The latest version of the CIS Controls was released in June 2024. The new version, 8.1, introduces some minor updates via design principles. Context: new asset classes are updated to better match the specific parts of an enterprise’s infrastructure that each Safeguard applies to. New classes require new definitions, so CIS has also enhanced the descriptions of several Safeguards for greater detail, practicality, and clarity. Coexistence: CIS Controls has always maintained alignment with evolving industry standards and frameworks and will continue to do so. This assists all users of the Controls...
Since 2008, the CIS Controls have been through many iterations of refinement and improvement leading up to what we are presented with today in CIS Controls version 8.1. CIS Controls reflect the combined knowledge of experts from every part of the ecosystem (companies, governments, and individuals). The controls reflect consideration by people in many different roles, such as threat analysts, incident responders, solution providers, policy-makers, and more. This work is the collected wisdom from across many sectors that have banded together to create, adopt, and support the CIS Controls. Today...
Today, I will be going over Control 2 from version 8.1 of the top 18 CIS Controls – Inventory and Control of Software Assets. I will go over the seven safeguards and offer my thoughts on what I’ve found. Key takeaways for Control 2: Reusability. The tools that were mentioned in Control 1 will be used in Control 2 as well. Reusing tools that accomplish goals for both Controls 1 and 2 can help cut costs and will help you gain familiarity and knowledge of the extent of the tools’ capabilities. Establish a secure baseline. Establishing a baseline of installed software enables an organization to...
Key takeaways for Control 3: At the heart of a strong data management plan is awareness surrounding the ‘Five Ws’ of the enterprise’s data: What data does the enterprise store or handle? Who should have access to it? Where is it stored or accessed? When should it be deleted? Why does it need protection? A comprehensive data management plan incorporates the answers to these questions with policy decisions and incident response procedures. Knowing what data an enterprise produces or consumes, as well as being able to classify it based on sensitivity, are the keystones of such a plan...
Key takeaways for Control 4: Most fresh installs of operating systems or applications come with preconfigured settings that are usually insecure or not properly configured with security in mind. Use the leverage provided by multiple frameworks such as CIS Benchmarks or NIST NCP to find out if your organization needs to augment or adjust any baselines to become better aligned with the policies your organization is trying to adhere to. Throughout the CIS Controls, many controls will play off one another, or some may need data from previous controls to get a better understanding of what is secure...
In the early part of 2024, the Center for Internet Security (CIS) released the latest version of the well-respected Critical Security Controls (CSC). The new version, 8.1, adds contours to the prior versions, making it more comprehensive and timely in today’s challenging cybersecurity environment. The CIS CSC has been a valued source of guidance for many organizations since its initial release in 2008. However, its detail and depth make it somewhat intimidating for some organizations. The latest version contains 153 safeguards. In a recent webinar, I reviewed the new version and highlighted...
Knowing who has credentials, how those credentials are granted, and how they are being used is the foundation of any secure environment. It begins with user accounts and the credentials they use. Maintaining a thorough inventory of all accounts and verifying any changes to those accounts as authorized and intentional vs. unintended is paramount to establishing a secure environment, and this includes service accounts. Establishing and maintaining visibility on all accounts can protect assets in multiple ways. If an adversary is able to attack from a different vector that we do not have any...
CIS Control 6 merges some aspects of CIS Control 4 (admin privileges) and CIS Control 14 (access on a need-to-know basis) into a single access control management group. Access control management is a critical component in maintaining information and system security, restricting access to assets based on role and need. It is important to grant, refuse, and remove access in a standardized, timely, and repeatable way across an entire organization. Privileged accounts, such as administrators, should be protected with multi-factor authentication. Enforcing and maintaining access control policies...
When it comes to cybersecurity, vulnerability management is one of the older technologies that still plays a critical role in securing our assets. It is often overlooked, disregarded, or considered only for checkbox compliance needs, but a proper vulnerability management program can play a critical role in avoiding a series of data breaches. CIS Control 07 provides the minimum requirements and table stakes, if you will, for establishing a successful vulnerability management program. Key takeaways for Control 7: At the core of CIS Control 7 is a reliance on known standards, terms from...
Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner. Log collection and regular reviews are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logging may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection, storage, and standardization to better coordinate audit log reviews. Some industries have regulatory bodies that require the collection, retention, and review of...