How to Address Security Compliance Shortfalls Using the CIS Top 20 (Part 3: Organizational Controls)
Cyber security, and by extension security compliance, isn’t just about having the right tools. Nor is it only the concern of dedicated security teams or IT in general. True security and compliance are organization-wide efforts and they tie together proven tools with sound processes and an engaged, vigilant user base. Without all of these different elements working in concert, an organization can’t claim to be either secure or meaningfully compliant.
The Center for Internet Security (CIS) Top 20 Controls are an excellent starting point for any organization looking to strengthen its security posture or move toward compliance with regulations such as GDPR or the California Consumer Privacy Act. So far this summer, with the help of the Arraya Cyber Team (ACT), we’ve covered the first 16 controls on CIS’s list. In our first post in this series, we looked at the Basic Controls (1-6). After that, we moved into the Foundational Controls (7-16). That brings us to the subject of this, our final post in our CIS series, the Organizational Controls (17-20).
The Organizational Controls differ from the earlier levels in that they are less technically-oriented. Instead, controls 17-20 are meant to complete that ideal, holistic approach we described earlier. The following controls emphasize people and process as well as the role in which entire organizations must play in security and compliance.
CIS Control #17: Implement a Security Awareness and Training Program
What it means: Plenty of organizations boast that their people are their greatest asset. They are, of course, also their greatest liability from a cyber security perspective. Think of a financial analyst who falls victim to a phishing scheme or the member of the app dev team who fails to properly identify or address a security vulnerability early on in the development process. Cyber criminals are aware of the fallibility of their fellow humans and are keen to try to exploit it. They’ve refined their tactics to ruthlessly target these weak points, forcing businesses to adjust accordingly.
Where to start: Security starts with awareness. Generating awareness requires implementing an ongoing educational program that instructs users about, and tests their ability to act in accordance with, proven security best practices. As part of their training, users should be made aware of how to:
- identify warning signs that an email or message may not be from a legitimate source
- properly store, transfer, and delete sensitive data
- avoid accidental security exposures (e.g., something as basic as relying on autocomplete when entering a recipient’s email address)
- recognize warning signs of unfolding cyber security incident and where to turn for help
- craft secure passwords and the importance of backing them up with techniques such as multi factor authentication
CIS Control #18: Application Software Security
What it means: Applications are an essential part of most modern workdays. Those tools, much like the people who use them, also have become a favorite target of cyber criminals. Attackers hone in on app construction vulnerabilities such as coding errors, logical inconsistencies, etc. Information on these vulnerabilities and how to exploit them has become common knowledge in certain circles, making this attack vector easier and thus more frequently attempted. While criminals may have ready access to this knowledge, defenders may often be left in the dark as apps often fall outside of the purview of scanning utilities. One final note on this issue, risk exists for apps designed and built in-house as well as those purchased from an outside supplier. The risk is lessened for apps purchased from large, industry-leaders due to rigorous testing and routine updates, but not fully eliminated.
Where to start: As was outlined in the previous section regarding CIS Control #17, humans are not perfect. That inherent imperfection will inevitably come through, even in the work of the best app dev teams. How can organizations respond? For software solutions designed and built in-house or purchased from a third party, an organization must be committed to making security part of the long-term lifecycle of that technology. Plans must be made to thoroughly test these solutions when possible as well as to swiftly execute any necessary updates or patches.
CIS Control #19: Incident Response and Management
What it means: Cyber attacks happen. Unfortunately, they’re an ongoing reality that all organizations must face. While resources should always be devoted to prevention, organizations can’t overlook the other piece of the equation: how to respond when an incident occurs. The chaotic moments after an attack is discovered is the worst time to try to outline a strategic response. Furthermore, a lack of a tuned and ready response strategy can afford attackers extra time and space in which to work, amplifying the severity of the attack or the volume of impacted data. It can also complicate remediation as well as clean-up efforts after the fact.
Where to start: Organizations will want to make sure they have an incident response game plan close at hand. This should include designating key roles like, for example, who will be tasked over overseeing and coordinating the totality of response efforts as well departmental offshoots responsible for managing their individual focus areas. Backups should be designated for all roles in order to keep a response effort from being derailed by an unfortunately timed vacation or sick day. Also, the various phases and steps that will be taken should be outlined and organized, starting with the discovery of an incident and carrying on through the elimination of the threat. It’s also important to preemptively gather and make accessible any necessary third party contact information – law enforcement, vendors, PR firms, cyber insurance carrier, etc. Lastly, end users should understand what to do and who to turn to if they believe they’ve spotted a possible red flag.
CIS Control #20: Penetration Tests and Red Team Exercises
What it means: A defensive scheme might look good on the page, but on paper and in practice are two totally different worlds. Organizations need to be confident that a response effort will be up to the task when, not if, an attack happens. Additionally, they must do their best to get out in front of attackers, catching and addressing weak points before the bad guys have a chance to do so. These information-finding endeavors should look for more than technological exposure, hunting for preparedness gaps among the people and processes in an environment as well.
Where to start: Penetration tests are a great way to weed out gaps in a cyber security posture. They function as a controlled attack, asking usually third party testers to assume the role of cyber criminals. Using real world tactics and motivations, testers will put an environment through the ringer in the hopes of exposing risks. A full pen test of an entire environment might be too big of an ask for an organization with limited resources or exposure. Instead, an organization may choose to put its people to the test by working with an outside firm to conduct a faux phishing campaign or table top exercise. The idea remains to look for ways to see an environment from the other side and make any corrections this picture reveals.
Next Steps: Better security through the CIS Top 20 – and beyond
This concludes our trek through the CIS Top 20 Controls. Even over the course of three posts, we’ve still only managed to scratch the surface of what’s covered by these controls and how organizations can use them to build and evolve their program. If you’d like to cover the CIS Top 20, or another framework, in greater detail, Arraya’s Cyber Team can help. Our experts can guide you through the nuances of compliance frameworks such as the CIS Top 20 and help you accurately interpret them to your unique use case.
Visit https://www.arrayasolutions.com/contact-us/ to connect with our team.
Follow us to stay up to date on our industry insights and unique IT learning opportunities.