CIS Updates the 20 Critical Security Controls

The Center for Internet Security (CIS) has come forward with their most recent set of information security controls. The previous edition of the Critical Security Controls listed 20 controls for an organization to implement to protect their networks. The most recent edition (CIS Critical Security Controls v6.0) keeps the same number of controls, but replaces one control and adjusts the priority of others. The data used to formulate these controls comes from private companies, and government entities within many sectors (power, defense finance, transportation and others). Experts from various organizations combined their knowledge to create this consensus of controls, and it is a great reference point for any organization looking to improve their information security posture.

It is a great reference point for any organization looking to improve their information security posture

The changes

The CIS web site states:

The new Controls include a new Control for “Email and Web Browser Protections,” a deleted Control on “Secure Network Engineering,” and a re-ordering to make “Controlled Use of Administration Privileges” higher in priority.

This makes sense, as the Secure Network Engineering Control could be interpreted to encompass multiple controls within the 20 Controls mentioned on their list. Removing it provides more room for elaboration in other areas, such as the newly added Email and Web Browser Protections control, and others already mentioned (Wireless Access Control, Malware Defenses, Boundary Defenses, etc.).

The top 4 controls

A particular point of interest is with the top four controls, as there has been no change in their order at all. CIS still identifies these four controls as their most important:

• Inventory of Authorized and Unauthorized Devices
• Inventory of Authorized and Unauthorized Software
• Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• Continuous Vulnerability Assessment and Remediation

Notably, the fourth bullet places emphasis on the term “Continuous” which is now a part of the standard of due care, also emphasized in NIST and PCI DSS frameworks to name a few. Additional information on compliance support for the shift to a more continuous state of compliance is elaborated further in our blog Continuous Now Part of the Standard of Due Care.

How Tenable can help

This falls perfectly in line with Tenable’s family of products and the services

This falls perfectly in line with Tenable’s family of products and the services we provide our customers. The recent release of SecurityCenter™ 5.1 has inventory, continuous network monitoring, and configuration assessment capabilities to cover all four of these controls. To learn more, visit the SecurityCenter Continous View page.

Changes in priorities

Another point of interest in the revised Controls is the lowering in priority of “Malware Defense” from number 5 to number 8, with “Controlled Use of Administrative Privileges,” “Maintenance, Monitoring, and Analysis of Audit Logs,” and “Email and Web Browser Protections” all being moved ahead of it. This speaks to the trend in IT security of not attempting to chase down a defense for every new malware that is created. Rather, assume that your organization has been compromised at some point, and prepare to identify, control, and respond to the breach. With that understanding, it’s an effective transition from the first four controls that speak to proper inventory of devices, software and their configuration within an environment.

Control 20 “Penetration Tests and Red Team Exercises” remains in the same position. However, the priority levels of Controls 9 through 19 have been modified from the last version of the Critical Security Controls.

The 20 Critical Security Controls

Here is a summary of the 20 Controls:

• CSC 1: Inventory of Authorized and Unauthorized Devices
• CSC 2: Inventory of Authorized and Unauthorized Software
• CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
• CSC 4: Continuous Vulnerability Assessment and Remediation
• CSC 5: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 10: Data Recovery Capability
• CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 15: Wireless Access Control
• CSC 16: Account Monitoring and Control
• CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
• CSC 18: Application Software Security
• CSC 19: Incident Response and Management
• CSC 20: Penetration Tests and Red Team Exercises

For more information

We invite you to read our whitepaper on leveraging these controls for your organization.

Visit the CIS web site to download a copy of the 20 controls.