CIS Updates the 20 Critical Security Controls
The Center for Internet Security (CIS) has come forward with their most recent set of information security controls. The previous edition of the Critical Security Controls listed 20 controls for an organization to implement to protect their networks. The most recent edition (CIS Critical Security Controls v6.0) keeps the same number of controls, but replaces one control and adjusts the priority of others. The data used to formulate these controls comes from private companies, and government entities within many sectors (power, defense finance, transportation and others). Experts from various organizations combined their knowledge to create this consensus of controls, and it is a great reference point for any organization looking to improve their information security posture.
It is a great reference point for any organization looking to improve their information security posture
The changes
The CIS web site states:
The new Controls include a new Control for “Email and Web Browser Protections,” a deleted Control on “Secure Network Engineering,” and a re-ordering to make “Controlled Use of Administration Privileges” higher in priority.
This makes sense, as the Secure Network Engineering Control could be interpreted to encompass multiple controls within the 20 Controls mentioned on their list. Removing it provides more room for elaboration in other areas, such as the newly added Email and Web Browser Protections control, and others already mentioned (Wireless Access Control, Malware Defenses, Boundary Defenses, etc.).
The top 4 controls
A particular point of interest is with the top four controls, as there has been no change in their order at all. CIS still identifies these four controls as their most important:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
Notably, the fourth bullet places emphasis on the term “Continuous” which is now a part of the standard of due care, also emphasized in NIST and PCI DSS frameworks to name a few. Additional information on compliance support for the shift to a more continuous state of compliance is elaborated further in our blog Continuous Now Part of the Standard of Due Care.
How Tenable can help
This falls perfectly in line with Tenable’s family of products and the services
This falls perfectly in line with Tenable’s family of products and the services we provide our customers. The recent release of SecurityCenter™ 5.1 has inventory, continuous network monitoring, and configuration assessment capabilities to cover all four of these controls. To learn more, visit the SecurityCenter Continous View page.
Changes in priorities
Another point of interest in the revised Controls is the lowering in priority of “Malware Defense” from number 5 to number 8, with “Controlled Use of Administrative Privileges,” “Maintenance, Monitoring, and Analysis of Audit Logs,” and “Email and Web Browser Protections” all being moved ahead of it. This speaks to the trend in IT security of not attempting to chase down a defense for every new malware that is created. Rather, assume that your organization has been compromised at some point, and prepare to identify, control, and respond to the breach. With that understanding, it’s an effective transition from the first four controls that speak to proper inventory of devices, software and their configuration within an environment.
Control 20 “Penetration Tests and Red Team Exercises” remains in the same position. However, the priority levels of Controls 9 through 19 have been modified from the last version of the Critical Security Controls.
The 20 Critical Security Controls
Here is a summary of the 20 Controls:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
- CSC 5: Controlled Use of Administrative Privileges
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
- CSC 20: Penetration Tests and Red Team Exercises
For more information
We invite you to read our whitepaper on leveraging these controls for your organization.
Visit the CIS web site to download a copy of the 20 controls.
Related Articles
Cybersecurity Snapshot: New Report Ranks Top Cloud Threats, while CISA Guide Helps Assess Security of Software Products
August 9, 2024The Cloud Security Alliance has released its list of top cloud threats for 2024. Plus, CISA and the FBI published a guide for determining if a software product was built ‘secure by design.’ Meanwhile, find out how AI can transform offensive security. And get the latest on the Royal ransomware gang, the CIS Benchmarks and TikTok’s legal troubles!
Cybersecurity Snapshot: U.K. Cyber Agency Urges Software Vendors To Boost Product Security, While U.S. Gov’t Wants Info on Banks’ AI Use
June 14, 2024Check out the NCSC’s call for software vendors to make their products more secure. Plus, why the Treasury Department is looking at how financial institutions are using AI. And the latest on the cybersecurity skills gap in the U.S. And much more!
Cybersecurity Snapshot: EPA Urges Water Plants To Boost Cybersecurity, as OpenSSF Launches Threat Intel Platform for Open Source Software
May 24, 2024Check out the EPA’s call for water plants to beef up their cyber defenses. Plus, open source developers have a new platform to share threat intelligence. Moreover, business email compromise attacks prompt alert from U.K.’s cyber agency. And CISA tackles DNS encryption best practices. And much more!
Cybersecurity Snapshot: Prompt Injection and Data Disclosure Top OWASP’s List of Cyber Risks for GenAI LLM Apps
November 22, 2024Don’t miss OWASP’s update to its “Top 10 Risks for LLMs” list. Plus, the ranking of the most harmful software weaknesses is out. Meanwhile, critical infrastructure orgs have a new framework for using AI securely. And get the latest on the BianLian ransomware gang and on the challenges of protecting water and transportation systems against cyberattacks.
Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps
November 21, 2024A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Five Cyber Agencies Sound Alarm About Active Directory Attacks: Beyond the Basics
November 21, 2024A landmark global report emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the second of our two-part series, we take you beyond the basics to highlight three key areas to focus on.
- Center for Internet Security (CIS)
- SANS
- Standards