The Center for Internet Security (CIS) Critical Security Controls is a list of security best practice guidelines that organizations have been utilizing since 2008. Formerly known to many as the “CIS Top 20,” this publication covers a wide variety of security practices that assist organizations in taking the preventative measures needed to limit risk against cyber-attacks. Last month, CIS released the latest version of their publication, v8, to address the rising concerns that organizations are facing in 2021 and beyond. This version consolidates the former 20 controls into 18 and includes focus on many modern practices such as work-from-home, cloud computing, and increased mobility. Let’s take a look at the first 6 controls and how nGuard can help you down the path to compliance. We will cover the remaining controls in a future security advisory.
Control 1: Inventory and Control of Enterprise Assets
It’s important to know where your company-owned assets are located. How can you actively secure your network if you don’t even know how many devices are connected to it? This practice lays out the controls that are needed to dynamically monitor assets and keep track of the devices that are connected to your network.
Control 2: Inventory and Control of Software Assets
Is your development team standing up new web servers? Is your IT team exposing management style applications to the internet for remote management? It’s important to keep track of these things. nGuard consistently finds management interfaces exposed to the internet that our customers didn’t know existed. Out of the box, these applications can be insecure. It is essential that you know what types of applications exist in your environment.
Control 3: Data Protection
Is customer data living on your company’s network shares forever? Is it encrypted? Does everyone at the company have access to it, or only the people who need it? Data retention can be a difficult thing to manage properly. Complying with this control will give your customers a peace of mind that their data is properly managed within your organization.
Control 4: Secure Configuration of Enterprise Assets and Software
Does your organization have a proper patch management program in place? Can you say for sure that default accounts aren’t enabled on your network equipment? This control will help you develop policy to ensure proper patches are applied and new devices are configured properly.
Control 5: Account Management
8-character passwords are likely not secure. Your employees are probably using similar passwords for their domain and email accounts. Are you confident that your employees won’t fall victim to a social engineering attack? Account management is one of the more important controls for securing access to sensitive data and assets.
Control 6: Access Control Management
When nGuard engineers perform internal penetration testing, they consistently gain access to what are believed to be “low-privilege” user accounts. It turns out that this account has local administrator privileges on the workstation which allows engineers to dump domain administrator credentials from memory and compromise the entire network. Is your organization conducting annual internal penetration testing to identify weaknesses that may lead an attacker to gain elevated privileges?
Whether you are forced to comply with these controls, or just want to elevate the security posture of your organization, nGuard offers a wide variety of services that will assist you along the way. Tactical assessments like Penetration Testing can point out the flaws that exist in your environments while strategical assessments like the Best Practice Strategic Security Assessment (SSA) can assist your organization in implementing the preventive controls needed to minimize risk. Additionally, nGuard specializes in policy development that can lead your organization down the path to compliance. Talk to an nGuard Account Executive today!