The 18 CIS critical security controls: How to implement a cybersecurity strategy
Table of Contents
CIS has designed 18 critical security controls to help companies analyze their security strategies and optimize them to repel attacks
At the end of January, the U.S. subsidiary of telecommunications company T-Mobile made public that a malicious actor had fraudulently accessed the personal data of 37 million of its customers last November. The criminals could get hold of names, billing addresses, email addresses, telephone numbers and dates of birth. This incident suffered by the German multinational is the umpteenth demonstration of the risks faced by companies. And it highlights the need for companies to place cybersecurity at the heart of their strategy if they want to avoid being faced with far-reaching economic, legal and reputational consequences.
To help them in this task, the Center of Internet Security, a global reference organization, has developed and updated the CIS critical security controls over the years.
These critical security controls are based on the knowledge shared by cybersecurity experts worldwide and industry best practices. And their primary goal is to turn all that information into implementable measures for companies to protect themselves against cyberattacks.
Below, we will discuss what these controls consist of and briefly dissect each of the 18 critical security controls included in the latest version of this guide. These controls highlight the importance of relying on cybersecurity services to be protected against the magma of cyberattacks.
1. The CIS controls: A starting point for tackling cybersecurity
The CIS emphasizes that critical security controls are not just a list but are the backbone of a cybersecurity ecosystem.
These CIS critical security controls are a starting point for companies to implement a security strategy. Thus, the controls allow companies and cybersecurity experts to prioritize different areas depending on the business model and the available economic, human and technological resources.
From critical security controls, organizations can draw on industry knowledge, share experiences, learn from success stories and use other methodologies with which the CIS guidelines are aligned, such as the NIST cybersecurity framework or the OWASP methodology.
This approach shows that critical security controls do not constitute a checklist that guarantees that the organization is fully protected against attacks when applied in a company. Every day new threats emerge, new techniques emerge, and new technologies open the way for the attack. Cybersecurity is a sector in constant movement, so it is essential to be permanently connected to what is happening in this field and learn from all the knowledge generated.
2. How are critical security controls articulated?
Let’s get down to the nitty-gritty of how critical security controls operate. These controls are, above all, categories that systematize the concrete actions organizations must implement to build an effective security strategy.
Thus, the CIS guide establishes various safeguards for each critical security control, stipulating which assets they are aimed at, what security function they fulfill and what type of companies must implement them. Let us take a closer look at this structure.
Safeguards are the keystone of CIS critical security controls. Each safeguard is a specific action the organization must take to implement the control.
For example, safeguard 1.1. is to «establish and maintain a detailed inventory of business assets». The CIS guidance does not simply outline the action but sets out several considerations cybersecurity professionals must consider to undertake the action successfully.
Each of the 18 critical security controls has its safeguards. For example, in the case of the first control (Inventory and Control of Business Assets), the guide proposes five safeguards or actions that must be put in place to implement the control effectively.
In total, the 18 critical security controls include 153 safeguards.
2.2. Security functions
In addition to describing each of the safeguards, the guide facilitates their understanding and execution by categorizing them around the functions performed when they are implemented. Let’s see it better with the example above.
Safeguard 1.1. is an identification action since it precisely identifies the business assets that need to be protected against attacks.
Whereas, for example, safeguard 4.1. «Establish and maintain a secure configuration process» is a protection action since it revolves around implementing and maintaining a secure configuration process for the different assets of the organization.
How many security functions does the CIS critical security controls guide include? Five:
Each is present to a greater or lesser extent depending on the objectives of the critical security control. Thus, for example, in control 9 (Protection of email and web browser), the seven safeguards consist of performing protective actions. Whereas the safeguards in control 17 (Incident response management) are, logically, either response or recovery.
These security functions highlight the core actions that underpin any security strategy:
- First, identify the assets to be protected.
- Then, implement security mechanisms and address vulnerabilities to protect assets.
- Detect threats and weaknesses before they are exploited. And detect attacks early to prevent them from impacting the organization.
- Respond to attacks in an agile and effective manner.
