Levi, Ray & Shoup, Inc.

Updating the Critical Security Controls

5/17/2018 by LRS IT Solutions

We recently co-sponsored a cybersecurity seminar for business leaders in our hometown of Springfield, Illinois.

LRS IT Solutions talked about the value of penetration testing and vulnerability assessment, while others presented on such topics as the legal ramifications of a data breach.

We also presented the updated list of 20 Security Controls from the Center for Internet Security (CIS). As we noted in our blog post a year ago, the original list was developed by the SANS Institute, which handed management of the controls to CIS.

The latest list is version 7.0, and it offers specific, actionable ways to stop today's most pervasive and dangerous attacks.

These controls have been used by organizations both large and small. By adopting these sets of controls, organizations can prevent the majority of attacks. A study of the previous release found that adopting just the first five controls can prevent 85 percent of attacks, and adopting all 20 controls can prevent upwards of 97 percent of attacks.

Basic CIS Controls

  1. Inventory and Control of Hardware Assets
  2. Controlled Use of Administrative Privileges
  3. Inventory and Control of Software Assets
  4. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
  5. Continuous Vulnerability Management
  6. Maintenance, Monitoring and Analysis of Audit Logs

Foundational CIS Controls

  1. Email and Web Browser Protections
  2. Boundary Defense
  3. Malware Defenses
  4. Data Protection
  5. Limitation and Control of Network Ports, Protocols, and Services
  6. Controlled Access Based on the Need to Know
  7. Data Recovery Capabilities
  8. Wireless Access Control
  9. Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
  10. Account Monitoring and Control

Organizational CIS Controls

  1. Implement a Security Awareness and Training Program
  2. Incident Response and Management
  3. Application Software Security
  4. Penetration Tests and Red Team Exercises

The list of the top 20 Critical Security Controls is a valuable road map and is available as a PDF from LRS IT Solutions. Each individual organization, however, must still determine which specific tools to leverage and how to implement each control.

This may be challenging for organizations going it alone, so enterprises should work with their security vendors, who can provide guidance and services to assist in building a secure foundation for cybersecurity.