
Center for Information Security (CIS) Offers Cybersecurity Solutions

Author: Pam Sornson, JD - Contributed Writer | Date: July 16, 2020
Read Time: 6 minutes
Skill Level: Learner

While the Internet facilitates almost unlimited opportunities for growth and development, it also harbors nefarious actors who seek to steal, 'borrow,' or destroy the assets built on it. Since 2000, the digital wizards at the Center for Internet Security (CIS) have been developing the programming, standards, and practices that protect the value offered by Internet computing while detecting and defending against the bad actors who would abuse its resources for personal and criminal gain.

What is the Center for Internet Security (CIS)?

A non-profit launched in 2000, the agency is a unique amalgam of public-private interests working together to improve cybersecurity readiness and response. Using a crowdsourcing model and utilizing industry and global experts, the CIS develops recommendations for cybersecurity practices and procedures that are then validated through a consensus-driven decision-making process. Its stated mission is to "make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats." In short, the CIS generates crowdsourced cyber defenses that build global trust and confidence in accessing cyberspace for corporate, governmental, and human gain.

Solving the "Fog of More"

The CIS agency designed its cybersecurity tools to address the primary concern faced by every organization that wants to remain secure while accessing the Internet: how to safely manage the overwhelming volume of complexity involved in today's computing environments. Not only must every entity develop the digital environment best suited to its ends, but it must also protect that environment from a continually evolving series of threats, while ever more options keep becoming available.

Add to that burden the ever-growing list of optional products and services that claim to be 'the' solution to every threat, and it becomes impossible for any IT professional to know how to organize their systems to optimize both safety and productivity.

The CIS volunteers took on this challenge of the "Fog of More" and asked themselves: "How do we make sense of our digital needs and what we can do to meet them?" From this inquiry grew three sets of tools that perform the various functions underlying a comprehensive cybersecurity system: CIS Controls®, CIS Benchmarks®, and CIS Hardened Images®. 

CIS Controls® 

The CIS designed its Controls to solve shared cybersecurity problems by sharing information resources. Noting that virtually every organization in the world faces the same cybersecurity threats every day, the CIS volunteers discerned what those were, based on known actual cyberattack methods and patterns. They then devised a set of 20 best practices that can be implemented by any entity to reduce or eliminate their vulnerability to those threats. 

The 20 Controls are arranged into three categories: 

  • Basic Controls (Controls 1 - 6) which cover hard- and software assets, vulnerabilities, and monitoring practices.
  • Foundational Controls (Controls 7 - 16) which cover services (email and web browsers), connectivities (networks, configurations), defenses, and data protections. 
  • Organizational Controls (Controls 17 - 20) which cover training, app security, incident responses, and testing. 

CIS Benchmarks® 

The benchmarks offer best practice guidance for organizations to securely configure the systems that generate the most cybersecurity risk. The CIS benchmarks help entities clarify their 'attack surface' (the exposed points an attacker could exploit) and then provide the guidance needed to minimize those risks.

Users can download the benchmarks in PDF format and manually implement the benchmark configurations, or they can become a CIS SecureSuite® member to access CIS automated tools for benchmark achievement.

The CIS benchmarks represent the globally recognized best practice standard for maintaining adequate, fluid cybersecurity practices. They cover the secure management of browsers, computers, mobile devices, security systems, servers, and even virtualized platforms. 

CIS Hardened Images® 

These virtual machine images are configured to globally recognized CIS benchmark standards, so they are already CIS compliant when users access them. They are 'hardened' (stripped of unnecessary components and locked to secure settings) to limit the potential vulnerabilities that might otherwise allow unauthorized access, denial of service attacks, and other forms of cyber threat.

Using hardened images allows for consistency across platforms, especially those on the cloud that are accessible by any number of machines from any number of locations. Corporations with distributed workforces and resources rely on hardened images to ensure that employees access identical resources regardless of their purpose or location.   

CIS Information Sharing & Analysis Centers (ISAC)

Using the CIS tools, these agencies gather, share, and analyze the actionable threat information most significant to today's governments and industries. Sharing resources allows all connected entities to learn from the experiences of the others and share in the defensive and protective processes that evolve out of threat-involved incidents. 

There are two ISACs:

  • Multi-State Information Sharing & Analysis Center (MS-ISAC), which is used by US state, local, tribal, and territorial governments to share information and data regarding threats, attacks, defenses, and protections. Numerous agencies access MS-ISAC resources, including the Department of Homeland Security, the FBI, and schools, utilities, airports, and transportation services from around the country.
  • Elections Infrastructure ISAC (EI-ISAC), which monitors and supports all US elections agencies, detects election systems threats, and shares intelligence regarding incident responses, vulnerabilities, and monitoring activities.

CIS and Identity and Access Management 

Cybersecurity from the CIS perspective follows the Pareto Principle: for the vast majority of activities, 80% of the consequences flow from 20% of the causes. Following this principle directs researchers to identify and protect against the 20% of causes that are common to 80% of the breaches. And many of the actions that comprise that 20% are related to inappropriate and unauthorized access to data. While all of the controls are relevant to identity and access management, Controls 4, 5, 12, 13, 14, 15, and 16 address those concerns directly. 

Control 4: Controlled Use of Administrative Privileges

Administrative privileges allow access to broader aspects of the company's systems, so inappropriate access to and use of those privileges is a common entry avenue for cybercriminals. In many cases, thieves use infected emails to access a single workstation that has no controls on its administrative privileges. Once in, the criminal can then move through whatever resources those privileges grant. This Control recommends that administrative activities be confined to machines dedicated to that purpose.

Control 5: Secure Configuration for Hardware and Software

Default 'security' protections installed by OEMs rarely rise to the level of protection needed in today's intense cybercrime universe. Many manufacturers include a broad spectrum of software capabilities within their devices to make them as flexible as possible for their diverse user groups. Unless that unnecessary software is deliberately removed, those programs also act as vulnerable portals for cyber thieves. Configuring all devices - laptops, mobiles, workstations, and servers - to a single, company-defined security standard eliminates the default OEM software as a threat.

Control 12: Boundary Defense

This Control anticipates that every corporation has a 'perimeter' of endpoints (servers, computers, devices, etc.) that routinely reach into the Internet for connections, resources, etc. Each of those Internet excursions opens the door to the criminal lurking on the other side. CIS recommends that automated Intrusion Prevention Systems monitor for and protect against inappropriate transmission across those endpoints, and that all authorized users use only two-factor authentication to gain entrance to company data. 

Control 13: Data Protection

This Control suggests processes to prevent inappropriate exfiltration of data, by inappropriate people or for inappropriate reasons. It recommends classifying information into tiers requiring differing layers of protection, with your most critical corporate data - your company's "Crown Jewels" - being the most important. Segregating this data from less important information, in encrypted vaults, reduces the opportunity for both internal and external criminals to access it even if they've infiltrated other areas of your databases and data stores.

Control 14: Access Based on the Need to Know

Very few members of your team need to know everything all the time. Limiting their access to information that's unnecessary to their work reduces their capacity to either use that information improperly or inadvertently share it with others. This Control recommends utilizing the data segmentation suggested in Control 13 to also control who gains access to which segments. Encryption of that data adds another layer of protection when authorized personnel access information from less trusted networks or resources. 

Control 15: Wireless Access Control

There are distinct differences between the activities that protect wired systems and those that protect wireless systems. Today's cybercriminals are masters at bypassing physical barriers and sliding through data vault doors via wireless connections captured in airports, subway trains, and other locations where people use their wireless devices to conduct company business. Advanced Encryption Standard (AES) encryption on wireless networks can prevent these intrusions.

Control 16: Account Monitoring and Control

Another common entry point used by hackers is the inactive user account abandoned by a former employee or left behind in an obsolete file. Dormant files and their attached identities are especially challenging because the head office or IT security team doesn't know they exist. Routine scans to locate and disable dormant or unused accounts prevent intrusions through these inadvertent gaps.
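One way to run such a scan, as an added example that is not from the original post or from CIS: a Python audit over an AWS IAM credential report that flags users whose enabled credentials (console password, active access keys) have all been idle longer than a chosen window. The column names follow the credential-report layout; the users, timestamps, and the 90-day window are constructed assumptions for the demonstration.

```python
import csv
import io
from datetime import datetime, timedelta

MAX_IDLE_DAYS = 90
# Placeholders the credential report uses when no timestamp exists.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Constructed sample (subset of credential-report columns, fictitious users).
SAMPLE_REPORT = """\
user,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,2019-01-05T10:00:00+00:00,not_supported,2020-06-30T08:00:00+00:00,false,N/A,false,N/A
alice,2019-03-01T09:00:00+00:00,true,2020-07-10T14:22:00+00:00,true,2020-07-12T01:00:00+00:00,false,N/A
bob,2019-03-01T09:00:00+00:00,true,2020-01-15T11:05:00+00:00,false,N/A,false,N/A
svc-legacy,2020-01-20T09:00:00+00:00,false,N/A,true,N/A,false,N/A
carol,2020-07-01T09:00:00+00:00,true,no_information,false,N/A,false,N/A
"""

def _parse(ts):
    # None stands for "no usable timestamp" (never used, or not applicable).
    return None if ts in NO_DATE else datetime.fromisoformat(ts)

def find_dormant_users(report_csv, now, max_idle_days=MAX_IDLE_DAYS):
    """Map user -> last activity for users whose enabled credentials are all
    idle; a never-used credential counts from the user's creation time."""
    cutoff = now - timedelta(days=max_idle_days)
    dormant = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is not an IAM user; it needs its own review
        created = _parse(row["user_creation_time"])
        activity = []
        if row["password_enabled"] == "true":
            activity.append(_parse(row["password_last_used"]) or created)
        for key in ("access_key_1", "access_key_2"):
            if row[key + "_active"] == "true":
                activity.append(_parse(row[key + "_last_used_date"]) or created)
        # No enabled credentials at all means there is nothing to disable.
        if activity and max(activity) < cutoff:
            dormant[row["user"]] = max(activity)
    return dormant

def audit(report_csv=SAMPLE_REPORT, now_iso="2020-07-16T00:00:00+00:00",
          max_idle_days=MAX_IDLE_DAYS):
    """Sorted user names to disable, for a given report and audit date."""
    now = datetime.fromisoformat(now_iso)
    return sorted(find_dormant_users(report_csv, now, max_idle_days))

if __name__ == "__main__":
    print("disable dormant users:", ", ".join(audit()))
```

Note that `svc-legacy` is flagged even though it has never been used: an active key that was issued months ago and never exercised is exactly the kind of forgotten identity Control 16 targets.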

The CIS provides a framework that gives any enterprise the opportunity to build the highest levels of organizational security protocols and practices into its environment. Sonrai Security can help your organization govern the controls to prevent nefarious identities from accessing your organization's critical information.
