
Explaining the Critical Security Controls (CSC) by the Center for Internet Security (CIS)

October 03, 2024

12 minute read

If you’re not a professional mechanic, you likely aren’t a car expert. However, with the help of guides, instructionals, and frameworks vetted by industry experts, you can complete some basic repairs and conduct a fair amount of regular maintenance yourself.

This is the core concept behind the Critical Security Controls created and published by the Center for Internet Security. The Controls make up a series of guidelines and expert-level suggestions that help organizations comprehensively address cybersecurity needs.

They are not a replacement for a comprehensive cybersecurity strategy with experts monitoring your system. But by implementing the tools and security protocols outlined in the CIS Critical Security Controls, your organization will be in a better position to detect and defend against modern cyber threats.

More often than not, you need to understand your cyber risk before you can reduce it effectively. Start your security journey with DOT Security by getting a cybersecurity risk assessment to help identify the largest gaps in your security posture.

The Center for Internet Security Critical Security Controls

The Critical Security Controls published by the Center for Internet Security were designed by a group of volunteers back in 2008 who were attempting to address significant issues in network security while educating organizations on crucial cybersecurity tactics.

Regularly updated, these Controls are practical and proven, and can drastically lower an organization’s cyber risk factor.

What Are the 18 CIS Controls?

The Center for Internet Security Critical Security Controls are regularly updated to match industry best practices and meet the needs of the modern cybersecurity space. The most recent version of the Controls, V8, features 18 Critical Security Controls, which is two fewer than versions past.

This reduction is due to a regrouping of the Controls based on activity and function rather than the party responsible for specific device management.

Let’s take a closer look at each of the 18 CIS Critical Security Controls.

Summarizing the Differences Between CSC Version 8 and 8.1

The Critical Security Controls (CIS Controls) Version 8.1, released in October 2023, builds upon Version 8, which was published in May 2021. Here's a summary of the key differences between the two versions:

1. Updates on Controls and Safeguards

  • Version 8 had 18 controls with a total of 153 safeguards (formerly called sub-controls). Version 8.1 keeps the 18 controls but updates the safeguard count to 154, adding a new safeguard to address emerging cybersecurity challenges.
  • The added safeguard in Version 8.1 focuses on Application Software Security to enhance protection against specific vulnerabilities that have become more prominent.

2. Enhanced Guidance for Implementation

  • Version 8.1 includes expanded implementation guidance, particularly on prioritizing safeguards based on threat modeling and business context. This helps organizations apply the controls in a more context-driven manner.
  • It also improves alignment with international standards and frameworks, making it easier for organizations that adhere to multiple standards to integrate the CIS Controls.

3. Refinement of Terminology

  • Some language and definitions have been refined in Version 8.1 to provide clearer guidance. This includes improvements in the phrasing of controls and safeguards, aimed at reducing ambiguity in their application.

4. Stronger Focus on Cloud and Remote Work

  • While Version 8 introduced enhanced cloud security considerations, Version 8.1 further strengthens recommendations for securing cloud infrastructure and remote work environments, recognizing their increasing importance in modern IT landscapes.

In short, Version 8.1 refines the framework laid out in Version 8, adding one additional safeguard, improving guidance on implementation, and enhancing its focus on cloud and remote security needs.

1. Inventory and Control of Enterprise Assets

The first of the Controls is focused on tracking and managing enterprise hardware inventory. This includes end-user devices, network devices, anything that’s considered a part of the Internet of Things (IoT), servers, and anything connected to the IT infrastructure.

By keeping track of this full inventory, you’ll be able to identify both known and unknown/unauthorized assets that staff is using regularly. With this information in hand, you can properly support, restrict, or eliminate assets as appropriate.

2. Inventory and Control of Software Assets

Similar to the first Control, the second CSC focuses on tracking and managing software-based assets. You want full visibility over the programs and operating systems being used across the network, and this Control gives you that.

With this more comprehensive vision, you can ensure that only authorized software is being used and you can eliminate or block any unauthorized programs.

3. Data Protection

Data protection is achieved through the combination of data privacy and data security tactics.

More specifically, data protection is made up of the practices, policies, and protocols that an organization puts in place to maintain data confidentiality, integrity, and availability. This can involve user verification and authentication, detection and response plans, and implementing a backup and recovery strategy.

Emphasizing the importance of data privacy and data security in your network defense strategy will help you handle, store, and use data with proper security protocols that keep you, your staff, and your clients safe.

4. Secure Configuration of Enterprise Assets and Software

After identifying all of your assets, both hardware and software, you’ll need to implement proper configurations to maintain network security and supplement authorization protocols.

In simpler terms, you don't want the devices or programs you’re relying on to be using default settings. Instead, your IT and cybersecurity team will work together to customize device and software settings to the specific network environment.

Further, security configuration will require the identification of open ports across your network. Any open ports that exist need to be assigned a set of strict rules that will effectively deny any unknown or unauthorized connections to these ports.

Even something as simple as maintaining a valid Secure Sockets Layer (SSL, today TLS) certificate that encrypts communications between users and websites is a crucial aspect of secure configuration.
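As an added example (not code from the original post), the following Python script carries out the open-port part of Control 4: it parses socket-listing output in the style of `ss -tuln`, drops loopback-only listeners, and reports every network-reachable port that is not in an approved baseline, plus any approved service that has stopped listening. The sample output and the baseline (SSH and HTTPS only) are constructed assumptions for the illustration.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port")

# Constructed sample in the style of `ss -tuln` output (assumption: a Linux
# host whose only approved network-facing services are SSH and HTTPS).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*
tcp   LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    [::]:22            [::]:*
"""

# Approved baseline as (proto, port). Anything reachable from the network
# and not listed here is a finding, including the UDP socket above.
APPROVED = {("tcp", 22), ("tcp", 443)}

_LINE = re.compile(r"^(tcp|udp)\s+(LISTEN|UNCONN)\s+\d+\s+\d+\s+(\S+):(\d+)\s+")

def parse_listeners(ss_output):
    """Return a Listener for every bound socket line in the output."""
    out = []
    for line in ss_output.splitlines():
        m = _LINE.match(line)
        if m:
            out.append(Listener(m.group(1), m.group(3), int(m.group(4))))
    return out

def is_loopback(addr):
    """Loopback-only sockets are not reachable from the network, so exempt them."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")

def unauthorized_listeners(ss_output, approved=APPROVED):
    """Sorted (proto, port) pairs that are network-reachable but not approved."""
    findings = {(l.proto, l.port) for l in parse_listeners(ss_output)
                if not is_loopback(l.addr) and (l.proto, l.port) not in approved}
    return sorted(findings)

def missing_services(ss_output, approved=APPROVED):
    """Approved services that are not listening at all (drift the other way)."""
    present = {(l.proto, l.port) for l in parse_listeners(ss_output)}
    return sorted(approved - present)

if __name__ == "__main__":
    for proto, port in unauthorized_listeners(SAMPLE_SS_OUTPUT):
        print(f"unauthorized listener: {proto}/{port}")
```

On a real host the same functions run over the output of `ss -tuln`; the telnet listener on tcp/23 and the unlisted UDP socket in the sample are what the report surfaces for remediation.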

5. Account Management

Account management is rooted in the principles of identity and access management, which authenticates and verifies users as they access various levels of data throughout the network. One major aspect of account management is the assignment of security clearance.

In order to mitigate unauthorized access to data, accounts, and the network as a whole, organizations can create user accounts that only have so much security clearance. In other words, their credentials, if compromised, would only take a threat actor so far. This greatly reduces the amount of damage an unauthorized user could inflict.

A good rule of thumb to follow when thinking about account management is that employees should only have access to data if they absolutely need it.

6. Access Control Management

Another core principle in identity and access management is access control, which sits on top of account management. While account management focuses on assigning the appropriate level of security clearance to accounts across the network, access control management emphasizes user authorization and verification protocols.

One way organizations can maintain regular user authentication and verification checkpoints is by establishing a multi-factor authentication policy. Additionally, zero trust security frameworks that operate on a “never trust, always verify” model are becoming more popular as a cybersecurity solution for the modern work environment.

7. Continuous Vulnerability Management

The cybersecurity space is advancing at breakneck speeds and the burden of keeping pace is on your shoulders.

This is why it’s vital to conduct regular vulnerability and cyber risk audits so you can identify new gaps in your security, pinpoint threats, and roll out software patches as necessary.

8. Audit Log Management

Audit logs contain records of events and activities that occur within the systems, applications, and network devices that operate across an organization’s IT infrastructure. Analyzing these logs provides valuable information to cybersecurity professionals in detecting and investigating security incidents, as well as ensuring compliance with regulations.

Audit log management is all about continually improving your cybersecurity strategy as it can reveal insights into your network activity and uncover both concerning and noteworthy patterns.
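As an added example (not code from the original post), the following Python script shows the kind of pattern that audit log analysis is meant to surface: a login that succeeds only after a burst of failed attempts from the same source within a short window. The sshd-style log lines, the threshold of three failures and the five-minute window are constructed assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (assumption: year 2024, single host).
SAMPLE_LOG = """\
Oct 03 08:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 50012 ssh2
Oct 03 08:00:04 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 50013 ssh2
Oct 03 08:00:09 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 50014 ssh2
Oct 03 08:00:15 host1 sshd[2004]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Oct 03 08:00:21 host1 sshd[2005]: Failed password for bob from 203.0.113.7 port 50015 ssh2
Oct 03 08:00:30 host1 sshd[2006]: Accepted password for bob from 203.0.113.7 port 50016 ssh2
Oct 03 09:15:00 host1 sshd[2100]: Failed password for carol from 192.0.2.44 port 6001 ssh2
Oct 03 09:20:00 host1 sshd[2101]: Accepted password for carol from 192.0.2.44 port 6002 ssh2
"""

_EVENT = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port"
)

def parse_events(log, year=2024):
    """Yield (timestamp, outcome, user, source_ip) for each sshd auth line."""
    for line in log.splitlines():
        m = _EVENT.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def suspicious_logins(log, min_failures=3, window_seconds=300):
    """Return (source_ip, user, failure_count) for every successful login that
    was preceded, within the window, by at least min_failures failures from
    the same source. A single failure before a success is normal and ignored."""
    recent = defaultdict(list)   # source_ip -> timestamps of recent failures
    findings = []
    for ts, outcome, user, src in parse_events(log):
        # Drop failures that have aged out of the window for this source.
        recent[src] = [t for t in recent[src] if (ts - t).total_seconds() <= window_seconds]
        if outcome == "Failed":
            recent[src].append(ts)
        elif len(recent[src]) >= min_failures:
            findings.append((src, user, len(recent[src])))
            recent[src].clear()
    return findings

if __name__ == "__main__":
    for src, user, n in suspicious_logins(SAMPLE_LOG):
        print(f"investigate: {user} logged in from {src} after {n} failures")
```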

9. Email and Web Browser Protections

Your employees are your biggest asset. However, they’re also very likely your largest cybersecurity vulnerability. By implementing tools that help catch and halt threats that come through emails or web browsers, you’ll give your employees a better chance at staying secure while completing their work.

A few examples of email and web browser protections include things like:

  • Spam filtering
  • Phishing detection and reporting
  • Attachment scanning
  • Safe browsing warnings
  • Malicious website blocking
  • Custom privacy controls

Though they aren’t foolproof, these tools take at least some of the guesswork out of protecting employees from cybersecurity threats and greatly improve your cybersecurity posture as a whole. It's important to note that these tools will have to continue to improve as both cybersecurity professionals and malicious actors integrate more and more AI into their processes and programs.

10. Malware Defenses

Malware defense as a Critical Security Control helps organizations prevent the installation, spread, and execution of malicious applications, programs, or scripts.

When thinking about malware defense, the most common examples are antivirus programs, firewalls, and malware scanners. Antivirus and malware scanners work together to regularly look for and identify computer viruses or hidden malware living in the background of your network, while firewalls control which traffic is allowed in and out.

These are critical tools in guarding against external threats that attempt to infiltrate your network.

11. Data Recovery

A major emphasis in the modern cybersecurity space is on disaster recovery planning. One pillar of disaster recovery specifically focuses on data recovery procedures in the face of a cyber incident. This means ensuring that you can quickly regain access to your information in a safe manner.

With a proper data recovery plan in place, you can drastically reduce how long it will take your organization to recover operations in the wake of a cyberattack, and in turn, how much damage is done in total.

12. Network Infrastructure Management

Network infrastructure management is all about data flow. Think about network infrastructure management the same way you think about air traffic controllers directing airplanes, managing traffic, and maintaining a cadence that reduces bottlenecks.

At the airport, this is all designed to avoid major accidents and delays, but in network infrastructure, managing data flows aims at avoiding network crashes, eliminating data loss, and ensuring data availability.

13. Network Monitoring and Defense

If you’re not watching your attack surface closely, you won’t have any warning of incoming threats. This is where network monitoring shines in the context of cybersecurity. Network monitoring allows you to identify potential threats by abnormal user and device behavior, data patterns, or event anomalies.

With proper network monitoring in place, you’ll be able to detect and predict malicious activity with more accuracy and speed.

14. Security Awareness and Skills Training

Employee cybersecurity awareness training is essential in combating cyberattacks that manipulate individuals into giving away sensitive information.

By educating your staff on phishing scams, pig butchering scams, and other common social engineering schemes, you’ll greatly reduce the risk of a user-based cybersecurity incident.

15. Service Provider Management

If you’re going to work with a service provider to handle any or all of your cybersecurity needs, it’ll be important for you to establish an evaluation and audit process. This process helps to ensure that your data is being properly protected, your organization is adhering to applicable compliance regulations, and that you’re getting comprehensive coverage in the areas you need it most.

By conducting a thorough evaluation of available providers, you’ll be able to partner with the security provider that makes the most sense for your organization.

16. Application Software Security

Application software security is such a seemingly simple aspect of cybersecurity that it often gets overlooked. Think about the last time you installed a security patch for your office’s smart thermostat.

However, keeping any software acquired, downloaded, or even developed in-house up to date with security protocols will help you address any security vulnerabilities that develop before they can be exploited.

17. Incident Response and Management

If a significant cyber incident should occur, it’s crucial that organizations have an action plan in place that they can begin executing immediately. Incident response and disaster recovery plans form the backbone of a powerful cybersecurity strategy that can get your business back up and running in even the worst of scenarios.

18. Penetration Testing

Penetration testing is a service offered by white-hat hackers who use their hacking skills to help businesses improve their cybersecurity strategies. It involves authorized testers launching simulated attacks against an established business to discover vulnerabilities and evaluate its defenses against the newest and most sophisticated attack techniques.

White-hat hackers operate in contrast to black-hat hackers, who are generally after personal or financial gain.

Penetration testing is an excellent way for organizations to test their cybersecurity strategy against real-world threats while uncovering opportunities for continual improvement.

Wrapping Up on the CIS Critical Security Controls

If you want to up your cybersecurity and network defense systems, but don’t know where to start, the Critical Security Controls published by the Center for Internet Security will walk you through a series of practical tools and protocols to start implementing.

Modern businesses need to be prepared for modern cyberattacks and that all starts with implementing the proper tools, protocols, and processes, many of which are outlined in the 18 CIS Critical Security Controls.

If you haven’t already, it’s time to start seriously considering your cybersecurity posture and how it can be improved. Take the first step today with a DOT Security cybersecurity risk assessment.