The Top 20 Cybersecurity Controls: How Many are in Your Security Toolkit?
When it comes to staying up-to-date on cybersecurity compliance requirements, technology trends and best practices, do you find yourself in information overload? It’s no small task to keep on top of the onslaught of data from all directions: regulatory agencies, industry organizations, cyber news reports, solution vendors and more.
But there are some organizations that help cut through the clutter. Two organizations with content from which you can benefit: The Center for Internet Security (CIS) and the SANS Institute. Both are non-profit associations consisting of a collaborative, global community of experienced IT professionals with the mission of providing actionable tools to safeguard private and public organizations against cyberthreats. The CIS is best known for its Controls and Benchmark guidelines, while SANS is a leading source for information security training worldwide, including a number of resources geared toward the implementation of CIS Controls.
These controls—sometimes referred to as the “Top 20”—are a set of prioritized actions that serve as a guide for protecting organizations from known cyberattack vectors. In addition, the controls align with compliance frameworks such as NIST, PCI, ISO, HIPAA, COBIT and others.
The First Five are Fundamental Building Blocks
Research has shown that implementing the “first five” controls are the most fundamental to effectively defending against 85% of attacks that threaten your organization. So, if you’re looking to get more ROI from your security priorities, consider going back to the basics by reviewing these critical controls:
- Inventory all Authorized and Unauthorized Devices
- Inventory all Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
Priority One: Inventory All Authorized and Unauthorized Devices
Let’s take a deeper dive into this first action, which provides a baseline of what must be defended. The CIS states that the inventory process should be as comprehensive and accurate as possible. Given the number of unmanaged and connected devices that have significantly overtaken traditional smart endpoints—especially within industries such as Healthcare, Financial Services, Industrial Controls and Manufacture—this is an exceptionally critical control. It’s essential that you have the ability to discover, identify and monitor all IoT endpoints, particularly when they are being deployed outside your traditional IT channels and management software. After all, you cannot secure a device if you cannot see it. And in fact, many InfoSec teams are not aware of IoT devices on their network. Imagine the risks when there are thousands of endpoints without any protection from botnets, ransomware and other malicious attacks.
In order to achieve a complete inventory of all managed and unmanaged assets, consider these best practices:
- Discover: Automatically identify and locate every connected device regardless of type. This includes the ability to see traditional endpoints, such as laptops, tablets and printers, as well as unmanaged IoT devices such as sensors, IP cameras, heart monitors, infusion pumps and more.
- Profile: Create a detailed identity for each device, including what it is, its expected behavior, location and access authorization.
- Monitor: Track activity in real time to maintain an accurate view of all connected devices, including profile changes, abnormal behavior, new devices and location.
- Authenticate: Enforce access policies, prevent unauthorized devices from joining a network and disable access based on abnormal behavior.
- Manage: Monitor this inventory by building and maintaining a single, automated database. Transition from manual processes or multiple discovery tools to streamline audits.
The initial goal of the first CIS Control is not to prevent attackers from joining the network, as much as it is to understand what is on the network so it can be defended. With the first control accomplished, you’ll be ready to move on to controls two through five—and rest easier knowing you’re following best practices for safeguarding your organization from cyberthreats.
Still looking for more information? Check out the on-demand webinar, What's On Your Network, to get four steps to deliver a practical, resilient and scalable endpoint security strategy.