How to Address Security Compliance Shortfalls Using the CIS Top 20 (Part 2: Foundational Controls)
Security and compliance may not be one and the same, however, the Center for Internet Security (CIS) Top 20 Controls can substantially help organizations achieve both. Strict adherence to CIS’s nearly two dozen cyber security best practices can help organizations ready their defenses for the worst today’s cyber criminals can muster. Additionally, the controls can act as guardrails, keeping followers on the straight and narrow toward staying compliant with hot-button statutes such as GDPR and the California Consumer Privacy Act.
In a blog post from earlier this summer, we detailed the points covered under the first six, or basic level, CIS controls. With the help of experts from the Arraya Cyber Team (ACT), we also outlined some ways in which organizations could begin putting the basic CIS controls to work for them. There’s plenty more to cover and learn from regarding CIS’s guidelines. Let’s move on to controls 7-16, or as they’re also known: the Foundational CIS Controls.
CIS Control #7: Email and Web Browser Protections
What it means: Cyber crooks love email and web browsers. Their targets use these tools throughout the day so opportunity isn’t an issue. All they have to do is trick a user to engage with a malicious webpage or email and they’ve gotten exceptionally good at both. A single stray click from an unsuspecting user can open a ton of doors to attackers.
Where to start: Users can’t engage with what they can’t access and Domain Name System (DNS) filtering tools can essentially wall off known malicious sites. Furthermore, be sure teams are only using the latest and most up to date version of organization-approved email clients and browsers. Doing so makes life easier on IT teams by minimizing the variables they need to support while making life harder on hackers by taking away easily-exploitable known vulnerabilities. This forces them to contend with cutting edge security features.
CIS Control #8: Malware Defenses
What it means: Modern malware can take many forms, making it particularly challenging to defend against. Sometimes it’s designed to lock down systems for ransom, while other times its motivations are more destructive. Some strains prefer stealth, while others seek to facilitate their goals by launching a direct assault on defensive tools. Potential entry points are just as diverse, ranging from email, malicious websites, compromised devices and more.
Where to start: Knowledge and experience are both important tools in the fight against malware. Organizations must prioritize keeping their anti-malware solutions updated. This ensures these solutions are prepared to sniff out the latest threats by continuously drawing on up-to-date vendor insights regarding threat signatures, behavior, etc. An often overlooked baseline step? Flash drives, external hard drives and other forms of removable media should be subject to an anti-malware scan as soon as they’re connected to a network device. They should also be blocked from auto-running any type of content. These steps can cut off another favorite attack vector.
CIS Control #9: Limitation and Control of Network Ports, Protocols, and Services
What it means: Junkware isn’t just a nuisance, it can be a legitimate cyber security hazard. New software solutions often come prepacked with a variety of secondary functions and tools, frequently of dubious value. What’s worse is that these freeloaders may be set to activate themselves while leaving both user and admin alike in the dark. Unfortunately, cyber criminals are all-too-aware of these and other, similar backdoors (poorly configured web servers, faulty email servers, etc.) and are more than happy to exploit them.
Where to start: Firewalls and port-filtering tools can help reduce unwanted traffic moving across the corporate network. These tools can be set to automatically reject any traffic not signed off on by administrators. This can help seal up backdoors, no matter if they stem from misconfigurations or if they opened up by following in the wake of some other, more important, solution. Port-scanning tools can also be used to catalog expected traffic and identify any unwelcomed surprises.
CIS Control #10: Data Recovery Capabilities
What it means: A cyber security incident can leave data inaccessible or potentially compromised in some way. Organizations need to be able to return to their pre-incident state quickly and efficiently. Furthermore, they must be confident that things are exactly as they were previously and that the threat has been effectively contained and vanquished.
Where to start: Full, system-wide backups need to be scheduled to take place on a regular basis. These should include all parts of an organization’s mission critical data and environment. Backups should be executed automatically, relieving time-strapped admins from having to find time in their already-packed workdays. These backups should also be directed to diverse homes, e.g., both online and off, to ensure continued accessibility across a range of possible worst case scenarios. Lastly, wherever they live, backups should be encrypted at rest and in motion to add an extra layer of security.
CIS Control #11: Secure Configuration for Network Devices, Such as Firewalls, Routers, and Switches
What it means: Firewalls, routers and switches are all foundational parts of the organizational network. The out-of-box configuration for these solutions isn’t typically meant to emphasize security. Instead, the focus is usually on making them as admin-friendly as possible. This leads to things like weak default passwords, open ports, and support for outdated technologies – all factors that can make network technology vulnerable to attack.
Where to start: Working alongside a subject matter expert can make sure that devices are configured in a way that emphasizes security as well as usability right out of box. As optimal configurations evolve over time, admins – or a managed services partner – must be ready to regularly review and reset if necessary. This includes deploying the latest patches and security updates.
