With the changing tech landscape, v8 of CIS critical security controls presents a more consolidated approach that replaced CIS Top 20 released a while ago. This topic explores CIS 20 vs CIS 18 controls and what each of the controls is and why are these required. The newer release is known under various names such as CIS top 20 v8, CSC v8, CIS 8 controls.
What do CIS controls stand for?
CIS controls stand for Center for Internet Security Controls (previously known as the SANS Top 20 Critical Security Controls) is the best practices guidelines to combat cybercriminals malicious actions and attack vectors wandering inside the Internet sphere.
Initially, it was designed by the global cyber defenders, leaders and experts of the security industry. They are based on real-world scenarios for effective risk management and regularly update the attack trends, critical security vulnerabilities and human errors.
Center for Internet Security
The CIS Controls (formerly known as Critical Security Controls) are a recommended set of cyber defence actions that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks. CIS is a non-profit organisation developing cyber defence hygiene and best practices to secure and resilient cybersphere.
The CIS critical security controls do not ensure immunity to cyberattacks, but they considerably affect the security controls through standard measures and cyber protection layers. CIS controls are not the necessary standard to follow, nor does it compete with anyone; it is an effort to create a safe cyber realm against the security weaknesses of every business.
On May 18, 2021, the CIS launched the new version of CIS control named- CIS v8 at the global RSA conference. Implementing CIS critical security controls into the business and IT strategy can significantly impact organisational growth as well as helps to protect from common yet most occurring cyberattacks, boosting cyber defence.
What are the latest CIS controls v8?
CIS controls v8 strengthen the list by activities rather than classifying who manages the devices. Physical boundaries, devices and discrete islands of security implementation are less critical with the changing tech landscape, and these elements have been reflected in the CIS essential controls of security v8 release.
CSC 1: Inventory and Control of Enterprise Assets
What is it?
The first CIS critical security control requires the appropriate management and inventory of all assets associated with the enterprise. This includes end-user hardware devices, network appliances, IoT devices, servers, systems, portable devices, etc., connected to the infrastructure either physically, virtually or remotely and those present in the cloud environment.
Attackers are always geared up to break into the organisation’s network and assets to create cyber damage. The accurate inventory is required to keep track of all assets records and issues to monitor, protect, and prevent unauthorised access to enterprise assets or networks.
Why is it required?
Without updated inventory and constant monitoring, it is a massive challenge for an enterprise to track suspicious behaviour, access, and traffic coming to them. An inventory record is also necessary for vulnerability and releases patches updates.
What are the relevant areas, tools or procedures?
–Assets discovery tools
-Regular monitoring and audit
CSC 2: Inventory and Control of Software Asset
What is it?
Like the first CIS control, this control requires active management such as the operating systems and installed applications on the network, servers, systems, etc.
Why is it required?
For robust security, it is vital to keep print and analyse the software asset to ensure no unauthorised software can be installed or executed on the enterprise network. Organisations need to trace software assets and have a mechanism to prevent unauthorised software execution.
What are the relevant tools and procedures?
-Regular monitoring and audit
-SIEM solutions
-IDS
CSC 3: Data Protection
What is it?
This control mandates the organisation implement security measures to develop technical competencies to identify, classify, retain, dispose, and securely handle the data.
Why is it important?
Data is the most integral and critical asset of any enterprise and needs to be protected at any cost. Leaked data can penalise the organisation and play a significant role in losing customers or users’ trust.
What are the relevant tools and procedures?
-United Kingdom GDPR compliance regulations
-Data tracking tools
CSC 4: Secure Configurations of enterprise assets and software
What is it?
The fourth CIS control addresses the enterprise assets and software contributing to the infrastructure foundation. These include network devices, hardware or software firewalls, routers, switches and other devices protection with secure configuration. It emphasises hardening the assets with relevant security computations.
Why is it important?
Often enterprises utilise the products in their environment with the default configuration that comes by the manufacturers. Open ports, default admin and account passwords are the elements that attract attackers to compromise the assets with little effort.
What are the relevant tools and procedures?
-Following security standards for secure configuration
CSC 5: Account Management
What is it?
With this control, organisations are expected to have policies to manage accounts. It includes keeping track of account activity, account creation, etc.
Why is it required?
Unmanaged and open accounts are like a green signal for cybercriminals to hack. The enterprises need to execute processes and tools to manage the authorisation of credentials. Besides this, they must assign the relevant access to users, services and administrative accounts.
What are relevant tools and procedures?
-Implement multi-factor authentication
-Deploy policy for account lifecycle
CSC 6: Access Control Management
What is it?
Apart from account management, this control emphasises having relevant measurements such as the least privilege rule on user access rights to maintain employees or user access as well as reduce the attack surface.
Why is it required?
