While the Internet facilitates almost unlimited opportunities for growth and development, it also harbors nefarious actors who seek to steal, ‘borrow,’ or destroy those assets. Since 2000, the digital wizards at the Center for Internet Security (CIS) have been developing the programming, standards, and practices to protect the values offered by Internet computing while detecting and defending against the bad actors who would abuse its resources for personal and criminal gain.
What is the Center for Internet Security (CIS)?
A non-profit launched in 2000, the agency is a unique amalgam of public-private interests working together to improve cybersecurity readiness and response. Using a crowdsourcing model and utilizing industry and global experts, the CIS develops recommendations for cybersecurity practices and procedures that are then validated through a consensus-driven decision-making process. Its stated mission is to “make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” In short, the CIS generates crowdsourced cyber defenses that build global trust and confidence in accessing cyberspace for corporate, governmental, and human gain.
Solving the “Fog of More”
The CIS agency designed its cybersecurity tools to address the primary concern faced by every organization that wants to remain secure while accessing the Internet: how to safely manage the overwhelming volume of complexities involved in today’s computing environments. Not only must every entity develop the digital environment most suited to achieve its ends, but it must also protect that environment from a continually evolving series of threats. And more options are always becoming available.
Add to that burden the ever-growing list of optional products and services that claim to be ‘the’ solution to every threat. It becomes impossible for any IT professional to know how to organize their systems to optimize both safety and productivity.
The CIS volunteers took on this challenge of the “Fog of More” and asked themselves: “How do we make sense of our digital needs and what we can do to meet them?” From this inquiry grew three sets of tools that perform the various functions underlying a comprehensive cybersecurity system: CIS Controls®, CIS Benchmarks®, and CIS Hardened Images®.
CIS Controls
The CIS designed its Controls to solve shared cybersecurity problems by sharing information resources. Noting that virtually every organization in the world faces the same cybersecurity threats every day, the CIS volunteers discerned what those were, based on known actual cyberattack methods and patterns. They then devised a set of 20 best practices that can be implemented by any entity to reduce or eliminate their vulnerability to those threats.
The 20 Controls are arranged into three categories:
- Basic Controls (Controls 1 – 6) which cover hard- and software assets, vulnerabilities, and monitoring practices.
- Foundational Controls (Controls 7 – 16) which cover services (email and web browsers), connectivities (networks, configurations), defenses, and data protections.
- Organizational Controls (Controls 17 – 20) which cover training, app security, incident responses, and testing.
CIS Benchmarks
The benchmarks offer best practice guidance for organizations to securely configure those systems that generate the most cybersecurity risks. The CIS benchmarks help entities clarify their ‘attack surface’ (vulnerabilities known to be exploitable) and then provide the guidance needed to minimize those risks.
Users can download the benchmarks in PDF format and manually implement the benchmark configurations, or they can become a CIS SecureSuite® member to access CIS automated tools for benchmark achievement.
The CIS benchmarks represent the globally recognized best practice standard for maintaining adequate, fluid cybersecurity practices. They cover the secure management of browsers, computers, mobile devices, security systems, servers, and even virtualized platforms.
CIS Hardened Images
These virtual machine images are configured to globally recognized CIS benchmark standards, so they are already CIS compliant as users access them. They are ‘hardened’ (rendered unchangeable) to limit the potential vulnerabilities that might otherwise allow unauthorized access, denial of service attacks, and other forms of cyber threat.
Using hardened images allows for consistency across platforms, especially those on the cloud that are accessible by any number of machines from any number of locations. Corporations with distributed workforces and resources rely on hardened images to ensure that employees access identical resources regardless of their purpose or location.
CIS Information Sharing & Analysis Centers (ISAC)
Using the CIS tools, these agencies gather, share, and analyze the actionable threat information most significant to today’s governments and industries. Sharing resources allows all connected entities to learn from the experiences of the others and share in the defensive and protective processes that evolve out of threat-involved incidents.
There are two ISACs:
The Multi-State Information Sharing & Analysis Center (MS-ISAC) is used by US state, local, tribal, and territorial governments to share information and data regarding threats, attacks, defenses, and protections. Numerous agencies access MS-ISAC resources, including the Department of Homeland Security, the FBI, and schools, utilities, airports, and transportation services from around the country.
The Elections Infrastructure ISAC monitors and supports all US elections agencies, detects election systems threats, and shares intelligence regarding incident responses, vulnerabilities, and monitoring activities.
CIS and Identity and Access Management
Cybersecurity from the CIS perspective follows the Pareto Principle: for the vast majority of activities, 80% of the consequences flow from 20% of the causes. Following this principle directs researchers to identify and protect against the 20% of causes that are common to 80% of the breaches. And many of the actions that comprise that 20% are related to inappropriate and unauthorized access to data. While all of the controls are relevant to identity and access management, Controls 4, 5, 12, 13, 14, 15, and 16 address those concerns directly.
Control 4: Controlled Use of Administrative Privileges
Administrative privileges allow access to broader aspects of the company’s systems, so inappropriate access to and use of those privileges is a common entry avenue for cybercriminals. In many cases, thieves use infected emails to access a single workstation that has no controls on its administration privileges. Once in, the criminal can then move through whatever resources are granted to it by those privileges. This Control recommends that administrative activities be confined to machines designated for that purpose.
Control 5: Secure Configuration for Hardware and Software
Default ‘security’ protections installed by OEMs rarely rise to the level of protection needed in today’s intense cybercrime universe. Many manufacturers include a broad spectrum of software capacities within their devices to make them as flexible as possible for their diverse user groups. However, unless the unnecessary software is intentionally removed, these programs also act as vulnerable portals for cyber thieves. Configuring all devices – laptops, mobiles, workstations, and servers – to a single, proprietary security standard eliminates the default OEM software as a threat.
Control 12: Boundary Defense
This Control anticipates that every corporation has a ‘perimeter’ of endpoints (servers, computers, devices, etc.) that routinely reach into the Internet for connections, resources, etc. Each of those Internet excursions opens the door to the criminal lurking on the other side. CIS recommends that automated Intrusion Prevention Systems monitor for and protect against inappropriate transmission across those endpoints, and that all authorized users use only two-factor authentication to gain entrance to company data.
Control 13: Data Protection
This control suggests processes to prevent inappropriate exfiltration of data, by inappropriate people or for inappropriate reasons. It recommends parsing information into classes requiring differing layers of protection, with your most critical corporate data – your company’s “Crown Jewels” – being the most important. Segregating this data away from less important information and in encrypted vaults reduces the opportunity for both internal and external criminals to access it even if they’ve infiltrated other areas of your databases and banks.
Control 14: Controlled Access Based on the Need to Know
Very few members of your team need to know everything all the time. Limiting their access to information that’s unnecessary to their work reduces their capacity to either use that information improperly or inadvertently share it with others. This Control recommends utilizing the data segmentation suggested in Control 13 to also control who gains access to which segments. Encryption of that data adds another layer of protection when authorized personnel access information from less trusted networks or resources.
Control 15: Wireless Access Control
There are distinct differences in activities protecting wired systems versus wireless systems. Today’s cybercriminals are masters at bypassing physical barriers and sliding through data vault doors through wireless connections captured in airports, subway trains, and other locations where people use their wireless devices to conduct company business. Advanced Encryption Standards can prevent these intrusions.
Control 16: Account Monitoring and Control
Another common entry point used by hackers is the inactive user account abandoned by a former employee or left behind in an obsolete file. Dormant files and their attached identities are especially challenging because the head office or IT security team doesn’t know of their presence. Routine scans to locate and disable dormant or unused accounts prevent intrusions through these inadvertent gaps.
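The routine scan for dormant or unused accounts described above can be run against any account inventory export. The following is an added example, not part of the original article or of any CIS or Sonrai tooling; the CSV layout, column names, sample rows and the 45-day idle limit are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (not real data): one row per account.
# An empty last_login means the account has never been used.
SAMPLE_INVENTORY = """\
user,enabled,is_admin,created,last_login
alice,true,false,2023-01-10,2024-05-28
bob,true,true,2021-03-02,2023-11-15
svc-backup,true,false,2022-07-19,
carol,false,false,2020-02-01,2022-01-05
dave,true,false,2024-05-20,
"""

def _day(text):
    """Parse YYYY-MM-DD as a UTC timestamp; return None for an empty field."""
    if not text:
        return None
    return datetime.strptime(text, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def find_dormant(inventory_csv, now, max_idle_days=45):
    """Return (user, reason, is_admin) for enabled accounts idle past the limit.

    max_idle_days is an assumed policy value; set it to your own standard.
    """
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled, so there is nothing left to log in with
        last_login = _day(row["last_login"].strip())
        created = _day(row["created"].strip())
        is_admin = row["is_admin"].strip().lower() == "true"
        if last_login is None:
            # Never used: only flag once the account is older than the limit,
            # so freshly provisioned accounts are not disabled prematurely.
            if created < cutoff:
                findings.append((row["user"], "never used", is_admin))
        elif last_login < cutoff:
            idle = (now - last_login).days
            findings.append((row["user"], f"idle {idle} days", is_admin))
    # Dormant administrative accounts first: they carry the most access.
    return sorted(findings, key=lambda f: (not f[2], f[0]))

if __name__ == "__main__":
    report_time = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, reason, is_admin in find_dormant(SAMPLE_INVENTORY, report_time):
        print(f"{user:12} {reason:16} {'ADMIN' if is_admin else ''}")
```

Listing dormant administrative accounts first ties the scan back to the concern about administrative privileges: an abandoned account with admin rights is the one to disable first.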
The CIS provides a framework giving any enterprise the opportunity to build into its environment the highest levels of organizational security protocols and practices. Sonrai Security can help your organization govern the controls to prevent nefarious identities from accessing your organization’s critical information.
Center for Internet Security is just the start
Since the dawn of the Internet, bad actors have been trying to steal, borrow, or destroy the valuable assets it offers. In response, the digital wizards at the Center for Internet Security (CIS) have been working hard to develop the programming, standards, and practices needed to protect those assets and act as a center for information security. CIS has a team of experts who work tirelessly to create security controls that can be used to defend against the constantly evolving threats posed by cybercriminals. In addition to developing security controls, CIS also provides guidance and training on how to implement them properly. As a result of CIS’s efforts, countless organizations have been able to keep their systems and data safe from harm. CIS is an important resource for anyone who wants to improve their cybersecurity.
The cloud has become an essential part of many businesses, but it has also introduced new security challenges as outlined by the Center for Internet Security. Organizations must now contend with a complex web of legacy tools and new solutions, which can make it difficult to keep track of all the identities in their cloud as well as all of the controls and regulations of their business. This complexity can directly impact an organization’s ability to scale securely. Many teams are struggling to find a single solution that will provide a comprehensive view of all the identities and data in their cloud, even with the information from CIS. So how can we help prevent incidents from slipping through the cracks at struggling organizations? Sonrai Security is dedicated to helping businesses find the right solution for their needs. We offer a wide range of services that can help organizations secure their cloud environments. Contact us today to learn more about how we can help you secure the cloud.