How to Address Security Compliance Shortfalls Using the CIS Top 20 (Part 1: Basic Controls)
Those in fields such as healthcare and financial services are no strangers to finding ways to live in harmony with data privacy and cyber security regulations. However, with the passage of statutes like GDPR and the California Consumer Privacy Act, those headaches are now being felt more acutely across all industries. What’s more, they’re also being shared up and down supply chains, sending vendors of all sizes in search of relief.
Regulatory compliance looks different from industry to industry. While the specific provisions vary, there are some general tools organizations can use, and tweak, to get closer to their goals. One option comes from the Center for Internet Security (CIS). The CIS Top 20 Controls list provides a compliance framework organizations can use to gauge their adherence to cyber security and data privacy best practices as well as their readiness to defend against some of the most common attack vectors.
CIS’s list is divided into three subgroups – Basic CIS Controls (1-6), Foundational CIS Controls (7-16) and Organizational CIS Controls (17-20). Rather than try to tackle all 20 of these controls in one sprawling post, we decided to devote a single post to each of those subgroups, starting with the Basic CIS Controls. We’ll also cover how Arraya’s security team can help bring CIS compliance within reach and expand those principles to address more industry-specific concerns.
CIS Control #1: Inventory and Control of Hardware Assets
What it means: Hardware can be a pretty substantial blind spot and not just in terms of the solutions that permanently call an organization’s network home. BYOD programs that allow smart phones, tablets, or laptops to travel in and out of a network represent a juicy target for attackers on the watch for an easy in. As for those rooted in a data center, solutions left unpatched or new deployments that haven’t been properly configured are also at risk. The onus is on organizations to understand what hardware is on their network, track what it does and regulate its access.
Where to start: IT must map out an organization’s hardware footprint. According to CIS, this should include any asset capable of processing or storing data, whether it stays on the network or not. Additionally, IT should include hardware that the organization controls even if it doesn’t connect to the internet as these can still provide a foothold for cyber crooks already inside a system. A process should be created to deal with any unexpected network occupants, e.g., booting them from the network, quarantining and attempting to validate them, and/or updating the inventory. Depending on the size and maturity of an organization, it may be possible to do this manually or by leveraging active/passive discovery solutions. Processes should be enacted to make this a living document that is updated as an environment grows.
CIS Control #2: Inventory and Control of Software Assets
What it means: Hackers are also fond of using software to let themselves into an organization’s network. They typically do this using a few different tactics. Many will scan for and exploit unpatched or no-longer-supported software solutions. Others will blindside organizations through the use of zero day vulnerabilities. In other cases, attackers will use vectors like email or compromised websites to install malicious software inside an organization’s perimeter. In each of these cases, software is used to create a backdoor into a network and through which attackers can funnel sensitive corporate data.
Where to start: IT should start by compiling a catalog of all software instances installed on their network and, again, implement a process to keep this document up to date. Those authorized for business purposes should be noted as should those still receiving regular updates from their developer. Any that don’t fall under both of those labels should be looked at more closely. Wherever possible, plans should be made to modernize away from any that aren’t authorized or don’t provide meaningful value. More mature organizations should automate this process, using a software inventory system to discover and record details such as software version number, publisher, and its install date. Whitelisting can also be used to restrict the use of software within a network (Note: These capabilities may already be built in to an existing security solution and may just need to be turned on.).
CIS Control #3: Continuous Vulnerability Management
What it means: Information is everything in cyber security. The best way to stay safe is with a constant flow of advisories and bulletins to inform decisions. Patches and updates also fall under this umbrella. Organizations need to stay in the loop about what their vendors and developers are doing to improve their own offerings. Another element of this is threat and vulnerability scanning. Organizations should keep a weather eye out for the threats attempting to breach their perimeter as well as any gaps that exist with those defenses. All of this data can keep organizations from being caught flat-footed.