The enterprises must ensure the right technology and processes are in place to create, assign, manage and revoke access credentials for enterprise assets and software and privileges for a user, administrator and service accounts to keep track of how users are utilising their privileged access. Minimising the internal attack surface is necessary because you never know which user misuses the access rights. In addition, access controls limit the attacker’s access if he successfully compromises any user account.
What are the relevant tools and procedures?
-Implement access control mechanisms such as RBAC, ABAC, etc.
CSC 7: Continuous Vulnerability Management
What is it?
Continuous vulnerability management means implementing necessary security controls that help organisations manage information security threats promptly according to the vulnerability severity. With this control, CIS directs the enterprise to have relevant security technologies and processes that facilitate them in detecting, scanning and prioritising the information security weaknesses.
Why is it required?
The organisation needs to continuously look for vulnerabilities on all enterprise systems and technologies operating within the internal and external environment to timely patch and remediate them. The unpatched vulnerability allows the attacker to penetrate the network and infrastructure, having multiple and consequential effects.
What are relevant tools and procedures?
-SEIM solution
-Regular vulnerability assessment
CSC 8: Audit Log Management
What is it?
Similar to vulnerability management, auditing the log and managing them is necessary for CIS control. This requires having an appropriate log surveillance environment in place to encounter suspicious behaviour.
Why is it required?
Auditing the logs plays a vital role for enterprises in keeping track of system logs and collecting all alerts to review the records to detect malicious traffic that could signify a security attack.
What are relevant roles and procedures?
-Firewalls
-SEIM solution
CSC 9: Email and Web Browser Protections
What is it?
This control directs to enhance the email and web-browsers security to reduce the attack surface and risks.
Why is it required?
Insecure web browsers and emails render multiple opportunities for cybercriminals by tricking the user through social engineering phishing emails. Organisations need to have appropriate mechanisms or solutions to filter out suspicious emails and web traffic.
What are relevant tools and procedures?
-Use an updated browser
-Implement domain-based authentication, DMARC policy
CSC 10: Malware Defense
What is it?
This CIS control address the enterprises to have a defence mechanism to prevent the spread of malware or any other related harmful thing. This includes malware defences to scan, deter and detect the malicious software while upgrading the defences where applicable.
Why is it required?
Attackers often target the network to steal information through malware and malicious attachment, links, etc. The enterprise needs to execute a mechanism to defend against malware.
What are relevant security tools and procedures?
-Install anti-malware, antivirus and anti-spyware
-Deploy Intrusion detection system (IDS)
CSC 11: Data Recovery
What is it?
This control mandates the organisations to have proven methodologies for data recovery processes to avoid data loss in case of mishaps or cyber incidents.
Why is it required?
All enterprises, regardless of their size, with the CIS control no. 11, need data recovery practices. Having a proven data recovery plan can minimise downtime and boost their data restoration process.
What are tools and procedures?
-Implement a backup mechanism
CSC 12: Network Infrastructure Management
What is it?
It refers to effectively managing the complete suite of hardware and software resources that builds the network infrastructure foundation and is responsible for communication, operation and connectivity.
Why is it required?
No infrastructure is immune to cyber threats. Companies need to implement and keep track of their network devices, access point and related infrastructure endpoint to identify vulnerabilities earlier. It is essential to refrain the attackers from exploiting vulnerabilities and gaining access through insecure or flawed network services, ports and access points.
What are the tools and procedures?
-Packet loss supervision tool
-Network assessment
-Network availability tool
CSC 13: Network Monitoring and Defense
What is it?
This control requires the organisation to maintain the network and keep track of all events and activity to protect the organisation’s network against site threats and data breaches.
Why is it required?
The companies need to have an established and operating network monitoring system and an up-to-date defence technology mechanism to combat cyber threats and attack vectors. Through this, they can maintain the security posture across the online, physical, and virtual environments.
What are relevant security tools and procedures?
-Deploy antivirus, anti-malware, anti-spyware
-Intrusion detection system (IDS)
CSC 14: Security Awareness and Skills Training
What is it?
With this control, organisations are bound to involve the human minds in proven security awareness and skillsets to enhance the overall enterprise security posture.
Why is it required?
High-end security products and the system cannot protect the enterprise if they do not have skilled and competent individuals and security awareness to maintain the security culture. The 14th control of CIS v8 focuses on establishing security awareness programs and training to spread security-conscious behaviour among technical and non-technical employees.
What are relevant tools and procedures?
-Staff training with updated security program
CSC 15: Service Provider Management
What is it?
This CIS 15 control requires organisations to actively manage the third-party, vendor and service provider network to prevent threats, supply chain attacks and incidents that can cause massive disruption.
Why is it required?
Cloud technologies are increasing and becoming the need of every business in today’s world of remote work. Often breaches involve the negligence of third-party service providers. Service provider management helps assess and track vendors or cloud service providers engaged with the enterprise’s critical assets or sensitive data.
