
Tenable Blog


CIS Updates the 20 Critical Security Controls

The Center for Internet Security (CIS) has published its most recent set of information security controls. The previous edition of the Critical Security Controls listed 20 controls for an organization to implement to protect its networks. The most recent edition (CIS Critical Security Controls v6.0) keeps the same number of controls, but replaces one control and adjusts the priority of others. The data used to formulate these controls comes from private companies and government entities across many sectors (power, defense, finance, transportation and others). Experts from various organizations combined their knowledge to create this consensus of controls, and it is a great reference point for any organization looking to improve its information security posture.


The changes

The CIS web site states:

The new Controls include a new Control for “Email and Web Browser Protections,” a deleted Control on “Secure Network Engineering,” and a re-ordering to make “Controlled Use of Administration Privileges” higher in priority.

This makes sense, as the Secure Network Engineering Control could be interpreted to encompass multiple controls within the 20 Controls mentioned on their list. Removing it provides more room for elaboration in other areas, such as the newly added Email and Web Browser Protections control, and others already mentioned (Wireless Access Control, Malware Defenses, Boundary Defenses, etc.).

The top 4 controls

A particular point of interest is with the top four controls, as there has been no change in their order at all. CIS still identifies these four controls as their most important:

  • Inventory of Authorized and Unauthorized Devices
  • Inventory of Authorized and Unauthorized Software
  • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • Continuous Vulnerability Assessment and Remediation

Notably, the fourth bullet places emphasis on the term “Continuous,” which is now part of the standard of due care and is also emphasized in the NIST and PCI DSS frameworks, to name a few. Additional information on compliance support for the shift to a more continuous state of compliance is elaborated further in our blog Continuous Now Part of the Standard of Due Care.

How Tenable can help


This falls perfectly in line with Tenable’s family of products and the services we provide our customers. The recent release of SecurityCenter™ 5.1 has inventory, continuous network monitoring, and configuration assessment capabilities to cover all four of these controls. To learn more, visit the SecurityCenter Continuous View page.

Changes in priorities

Another point of interest in the revised Controls is the lowering of “Malware Defense” in priority from number 5 to number 8, with “Controlled Use of Administrative Privileges,” “Maintenance, Monitoring, and Analysis of Audit Logs,” and “Email and Web Browser Protections” all being moved ahead of it. This speaks to the trend in IT security of not attempting to chase down a defense for every new piece of malware that is created. Rather, assume that your organization has been compromised at some point, and prepare to identify, contain, and respond to the breach. With that understanding, it’s an effective transition from the first four controls, which speak to proper inventory of devices, software and their configuration within an environment.

Control 20 “Penetration Tests and Red Team Exercises” remains in the same position. However, the priority levels of Controls 9 through 19 have been modified from the last version of the Critical Security Controls.

The 20 Critical Security Controls

Here is a summary of the 20 Controls:

  • CSC 1: Inventory of Authorized and Unauthorized Devices
  • CSC 2: Inventory of Authorized and Unauthorized Software
  • CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  • CSC 4: Continuous Vulnerability Assessment and Remediation
  • CSC 5: Controlled Use of Administrative Privileges
  • CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
  • CSC 7: Email and Web Browser Protections
  • CSC 8: Malware Defenses
  • CSC 9: Limitation and Control of Network Ports, Protocols, and Services
  • CSC 10: Data Recovery Capability
  • CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  • CSC 12: Boundary Defense
  • CSC 13: Data Protection
  • CSC 14: Controlled Access Based on the Need to Know
  • CSC 15: Wireless Access Control
  • CSC 16: Account Monitoring and Control
  • CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
  • CSC 18: Application Software Security
  • CSC 19: Incident Response and Management
  • CSC 20: Penetration Tests and Red Team Exercises

For more information

We invite you to read our whitepaper on leveraging these controls for your organization.

Visit the CIS web site to download a copy of the 20 controls.
