The 5 CIS controls you should implement first

The CIS Critical Security Controls list (formerly the SANS Top 20 controls) has been the gold standard for security defense advice. These are the tasks you should do first.


Most companies do not properly evaluate computer security risk and end up with controls misaligned with their biggest risks. It’s the subject of my Data-Driven Computer Security Defense book. A lot of security pros know this, which is why after many of my talks on risk management, I’ll be asked which controls to implement first from the SANS Top 20 Critical Controls list.

Most serious computer security professionals I know look forward to each SANS Top 20 update and the poster that comes with it. It contains very good computer security defense advice, but as with any action list, it’s impossible to perfectly do more than a few things at once. Following is advice on which controls to do first, but first let me provide a little history on the SANS list.

It’s now the CIS Controls

SANS turned over the Top 20 list to the Center for Internet Security (CIS) years ago, and it’s now called the CIS Critical Security Controls. The CIS is another highly respected, non-profit computer security organization that has been around for decades. They are probably best known for publishing their operating system best practice security recommendations and benchmarks. If you want an independent, non-governmental entity’s recommendations for securing Microsoft Windows, CIS is where you go.

Figure: The CIS Critical Security Controls (CIS Controls v7.1 matrix, July 2019; source: Center for Internet Security)

The SANS list starts with Tony Sager

That CIS picked up the SANS Top 20 list is not a huge surprise if you know its history. The list began with Tony Sager, CIS’s senior vice president and chief evangelist. Tony is probably most famous for his Fog of More lecture series, where he argues that information overload is one of the primary obstacles to better computer security.

Tony is a smart, thoughtful guy who spent 34 years working to improve computer security at the National Security Agency (NSA). Most people only think of the NSA as spies and spooks, but they are also tasked with protecting our nation by helping us build and implement better defenses. Tony was one of the primary people working toward that latter aim. He led one of the first “blue teams” within the NSA and eventually became the chief leader of the NSA’s Vulnerability Analysis and Operations programs.

“I’m probably one of the few NSA people who can say he spent his entire career in the defense side of the agency,” Tony tells me. “I got to see how systems failed more than anyone else. I was able to see what did and didn’t work in protecting computers, from both the side of what one country did to break into another country, how they did it, and what didn’t stop them.”

Tony says that the original list came from him and a few other people being stuck in a room one day and trying to figure out a small list. “We didn’t want a list that could solve every problem in the world.” They wanted to pick a handful of items that they each could agree would be their top recommendations to anyone who wanted to defend their computers and networks. By the end of one day, they came out with a short list, which eventually grew to be ten controls. They had it peer reviewed and Tony eventually sent his list to the Pentagon “as a friendly gesture,” as he put it.

He was surprised to see his list take off and gain credibility. Alan Paller of SANS, whom Tony knew because of SANS’s close work with the government, called and asked if SANS could take the list, teach it, and promote it. Tony was thrilled. Boy, did SANS take it and run with it. Over the years the Top 10 list turned into the Top 20. It became THE list serious computer security professionals would use to help protect their environments.

Eventually, SANS and Tony decided that the right thing to do with what had become de facto global security guidance was to turn it over to a non-profit. So, it went from the NSA to the Pentagon to SANS to CIS. After decades, Tony’s list is now kept by an organization that Tony is involved in, for safekeeping.

That’s a brief history of the Top 20 Controls, now back to which ones you should implement first.

The top five CIS Top 20 controls

The CIS Top 20 Controls should all be implemented. There isn’t one that should not be considered and implemented as soon as possible. They really are the bare minimum of what every computer security program should have. With that said, you have to start somewhere.

Here’s my top five list:

  • Implement a security awareness and training program
  • Continuous vulnerability management
  • Controlled use of administrative privileges
  • Maintenance, monitoring and analysis of audit logs
  • Incident response and management

Implement a security awareness and training program

Up to 90% of all malicious data breaches occur because of phishing and social engineering, according to the Verizon 2019 Data Breach Investigations Report. That alone makes this first control a no-brainer. As with many attack types, you can fight it using a combination of technical controls (e.g., firewalls, anti-malware, anti-spam, anti-phishing, content filtering) and training.

No matter what technical controls you use, some phishing will get through to the end user. That’s why it’s important that you teach all users how to recognize maliciousness and what to do once they see it. How you conduct your security awareness training is up to you, but the education should be done multiple times a year, probably more than once a quarter. Less frequent training doesn’t do much to help reduce the risk.

Continuous vulnerability management

Unpatched software is implicated in 20% to 40% of all successful data breaches, making it the second most frequent reason why organizations are successfully breached. Vulnerability management should definitely be your number two priority. It means not only scanning your environment for vulnerabilities and missing patches, but also automating as much of that patching as is possible.

What needs to be patched? Well, out of the 16,555 separate vulnerabilities announced last year, less than 2% were used to compromise an organization. Nearly all of those had exploit code that was in the wild, which is the best predictor of whether a software vulnerability will be used to attack an organization. If there isn’t an exploit listed in the public realm, assign the vulnerability lower criticality.

Second, we all know that the most-attacked client-side vulnerabilities are with browsers and browser add-ins, followed by operating system holes. On the server side, vulnerabilities are mostly related to web server software, databases and server management. Yes, other types of software can be attacked, but these categories are by far the most attacked types. Begin by aggressively patching these types of software programs and your computer security risk will drop dramatically.
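The prioritization argued for above, as an added example that is not code from the article: public exploit availability ranks first, then the most-attacked software categories, then CVSS as a tiebreaker. The scan findings and their SAMPLE-* ids are constructed for the example.

```python
"""Order a vulnerability scan by the article's patching priorities.
Added example; the findings below are constructed, not real scan output."""
from __future__ import annotations
from dataclasses import dataclass

# Categories the article names as the most attacked, most critical tier first:
# browsers and add-ins on the client side, then operating systems; web server,
# database and server-management software on the server side. Others rank last.
CATEGORY_RANK = {
    "browser": 0, "browser-addin": 0,
    "os": 1, "webserver": 1, "database": 1, "server-mgmt": 1,
}
OTHER_RANK = 2


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str              # placeholder identifiers, not real CVE numbers
    category: str
    cvss: float
    public_exploit: bool  # exploit code known to be circulating in the wild


def priority_key(f: Finding) -> tuple:
    """Public exploit dominates, then category tier, then higher CVSS first."""
    return (0 if f.public_exploit else 1,
            CATEGORY_RANK.get(f.category, OTHER_RANK),
            -f.cvss)


def patch_order(findings: list[Finding]) -> list[Finding]:
    """Full patch queue, most urgent first."""
    return sorted(findings, key=priority_key)


def first_wave(findings: list[Finding]) -> list[Finding]:
    """What to patch immediately: anything with a public exploit, in priority order."""
    return [f for f in patch_order(findings) if f.public_exploit]


# Constructed sample scan: note the high-CVSS finding with no public exploit
# in an uncommon category lands at the very bottom of the queue.
SAMPLE_FINDINGS = [
    Finding("ws01", "SAMPLE-0001", "other", 9.8, public_exploit=False),
    Finding("ws02", "SAMPLE-0002", "browser", 7.5, public_exploit=True),
    Finding("srv01", "SAMPLE-0003", "webserver", 8.1, public_exploit=True),
    Finding("srv02", "SAMPLE-0004", "database", 6.5, public_exploit=False),
    Finding("ws03", "SAMPLE-0005", "os", 9.0, public_exploit=True),
]

if __name__ == "__main__":
    for f in patch_order(SAMPLE_FINDINGS):
        print(f"{f.host:6} {f.cve} {f.category:12} cvss={f.cvss} exploit={f.public_exploit}")
```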

Controlled use of administrative privileges

Minimizing the number of admin accounts and strongly protecting the ones that remain is a wise thing to do. Most of the badness trying to break into your environment will look for elevated accounts as its first order of business after the initial exploitation, so it can do maximum damage. Every admin account you don’t have and don’t use on a regular basis is a roadblock for an attacker.

  • Minimize the number of members of any elevated group
  • Require that all elevated accounts use multi-factor authentication to log on
  • Require checking out of elevated credentials
  • Time-limit the checkout
  • Heavily log any such use and checkout

Want to stop the worst malicious abuses of your computers and network? Stop the bad guy from getting administrator and root.
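The check-out procedure in the list above, as an added example that is not code from the article: elevated credentials are handed out only after MFA, to one holder at a time, with a hard expiry and an audit record of every grant, denial and expiry. The four-hour limit, the account and user names, and the MFA flag (a stand-in for a real verifier) are assumptions.

```python
"""Time-limited check-out of elevated credentials with an audit trail.
Added example; names and the checkout window are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_CHECKOUT_SECONDS = 4 * 3600  # assumption: elevated access lapses after 4 hours


@dataclass
class Checkout:
    user: str
    account: str
    issued_at: int
    expires_at: int


@dataclass
class PrivilegedAccessBroker:
    """Tracks who currently holds each elevated account and logs every decision."""
    audit_log: list[str] = field(default_factory=list)
    active: dict[str, Checkout] = field(default_factory=dict)  # account -> holder

    def _log(self, now: int, event: str) -> None:
        self.audit_log.append(f"{now} {event}")

    def checkout(self, user: str, account: str, now: int,
                 mfa_verified: bool) -> Checkout | None:
        """Grant an elevated account only with MFA and only if nobody else holds it."""
        if not mfa_verified:
            self._log(now, f"DENY user={user} account={account} reason=no-mfa")
            return None
        self.expire(now)  # release anything whose window has already closed
        if account in self.active:
            self._log(now, f"DENY user={user} account={account} reason=already-checked-out")
            return None
        c = Checkout(user, account, now, now + MAX_CHECKOUT_SECONDS)
        self.active[account] = c
        self._log(now, f"CHECKOUT user={user} account={account} expires={c.expires_at}")
        return c

    def is_valid(self, account: str, now: int) -> bool:
        """True while the account is checked out and its window has not closed."""
        c = self.active.get(account)
        return c is not None and now < c.expires_at

    def expire(self, now: int) -> list[str]:
        """Revoke every checkout past its expiry and log each revocation."""
        expired = [a for a, c in self.active.items() if now >= c.expires_at]
        for a in expired:
            c = self.active.pop(a)
            self._log(now, f"EXPIRE user={c.user} account={a}")
        return expired
```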

Maintenance, monitoring and analysis of audit logs

The Verizon Data Breach Investigations Report concludes that evidence of malicious break-ins is in most security logs and that the resulting damage could have been minimized if the organizations analyzed their logs. I get it. Collecting and analyzing logs is not easy. It requires collecting hundreds of millions of events, most of which do not indicate maliciousness, and finding the critical needles in a haystack.

That’s why you need a top-notch event logging system that aggregates and analyzes your logs for you. A good security information and event management (SIEM) system should do all the hard work for you. All you need to do is respond to indicated suspicious events and tune and train the system to minimize false positives and false negatives.

Incident response and management

No matter what you do, badness will get by your defenses. There is no perfect defense, so plan to fail as gracefully as you can. This means developing effective incident response people, tools and processes. The better and quicker incident response investigation and remediation happens, the less damage badness can cause to your environment.

There are many other strong contenders for the top five controls you should be implementing (such as email and browser controls), but these are the ones I would put at the top of anyone’s list. A few controls don’t really help as much as many people think, such as network access control and password policy. Every minute that people spend on those two controls is time not spent on the bigger issues.

One last comment: The most common root exploit causes (social engineering and unpatched software) have been the most common types of attacks since computers were invented. The things we need to do to fight them haven’t changed much, either. We just need to focus on them and mitigate them until they are minor players.

Copyright © 2019 IDG Communications, Inc.
