Get The CIS Controls Guide 1717988322
Pax8 and CIS Controls
Introduction
The threat of cyberattack should not be taken lightly. Every year, more and more businesses experience cyberattacks, with estimates suggesting cybercrime will cost the world $10.5 trillion in damages by 2025. That’s why there will be increased pressure on businesses to implement an effective security framework, as regulation and compliance becomes a major focus of the IT world.
A security framework is a combination of tools, policies, people and documentation – defining policies and
procedures for establishing and maintaining a set of security controls. Implementing CIS Controls endorsed by
PCI, HIPAA, NIST, and cyber insurance agencies, can keep your organization compliant and insulated from cyber
threats. This will also set you up for future success as compliance measures continue to expand. Between supply
chain attacks, compliance and regulatory concerns, and subrogation from insurers, it is vital that you create a
defensibility posture for your business.
The most popular of all security and compliance frameworks, having been implemented by 18% of top MSPs,
the CIS Controls framework is built to protect any business.
This document presents a high-level overview of all 18 controls, tips on how to implement them within your
business, and what Pax8 software solutions will help you with implementation. It’s a useful reference guide in
your journey toward a strong security framework. And as always, you can reach out to your channel account
manager or sales rep for more details.
Control Overview
Control 1 keeps track of your assets so you can manage them properly. Inventory should be reviewed and updated on a regular basis, with counts compared against one another to establish a “true” count. It’s important to identify all organizational assets connected to your infrastructure physically, virtually, and remotely. That way, you’ll understand the scope of what needs to be monitored and protected. Without keeping a proper record, you’re vulnerable to insider threats, loss risk, and external attackers scanning for unprotected assets.
How To Implement It
Implementing this CIS Control requires both technical and procedural actions to create a process that accounts for and manages the inventory of all company assets and critical data. Maintaining an accurate view of organizational assets can be a challenging process because there is rarely a single definable answer. To have a high-confidence asset count, assets should be scanned and assessed using a variety of safeguards, with counts compared against one another to establish a “true” count.

You should implement a process that uses both active and passive asset discovery tools to search for and address unauthorized assets. Unauthorized assets should be removed from the network, denied from connecting remotely, or quarantined. The active tool should be executed daily (or more frequently), and the passive tool should be used to update the asset inventory at least weekly.

You can also use Dynamic Host Configuration Protocol (DHCP) logging or IP address management tools as additional resources to update the asset inventory.
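The reconciliation described above, as an added example that is not part of the original guide: it merges an authorized inventory with constructed active-scan, passive-discovery and DHCP lease data, compares the per-source counts to establish a “true” count, flags unauthorized and unseen assets, and reports discovery runs that are overdue against the daily/weekly cadence. All MACs, hostnames and timestamps are sample values, and the one-line lease format is an assumption made for the example.

```python
"""Reconcile the authorized asset inventory against discovery sources (CIS Control 1).
All inventory, scan and lease data below is constructed for this example."""
import re
from datetime import datetime, timedelta

# Authorized inventory kept by the organization, keyed by MAC address, the one
# identifier every discovery source below reports.
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"hostname": "fs01", "owner": "IT"},
    "aa:bb:cc:00:00:02": {"hostname": "wks-jdoe", "owner": "Finance"},
    "aa:bb:cc:00:00:03": {"hostname": "printer-2f", "owner": "Facilities"},
}

# Active-scan output (run daily): MAC -> IP that answered during the sweep.
ACTIVE_SCAN = {
    "aa:bb:cc:00:00:01": "10.0.1.10",
    "aa:bb:cc:00:00:02": "10.0.1.57",
    "aa:bb:cc:00:00:09": "10.0.1.88",  # answers on the network but is not in the inventory
}

# Passive-discovery output (run weekly): MACs observed talking on the wire.
PASSIVE = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:09"}

# DHCP lease records in a simplified one-line-per-lease format assumed for this
# example (real DHCP servers each have their own lease file layout).
DHCP_LEASES = """\
lease 10.0.1.57 { hardware ethernet aa:bb:cc:00:00:02; }
lease 10.0.1.88 { hardware ethernet aa:bb:cc:00:00:09; }
lease 10.0.1.91 { hardware ethernet AA:BB:CC:00:00:0C; }
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s+\{.*?hardware ethernet\s+([0-9a-f:]{17})\s*;", re.I)

# When the reconciliation runs and when each discovery tool last ran (constructed).
NOW = datetime(2024, 6, 10, 9, 0)
LAST_RUN = {"active": NOW - timedelta(days=2), "passive": NOW - timedelta(days=3)}


def parse_dhcp(text):
    """Return {mac: ip} from the lease records, normalising MACs to lower case."""
    return {m.group(2).lower(): m.group(1) for m in LEASE_RE.finditer(text)}


def reconcile(authorized, active, passive, dhcp):
    """Compare every discovery source against the inventory and against each other."""
    seen = {}  # mac -> set of source names that observed it
    for name, macs in (("active", active), ("passive", passive), ("dhcp", dhcp)):
        for mac in macs:
            seen.setdefault(mac, set()).add(name)
    observed = set(seen)
    return {
        # The "true" count: everything the inventory claims plus everything any source saw.
        "true_count": len(observed | set(authorized)),
        "per_source": {"inventory": len(authorized), "active": len(active),
                       "passive": len(passive), "dhcp": len(dhcp)},
        # Seen on the network but not authorized: remove, deny remote access, or quarantine.
        "unauthorized": {mac: sorted(seen[mac]) for mac in sorted(observed - set(authorized))},
        # In the inventory but seen by nothing: stale record, powered off, or lost/stolen.
        "unseen": sorted(set(authorized) - observed),
        # Only one source vouches for it, so confidence in that entry is low.
        "single_source": sorted(mac for mac in observed if len(seen[mac]) == 1),
    }


def overdue_sources(last_run, now):
    """Discovery sources that have not run within the cadence the control calls for:
    active daily, passive at least weekly."""
    cadence = {"active": timedelta(days=1), "passive": timedelta(days=7)}
    return sorted(src for src, limit in cadence.items() if now - last_run[src] > limit)


if __name__ == "__main__":
    report = reconcile(AUTHORIZED, ACTIVE_SCAN, PASSIVE, parse_dhcp(DHCP_LEASES))
    for key, value in report.items():
        print(f"{key}: {value}")
    print("overdue discovery runs:", overdue_sources(LAST_RUN, NOW))
```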
Control Overview
Control 2 involves the active management (inventory, track, and correct) of all software assets on the network, so only authorized software can be executed. It’s critical to understand what’s running on your systems, with unauthorized and unmanaged software identified and prevented from being installed on the network.

As attackers continually scan organizations for software vulnerabilities, one of the key defenses is ensuring that all software assets are up to date and patched. By establishing an inventory of software assets, you can determine if vulnerable or outdated software is connected to your network.
How To Implement It
Begin by establishing and maintaining a detailed inventory of all licensed software installed on your systems. The inventory should document the title, publisher, initial install/use date, and the business purpose of that software, logging additional categories such as URL and version as needed.

Now ensure that only currently supported software, designated as authorized, is installed on organizational assets. Implement a process for documenting software exceptions if the software is unsupported yet necessary for the fulfillment of the organization’s mission. This exception process should include detailing mitigating controls and residual risk acceptance. If unauthorized software is identified, and does not have a documented exception, that software should be removed from organizational assets.

Automate the discovery and documentation of installed software with technical controls such as application allow listing. Technical controls can also be used to ensure that only authorized software libraries are allowed to load into a system process and to ensure that only authorized scripts are allowed to execute.
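The inventory-and-exception check described above, as an added example that is not part of the original guide: it classifies each package discovered on an asset as keep, keep-with-exception, or remove, matching on title and publisher so a look-alike title does not pass, and treats an exception whose review date has lapsed as no exception. All titles, publishers, dates and the exception register are constructed.

```python
"""Evaluate software discovered on an asset against the authorized inventory and the
exception register (CIS Control 2). Every title, publisher and date here is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Authorized:
    title: str
    publisher: str
    supported_until: date
    business_purpose: str


# Authorized-software inventory with the fields the control asks for, keyed by
# (title, publisher) so the same title from another publisher does not match.
INVENTORY = {
    ("Office Suite", "ExampleSoft"): Authorized("Office Suite", "ExampleSoft", date(2026, 1, 1), "productivity"),
    ("PDF Reader", "ExampleSoft"): Authorized("PDF Reader", "ExampleSoft", date(2023, 12, 31), "document viewing"),
    ("Backup Agent", "BackupCo"): Authorized("Backup Agent", "BackupCo", date(2027, 6, 30), "data recovery"),
}

# Exception register for unsupported software the business still needs: the mitigating
# controls, who accepted the residual risk, and when the exception must be re-reviewed.
EXCEPTIONS = {
    ("PDF Reader", "ExampleSoft"): {
        "mitigations": ["blocked from the network by host firewall", "limited to two accounting workstations"],
        "risk_accepted_by": "CISO",
        "review_by": date(2024, 9, 30),
    },
}

# Dates used by the example: the day of the check, and a day after the exception lapses.
TODAY = date(2024, 6, 10)
AFTER_REVIEW_DATE = date(2024, 10, 15)

# Packages reported by an automated discovery run on one workstation.
DISCOVERED = [
    {"title": "Office Suite", "publisher": "ExampleSoft", "version": "12.1", "installed": date(2024, 1, 8)},
    {"title": "PDF Reader", "publisher": "ExampleSoft", "version": "9.0", "installed": date(2022, 5, 2)},
    {"title": "Backup Agent", "publisher": "BackupCo", "version": "3.4", "installed": date(2024, 2, 1)},
    {"title": "Backup Agent", "publisher": "Unknown Ltd", "version": "1.0", "installed": date(2024, 6, 1)},
    {"title": "GameLauncher", "publisher": "Hobby", "version": "2.2", "installed": date(2024, 5, 20)},
]


def evaluate_package(pkg, today):
    """Return (decision, reason) for one discovered package."""
    key = (pkg["title"], pkg["publisher"])
    auth = INVENTORY.get(key)
    if auth is None:
        return "remove", "not in the authorized inventory"
    if auth.supported_until >= today:
        return "keep", "authorized and currently supported"
    exc = EXCEPTIONS.get(key)
    if exc and exc["review_by"] >= today:
        return "keep-with-exception", "unsupported; residual risk accepted by " + exc["risk_accepted_by"]
    # Unsupported and either never excepted or the exception lapsed without review.
    return "remove", "unsupported and no valid documented exception"


def evaluate_asset(installed, today):
    """Decisions for every package found on one asset, keyed by (title, publisher)."""
    return {(p["title"], p["publisher"]): evaluate_package(p, today) for p in installed}


if __name__ == "__main__":
    for (title, publisher), (decision, reason) in evaluate_asset(DISCOVERED, TODAY).items():
        print(f"{title} ({publisher}): {decision} - {reason}")
```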
The Power of Data Protection
Control Overview
Control 3 will help you develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data. When an attacker infiltrates an organization’s infrastructure, one of the first things they will do is find and download company data. If the company does not monitor data outflows, they are at risk of losing and exposing their sensitive data.
How To Implement It
Implement a process that includes a data management framework, data classification guidelines, and requirements for handling, retention, and disposal of data. There should also be an incident response plan developed in the event of a data breach, including a compliance and communication plan.

Data should be organized according to sensitivity level – key types of data need to be cataloged according to the overall criticality to the organization using labels such as “Sensitive,” “Confidential,” and “Public” to classify the data.

Once the sensitivity of company data has been outlined, a data inventory (or mapping) should be implemented that identifies the software accessing sensitive data along with the hardware being used.

Encryption is the most obvious solution to implement data protection. Data should be encrypted on end-user devices, removable media, services, applications, and databases containing sensitive data.

Data retention should be enforced accordingly and must include minimum and maximum retention timelines, and when those timelines expire data must be securely disposed of. Additionally, a data loss prevention tool can be implemented to identify all sensitive data stored, processed, or transmitted through company assets.

The Pax8 Security Solution Consultant team can also evaluate your existing tech stack to make recommendations on what you can implement to better protect company data, as well as best practices to enhance your data protection process.
Secure Configuration of Enterprise Assets and Software
Control Overview
Control 4 establishes and maintains a secure configuration of assets and software to prevent exploitation from attackers. When a company orders new computers for their business, this is when the hardware is at its most vulnerable due to the lack of any security configuration on the devices. The preset configuration can be exploitable in its default state as it uses basic controls, default accounts/passwords, and comes installed with unwanted software.
How To Implement It
You can utilize many different existing security baseline resources that are publicly developed and vetted, such as the CIS Benchmarks Program and the NIST National Checklist Program Repository.

These baselines should be reviewed and adjusted as needed to satisfy internal security policies and industry/government regulatory requirements. Any changes made to the baselines should be documented to facilitate future reviews. A good security process includes implementing and managing a firewall for services and end-user devices, uninstalling unnecessary software on all assets, configuring trusted DNS services, managing default accounts, and configuring devices to automatically lock after a defined period of inactivity or after several failed authentication requests.

Once a security configuration is established, it is important that the configuration is managed and maintained. The process should be reviewed and updated as needed annually. Additionally, implementing capabilities such as the ability to enforce remote wipes on portable end-user devices is important for maintenance in the event of lost or stolen devices.
Account Management
Control Overview
Control 5 establishes a process to assign and manage authorization to credentials for user accounts. This is critical to preventing unwanted attackers from accessing your system. Controlling administrative access and enforcing strong passwords can mitigate potential phishing attacks and prevent unauthorized access to your network.

Administrative accounts are a primary target, allowing attackers to add other accounts to the network, or alter the organization’s security framework to make it more vulnerable. Controlling and monitoring administrative accounts, ensuring that they have strong credentials, is important in preventing unwanted attackers from accessing and modifying your systems.
How To Implement It
From an action perspective, first start by establishing and maintaining an inventory of all accounts managed by the organization, including user and administrator accounts. Enforce unique passwords on all assets and encourage users to use a longer “passphrase” for added security, as well as enabling multi-factor authentication. Disable dormant accounts after a defined period of inactivity. Restrict administrator privileges to dedicated administrator accounts and centralize account management through a directory or identity service.

While this control is easy to implement from a software perspective, there may be some pushback from employees/end users as they believe that they will need administrative access to install software or perform other parts of their job. Work with admin user staff to determine what tasks truly require administrative access and establish a process or redelegate tasks to minimize the number of active administrator accounts in the system.
Control Overview
Control 6 focuses on managing the access privileges of each specific account depending on the user’s role within the organization. Accounts should only have the minimal authorization needed for the role. Determining what roles need what access and developing a process to enforce and monitor these accesses is a good step to take to make your system more secure.
How To Implement It
As a baseline, a process should be established to be able to grant and revoke user privileges as needed. Role-based access is used to manage access requirements for each account based on need to know, least privilege, privacy requirements, and separation of duties.

Next, require all third-party applications to enforce MFA through a directory service or SSO provider. MFA should be enabled for all users accessing the system from any organization asset. This approach is more secure than a one-time code via SMS. However, administrator users should utilize privileged access management (PAM) tools for enhanced security.

High-privileged accounts should not be used for day-to-day use such as web surfing. Administrators should have separate accounts for daily office use, only logging into administrator accounts when performing tasks that require that level of authorization. A system should also be put into place to monitor what administrator users are doing, making sure that they are logging into an administrator account only to complete required tasks.
Control Overview
Control 7 helps you continuously assess and track vulnerabilities so you can minimize opportunities for attackers. Scanning should occur frequently and increase as the number of software assets increases, to account for the different patch cycles of each new asset.
How To Implement It
There are many vulnerability scanning tools at your disposal to evaluate your security framework and monitor for new vulnerabilities. Scanning should occur frequently and increase as the number of software assets increases, to account for the different patch cycles of each new asset.

Advanced vulnerability scanning tools can be implemented for administrator users to scan organization assets more comprehensively, known as “authenticated scans.” Many businesses will link their vulnerability scanning tools with ticketing systems that can track the status of any issues, helping to ensure that critical vulnerabilities are tracked and resolved, not overlooked.

In addition to identifying, tracking, and resolving vulnerabilities, organizations should use NIST’s Common Vulnerability Scoring System to determine the potential impact of an exploit and prioritize their response accordingly. The release of a new exploit, or new information related to a known vulnerability, should alter the priority in which the exploits are considered for patching.
Control Overview
Control 8 helps you keep track of anything happening within your systems so you can better understand an attack and recover from it. System logs record system-level events such as process start/end times and crashes, while audit logs record user-level events such as when a user logs in and accesses a file.
How To Implement It
If an organization has a poor log analysis process, it is possible for an attacker to infiltrate the system and control assets for months or years without anyone noticing. An audit log would show that an unknown user is utilizing assets and accessing software/data that should not be accessed. That log could then be used to further analyze the attack, showing when the attack occurred and what information was accessed, which is helpful to identify the weaknesses in your security framework and conduct follow-up investigations into the attack.

Audit logging should be configured for any assets containing sensitive data. Most assets and software have native logging capabilities, making implementation of this control much easier. All logging features should be activated, and the logs should be sent to centralized logging servers.

To ensure that all assets are logging data as desired, compare the log records to the asset inventory established in Control 1. Firewalls, proxies, and remote access systems should all be configured for detailed logging.

To best use logs as a defense strategy, your team should define what constitutes a critical alert, and regularly review logs to watch for these alerts (ideally on a weekly basis). Audit logs should be retained for a minimum of 90 days, but critical logs should be retained indefinitely to aid in future investigations.
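The weekly log review described above, as an added example that is not part of the original guide: over constructed audit records in a simple “time host event key=value” format, it compares the hosts that are actually logging against the Control 1 inventory, applies an assumed definition of a critical alert (activity by an account the directory does not know, or after-hours access to finance data), and applies the 90-day minimum / indefinite-for-critical retention rule. Hostnames, usernames, paths and timestamps are all sample values.

```python
"""Check log coverage against the asset inventory, flag critical audit events, and apply
the retention rule (CIS Control 8). Hosts, users and log records are constructed."""
import re
from datetime import datetime, timedelta

# Assets from the Control 1 inventory that must ship logs to the central server.
INVENTORY = {"fs01", "wks-jdoe", "printer-2f", "vpn-gw"}
# Accounts the directory knows about; anything else is an "unknown user".
KNOWN_USERS = {"jdoe", "asmith", "svc-backup"}
# Time of the weekly review.
NOW = datetime(2024, 6, 10, 12, 0)

# Centralized audit records in a simple "<ISO time> <host> <event> key=value ..." format.
SAMPLE_LOGS = """\
2024-06-03T08:02:11 fs01 login user=jdoe src=10.0.1.57
2024-06-03T08:05:40 fs01 file_access user=jdoe path=/finance/q2.xlsx
2024-06-08T22:10:00 fs01 file_access user=asmith path=/finance/budget.xlsx
2024-06-09T23:41:03 fs01 login user=r0gue src=10.0.1.88
2024-06-09T23:42:17 fs01 file_access user=r0gue path=/finance/payroll.csv
2024-06-10T07:15:00 vpn-gw login user=asmith src=203.0.113.5
2024-03-01T01:00:00 wks-jdoe crash proc=outlook.exe
2024-02-20T03:00:00 fs01 login user=r0gue src=10.0.1.88
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ?(.*)$")


def parse_logs(text):
    """Parse the records into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, event, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        records.append({"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields})
    return records


def coverage_gaps(inventory, records, now, max_silence=timedelta(days=7)):
    """Inventory assets with no record at all, or none within max_silence: logging is off,
    the forwarder is broken, or the inventory entry is stale."""
    last_seen = {}
    for r in records:
        last_seen[r["host"]] = max(last_seen.get(r["host"], r["ts"]), r["ts"])
    return sorted(h for h in inventory if h not in last_seen or now - last_seen[h] > max_silence)


def is_critical(r):
    """Definition of a critical alert assumed for this example: activity by an account the
    directory does not know, or access to finance data outside 08:00-18:00."""
    if r.get("user") and r["user"] not in KNOWN_USERS:
        return True
    after_hours = not 8 <= r["ts"].hour < 18
    return r["event"] == "file_access" and r.get("path", "").startswith("/finance/") and after_hours


def retention_action(r, now, minimum=timedelta(days=90)):
    """Critical records are retained indefinitely; others may be purged after 90 days."""
    if is_critical(r):
        return "retain"
    return "purge" if now - r["ts"] > minimum else "retain"


def weekly_review(records, now):
    """What the weekly review reports: critical alerts, coverage gaps and purge candidates."""
    return {
        "critical": [(r["ts"].isoformat(), r["host"], r["event"], r.get("user"))
                     for r in records if is_critical(r)],
        "gaps": coverage_gaps(INVENTORY, records, now),
        "purge": [r["ts"].isoformat() for r in records if retention_action(r, now) == "purge"],
    }


if __name__ == "__main__":
    for section, items in weekly_review(parse_logs(SAMPLE_LOGS), NOW).items():
        print(section)
        for item in items:
            print("  ", item)
```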
Control Overview
Control 9 helps you implement tools for a secure web browser and email. It is very easy for an attacker to craft an innocent-looking email or web page that is designed to entice users into disclosing credentials, providing sensitive information, or exposing a vulnerability that allows hackers to gain access to the system.
How To Implement It
To prevent web browser attacks, browsers should be configured to not allow plug-ins from untrusted sources, and a firewall should be enabled to block untrusted or fraudulent sites asking for sensitive data. Most browsers today automatically utilize a database of phishing and malware sites and filter them out – these filters should be enabled, as well as pop-up blockers.

For email attacks, there are some basic safeguards that can be utilized to reduce the risk of attack, like using spam-filtering and malware screening tools to stop malicious emails and attachments from reaching their targets. Installing an encryption tool to secure email and communications adds another layer of security. It can also be beneficial to only allow users to access certain file types that they need for their role to minimize the risk of a malicious attachment.

Along with the implementation of software tools, it’s also important to train employees to spot suspicious red flags in an email or web browser. A process should also be implemented for employees to report suspicious emails to IT security.
Malware Defenses
Control Overview
Control 10 helps you address attacks by malicious software (one of the most common threats to an organization’s systems). With modern malware being developed with the assistance of machine learning and artificial intelligence, it is more critical than ever to implement a secure process of detecting and eliminating malware before it poses a risk.

Malware can be introduced in many ways – with new and creative methods being invented regularly. So IT security and all company employees should not click on anything suspicious or use any untrusted hardware/software assets on company devices.
How To Implement It
Malware protection includes the typical endpoint malware prevention tools, and these should be managed centrally to provide consistency across the system. These tools function by scanning for, identifying, and blocking malware before it has the chance to damage the system. Automatic updates should be enabled to ensure that the software is always up-to-date and providing the best protection.

In the last decade there has been an increase in “living-off-the-land” attacks where malicious code is embedded within trusted software to minimize the risk of being detected by anti-malware tools. Keeping careful logs will make it easier to track where the malware came from, why it happened, and what was compromised.
Data Recovery
Control Overview
Control 11 ensures that a system is in place to secure and recover data. It is important to have recent backups or mirrors of data to restore assets back to a trusted state in the event of an attack.

Attackers can take advantage of an organization’s neglect to back up data by infiltrating the systems and making changes to key configurations, adding accounts, or adding software or scripts. Ransomware attackers will even try to encrypt an organization’s data and demand money for its restoration.
How To Implement It
Expand on data security safeguards including backup procedures based on data value and sensitivity. Full backups should be conducted once a week, and incremental backups of highly valuable/sensitive data should be conducted more frequently.

Once per quarter, or whenever a new backup process or technology is introduced, a testing team should evaluate a random sampling of backup data and attempt to restore it in a testing environment. The backups should be evaluated to ensure that all data from the backup is intact and functional. Backups should be properly protected via security or encryption, ensuring key systems have at least one backup that is not continuously addressable through operating system calls.
Control Overview
Control 12 helps you create a secure network infrastructure by managing devices such as physical and virtual gateways, firewalls, wireless access points, routers, and switches. Default configurations for network devices are often geared for ease-of-use, not security. Attackers search for vulnerable default settings or gaps in a firewall ruleset to infiltrate the system.
How To Implement It
Network security is an ever-evolving issue that requires regular re-evaluation of configurations and access controls. Potential default vulnerabilities include open services and ports, default accounts and passwords, out-of-date versions, and pre-installation of unnecessary software. Establish a process to ensure that all assets have been securely configured before deploying.

Network configurations tend to become less secure over time when firewall exceptions are granted to fulfill a business need but then are never removed from the exception list. When enhancing network infrastructure management, a process for evaluating firewall exception risk should be defined. The exception list should also be regularly evaluated to determine if the exception is still necessary (with as few exceptions granted as possible).

Organizations should ensure that network infrastructure is fully documented, and architecture diagrams are established, maintained, and reviewed regularly.

Remote devices should be monitored and fitted with an organization-managed VPN and authentication service which must be utilized before accessing company resources. All assets should always be kept up to date with the latest secure and stable version.
Firewall
Control Overview
Control 13 continually monitors your network for threats so your security team can be alerted and respond in a timely manner. Every moment counts when malware is discovered, credentials are stolen, or sensitive data is compromised, so having a plan in place is critical. Organizations should use software tools in conjunction with established security team processes to prevent, detect, and quickly respond to cyber threats.
How To Implement It
Start by developing a process to understand critical business functions, network and server architectures, data and data flows, vendor service and business partner connections, and end-user devices and accounts. At the core of this process should be a trained and organized team that can use this understanding to develop processes for incident detection, analysis, and mitigation.

Next, the team should utilize technology to collect and analyze logs on network and data access, as well as generally monitor networks and assets for unrecognized activity. Tech solutions to analyze logs, such as security information and event management software, should be complemented by weekly log reviews by your security team. As this process develops, the organization should create and maintain a knowledge base to better document and understand the business risks.

As the security team becomes more comfortable with the organization’s threat intelligence capabilities, they will be able to understand which alerts are false positives and which are relevant threats. And they can use this knowledge to become proactive instead of reactive, stopping attackers before they have a chance to infiltrate.
Control Overview
Control 14 ensures every employee has the training to identify and report suspicious behavior. No security solution alone can effectively address cyber risk. Human vulnerability is one of the biggest risks for any security framework.
How To Implement It
A security training program should be implemented to help employees understand the risks, how to avoid them, and how to report potential and actualized threats to the security team. This training should be updated regularly to comply with the latest security standards.

There should also be more frequent, topical messages about security. When an incident does occur internally, or there is a media story about a severe security incident at another company, timely messages should be sent out to remind staff about best practices like strong passwords and tips to avoid phishing.

Additionally, your security team can implement social engineering training, such as phishing tests, as a more frequent reminder of the security threat any organization faces. These are used so that the employee can become familiar with what suspicious emails may look like and how to report them. It should also identify which users passed or failed the test so that training can be assigned as needed to those who pose more of a security risk.

A combination of an annual training program, social engineering training, and timely newsletters/reminders of security best practices should be implemented to create a strong framework for security awareness and skills training.
Control Overview
Control 15 ensures vendors, partners, and third parties are properly vetted so they handle your sensitive information properly.

Why? There are many cases where third party servicers were breached, sensitive data was exposed, and there was a significant impact to all companies relying on that servicer. A ransomware attack is a good example of this, where many companies’ sensitive data is threatened unless a hefty payment is made. The most difficult part is there’s nothing your team can do in this situation – they just have to wait and see what happens. That’s why it’s important to only work with trusted vendors who care just as much about security as you do.
How To Implement It
Establish and define a policy for reviewing third party service providers and taking inventory of vendors under review, while associating a risk rating to vendors based on potential impact to the business if there were an incident. Make sure that contracts with a vendor include language holding them accountable if an incident occurs.

There are many online platforms that can be utilized to determine which third-party vendors are trustworthy and right for your business. These platforms have an inventory of thousands of businesses, providing a lot of information to make an informed risk decision. Look to see if the company has a managed security service contract and holds cyber security insurance.

Even if a vendor is deemed trustworthy, review them every quarter to ensure that their risk level has not increased. When contracts are completed or terminated, ensure the account is properly deactivated (with data flow terminated, and any data held by the third party disposed of securely).
Control Overview
Control 16 helps you monitor software to prevent, detect, and remediate security weaknesses before they can make an impact. This includes in-house developed or third-party software deployed in any type of organization.

Unfortunately, many applications are developed with short development cycles, and assembled using a complex mix of development frameworks, existing code, and new code. This makes security control a lot more challenging as it’s difficult to test every aspect of the application for vulnerabilities before releasing it.

Software-as-a-service (SaaS) platforms are no different. Application vulnerabilities can be present for many reasons, such as insecure design and/or infrastructure, coding mistakes, weak authentication, and a failure to test for unexpected conditions. These are the types of vulnerabilities that attackers exploit.
How To Implement It
Application security is an important topic, and there are different ways to implement it depending on the scale of your organization.

• Smaller organizations that do not require custom-built applications rely heavily on off-the-shelf software packages. This helps the organization apply basic operational and procedural best practices to manage their vendor-supplied software.

• Medium-sized businesses may rely on some in-house code applications in conjunction with third-party components, applying software development best practices to their original code and basic operational best practices to vendor-supplied software.

• Large organizations make a major investment in custom software to run the business, hosting software on their own infrastructure. This work should be completed by expert software developers, applying security and software best practices to the code, while incorporating trusted third-party open-source software components as needed.
Control Overview
Control 17 helps you put a documented plan in place before an incident occurs. Knowing the right investigative procedures, legal protocols, and communications strategy will help you manage the incident and recover.

If there are no plans in place for how to respond and recover from an incident, the system is severely at risk. Without fully understanding what happened and what can be done to prevent it from happening again, nothing will be gained to prevent future incidents.
How To Implement It
All organizations should implement a plan that includes the sources for protection and detections, whom to call when an incident arises, and communication plans for conveying information to leadership, employees, regulators, and customers.

It’s ideal to establish an incident response team and assign key roles and responsibilities to each member so they’re prepared to act when an incident arises. Action plans should be put into effect for each team member, including staff from legal, IT, public relations, human resources, and incident responders.

The incident response team should practice their procedures with scenario-based training, working through different types of attack scenarios. Technical team members need to be prepared to handle high-stress incidents, and practicing will make the team better prepared to respond quickly and effectively.
Penetration Testing
Control Overview
Control 18 helps you periodically perform tests to identify security gaps. Penetration testing seeks to exploit known weaknesses to see how far an attacker could get, and the level of negative impact that could be created.

The test may be from an external or internal network, originating from an application or a specific device, and may include social engineering of users to test human vulnerabilities.

Penetration tests are expensive and complex. But they can provide valuable insights into vulnerabilities and the efficacy of defenses.
How To Implement It
Any tests which expose known vulnerabilities are a potential risk factor for the organization. Despite these concerns, it’s nothing compared to the impact an actual breach may have. First, utilize scanning tools to identify vulnerabilities within the system. Once identified, create exploits to demonstrate specifically how an attacker would use it to compromise the organization’s security systems.

Experienced and trustworthy vendors must conduct the penetration tests. The organization should define a clear scope and rules of engagement before beginning. The scope should include organization assets with the highest valued information and lower-value systems that could be leveraged to compromise high-value systems. The rules of engagement should describe the times for testing, duration of test(s), and the overall test approach.

After testing is complete, analyze the results of the test both from a personal and defensive standpoint. Identify any human weaknesses in the process and work on a plan to resolve them. Review the impact of the vulnerability in order to understand what could happen in the event of a real attack.
Conclusion
While many partners already have a good number of controls implemented, CIS can help you mature your business by adding valuable documentation and reporting to the mix. And if anything has been overlooked, CIS will help identify and secure any vulnerabilities in your security framework. Implementing these controls will help show customers your unique value as a trusted MSP.