- Restore normality and minimize the consequences of a security incident.
Each safeguard consists of a specific action, as mentioned above, which must be carried out on a certain type of asset. For example, safeguard 1.1. is focused on the company’s devices that are implementing critical security controls. Whereas safeguard 4.1. acts on the organization’s applications.
Thus, the guide differentiates five types of assets:
Each of them has its characteristics, and the way to secure them requires different actions or safeguards.
2.4. Implementation groups
As indicated above, the CIS critical security controls guide sets out as many as 153 safeguards that organizations must implement to ensure that they comply with the controls. Does this mean that all companies must perform the same actions? No. The CIS guide proposes three implementation groups, depending on the size and characteristics of each company:
- IG1. Small and medium-sized companies without extensive technological backgrounds must secure their assets and ensure business continuity.
- IG2. Companies that are composed of several departments that have the personnel to manage their technology infrastructure and need to safeguard sensitive information about their customers and business model.
- IG3. Companies that contract advanced cybersecurity services (pentesting, app auditing…). They are subject to stricter regulations and manage particularly sensitive data.
The first group will only have to execute basic cybersecurity safeguards. While the other two will also have to perform more advanced actions.
As is the case, for example, with the OWASP standards, the layers of safeguards add up. In other words, group 1 includes 56 basic actions. And finally, group three, designed for companies with cybersecurity experts and are particularly sensitive to data protection, includes all of the above safeguards plus 23 more advanced ones.
This way, CIS critical security controls become a tool for building and optimizing a security strategy capable of adapting to any company. And not only to large companies but also to small and medium-sized companies that must take cybersecurity seriously to avoid crises that could undermine their business model.
3. From asset inventory to penetration testing. The 18 critical CIS security controls
In addition to the elements we have just discussed, the CIS critical security controls have two essential aspects:
- An explanation of why implementing security control is important to protect the enterprise and its assets.
- The procedures and tools must be used to carry out the different safeguards that make up the control. This section also includes other documents generated by the CIS itself and guides produced by other prestigious institutions such as NIST.
Based on this information, companies and cybersecurity experts can proceed to implement the safeguards for each of the 18 critical security controls, depending on each company’s size, characteristics and resources.
3.1. Inventory and control of corporate assets
Every company has assets that it must defend against attackers. Both physical and digital. As the CIS guide states, «companies cannot defend what they do not know they have».
That is why it is so important when building a security strategy, to start by taking an inventory of all the company’s assets: computers, cell phones, IoT devices, network devices, servers, applications, cloud assets…
By inventorying, the company not only identifies the assets that need to be protected and secured but also detects unauthorized assets that need to be removed so that they do not become a security breach.
To sum up, the inventory and control of assets do not only consist of inventorying the assets but also of monitoring and remedying the weaknesses detected.
3.2. Inventory and control of software assets
Just as business assets must be inventoried, it is also essential today, in a fully digitized world, to inventory the software used by companies. From the operating systems of their equipment to the solutions and applications they use daily.
Companies must ensure that the software they work with is up to date and patched, as well as detect software they do not use but which they have installed and which may pose a cybersecurity risk.
3.3. Data protection
By now, we are all aware that data protection is a central issue in today’s society and economic system. The adoption of increasingly stringent regulations, such as the GDPR, bears witness to this.
Companies that do not have effective measures to protect their and their customers’ data expose themselves to major reputational, legal and economic crises.
Therefore, companies must have processes in place that enable them to store, process and secure data effectively.
The CIS guide emphasizes that the company’s technical controls must manage data comprehensively, guaranteeing its safeguarding and privacy. The actions to be implemented in terms of data protection are as follows:
- Secure disposal
3.4. Secure configuration of assets and enterprise software
The first two CIS critical security controls referred to the need to inventory a company’s assets and software. This fourth control goes one step further: securely configuring them. And maintaining that configuration.
Why is this control important? Because as the CIS points out, devices and software are marketed with premeditated configurations that are not so much focused on guaranteeing the security and protection of these assets but rather on facilitating their use by users and companies.
