nine years of experience in advising financial firms. Prior to joining CSI, she worked with some of the largest hedge funds and private equity funds in New York City as an IT and cybersecurity consultant. In her current role at CSI, she lends her expertise to community banks, helping them maximize their technology investments and increase security while reducing their operational burdens.