Building Cyber Resilience with the CIS Controls
In today’s rapidly evolving cyber threat landscape, it’s not enough to simply protect your systems.
Organisations must ensure that they are resilient—capable of withstanding, responding to, and recovering from cyberattacks. The key to achieving cyber resilience is not just prevention but also the ability to continue operating despite disruptions.
One of the most effective frameworks for building cyber resilience is the CIS (Center for Internet Security) Controls, mentioned by Campbell McKenzie, a forensic technology expert and cyber security consultant at Incident Response Solutions in our latest Cybersecurity Series.
These best practices provide a comprehensive, actionable approach to securing systems, detecting threats, responding to incidents, and ensuring recovery. In this blog, we’ll explore each of the CIS 18 Controls and how they contribute to a resilient cybersecurity strategy.
What are the CIS Controls?
The CIS Controls are a set of 18 prioritised cybersecurity actions designed to help organisations protect their assets from the most common and impactful cyber threats. These controls are a framework of best practices that aim to improve an organisation's defence against cyberattacks and to establish effective processes for detection, response, and recovery.
The CIS Controls are divided into three categories:
- Basic Cyber Hygiene: Foundational practices that should be adopted by every organisation to secure their environment.
- Foundational Controls: Steps to build on the basic controls and improve overall cybersecurity capabilities.
- Organisational Controls: Advanced practices for organisations to implement to further enhance their cyber resilience.
Building Cyber Resilience with the CIS Controls
Let’s walk through each of the CIS Controls and examine how they contribute to a robust and resilient cybersecurity framework.
1. Inventory and Control of enterprise Assets
To protect an organisation's infrastructure, it's vital to keep a detailed inventory of all assets—physical, virtual, remote, or cloud-based. This allows organisations to monitor and manage every network-connected device, quickly identifying unauthorised or rogue assets. The goal is to ensure only authorised assets access the network, reducing the attack surface and preventing unauthorised access.
Key Actions:
- Automated discovery tools to detect and inventory all connected devices, both hardware and virtual, within the enterprise.
- Continuous monitoring to ensure that all devices remain compliant and any changes to the inventory are immediately flagged.
- Asset classification to group devices based on their risk profile, criticality, or sensitivity of the data they access.
- Regular audits to ensure proper decommissioning of devices and to identify potential unauthorised assets.
2. Inventory and Control of Software Assets
To reduce software vulnerabilities, organisations must inventory, track, and manage all software, including operating systems, applications, and third-party software. Ensure only authorised, secure software is installed to prevent unauthorised, malicious, or vulnerable software. Maintain vigilance to detect and block unauthorised software on enterprise devices.
Key Actions:
- Software whitelisting to allow only authorised applications to run and prevent the installation of unauthorised software.
- Regular updates and patches to ensure software remains secure and vulnerabilities are mitigated.
- Automated software inventory tools to track software versions, compliance, and licensing.
- Audits and monitoring to identify any unauthorised software installations or changes in the environment.
3. Data Protection
Organisations must adopt innovative data protection by establishing reliable processes and advanced controls. This ensures data is identified, classified, stored, and securely disposed of.
Focus on protecting data at rest and in transit, shielding sensitive information from unauthorised access. Effective strategies ensure compliance with privacy regulations and secure data disposal when no longer needed.
Key Actions:
- Data classification to determine the sensitivity of information and apply appropriate protection measures.
- Encryption of sensitive data both at rest and in transit to prevent unauthorised access.
- Data retention and disposal policies to ensure data is securely handled throughout its lifecycle and safely destroyed when no longer needed.
- Access control mechanisms to limit who can view, modify, or handle sensitive data.
4. Secure Configuration for Enterprise Assets and Software
This control highlights the need for secure configurations across enterprise assets and software to reduce vulnerabilities and prevent exploitation. By regularly updating configurations for hardware (like network devices and servers) and software (such as operating systems and applications), you can protect against threats. This involves following security best practices, disabling unnecessary services, and configuring devices to limit access.
Key Actions:
- Baseline configuration standards that adhere to security best practices (e.g., CIS benchmarks) for all enterprise systems.
- Regular audits to ensure that configurations remain secure and that deviations are remediated.
- Automated configuration management to ensure consistent application of security settings across systems.
- Patch management to keep configurations updated and address newly discovered vulnerabilities.
5. Account Management
Effective account management is key to protecting user credentials, including administrative and service accounts. This involves using processes and tools to assign, manage, and revoke access to enterprise assets and software, ensuring only authorised personnel have access to sensitive systems, and promptly revoking access when it's no longer needed.
