Understanding CIS Security Controls: How to Implement Robust Cyber Defense

We’ve talked a lot about cyber security in our past articles – in particular, we discussed the biggest cybersecurity threats (and recommend best practices for preventing them), best practices for secure coding, and ISMS aka Information Security Management System. Now it’s time we talk about CIS controls and why they matter for any organization despite its size and domain.

The definition and the brief history behind CIS controls

The CIS controls were first developed by the U.S. National Security Agency (NSA) in response to a request from the U.S. Department of Defense (DoD). Several organizations contracted by DoD fell victims to significant data loss incidents so DoD asked for the core security controls that would help organizations protect themselves from cyber-attacks.

So in 2008, a consortium of government agencies, institutions, companies, and individuals came up with a list of basic security controls that became known as CIS security controls. Before being published, the list was shared with hundreds of IT organizations for verification and finalization. Since then, the ownership of controls was first transferred to the Council on Cyber Security (CCS) in 2013 and in 2015, to the Center for Internet Security (CIS).

According to the official definition, CIS controls are “a recommended set of actions for cyber defense that provide specific and actionable ways to thwart the most pervasive attacks”. To add to this, in 2016, Kamala D. Harris (then California Attorney General) said during her speech on the data breach that CIS controls are a minimum level of security that any organization that processes personal data should meet. 

In simple words, CIS controls are a must-have for any organization that cares about the security of its data and these controls cover the most basic security needs.

Can CIS controls replace other standards like NIST or ISO?

No, they can’t – but CIS controls facilitate the implementation of other security standards and frameworks and are cross-compatible. That means an organization must implement CIS controls to ensure basic security as a starting point. And then you can proceed to implement NIST Cybersecurity Framework, ISO 27000 series, and similar standards as well as comply with regulations like HIPAA.

Categorization of CIS controls

The list of CIS controls is updated every year and in May 2021, the latest version aka CIS controls v8 was released. While version 7 contained 20 controls, version 8 now has 18 controls since some of them were merged into one and some were deprecated. According to experts, version 8 now reflects a more modern approach to cybersecurity and is more comprehensive.

Now, it is important to note the following. In version 7, all 20 controls fell under three categories:

• Basic (1-16): key controls that every organization (despite its size and domain) should implement;
• Foundational (7-16): security best practices that are highly recommended for implementation;
• Organizational (17-20): these controls focus on people and processes involved in cybersecurity (i.e. incident management or penetration testing).

Since all organizations differ in size and resources, it’s clear that some will have more difficulties with implementing the needed controls than others. Thus, CIS defined three implementation groups that categorize organizations and help them understand what controls should be implemented and how. These groups are:

• Implementation group 1: small and mid-sized businesses (family businesses, startups) that have limited resources and expertise in terms of cybersecurity.
• Implementation group 2: mid-sized and big organizations with moderate resources and expertise in terms of cybersecurity. Includes organizations that are outside the IT sector and established businesses.
• Implementation group 3: mature big companies with extensive resources and expertise in terms of cybersecurity.

Changes in the categorization of CIS controls v8

As you can see, CIS is very flexible when adapting its practices for the needs of every organization. For example, if we look at control 1 (Inventory and Control of Hardware Assets), it includes several recommended actions and all of them are divided by the corresponding implementation groups.

In version 8, however, controls are no longer categorized as basic, foundational, and organizational. Instead, they now fall under the IG1 (Implementation Group 1) and IG2 categories. IG1 contains almost all controls (except for 13, 16, and 18) and they are considered the basic cybersecurity hygiene controls for any organization.

The list of CIS controls in version 8

For you to clearly understand what areas CIS controls cover and what they focus on, we list down all controls of the latest version 8.

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data protection
4. Secure Configuration of Enterprise Assets and Software
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

How to implement CIS controls

Even though the implementation of CIS security controls will be different for every organization, CIS defined several main steps that can help you get started and are applicable to any company. For more details, please see the official documentation by CIS on all controls and the best ways to implement them for each Implementation Group.

Know and understand your environment

The first two CIS controls are “Inventory and Control of Enterprise Assets” (1) and “Inventory and Control of Software Assets” (2). These controls perfectly reflect the “know your environment” concept.

As CIS put it, in order to set up efficient protection, you need to have a clear understanding of what exactly you are going to protect. Therefore, before implementing any security practices, you’ll have to do a bit of “inventory” aka:

• Know what’s connected to your environment: identify and take an inventory of the data that your organization processes and stores.
• Know which devices are connected to your network in order to validate them and ensure there are no possible weak areas. For device identification, you can use a network scanner and you can also use a device tracker to always keep an eye on the connected devices.
• Know your software: you’ll need to assemble a full inventory of all apps that run on your system. You will also need to identify all external services that your employees might use.
• Configure the levels of access and admin rights.

As you can see, the first step towards better security is identifying and validating all used hardware and software. While it may sound mundane, it is an absolute must if you want to solidify your current state of cybersecurity.

Protect your assets

The next step is quite comprehensive and involves many steps, directed at protecting both your network and educating employees on cybersecurity. Almost all controls fall under this stage and all of them are aimed at helping you create a more secure environment.

Here are several recommended practices to follow:

• Timely apply necessary configuration changes;
• Always update your software and regularly implement security patches;
• Enable multi-factor authentication and ensure all users use strong passwords;
• Use encryption for both software and hardware;
• Educate your employees on cybersecurity and ensure they understand it;
• Limit user access and constantly control it.

Of course, this is a rather general list of actions to take – if you check the list of CIS controls, you will get more specific guidelines on recommended actions.

Prepare your organization

Once you’ve set up a robust security foundation, you can come up with a list of actions to take in case an incident occurs. That means you need to think about a response and recovery strategy so you can get back on track as soon as possible.

The first thing to take into account is managing your backups. You need to make sure that the backups are completed and tested and that all critical files are backed up. It is recommended to perform weekly backups if possible. As well, try placing at least one backup destination outside of the network – in case of a ransomware attack, you will still maintain access to it since it won’t be accessible through the network.

Second, you need to have a detailed plan that will outline how to act in case an incident happens. This includes defining roles and responsibilities (i.e. who will serve as a lead and who should be contacted first), preparing a list of external contacts (i.e. insurance agents, legal counsels), and getting ready to contact an IT consultant in case your own knowledge and skills are not enough.

Summing up

The implementation of CIS controls will solely depend on your organization and available resources so you need to familiarize yourself with the list of controls and figure out the best ways to implement them. As you can see, all CIS controls cover the basic cybersecurity aspects and do not require excessive resources or expertise. But their implementation can significantly reduce the risk of attacks and establish the first level of defense that most organizations tend to overlook.