Hence, companies must securely configure their assets and ensure that security controls are effective initially and over time. This is because software is updated periodically, and attackers innovate their techniques.
3.5. Account management
When launching cyberattacks, many attackers use legitimate user credentials to gain access to a company’s system and commit fraudulent actions. For example, through social engineering attacks.
This is a testament to the importance of account management today.
In conclusion, enterprises must employ processes and tools to grant and manage account credentials for multiple users within a company.
3.6. Access Control Management
This control complements the previous one. In this case, the CIS guide focuses on how to manage each account’s access level. The objective should be that each user only has access to the data and documents that they need to view to carry out their functions.
The company must have the tools to assign and revoke user credentials to achieve this. As well as to stipulate the access privileges of the different accounts, both user, administrator and service.
Failure to precisely define user roles within the enterprise can trigger serious security incidents, allowing malicious actors to access a greater amount of information by breaching the credentials of a single user.
3.7. Continuous vulnerability management
Vulnerabilities are one of the most important elements of a cybersecurity strategy. Attackers are constantly on the lookout for new vulnerabilities to exploit.
Hence, companies need to have mechanisms in place to assess the vulnerabilities present in their assets and systems continuously. Through this ongoing monitoring, weaknesses can be detected before malicious actors can detect and mitigate them.
Vulnerability management is essential to prevent attacks, secure assets and reduce the risk of security incidents and their potential impact.
3.8. Audit trail management
What happens if a company is attacked? How is the attack detected? Through audit trail management. The collection and analysis of logs are key to the following:
- Quickly detecting cybercriminal activity. Preventing attacks from running for weeks and months.
- Identify the attack’s impact on the company and its assets.
- Recovering from the attack effectively.
- Conducting a comprehensive investigation into what happened.
3.9. Protecting email and web browsers
Email is one of the most important work tools for most companies. Relevant information about companies, their employees and their customers is shared via email.
Millions of professionals in their work also use web browsers.
Therefore, email and web browser protection must be a priority for all companies. Otherwise, these attack vectors can be used by criminals to get hold of confidential data or even gain access to company systems.
Malware, phishing, ransomware… Attackers use multiple techniques to try to breach the security of email and web browsers used by corporate users.
Therefore, it is essential to detect threats linked to these two asset classes and take the necessary actions to strengthen their security.
3.10. Malware defenses
In the previous control, we mentioned one of the great enemies of companies and cybersecurity professionals: malware.
Malicious software is the protagonist of the tenth critical security control. It focuses on the need to act to prevent the installation and propagation of this type of cyber-attack.
To this end, it is essential to have anti-malware defenses on all business assets capable of detecting attacks, containing them and helping to remediate them.
As with most aspects addressed by CIS critical security controls, continuous monitoring and updating, as well as the ability to act in an agile and diligent manner are key to protecting a company against viruses and Trojans.
3.11. Data recovery
While control 3 focused on data protection, control 11 focused on data recovery in the event of a security incident.
When setting up or optimizing a security strategy, companies must have protocols and mechanisms in place to manage the recovery of normality after a cyber-attack has occurred.
Data recovery is essential in this regard. Hence, companies must be able to recover data to restore attacked business assets, always ensuring the confidentiality, integrity and availability of information.
Data is a business asset of the first level. Decision-making in companies is based on data. However, just as the processing of information brings enormous advantages, it also entails risks, as we pointed out when talking about data protection.
Therefore, this security control is essential to ensure business continuity and minimize the impact of an attack on the company.
By implementing this control, the aim is to have effective recovery procedures in place to restore data and assets to a state of confidence before the attack. And, thus, to successfully deal with fraudulent actions such as data hijacking.
3.12. Network infrastructure management
Firewalls, wireless access points, routers… The network infrastructure comprises various elements that must be managed and secured to ensure that it is secure and acts as a barrier to attacks.
As we pointed out when talking about business assets and software, the initial configurations of network devices prioritize usability over security. It is, therefore, important to analyze these configurations to prevent attackers from exploiting potential security holes.