Where to start: Organizations should put a procedure in place prioritizing patches and updates. Operating system and software patches and updates are easy to shift to the back burner in favor of more pressing projects, but the risk of doing so is great. If possible, these processes should be automated – or entrusted to a managed services provider. Additionally, more mature organizations should expand automation to include vulnerability scanning. The results of these scans should be compared against earlier iterations to gauge the effectiveness of remediation efforts, giving IT access to even more valuable data. Software and hardware assets discovered should be compared to current inventories to assist in keeping the inventory accurate.
CIS Control #4: Controlled Use of Administrative Privileges
What it means: Cyber criminals eager to secure access to “the keys to the kingdom” know to set their sights on administrative privileges. With this kind of access, criminals can increase their reach and the scope and severity of their attack. Attackers favor a few tactics to try to gain access to administrative privileges. The first is to set a trap – either in the form of a malicious email attachment, download or website – and tricking an admin into engaging with it. They may also try a more direct approach: breaking into an admin account, usually due to a weak or repeatedly-used password. Properly protecting administrative accounts and privileges can help keep a breach from getting out of hand should one occur.
Where to start: New deployments represent new opportunities for cyber criminals. IT pros should change any default passwords on new solutions to something more fitting, particularly in the case of administrative credentials. Additionally, administrative activities should be restricted to dedicated accounts. Administrators should use separate, user-level accounts for any non-managerial tasks, e.g., answering or sending emails. From there, organizations should also audit their running processes in search of any instances of administrative accounts being used for more mundane tasks. Some level of this may be acceptable and even necessary, however, routine usage should be stopped.
CIS Control #5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
What it means: Tools like mobile devices, laptops and workstations are all typically designed with something other than security in mind. This is evident in default operating system or application configurations that make a device very usable right of out the box. Little regard is usually given to securing open services and ports, implementing modern protocols, or requiring password resets. Meanwhile, built-in applications allow manufacturers to force potentially unnecessary and unsafe pet technologies into the hands of end users. Even if a product comes off the production line with security ingrained in its DNA, it can fall on individual users to keep their devices updated and to avoid inadvertently compromising them in any way.
Where to start: Once again, the first steps toward compliance involve documentation. Admins should gather together the base security configuration standards for any operating systems and/or software solutions their users leverage (Note: Both CIS and the National Institute of Standards and Technology offer pre-baked tools organizations can use to avoid building out this document from scratch). These tools can be modified to suit the needs of a given organization or the demands of an industry. Adjustments should be documented to ensure consistency within an environment and in case of any future audits.
CIS Control #6: Maintenance, Monitoring and Analysis of Audit Logs
What it means: Security logs are a treasure trove of insights. They can alert organizations during the early stages of an attack, giving in-house security teams a chance to respond before a situation snowballs. Once an incident has been thwarted or contained, security logs provide a real time account of exactly what happened. They can show how attackers got in and what they did while inside. Without these details, security teams may be left guessing as to whether or not they truly eradicated the threat from their network. Too often, however, logs become an afterthought if they are even saved and reviewed at all. Instead, attackers’ actions are left uninvestigated or worse, unnoticed.
Where to start: The simplest and most effective place to start is by ensuring activity logging is occurring throughout the organizational network. This should be an easy bar to clear as logging comes standard with many of the technologies organizations may have already deployed. It may only need to be turned on if it isn’t already. From there, IT will want to consider having those logs feed into a centralized spot where they can be easily accessed and regularly reviewed. At this point, larger organizations may want to consider incorporating a security information and event management (SIEM) solution as well as enlisting the help of a trusted technology partner to help analyze the resulting data.
Next Steps: Furthering your journey through the CIS Top 20 Controls
Incredibly, this really only scratches the surface of what’s covered under the first six items on the CIS Top 20 Controls list. In our next post on the subject, we’ll go into the Foundational CIS Controls (numbered 7 through 16).
Want a proper deep dive into the CIS Top 20 Controls or another framework you can use to help your organization begin or further its compliance journey? Arraya’s Cyber Team can help. Our experts can not only walk you through these various compliance frameworks, but they can help you accurately interpret them to your unique use case.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.