This is the beginning of a five-part series all about the CIS 20 critical controls (+ their subcontrols). A few different talking heads in the world of cybersecurity recommend this as one of the foundational frameworks that most companies should follow when aspiring to stand up a security program. 

Before I introduce this framework we’re going to begin with one of my favorite quotes.

“All models are wrong, but some are useful” – George Box

Most facts are not facts, most answers are never completely correct, and all frameworks are flawed, including the one I’m sharing now.

As a reader I want you to be skeptical, taking everything I say with a grain of salt. The 20 critical controls are useful, but it’s up to each person to tailor this framework to their situation (e.g. network, company size, assets you’re protecting, and budget). 

Now… Let’s dive in! 

The CIS 20 critical controls were created roughly 12 years ago, when a few government groups set out to prioritize their own security controls.

There’s no shortage of security frameworks in the realm of cybersecurity, but the downfall of most of these frameworks is that they’re either too specific or too complicated. The majority of companies that attempt to implement these frameworks are quickly overwhelmed, eventually giving up and reverting back to their old insecure ways. 

This is a major failure on behalf of the security community and is a problem that the 20 critical controls are aiming to fix. 

The focus of this security framework is simplicity and practicality. 

CIS stands for “Center for Internet Security”, which is a group of security experts from different industries, companies, and locations all around the world. The 20 controls in this security framework have been constantly updated over the past 12 years, reflecting actual attacks and defense strategies.

The beauty of this framework is that any company, no matter its security maturity, can apply a few security controls. The CIS team defined three different levels of company maturity (the implementation groups), which are based on specific criteria.

  • Implementation Groups: IG1 (beginner), IG2 (intermediate), and IG3 (advanced)
  • Criteria: How sensitive is your data? How critical is your service? What level of tech talent does your company have? What level of resources do you have set aside for cybersecurity?

Control 1 & 2 – Know thyself

The first two controls are aimed at understanding what hard and soft things are sitting on your network, a.k.a. mapping and maintaining an inventory of all the hardware and software within the network.

This step seems obvious to most, but it’s often done poorly or skipped altogether, which is surprising. We’re all aware of attackers constantly scanning and monitoring our networks, so why shouldn’t we do the same? Think about it… If you don’t know what’s on your network how are you supposed to protect it?!

Even though it seems obvious, mapping a network and maintaining its inventory is no easy task. Today, most networks have a variety of devices and software being added and removed constantly.

Without mapping and maintaining an inventory of the hardware and software on your network, you’re opening yourself up to the world of attackers. Unauthorized hardware and software can bring security vulnerabilities by being unpatched, out of date, or no longer maintained by the provider.

Enough chatter about the problems, let’s dive into the subcontrols, or rather my take on the subcontrols in the CIS recommendations. Each subcontrol I list below will have an IG1 (beginner), IG2 (intermediate), or IG3 (advanced) next to it, showing the complexity. Keep in mind that each level is additive, so IG2 will include IG1 and IG3 will include IG2 and IG1.

  • Hardware subcontrols
    • Discover (IG2 – active, IG3 – passive) > Use an active or passive discovery tool to map all the devices on your network; this can be as simple as Nmap. If you’re running “critical infrastructure” like a hospital, nuclear power plant, or Chipotle, then sticking with passive discovery is a safer bet, so you’re not messing up operations.
    • Discover (IG2) > Capture DHCP logs and use them to constantly update your inventory.
    • Maintain (IG1) > Keep track of all the assets and asset info (e.g. IP, MAC, machine name, owner, and department). 
    • Bad cookies (IG1) > Keep track of unauthorized devices, either removing them, quarantining them, or updating the inventory.
    • Access (IG2) > Put in place port-level access authentication (802.1X), which basically means whenever someone attempts to connect to your network they need to authenticate first. 
    • Client Certs (IG3) > Whenever a client connects to your network, make sure you’re authenticating its client certificate too.
  • Software subcontrols 
    • Happy list (IG1) > Keep a list of authorized software that is allowed and helps the business function.
    • Vendors (IG1) > Do your best to ensure that all software on your network is actively maintained by the vendor and that they’re pushing updates/patches.
    • Automate, Automate, Automate (IG2) > All the tracking and updating of your inventory list should be automated, including the name, version, publisher, install date, O/S, and department using it. 
    • Combine hard/soft (IG3) > Your inventory system should be able to map what hardware is using what software.
    • Bad cookies (IG1) > Same as hardware… Any unauthorized software should be removed, quarantined, or updated in the inventory.
    • Whitelisting (IG3) > Any third-party libraries or scripts that are needed for the business to function should be whitelisted, but everything else can take a hike! 
    • Separation (IG3) > High-risk apps should be either physically (airgap) or logically (VLAN) separated from the rest of the network, depending on how paranoid you are. 
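To make the hardware subcontrols concrete, here is an added example (my own code, not part of the CIS recommendations) that reads DHCP lease logs, reconciles them against an asset inventory keyed by MAC, flags unknown devices for quarantine, and refreshes the IP of known ones. The log format (ISC dhcpd-style lines) and the inventory fields are assumptions, and the sample lines are constructed.

```python
"""Added example: reconcile DHCP lease events against a hardware inventory
(Control 1 'Discover', 'Maintain' and 'Bad cookies' subcontrols).
Log format and inventory fields are assumptions, not CIS-prescribed."""
import re

# Constructed DHCP server log lines (assumed ISC-dhcpd style).
DHCP_LOGS = """\
Mar 14 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.20.15 to 00:11:22:33:44:55 (fin-ws-01) via eth0
Mar 14 09:02:40 dhcp1 dhcpd: DHCPACK on 10.0.20.16 to 00:11:22:33:44:66 (fin-ws-02) via eth0
Mar 14 09:03:05 dhcp1 dhcpd: DHCPACK on 10.0.20.77 to de:ad:be:ef:00:01 (android-9f3a) via eth0
Mar 14 09:03:09 dhcp1 dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:ff via eth0
"""

# Asset inventory keyed by MAC, carrying the fields the post lists (IP, name, owner, dept).
INVENTORY = {
    "00:11:22:33:44:55": {"ip": "10.0.20.15", "name": "fin-ws-01", "owner": "alice", "dept": "finance"},
    "00:11:22:33:44:66": {"ip": "10.0.20.99", "name": "fin-ws-02", "owner": "bob", "dept": "finance"},
}

# Only lease acknowledgements bind an IP to a MAC; DISCOVER/OFFER lines are ignored.
ACK_RE = re.compile(r"DHCPACK on (\S+) to ([0-9a-f:]{17})(?: \((\S*)\))?", re.I)

def parse_acks(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; MACs are normalised to lowercase."""
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower(), m.group(3) or ""

def reconcile(log_text, inventory):
    """Compare leases with the inventory without mutating the caller's copy.

    Unknown MACs go to 'unauthorized' (quarantine candidates); known MACs whose
    lease IP drifted get the inventory record refreshed and are listed in 'updated'."""
    inv = {mac: dict(asset) for mac, asset in inventory.items()}
    report = {"unauthorized": [], "updated": [], "inventory": inv}
    for ip, mac, host in parse_acks(log_text):
        asset = inv.get(mac)
        if asset is None:
            report["unauthorized"].append({"ip": ip, "mac": mac, "name": host})
        elif asset["ip"] != ip:
            asset["ip"] = ip
            report["updated"].append(mac)
    return report
```

Feeding the output of `reconcile` to a ticketing or NAC system is the IG1 version of the “Bad cookies” subcontrol; the same loop can be wired to a live syslog stream for the IG2 version.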

It’s ok to be vulnerable

Every company has vulnerabilities; it’s the price we all pay for connecting to the internet. Being vulnerable is acceptable as long as you’re constantly patching and reducing the number of vulnerabilities on your network.

Managing vulnerabilities comes down to one simple thing… Risk. Not all vulnerabilities are equal; some are riskier than others based on their impact and exploitability. The term “exploitability” is an important one that many companies seem to overlook.

So what is “exploitability”? 

It’s how likely a vulnerability is to be exploited, based on how easily accessible exploits for it are. There’s a thing called the “vulnerability timeline” that summarizes the evolution of a vulnerability: it starts with discovery by researchers or vendors and ends with either an exploit or, hopefully, a patch, depending on who’s faster (defender or attacker).

Without solid vulnerability management controls in place, your network is susceptible to known exploits, which is an attacker’s best friend. 

Our goal is to reduce the time between when a vulnerability is discovered and when we patch it. Not everything is in our control (e.g. patches being ready), but let’s see what is in our control based on the critical controls.

  • Vulnerability management
    • Scan constantly (IG2) > On a weekly or more frequent basis you should scan your environment for known vulnerabilities. This can be easily done by the buffet of vulnerability scanning tools available. 
    • Scan your insides too (IG2) > When running your recurring vulnerability scans, make sure to run authenticated scans as well, which means you’re going to scan as a logged-in user.
    • Special scanning account (IG2) > When running the credentialed scans it’s best to have a dedicated account that does this and only this. 
    • Automate all the things! (IG1) > Automation is a common subcontrol we’ll run across throughout this series. Using automated patch management tools will save you from making human errors and speed up the process. 
    • Compare scans (IG2) > Each scan should be compared to previous scans, creating a vulnerability trend chart you can check. This keeps an eye on your ability to patch vulnerabilities and ensures previous vulnerabilities are actually fixed.
    • Risk (IG2) > Instead of attempting to patch everything, as I mentioned before, it’s important to rank each vulnerability based on impact and exploitability.
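Here is an added example (my own code, not from CIS or any scanner vendor) that does the “Compare scans” and “Risk” subcontrols on two scan exports: it works out what was fixed, what is new and what is still hanging around, then ranks the open findings by impact weighted by exploitability. The record format, the CVSS-as-impact stand-in and the 2x weight for a public exploit are all assumptions; the scan data is constructed.

```python
"""Added example: compare two vulnerability scan exports and rank open
findings by impact x exploitability (Control 3 'Compare scans' and 'Risk').
Record format and weights are assumptions, not a CIS-prescribed formula."""

# Constructed scan exports: one record per (host, finding). 'cvss' stands in for
# impact; 'exploit_available' is the exploitability signal the post emphasises.
PREVIOUS_SCAN = [
    {"host": "10.0.20.15", "id": "VULN-A", "cvss": 9.8, "exploit_available": True},
    {"host": "10.0.20.15", "id": "VULN-B", "cvss": 5.3, "exploit_available": False},
    {"host": "10.0.20.16", "id": "VULN-A", "cvss": 9.8, "exploit_available": True},
]
CURRENT_SCAN = [
    {"host": "10.0.20.15", "id": "VULN-B", "cvss": 5.3, "exploit_available": False},
    {"host": "10.0.20.16", "id": "VULN-A", "cvss": 9.8, "exploit_available": True},
    {"host": "10.0.20.16", "id": "VULN-C", "cvss": 7.5, "exploit_available": True},
]

def _key(rec):
    """A finding is identified by where it is and what it is, not by scan row order."""
    return (rec["host"], rec["id"])

def compare_scans(previous, current):
    """Return (fixed, new, persistent) sets of (host, id) keys for the trend chart."""
    prev_keys = {_key(r) for r in previous}
    cur_keys = {_key(r) for r in current}
    return prev_keys - cur_keys, cur_keys - prev_keys, prev_keys & cur_keys

def risk_score(rec):
    """Impact (CVSS 0-10) weighted by exploitability: a public exploit doubles urgency.
    The weights are an assumption for illustration, tune them to your environment."""
    return rec["cvss"] * (2.0 if rec["exploit_available"] else 1.0)

def rank_open_findings(current):
    """Open findings, most urgent first; ties broken by host and id for stable output."""
    return sorted(current, key=lambda r: (-risk_score(r), r["host"], r["id"]))

def trend_point(previous, current):
    """One data point for the trend chart: 'persistent' is the number to watch,
    since it is the backlog of things you already knew about and have not fixed."""
    fixed, new, persistent = compare_scans(previous, current)
    return {"open": len(current), "fixed": len(fixed), "new": len(new),
            "persistent": len(persistent)}
```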

We all act a little too privileged

Power is a hard thing to strip away from others, especially when they’ve wielded it for so long. This applies to ancient Greek kings, as well as the accountant who has a few too many privileges on your network.

Every employee within a company needs a specific level of access to complete their job, but many employees have much more than that due to legacy or simple mistakes. The hard part is convincing this accountant, or, even harder, an executive, that limiting their access has nothing to do with you not trusting them; instead, it’s about you not trusting their computer when that user isn’t around.

A simple rule that all companies should incorporate is the “principle of least privilege”, which basically states that employees should only have enough access to do their job and nothing more.

The downfall to higher levels of access is that when an attacker breaks into that account they’re automatically gaining God-like powers within your network. 

Let’s look at the subcontrols recommended for fixing this privilege problem. 

  • Controlled use of administrative privileges
    • Who has it?! > Map and maintain an inventory of the admin accounts and who has access to them.
    • Avoid defaults > Whenever you add a new machine to the network always change the default username and password. Seems obvious, but it’s a very common mistake. 
    • Dedicated Admins > Make sure that there are dedicated admin accounts that are only used for admin stuff, meaning the user with admin privileges should not watch Rick and Morty while checking their email in the admin account. 
    • Multi-factor or long/strong > For systems that allow multi-factor authentication for admin accounts, turn it on; for everything else, create long and strong passwords.
    • Solo Workstations > If you’re really advanced you could create an entire separate workstation dedicated strictly to admin tasks, that’s separate from the rest of the network. 
    • Scripts = NO > Only admins and developers should have access to scripting tools (e.g. PowerShell, Python, etc.), everyone else probably has no idea what “scripting” is… And let’s keep it that way.
    • Alert and Log it > Any time a new admin account is created or a login attempt for an admin account fails, your logs and alerts should be firing.

Sneaky peeky into next weeky!

Next week we’re going to explore critical controls 5 – 8. 🙂

  • Secure Configurations
  • The World of Logs 
  • Your relationship with email and web browsers
  • Defending against dirty Malware

Until next time my beautiful humans.