CIS 20 overview and what not to miss

One of the more common mistakes that I see organizations make on digital security is ignoring free resources that can help their business level up. This is rarely intentional. Instead, teams simply don’t know about the resources they have available. Often, that’s because their leadership doesn’t know where to look for good information security guidelines. There’s nothing wrong with that. No one knows everything. Once an organization learns about high-quality security resources, they’re able to make positive changes to their organizational security posture.

One such resource is the Center for Internet Security. The CIS is an organization formed with the mission to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace.” Their free resources aid organizations in identifying places where their own security postures fall short.

One of the best of these is the CIS 20, a list of 20 security recommendations for businesses of all sizes. The CIS 20 are 20 recommendations surrounding organizational internet security, split into three sections. Those three sections are Basic CIS Controls, Foundational CIS Controls, and Organizational CIS Controls. We’ll take a look at each of these sections, and break down what they contain. We’ll also highlight an often-overlooked recommendation that can pay special dividends for organizations that adopt it.

How does the CIS work?

The CIS employs a unique recommendation model. Their recommendations come from crowd-sourcing. This means that leading security professionals working in the broader security community make suggestions about which recommendations the center should make. Then, security engineers from all over the world offer input into whether and how the CIS presents those recommendations. Once those engineers reach a consensus, the organization adopts the recommendation and presents it as a security best practice.

Because of this unique process, recommendations from the CIS can carry extra weight. They represent an agreement by security researchers the world over. The best of these recommendations make up the CIS 20.

Group 1: Basic CIS controls

First up are the Basic CIS controls. These comprise recommendations about general-purpose security controls and aren’t aimed at mitigating any specific threat. Instead, they’re intended to make sure that an organization is well-prepared for any threat that might come their way. Recommendations like continuous vulnerability management provide a broad base of protection against all threats. Similarly, controlled use of administrator privileges exists to make sure that attackers have a hard time controlling systems they access.

Implementing the Basic CIS controls will make every organization more secure. They’re simple, easy to implement changes, and once implemented the whole organization benefits.

Often overlooked: Inventory and control

Many organizations fail to take account of item #2, inventory and control of software assets. Especially as organizations grow larger and older, or start deploying with more agile and faster development cycles, they wind up with software and applications running in hidden corners that few people know about. These applications support some critical business function or internal process, but are almost always specialized.

New apps, even small ones, can also introduce vulnerabilities to the organization’s network. Sometimes this is because they’re forgotten, and no one updates them. Sometimes, it’s because the software needs to run on specific, outdated platforms to work as expected. Whatever the reason, these apps escape the notice of business leadership and dedicated security teams. They present an unknown risk for the company.

Effective inventory of software assets brings those hidden software and applications into the light. It ensures that business leadership and security teams know about everything the company has deployed. The organization can then mitigate or accept the risks that running these apps pose. In my experience, many organizations skip this step because it presents a real challenge. Organization leaders assume creating and maintaining the software inventory is time-consuming or impossible to maintain. Thankfully, new tools like Sqreen’s App Inventory simplify this process, both for collecting data and keeping it up to date.

Group 2: Foundational CIS controls

These controls are what most people picture when they think of information security. The foundational CIS controls are recommendations organizations should make to counter more specific technical threats. These include recommendations like up-to-date malware defenses or limiting network access.

While these controls address more specific technical threats, they’re still broad enough that they’re good advice for any organization. In my experience, these changes can also be difficult for organizations to implement. They’re terrific recommendations, but adding new security measures can often upset the apple cart. If your organization works without a firewall, for instance, adding one can be a shock to the system. That doesn’t mean that you shouldn’t adopt these controls. Instead, it means that you should make a positive case for how they help the business. I can say from experience that it’s much easier to build a quality security organization working collaboratively instead of antagonistically. Starting with incremental improvements — easy to implement tools and processes — can be a great way to get the ball rolling. 

Often overlooked: Account monitoring and control

Item #16, account monitoring and control, is one recommendation that’s rarely implemented well. Many organizations don’t overlook this so much as they find it politically difficult. As noted above, there are likely to be certain users in your organization who expect to do things a certain way. Often times, they’re senior members of the organization. When the team enacts new controls, they bristle at their decreased technical capacity. Not having access to key company accounts slows down their work, and they struggle with that kind of change.

As a security team, when you experience a user like this, it’s important to remain positive. I’ve found that a powerful way to overcome objections like these is to work with the user to understand what they’re trying to do. Many times, users upset over increased controls on things like user accounts don’t know there’s a more secure way to do their jobs. They’ll respond saying that some new change is “unacceptable.” But, once they’ve had a chance to talk things out, they realize that they can still do their job, just a little differently than before. This is a win for the company and the security team. The organization is more secure and the team is able to build relationship bridges into the organization, making future changes easier.

Group 3: Organizational CIS controls

These controls can be some of the most important to implement. They also operate at the highest level. Implementing controls in this tier, like a security awareness and training program, are key to building long-term security maturity in your company.

Controls on this tier feed into every other control on the list. In many organizations, they make sense to implement as the first set of changes. They help to improve the organization’s overall security posture in ways that mitigating against specific technical threats can’t. Having an incident response and management program doesn’t protect you from any threat, but it helps you recover from every threat.

Often overlooked: Application software security

Organizations often forego #18, application software security, in large part because it’s hard to do. This challenge is two-fold: you need to know what you have in order to protect it, and you have to be able to properly implement protections that successfully block attacks without causing false positives. Most businesses operate in a world where they need hundreds of different software packages. Effectively implementing this control means knowing the state of all that software. Engineers need to understand the latest software and security patch cycle for each item on the list. They also need a thorough inventory of every place that software runs. Finally, they need to be able to distribute those patches and document that it’s happened.

When they know what it is they want to protect, organizations then need to be able to easily deploy and manage solutions that can provide multiple layers of protection, without requiring heavy configuration and maintenance. 

If that’s a situation you find your organization in, Sqreen can help on both counts. 

The CIS 20 is a secure foundation

Even if your organization were to implement every control on the CIS 20, you can’t guarantee security. Real security work involves constant vigilance against new and existing threats. But the CIS 20 does create a real foundation for your company to build on. Even just taking a few minutes to read the list will give you ideas to improve your organization’s security posture. Because the recommendations come from a consensus of security professionals around the world, you know the advice is worthwhile. As a bonus, getting involved with the CIS is a great way to plug your company into the security community worldwide. Today is as good as any to start improving your security. 

---

Eric Boersma wrote this post. Eric is a software developer and development manager who’s done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he’s learned along the way, and he enjoys listening to and learning from others as well.