When companies struggle with what to do, and with how to demonstrate their cybersecurity efforts for auditing purposes, many turn to ISO 27001 and ISO 27002.
While these standards are excellent for demonstrating compliance, they are not well suited to prioritizing, measuring and implementing the practical IT-security initiatives that actually improve your overall cybersecurity posture.
The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) gives these organizations a way to describe their cybersecurity programs and make balanced, risk-based decisions about them. The CSF in turn maps directly to an industry-driven set of cybersecurity best practices, methodologies and controls known as the Center for Internet Security Critical Security Controls, or the CIS Controls.
CIS Controls
The CIS Controls are, by design, a prioritized set of technical controls aimed at helping organizations address the most common and pervasive attack methodologies that companies face on a daily basis. As such, the CIS Controls provide an appropriate starting point for organizations that seek to adopt and progress through the NIST CSF. Following the CIS Controls also lets organizations leverage published mappings to other regulations and frameworks (e.g. NIST SP 800-53, ISO 27001, NIST SP 800-39, 800-37 and 800-30, ISO 27005, FAIR, etc.).
Together with the NIST CSF, the CIS Controls can drive the creation of a well-balanced foundational cybersecurity program that can grow in lock step with your organization.
A Multi-Layered Model: Basic, Foundational and Organizational
The Basic CIS Controls (Controls 1 to 6) should be implemented in every organization for essential cyber defense readiness. The Foundational Controls (7 to 16) are technical best practices that provide clear security benefits and are a smart move for any organization that has the maturity to implement them. The Organizational Controls (17 to 20) focus on the people and processes involved in day-to-day cybersecurity and are intended for companies with higher security maturity.
Currently in version 7, the CIS Controls comprise 20 controls, each of which includes between 5 and 13 sub-controls.
Implementation Groups
Implementation Groups (IG) provide a simple and accessible way for organizations of different sizes and maturity levels to focus their security resources while still leveraging the value of the CIS Controls program, its community, and the complementary tools and working aids. Depending on the group, a different subset of the CIS sub-controls applies. The IG classification is determined during the initial discovery sessions.
Implementation Group 1 (IG1):
An IG1 organization is small to medium-sized, with limited IT and cybersecurity expertise to dedicate to protecting IT assets and personnel. The principal concern of these organizations is keeping the business operational, as they have a limited tolerance for downtime. The sensitivity of the data they are trying to protect is low and principally concerns employee and financial information. However, some small to medium-sized organizations are responsible for protecting sensitive data and therefore fall into a higher Implementation Group.
Sub-controls selected for IG1 should be implementable with limited cybersecurity expertise and are aimed at thwarting general, non-targeted attacks. These sub-controls are typically designed to work with small-office or home-office commercial off-the-shelf (COTS) hardware and software.
Implementation Group 2 (IG2):
An IG2 organization employs individuals responsible for managing and protecting IT infrastructure. These organizations support multiple departments with differing risk profiles based on job function and mission. Some organizational units may carry regulatory compliance burdens. IG2 organizations often store and process sensitive client or company information and can withstand short interruptions of service. A major concern is loss of public confidence if a breach occurs. Sub-controls selected for IG2 help security teams cope with increased operational complexity; some depend on enterprise-grade technology and specialized expertise to install and configure properly.
Implementation Group 3 (IG3):
An IG3 organization employs security experts who specialize in the different facets of cybersecurity (e.g. risk management, penetration testing, application security). IG3 systems and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 organization must address the availability of its services and the confidentiality and integrity of its sensitive data, because successful attacks can cause significant harm to the public welfare. Sub-controls selected for IG3 must abate targeted attacks from a sophisticated adversary and reduce the impact of zero-day attacks.
Measurement & Adherence - CyberHunter ASCA Software
When performing a cybersecurity risk assessment of an organization, CyberHunter takes into account the company's maturity and objectives and produces a customized plan that includes the continuous, ongoing activities outlined in the CIS Controls.
Whatever combination of CIS Controls is in use, we recommend starting with the "Basic 6" high-level CIS Control categories as part of a continuous key security measurement effort. To accomplish this, the CyberHunter Automated Security Controls Auditor (ASCA) software can be deployed inside the target network.
The following CIS Controls (and their sub-controls) are covered with the ASCA software in place:
CIS Control #1 – Inventory & Control of Hardware Assets
CyberHunter continuously detects hardware assets on your network and reports changes to known hardware assets as well as newly discovered devices. The first CIS Control directs organizations to implement a process that regularly and automatically discovers assets, then authorizes each device or removes it from the network.
Custom property and grouping functions in the CyberHunter reports help divide organizational hardware assets into special groups such as "Most Critical Devices" and "Devices Related to PII".
CIS Control #2 – Inventory & Control of Software Assets
CyberHunter automatically discovers the software (including version) on all scanned hardware assets, given credentialed access. Organizations must implement a process for removing unwanted software from the network, thereby leaving only authorized software on authorized devices. CyberHunter's reports help identify software and mark it as Allowed, Denied or Neutral.
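The reconciliation step behind Controls 1 and 2 (authorized inventory versus what a scan actually found, and discovered software sorted into Allowed, Denied and Neutral) is shown below as an added example. It is not CyberHunter's or ASCA's code; the inventory, scan output, software list and policy are constructed sample data, and the "mac ip hostname" scan format is an assumption made for the example. The same diff pattern applies to Control 4 if the inventory is a list of approved administrators.

```python
"""Asset and software reconciliation in the spirit of CIS Controls 1 and 2.

Added example, not CyberHunter's code. All data below is constructed.
"""

# Constructed sample: the authorized hardware inventory, keyed by MAC address,
# with the custom grouping labels the report uses.
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": {"hostname": "fs01", "owner": "IT", "group": "Most Critical Devices"},
    "00:11:22:33:44:02": {"hostname": "hr-ws07", "owner": "HR", "group": "Devices Related to PII"},
    "00:11:22:33:44:03": {"hostname": "eng-ws12", "owner": "Engineering", "group": "Standard"},
}

# Constructed sample: what this cycle's discovery scan saw, as "mac ip hostname" lines
# (an assumed format; a real tool would export CSV or JSON).
SCAN_OUTPUT = """\
00:11:22:33:44:01 10.0.1.10 fs01
00:11:22:33:44:02 10.0.2.37 hr-ws07
00:11:22:33:44:99 10.0.2.201 unknown-android
"""

# Constructed sample: software policy. Anything not listed is Neutral and queued for review.
SOFTWARE_POLICY = {
    "allowed": {"Microsoft Office", "Google Chrome", "7-Zip"},
    "denied": {"TeamViewer", "uTorrent"},
}

# Constructed sample: software discovered per host by a credentialed scan.
DISCOVERED_SOFTWARE = {
    "fs01": ["7-Zip 23.01", "TeamViewer 15.44"],
    "hr-ws07": ["Microsoft Office 16.0", "Google Chrome 118.0", "Notepad++ 8.5"],
}


def parse_scan(text):
    """Parse 'mac ip hostname' lines into {mac: (ip, hostname)}; malformed lines are skipped."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        mac, ip, hostname = parts
        seen[mac.lower()] = (ip, hostname)
    return seen


def reconcile_hardware(authorized, scan_text):
    """Split a scan into known devices, unauthorized (new) devices and authorized devices not seen."""
    seen = parse_scan(scan_text)
    known = {m: seen[m] for m in seen if m in authorized}
    unauthorized = {m: seen[m] for m in seen if m not in authorized}
    missing = {m: authorized[m] for m in authorized if m not in seen}
    return {"known": known, "unauthorized": unauthorized, "missing": missing}


def group_members(authorized, group):
    """Hostnames in one custom group, e.g. 'Devices Related to PII'."""
    return sorted(info["hostname"] for info in authorized.values() if info["group"] == group)


def product_name(entry):
    """Strip a trailing numeric version ('Google Chrome 118.0' -> 'Google Chrome')."""
    name, _, version = entry.rpartition(" ")
    return name if version and version[0].isdigit() else entry


def classify_software(entry, policy):
    """Deny list wins over allow list; unknown software is Neutral, never silently Allowed."""
    name = product_name(entry)
    if name in policy["denied"]:
        return "Denied"
    if name in policy["allowed"]:
        return "Allowed"
    return "Neutral"


def audit_software(discovered, policy):
    """Return per-host verdicts and the (host, entry) pairs that must be removed."""
    verdicts, removals = {}, []
    for host, entries in discovered.items():
        verdicts[host] = {}
        for entry in entries:
            verdict = classify_software(entry, policy)
            verdicts[host][entry] = verdict
            if verdict == "Denied":
                removals.append((host, entry))
    return verdicts, removals


if __name__ == "__main__":
    result = reconcile_hardware(AUTHORIZED_HARDWARE, SCAN_OUTPUT)
    for mac, (ip, host) in result["unauthorized"].items():
        print(f"UNAUTHORIZED device {mac} at {ip} ({host}): authorize or remove")
    for mac, info in result["missing"].items():
        print(f"MISSING authorized device {mac} ({info['hostname']}): confirm decommissioning")
    print("PII group:", group_members(AUTHORIZED_HARDWARE, "Devices Related to PII"))
    _, removals = audit_software(DISCOVERED_SOFTWARE, SOFTWARE_POLICY)
    for host, entry in removals:
        print(f"DENIED software on {host}: {entry}")
```

Two design points matter here. Devices are keyed by MAC rather than hostname or IP, since the latter two change and are trivially self-asserted by a rogue device (MAC can be spoofed too, which is why the output is an authorization queue for a human, not an automatic block). Software that matches neither list is reported as Neutral rather than defaulting to Allowed, so the allow list stays the only path to "authorized".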
CIS Control #3 – Continuous Vulnerability Management
Where software asset versions can be identified, CyberHunter's vulnerability reports check whether the software is missing security patches that would leave it exposed. Regular scanning for software-related vulnerabilities produces audit reports that identify critical trending vulnerability issues such as BlueKeep, ZombieLoad or SWAPGS. Results can be listed in an Audit Report or on a dashboard, or email alerts can be configured to deliver the report output straight to your inbox. Version-based checks of this kind require credentialed scans to be reliable, and they can report false positives on platforms that backport fixes without bumping the upstream version number, so findings should be confirmed against the vendor's patch data.
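The core of a version-based patch check is comparing an installed version against the first version that carries the fix, and the classic mistake is comparing version strings lexically. The following is an added example, not ASCA's code: the "fixed-in" table and the installed-software list are constructed sample data with made-up product names, standing in for the advisory feed and scan output a real tool would use.

```python
"""Version-based missing-patch check in the spirit of CIS Control 3.

Added example, not CyberHunter's code. Products, versions and hosts are constructed.
"""
import re

# Constructed sample: the first version of each product that contains the fix.
# In practice this comes from a vulnerability feed; the entries are illustrative only.
FIXED_IN = {
    "ExampleVPN Client": "4.10.3",
    "ExampleBrowser": "118.0.5993.88",
    "ExampleArchiver": "23.1",
}

# Constructed sample: (host, product, installed version) as reported by a credentialed scan.
INSTALLED = [
    ("fs01", "ExampleVPN Client", "4.9.12"),
    ("hr-ws07", "ExampleVPN Client", "4.10.3"),
    ("hr-ws07", "ExampleBrowser", "118.0.5993.70"),
    ("eng-ws12", "ExampleArchiver", "23.01"),
    ("eng-ws12", "UnlistedTool", "1.0"),
]


def version_key(version):
    """Turn '4.10.3' into (4, 10, 3) so comparison is numeric, not lexical.

    Trailing zero components are dropped so '4.10' == '4.10.0'.
    Lexically, '4.9.12' > '4.10.3'; numerically it is older, which is the whole point.
    """
    parts = [int(n) for n in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_missing_patch(product, installed_version, fixed_in=FIXED_IN):
    """True if the installed version predates the fix.

    Returns None for products with no entry in the table: "no data" must be
    reported as unknown, never silently counted as patched.
    """
    if product not in fixed_in:
        return None
    return version_key(installed_version) < version_key(fixed_in[product])


def audit(installed, fixed_in=FIXED_IN):
    """Findings as (host, product, installed, fixed_in) for each missing patch."""
    findings = []
    for host, product, version in installed:
        if is_missing_patch(product, version, fixed_in):
            findings.append((host, product, version, fixed_in[product]))
    return findings


def unknown_products(installed, fixed_in=FIXED_IN):
    """Products the table says nothing about, so the report can flag them for review."""
    return sorted({product for _, product, _ in installed if product not in fixed_in})


if __name__ == "__main__":
    for host, product, version, fixed in audit(INSTALLED):
        print(f"{host}: {product} {version} is missing a patch (fixed in {fixed})")
    print("No vulnerability data for:", unknown_products(INSTALLED))
```

The `None` return for unknown products is deliberate: a scanner that treats "not in my table" as "patched" quietly hides exactly the software nobody is tracking. The numeric key also handles the common "23.01" versus "23.1" mismatch, which a string comparison would flag as a finding.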
CIS Control #4 – Controlled Use of Administrative Privileges
Organizations must maintain the principle of least privilege, granting local administrative rights only where they are needed and deciding this on an asset-by-asset basis. CyberHunter helps identify all unauthorized administrators, shows who can manage each asset, and highlights which users and groups need to be "groomed" to reduce admin privileges. Where applicable, CyberHunter's integration with Active Directory lets you audit individual administrative accounts and see detailed AD user information, including account state and password audit data.
CIS Control #5 – Secure Configurations for Hardware and Software*
The CIS Benchmarks guide organizations in implementing secure software and hardware configurations. A substantial number of their recommendations, covering processes, services, shares, registry settings, system settings and BitLocker status, are checked and reported by CyberHunter. Additionally, CyberHunter can check network devices for end-of-life firmware versions and scan for the presence or absence of specific files and registry keys for complete CIS benchmarking.
* More in-depth benchmarking of workstations and servers (Windows, Linux, Mac) is available as an optional service.
CIS Control #6 – Maintenance, Monitoring, and Analytics of Audit Logs
CyberHunter can verify that proper security logging is in place and provide ongoing 24×7 logging and monitoring of key security events and of insider behaviour that may be harmful to your environment. Firewalls, antivirus software and other traditional security controls do not provide full coverage; the CyberHunter CLIRSec Advanced Threat Detection service acts like a security camera for your network.
BE PROACTIVE.
Trust in a network device is always temporary. Be proactive: scan, test and hunt on a regular basis.
TRUST NOTHING.
Security teams should NEVER trust an endpoint or server until it can be PROVEN to be trusted.
MALWARE CAN GET IN.
Assume that prevention will sometimes fail: companies need to prepare for, and be ready to respond to, advanced persistent threats.