Key Actions:
- Automated account provisioning to ensure that user access is appropriate based on their role.
- Role-based access control (RBAC) to assign access rights based on the principle of least privilege.
- Periodic review of account access permissions to ensure they are up to date and aligned with current job responsibilities.
- Account deactivation when employees leave or when their access is no longer required.
6. Access Control Management
Access control safeguards enterprise systems and sensitive data by allowing only authorised access. It involves creating, managing, and revoking user credentials and privileges, adhering to the principle of least privilege. Regular access reviews ensure no unauthorised accounts or privileges persist, maintaining security.
Key Actions:
- Multi-factor authentication (MFA) for all sensitive systems to strengthen the verification of user identities.
- Access control policies to manage permissions based on job roles and responsibilities.
- Automated tools for provisioning, modifying, and revoking access rights in a timely manner.
- Periodic access reviews to ensure that users’ access privileges remain appropriate.
7. Continuous Vulnerability Management
To safeguard against potential threats, organisations need to implement robust processes that consistently identify, evaluate, and address vulnerabilities throughout their infrastructure. This proactive approach requires vigilant monitoring of the security landscape to detect new vulnerabilities and ensure that any identified weaknesses are swiftly resolved, thereby reducing exposure and enhancing overall security.
Key Actions:
- Vulnerability scanning on a regular basis to identify and assess risks in the environment.
- Patch management to ensure timely remediation of vulnerabilities.
- Prioritisation of vulnerabilities based on risk to reduce exposure from critical issues.
- Incident tracking to ensure remediation efforts are properly tracked and validated.
8. Audit Log Management
Audit logs are vital for pinpointing and managing security incidents. This control ensures logs are collected, reviewed, and retained securely to detect unusual activities or breaches. Logs must be protected from tampering and kept long enough for investigations and compliance.
Key Actions:
- Centralised log collection to ensure logs are easily accessible and stored securely.
- Automated log analysis to detect and alert on suspicious activity or anomalies.
- Log retention policies to ensure logs are kept for the required period based on business or regulatory needs.
- Incident response procedures that include reviewing logs for forensics and recovery.
9. Email and Web Browser Protections
Email and web browsers are main channels for malware and phishing attacks, so this control enhances defences. It deploys technical safeguards to block harmful content and provides user training to recognise threats.
Key Actions:
- Email filtering solutions to block malicious attachments and links.
- Web filtering tools to prevent users from visiting malicious or suspicious websites.
- Browser security settings to minimise vulnerabilities, such as disabling unneeded plug-ins or enforcing HTTPS.
- User training and awareness to recognise phishing emails, malicious links, and other social engineering tactics.
10. Malware Defences
This control is dedicated to safeguarding the enterprise environment by preventing the installation and execution of malicious software. It involves implementing robust preventive measures, diligently monitoring systems for any signs of malware activity, and ensuring swift remediation should an infection occur.
Key Actions:
- Anti-malware software deployed on all endpoints and network devices.
- Automated malware detection and remediation to identify and remove threats.
- Behavioural analysis tools to detect and block suspicious or malicious activity.
- Network segmentation to limit the spread of malware in case of an infection.
11. Data Recovery
Data recovery is crucial for business continuity, allowing quick restoration of essential data and systems after data loss or corruption. It highlights the need for a solid backup and recovery plan to withstand threats like ransomware, natural disasters, or hardware failures.
Key Actions:
- Regular data backups for all critical systems and data.
- Offsite and cloud backups for enhanced security and redundancy.
- Disaster recovery planning to ensure timely and effective restoration of operations.
- Testing of recovery processes to ensure that data can be reliably restored.
12. Network Infrastructure Management
This control guarantees that network devices—like routers, firewalls, and switches—are managed and monitored with precision, safeguarding against potential threats and vulnerabilities in network services or access points.
By taking a proactive approach to device management, organisations can significantly reduce the risk of unauthorised access and maintain a robust and resilient network infrastructure.
Key Actions:
- Regular audits and configuration reviews to ensure devices are configured securely.
- Network segmentation to limit lateral movement by attackers.
- Real-time monitoring for suspicious or unauthorised network activity.
- Patch management to ensure that network devices are updated with the latest security fixes.
13. Network Monitoring and Defence
Implementing this control means utilising advanced monitoring tools and defence mechanisms to proactively detect and neutralise security threats throughout the enterprise network. It underscores the importance of maintaining continuous visibility into network activities, enabling swift identification of potential attacks and ensuring a prompt, effective response.
