Critical Security Controls: Part 0 - Introduction

The Top 20 Critical Security Controls help reduce Cybersecurity Risk

Everyone knows that they need to improve the current state of their cybersecurity measures, but to many people this task is a daunting one.  “Where do I start?  What should I focus on first? What security measures will have the greatest impact on the security of my computer systems and network?” Don’t worry, the Center for Internet Security can answer all these questions, and help guide you to a more secure infrastructure.  The Critical Security Controls (CSCs) will be your guidebook to developing and implementing industry standards and best practices, helping you improve your overall security and reducing the overall risk to your organization.  This blog article will be followed up by a series of 20 blog posts, each providing a detailed examination of one of the Controls, to help provide you with ideas of how you can implement each control within your organization.

Where do I start?

The Center for Internet Security (CIS), https://www.cisecurity.org/, is a global non-profit community of IT and security individuals who develop and share resources that help organizations protect themselves from cyber threats and attacks.  They are innovative leaders in cyber defense solutions, and provide information and guidance to private and public companies and organizations from all over the world.

The CIS keeps you up to date on trends in cybersecurity threats, and shows the current alert level for current vulnerabilities and threats that might affect your networks.  The Multi-State Information and Sharing Center (MS-ISAC) supplies the information for the alert levels.  The MS-ISAC is committed to improving “the overall cybersecurity posture of the nation’s state, local, tribal, and territorial governments through focused cyber threat prevention, protection, response, and recovery.” You can read more about the MS-ISAC here: https://www.cisecurity.org/ms-isac/.

The CIS also provides tools and industry best practices that will help improve your security posture, including the Critical Security Controls (CSCs) and CIS Benchmarks.  There are currently 20 Controls, each grouped into a specific category (referred to as “families”).  These families are listed as System, Network, and Application; they exist to assist with prioritization.  The Controls are listed in prioritized order, with Control 1 being the most important to implement.  There are 149 individual security practices that are part of the 20 Controls, and implementing these practices and the 20 Controls will help secure your organization against the everyday threats that might affect your networks.

What should I focus on first?

With 20 Controls and 149 individual practices to implement it can be difficult to know where to start.  Fortunately, the CIS has put the most important Controls at the top of the list.  Controls 1 -5 represent the areas you should focus on first, known as Foundational Cyber Hygiene.  By implementing the first 5 Controls, you can improve your security posture and eliminate 85% or more of your organization’s cybersecurity vulnerabilities.  More information about the CIS Controls can be found here: https://www.cisecurity.org/controls/.  Future blog posts will cover each of the Controls in depth including the Foundational Cyber Hygiene controls.  In case you just can’t wait to read the future blogs, I will list the Foundational Cyber Hygiene Controls for you now.  The first 5 Controls are:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges

The Foundational Cyber Hygiene Controls represent some of the most important concepts in security.  How can you protect what is on your network, if you don’t know what is supposed to be there and what isn’t?  All systems should have a documented, secure configuration that can be imaged on all like systems within your network.  This help you recover quickly from viruses and malware, and other unforeseen events that require you to reimage your systems.  Defending your network is a constant arms race against cyberattackers.  You need to continuously monitor and check your systems for vulnerabilities… because the attackers certainly do.  Lastly, a common point of entry into your network is through the use of Admin accounts or privileges.   Always implement the concepts of least privilege, separate accounts for user and administrative duties, and log all activity that comes from your Admin accounts.  If you incorporate the Foundational Cyber Hygiene Controls into your security practices, you will greatly reduce the vulnerabilities within your network, and this is enough to encourage many attackers to seek out companies who may be less secure, known as lower hanging fruit.

What security measures will have the greatest impact on the security of my computer systems and network?

“OK, I have implemented the Foundational Cyber Hygiene Controls.  I still want to do more to improve my network security.  What else can I do?”  Many organizations want to have better security, they just are not sure where to start, or what they can do to improve their current security measures.  The Controls are a great place to start, but sometimes you need to really take a hard look in the mirror first to see if your current practices are helping or hurting your security posture.  This is where an Enterprise Security Audit can help bring you that clarity, and provide you with the answers you seek. 

An Enterprise Security Audit uses the CIS 20 Controls to review and analyze your current security practices.  The Enterprise Security Audit will determine what policies you have in place that cover the 20 Controls.  It will give you a scorecard that shows you which specific controls you are missing, or which ones need to be refined or improved.  An ESA Technical Audit will look at your systems to help identify which controls are actually implemented within your networks, and which ones need to be implemented.  If you are really serious about improving your organization’s security or want to check and see how secure your network might be against todays cyberattacks, then an Enterprise Security Audit is a great place to start.  Contact us to schedule your Enterprise Security Audit and Technical Audit, and let the CIS Controls and Alpine Security help you improve the security of your networks.

Author Bio

Jana, representing the 501st Legion as Captain Phasma

Jana White is a Cybersecurity Engineer and Trainer with Alpine Security.  Her certifications include Security+, CyberSec First Responder (CFR), Certified Ethical Hacker (CEH), Computer Hacking Forensic Investigator (CHFI), and Certified Information Systems Security Professional (CISSP).  Jana’s background experience includes compliance, auditing, loss prevention, penetration testing, project management, and social engineering.  Jana is certified as a Crime Scene Evidence Technician, and incorporates her experiences in banking and Crime Scene Evidence collection into her courses as a trainer for Alpine Security.  In her spare time, Jana is a member of the 501st Legion, an international Star Wars costuming organization that focuses on promoting an interest in Star Wars through screen accurate costuming, and performing charity work and volunteering all over the world.  Her current armor sets include Captain Phasma from The Last Jedi, and a Stormtrooper from A New Hope.  She is working on joining the Rebel Legion, as General Leia Organa.  Jana also studies Japanese, with the hope of passing the JLPT N1 exam someday.