What are the relevant tools and procedures?
– Third-party risk assessment
– Compromise assessment before merger and acquisition
CSC 16: Application Software Security
What is it?
This control addresses the need for security consideration for in-house developed or acquired application software.
Why is it required?
Whether the application is developed in-house, hosted or acquired, the companies need to handle the security life cycle in the software to detect and prevent risk. In addition, doing the necessary test and checking on the application security health help minimise the threats and patch them promptly.
What are the relevant tools and procedures?
-Secure coding practices
– Static and dynamic testing
-Secure SDLC
CIS Control 17: Incident Response and Management
What is it?
This control refers to having a developed and implemented incident recovery and management infrastructure to efficiently detect attacks.
Why is it required?
A prepared incident response program with defined policies, procedures, roles, and communication facilitate detection and rapidly management of the security incidents to counter the attack with minimum downtime.
What are the relevant tools and procedures?
-Separately documented and outlined a plan for incident handling, recovery and reporting.
CIS Control 18: Penetration Testing
What is it?
CIS control no 18 is all about directing companies to assure assets and enterprise resiliency by testing the infrastructure, network, a system with attacker tactics to understand how they can be breaches.
Why is it required?
Conducting penetration testing is critical to verify the effectiveness; the organisation must simulate the web threats through penetration testing with the attacker perspective to identify vulnerable endpoints and potential weaknesses.
What are relevant tools and procedures?
-Appropriate white-box, grey-box or black-box penetration testing methodologies
Why are there 18 CIS controls, not 20?
The updated CIS controls have enhanced the previous 20 controls relative to modern solutions and technologies by incorporating new rules with emerging IT and security industry adaptation such as cloud computing, virtualisation, outsourcing, remote working, etc.
The controls are combined according to the activities and attack techniques in the new version. Thus, the rules are simplified from 20 to 18 in relevance with cloud, hybrid and activities-based environments.
What are the CIS top 20 controls?
The outdated version v7 of Center for Internet Security (CIS) controls addressed the 20 controls with detailed account to the organisation to implement them for the robust and solid cyber defence of their assets and enterprises.
CIS 20 Controls
Version 7.1 was released April 4, 2019, that included the following CIS 20 controls:
Control 1: Inventory and Control of Hardware Assets
Control 2: Inventory and Control of Software Assets
Control 3: Continuous Vulnerability Management
Control 4: Controlled Use of Administrative Privileges
Control 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
Control 7: Email and Web Browser Protections
Control 8: Malware Defenses
Control 9: Limitation and Control of Network Ports, Protocols, and Services
Control 10: Data Recovery Capabilities
Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 12: Boundary Defense
Control 13: Data Protection
Control 14: Controlled Access Based on the Need to Know
Control 15: Wireless Access Control
Control 16: Account Monitoring and Control
Control 17: Implement a Security Awareness and Training Program
Control 18: Application Software Security
Control 19: Incident Response and Management
Control 20: Penetration Tests and Red Team Exercises
What are CIS sub controls?
The CIS controls serve security best practices and guidelines to all enterprises to assist them in protecting their critical assets with proven methodologies. The CIS essential controls of security are categorised into three sub controls based on assets types, functionality and security necessities.
The sub controls are classified into three implementation groups listed below.
Basic
This sub-control includes the simple and basic control implementation to improve the organisation assets security.
Foundational
As the name suggests, this sub-control works as a baseline and contain advanced security guidance to improve the overall organisational security posture.
Organisational
These controls have guidance on making or changing the organisational policies to help businesses improve and maintain cyber security hygiene by the evolving cyber landscape.
Who uses CIS controls?
The critical CIS security controls are referred to and adopted by many legal, regulatory bodies, policymakers, and frameworks. As stated earlier, the Center for Internet Security controls is a set of prioritised cyber defence recommendations for enterprises, including startups to fortune 500, to reduce the attack surface and prevent cybercriminals from gaining access or breaching the companies.
It is used by thousands of global organisations, including Boeing, Citizen Property Insurance, Federal Reserve Bank of Richmond and all businesses. Various US state government agencies and cities have incorporated the CIS controls, such as Arizona, Idaho, Colorado, Portland, San Diego, etc.
In addition to it, security services consultants and vendors like Rapid 7, Tenable supports the CIS controls and educational institutes like the University of Massachusetts have implemented CIS controls into their security processes.
Today’s businesses and online actions demand protection against invasion, and it is only possible if security is considered proper hygiene rather than an elite lifestyle. As a cyber security service provider and consultant, we take it as our responsibility to provide you with in-depth defence services to help your business grow without the fear of cyberattacks.
Get in touch with us to schedule your CIS compliance assessment or discuss your primary security concerns.