Key Actions:
- Intrusion detection systems (IDS) to monitor network traffic for signs of malicious activity.
- Firewalls and network segmentation to limit access to sensitive data and systems.
- Real-time traffic analysis to identify anomalies that may indicate an attack.
- Incident response protocols to ensure a swift response to detected threats.
14. Security Awareness and Skills Training
To minimise human error, a key contributor to numerous cybersecurity incidents, this initiative is dedicated to cultivating a robust culture of security awareness across the organisation. It underscores the importance of continuous training, empowering employees to comprehend security risks, identify threats, and respond effectively with confidence.
Key Actions:
- Security awareness programs to train employees on best practices and how to identify threats like phishing.
- Regular training sessions to keep employees up to date on the latest cybersecurity trends.
- Simulated phishing campaigns to test employee awareness and reinforce training.
- Security champions within departments to advocate for security best practices.
15. Service Provider Management
In today's dynamic business landscape, organisations depend on third-party service providers for a range of essential services, such as cloud hosting, data management, and software solutions. Organisations focus is on ensuring these providers uphold the highest standards of security for the data and IT platforms they manage.
Through regular assessments and thorough evaluations of their security practices, we confidently ensure that they maintain robust and appropriate security measures, safeguarding your business with trust and innovation.
Key Actions:
- Vendor risk assessments to evaluate the security posture of third-party providers.
- Contractual agreements that enforce security requirements and data protection standards.
- Ongoing monitoring of service providers to ensure compliance with security policies.
- Incident response planning that includes third-party service providers in case of a security breach.
16. Application Software Security
This control guarantees that the security of in-house developed, hosted, or acquired software is meticulously managed throughout its entire lifecycle. It emphasises the proactive identification, resolution, and remediation of security vulnerabilities within software applications, safeguarding the organisation from potential exploits.
Key Actions:
- Secure software development practices to ensure that applications are built with security in mind.
- Regular code reviews and security testing to identify vulnerabilities before deployment.
- Patch management for third-party and open-source software components.
- Security-focused deployment practices to ensure secure configuration of software.
17. Incident Response Management
Building a robust incident response capability is essential for organisations to swiftly and effectively tackle security incidents. This strategic approach emphasises the importance of preparation by developing and upholding comprehensive policies, procedures, and training. This ensures that an organisation is well-equipped to detect, respond to, and recover from security breaches with confidence and precision.
Key Actions:
- Incident response plans that define roles, responsibilities, and steps to take during a security event.
- Tabletop exercises and simulations to test the response plans and readiness of the team.
- Clear communication protocols to ensure coordination during a security incident.
- Post-incident reviews to identify lessons learned and improve future responses.
18. Penetration Testing
Penetration testing is a strategic approach that simulates real-world cyber-attacks on enterprise systems, meticulously assessing their resilience and effectiveness in thwarting potential threats. This proactive measure is designed to pinpoint vulnerabilities in systems, applications, or processes, ensuring they are fortified before adversaries can exploit them.
Key Actions:
- Regular penetration testing to evaluate the security posture of enterprise assets.
- Red teaming to simulate realistic attack scenarios.
- Vulnerability assessments to identify potential entry points or weaknesses.
- Remediation of findings to strengthen defences based on test results.
Conclusion
Cyber resilience is not just about defence—it's about being prepared to respond, recover, and continue operations no matter what happens. By implementing the CIS Controls, organisations can build a comprehensive cybersecurity framework that prioritises prevention while also focusing on detection, response, and recovery.
The CIS Controls guide organisations through the foundational steps necessary for securing their networks, detecting and mitigating threats, and recovering quickly when an incident occurs. With these controls in place, your organisation can not only survive but thrive in an increasingly hostile cyber landscape. Cyber resilience is a journey, and the CIS Controls provide a clear roadmap to a more secure, resilient future.
At Sharp, we understand the importance of cybersecurity in today's interconnected world. That's why we strive to provide not only innovative products and solutions but also guidance and support to help our valued customers navigate the challenges of cybersecurity. Our Endpoint Security solutions secure and safeguard your critical business data, protecting end-user devices from printers, laptops and displays, wherever they are.
Check out our latest cybersecurity series with Campbell McKenzie from Incident Response Solutions and improve your organisations cyber resilience.
Find out more about Incident Response Solutions here: https://incidentresponse.co.nz/
Contact us today and allow us to assist you in strengthening your defences and safeguarding both your valuable data and your customers' sensitive information.