Again, the CIS guide reminds us that continuous monitoring, re-evaluation and constant updating are critical to keeping the network infrastructure secure over time.
3.13. Network monitoring and defense
Precisely, CIS 13 control focuses on network monitoring and defense. In other words, it goes one step further than the previous control. This means that, unlike the controls we have seen so far, it does not have safeguards designed to be implemented by smaller companies.
This control seeks to help companies implement processes that allow them to permanently monitor the defense of the network, taking into account the constant innovations that are taking place in the field of cybersecurity.
The CIS guide stresses how crucial it is for companies of a certain size to have mechanisms in place to detect any attack against their network early on. The longer it takes to detect a security breach, the greater the company’s and its assets’ exposure.
3.14. Security Awareness and Skills Training
When we think about a company’s security strategy, we may dwell on the software or devices it works with. But there is another, more important element: the human beings that make it up.
People are often the weak link in a security strategy. Carelessness or bad practices on the part of users can lead to breaches through which malicious actors can slip through and trigger severe security incidents.
For this reason, raising awareness among all company professionals and carrying out cybersecurity training activities is of enormous importance for large companies and small companies.
The combined action of awareness and training makes it possible to reduce risks and limit cyber exposure.
3.15. Management of service providers
We said in the previous critical security control that people are a weak point in the security strategy. Well, the CIS 15 control focuses on the supply chain.
It is no use for a company to implement the critical security controls we have been discussing if its IT suppliers need an adequate security program.
In brief, the best way to ensure that suppliers avoid becoming a vector for an attack is to assess them beforehand, monitor them regularly and ensure that they protect data and platforms adequately.
3.16. Security in application software
The use of applications (web, mobile, Cloud…) is part of the daily life of many companies. These tools help to reduce unproductive times, facilitate actions and systematize data.
This makes them a very attractive attack target for criminals. They can access confidential data, control assets, and even install malware through an application.
Given the importance of software in the day-to-day running of companies, securing it has become a major issue. Especially for the most technologically mature companies, software plays an extremely valuable role.
This security control implements an application security program and makes cybersecurity an essential aspect of software development.
3.17. Incident response management
Most critical CIS security controls aim to reduce the risks faced by a company by securing its assets, detecting vulnerabilities and threats, and addressing weaknesses.
However, a comprehensive security strategy must also include the company’s response and recovery mechanisms to deal with attacks.
Thus, it is essential to design response and recovery policies and plans, establish what role each actor within the organization should play in the event of an attack and ensure that the company can respond quickly to any attack.
Detecting an attack early, containing it and eradicating it is critical. In addition to technical controls, it is necessary to have an effective communication channel between all parties involved. It is also necessary to prioritize resources according to the objectives and characteristics of the business.
For example, when implementing a recovery plan, deciding which data or assets should be recovered and restored first is necessary.
Cybersecurity is not a watertight compartment, separate from a business’s business strategy, but a central dimension of it.
3.18. Penetration testing
Penetration testing services are fundamental to the evaluation of a security strategy. This is because the professionals who perform them simulate a real attack to detect vulnerabilities that malicious agents can exploit and check how the security measures respond.
For the most technologically mature companies, in which cybersecurity is a strategic pillar, penetration testing becomes a highly valuable service since it allows to:
- Observing and analyzing what impact a successful attack could have. Obtaining an accurate picture of the effects of a security incident.
- Check how the company’s defenses respond to an attack. And based on the information gleaned, address weaknesses and optimize the security strategy as a whole.
In short, CIS critical security controls guide users around the world to lay the foundations of a security strategy tailored to a company’s needs, objectives, characteristics and resources.
A starting point on which to build an ecosystem in which cybersecurity becomes a strategic issue for the company. Thanks to the implementation of critical security controls and the continuous evaluation of the effectiveness of the safeguards put in place.
This article is part of a series of articles about CIS controls
- CIS controls: best practices in cyber security
- The 18 CIS critical security controls: How to implement a cybersecurity strategy
- CIS Controls Implementation Groups: How to protect enterprises