CIS Control #12: Boundary Defense
What it means: Cyber attacks often start at the network edge, targeting internet-connected laptop and workstations. Once they’ve managed to establish that initial network foothold, attackers may then begin burrowing deeper, in pursuit of high-value targets. Attackers may also pivot, turning their attention instead to a compromised organization’s business partners. Say, for example, an impacted organization is a key vendor for a much larger corporation. In this instance, cyber crooks may begin looking for ways to leverage the breached vendor against the more desirable target.
Where to start: It sounds simple enough, however, organizations need to understand just where their network borders lie. It’s impossible to defend what isn’t defined. An inventory should be created and kept updated in order to bring an organization’s boundaries into sharp relief. Additionally, organizations will need a way to closely monitor and restrict the flow of traffic across their borders. This can be done by blocking any and all unauthorized TCP or UDP traffic to ensure the only data coming and going from a network is meant to be doing so.
CIS Control #13: Data Protection
What it means: To put it mildly, data is everywhere in some organizations. In worst case scenarios, sensitive data may be stored right alongside publicly available information. Anyone, from any level of the organization, may be able to access that critically important data, even if it’s something that should fall well beyond their paygrade. Loose, or even non-existent, data protection policies can not only allow cyber criminals to gain access to sensitive data, but empower them to take that data with them when they decide to pull up stakes.
Where to start: As is so often the case, it helps for an organization to know what sensitive data it is storing, where it lives, and even who has access to it. Cataloging these items will make it far easier for an organization to begin properly defending its mission critical information. Any sensitive data not regularly accessed via the network should be moved off it, into a more secure residence. Doing so won’t interrupt anyone’s regular work functions and it can help prevent the wrong people from stumbling upon that data. Finally, encryption should be part of every organization’s approach to data storage, including on mobile devices.
CIS Control #14: Controlled Access Based on the Need to Know
What it means: It sounds simple enough but access to critical data or systems shouldn’t be issued in blanket fashion. Instead, it should be doled out on a case-by-case basis, specifically to those whose job functions depend upon that level of access. The same basic idea is true for the entry points and devices used to gain access to a key resource.
Where to start: Admins need to audit data and resource access across their organizations. Care should be taken to remove access privileges to a data set or a technology from those for whom it is not an essential part of their job. Access control lists can be used to define who and what devices are able to reach file shares, specific applications, or any other part of the network that doesn’t benefit from having a universal audience.
CIS Control #15: Wireless Access Control
What it means: Wireless access has become almost indispensable to the average workday. At the same time, it can also be a significant cyber security liability. By their very nature, wireless routers can be exploited by cyber criminals to gain access to a company’s data without ever stepping foot in a building. Additionally, business travelers leveraging, say a company laptop connected to airport Wi-Fi, can bring home a souvenir in the form of a nasty malware infection. Once reconnected to the corporate network, that malware can wreak havoc.
Where to start: Not all wireless-connectable devices are equal, nor should they be treated as such. Instead, a separate, untrusted wireless network should be created for devices that fall outside of an organization’s strict security controls, e.g., personal smart phones or tablets. Company-issued and managed devices like laptops should be allowed to inhabit their own wireless network. Tight controls should be developed and enforced restricting what can be accessed via that untrusted network. Additionally, encryption standards should always be applied to data on the corporate network, whether it’s on the go or at rest.
CIS Control #16: Account Monitoring and Control
What it means: Contractors and employees may come and go but their user accounts? Sometimes those tend to linger. Dormant user accounts are very appealing for hackers as they can add an air of false credibility to their nefarious movements while providing a nice entry point to a system. This attack style isn’t only exploitable by outsiders looking in. Those who were once inside – like say a recently terminated employee or a contractor whose contract just ended – may also seek to re-access their still-active old accounts for their own gain.
Where to start: Admins should take an inventory of the user accounts currently inhabiting their network. Any that can’t be tied to a specific, active user or a clear business purpose should be disabled to prevent any malicious takeovers. From there, accounts should be set to automatically deactivate after predetermined period of inactivity. Workstations should also be set to lock themselves if they sit unused for a given length of time. All of these steps can reduce opportunities for attackers.
Next Steps: Security through compliance – Leveraging the CIS Top 20 Controls
We’ve now covered 16 of the CIS Top 20 Controls. Our next post will look at the final four, or as CIS refers to them, the organizational level controls. Want a more in-depth discussion of the CIS Top 20 Controls and how they can help your organization refine its security posture? Need an assist with diving into another framework you can use to help your organization begin or further its compliance journey? Arraya’s Cyber Team can help. Our experts can not only walk you through these various compliance frameworks, but they can help you accurately interpret them to your unique use case.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.