Last updated at Sat, 13 May 2023 21:22:15 GMT

What are the CIS Critical Security Controls?

The Center for Internet Security (CIS) Top 20 Critical Security Controls (previously known as the SANS Top 20 Critical Security Controls) is an industry-leading way to answer your key security question: “How can I be prepared to stop known attacks?” The controls transform best-in-class threat data into prioritized and actionable ways to protect your organization from today's most common attack patterns.

What's new in Version 7 of the CIS Critical Security Controls?

With the release of Version 7 of the controls, CIS has attempted to provide consistency and simplify the wording of each control. It has also simplified the controls by implementing "one ask" per sub-control, making them more precise. There is more focus on authentication and application whitelisting, and they now better align with other security frameworks, such as NIST.

Version 7 keeps the same 20 controls but now separates them into three distinct categories: basic, foundational, and organizational. The basic controls (1-6) should be implemented in every organization for essential defense readiness. The foundational controls (7-16) are the next step up from the basic controls, while the organizational controls (17-20) focus more on people and processes.

Achievable Implementation of the CIS Critical Security Controls

The interesting thing about the critical security controls is how well they scale to work for organizations of any size, from very small to very large. They are written in easy-to-understand business language, so non-security people can easily grasp what they do. They cover many parts of an organization, including people, processes and technology. As a subset of the priority 1 items in the NIST 800-53 special publication, they are also highly relevant and complementary to many established frameworks.

Leveraging Rapid7's expertise to assist your successful implementation

As part of a Rapid7 managed services unit, the Security Advisory Services team at Rapid7 specializes in security assessments for organizations. Using the CIS Critical Security Controls (formerly the SANS 20 Critical Controls) as a baseline, the team assesses and evaluates strengths and gaps, and makes recommendations on closing those gaps.

The Security Advisory Services team will be posting a blog series on each of the controls. These posts are based on our experience over the last two years of our assessment activity with the controls, and how we feel each control can be approached, implemented and evaluated. If you are interested in learning more about the CIS Critical Controls, stay tuned here as we roll out posts weekly. Thanks for your interest and we look forward to sharing our knowledge with you!

The definitive guide of all CIS Critical Security Controls

As the blog series expands, we'll use this space to keep a running total of all the 20 CIS Critical Controls. Check back here to stay updated on each control.

Control 1: Inventory and Control of Hardware Assets

This control is split into eight focused sections relating to network access control, automation and asset management. The control specifically addresses the need for awareness of what's connected to your network, as well as the need for proper internal inventory management and management automation. Implementing inventory control is probably the least glamorous way to improve a security program, but if it's done right it reduces insider threat and loss risks, cleans up the IT environment and improves the other 19 controls. Learn more.

Control 2: Inventory and Control of Software Assets

The second control is split into 10 sections, each dealing with a different aspect of software management. Much like Control 1, this control addresses the need for awareness of what's running on your systems and network, as well as the need for proper internal inventory management. The CIS placed these controls as the "top 2" in much the same way that the NIST Cybersecurity Framework addresses them as "priority 1" controls on the 800-53 framework; inventory and endpoint-level network awareness are critical to decent incident response, protection and defense. Learn more.

Control 3: Continuous Vulnerability Management

Organizations operate in a constant stream of new security information: software updates, patches, security advisories, threat bulletins, etc. Understanding and managing vulnerabilities has become a continuous activity and requires a significant amount of time, attention and resources. Attackers have access to the same information, but have significantly more time on their hands. This can lead to them taking advantage of gaps between the appearance of new knowledge and remediation activities. Control 4 challenges you to understand why vulnerability management and remediation is important to your overall security maturity. Learn more.

Control 4: Controlled Use of Administrative Privileges

The ultimate goal of an information security program is to reduce risk. Often, hidden risks run amok in organizations that just aren't thinking about risk in the right way. Control 5 of the CIS Critical Security Controls can be contentious, can cause bad feelings, and is sometimes hated by system administrators and users alike. It is, however, one of the controls that can have the largest impact on risk. Discover how reducing or controlling administrative privilege and access can reduce the risk of an attacker compromising your sensitive information. Learn more.

Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

This control deals with Secure Configurations for Hardware & Software. The Critical Controls are numbered in a specific way, following a logical path of building foundations while you gradually improve your security posture and reduce your exposure. Controls 1 and 2 are foundational to understanding what inventory you have. The next step, Control 3, is all about shrinking that attack surface by securing the inventory in your network. Learn more.

Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

This control has eight sections which cover everything from NTP configuration and verbose logging of traffic from network devices to how the organization can best leverage a SIEM for a consolidated view and action points, and how often reports need to be reviewed for anomalies. Learn more.

Control 7: Email and Web Browser Protections

Critical Control 7 has 10 sections that cover the basics of browser and email client safety, secure configuration and mail handling at the server level. The control pays specific attention to concepts like scripting and active component limiting in browsers and email clients, attachment handling, configuration, URL logging, filtering and whitelisting. The premise of the control is fairly straightforward: browser and email client security are critically important for low-level risk mitigation. Learn more.

Control 8: Malware Defenses

Control 8 covers malware and antivirus protection at system, network, and organizational levels. It isn't limited to workstations, since even servers that don't run Windows are regularly targeted (and affected) by malware. Control 8 should be used to assess infrastructure, IoT, mobile devices, and anything else that can become a target for malicious software—not just endpoints. Learn more.

Control 9: Limitation and Control of Ports, Protocols, and Services

Control 9 covers management of ports, protocols, and services (PPS) on devices that are a part of your network. This means that all PPS in use within your infrastructure must be defined, tracked, and controlled, and that any corrections should be undertaken within a reasonable timeframe. The initial focus should be critical assets and evolve to encompass your infrastructure in its entirety. By maintaining knowledge of what is running and eliminating extraneous means of communication, organizations reduce their attack surface and give attackers fewer areas in which to ply their trade. Learn more.

Control 10: Data Recovery Capabilities

Control 10 discusses processes and tools used to properly back up critical information with a proven methodology for timely recovery of it. The control standard consists of four criteria which are labelled as foundational elements to a security program; these focus on system backups and testing. Learn more.

Control 11: Secure Configurations for Network Devices, such as Firewalls, Routers, and Switches

Control 11 covers secure configurations for network devices, including firewalls, routers, switches, and network IDS setups; many of these concepts can be applied to DHCP/DNS appliances, NAC enforcement appliances, and other solutions, too. The goal is to harden these critical network infrastructure devices against compromise, and to establish and maintain visibility into changes that occur on them—whether those changes are made by legitimate administrators or by an adversary. Learn more.

Control 12: Boundary Defense

Control 12 covers boundary defense, or an organization's first line of protection against outside threats. There are ten subsections to this control that cover your DMZ, firewalls and proxies, IDS/IPS, NetFlow, and remote access. Today, many attackers focus on exploiting systems that they can reach across the internet; they are constantly probing perimeters for vulnerabilities and information needed to build their attack plan. Learn more.

Control 13: Data Protection

Data protection is one of the cornerstones of a solid security program, and it is a critical function of the CIA Triad of Confidentiality, Integrity, and Availability. Data protection, as characterized by Critical Control 13, is essentially secure data management. Learn more.

Control 14: Controlled Access Based on the Need to Know

Control 14 covers controlled access of the processes and tools used to track, control, prevent, and correct secure access to critical assets such as information, resources, and systems. It’s important to establish a formal classification of your data types in order to define which persons, computers, and applications have a need and right to access them. Learn more.

Control 15: Wireless Access Control

Control 15 covers the processes and tools used to track, control, prevent, and correct the secure use of wireless local area networks (LANs), access points, and wireless client systems. With so many emails, documents, logins, and the like being transmitted around us, we must turn our attention to securing this sensitive data. Learn more.

Critical Control 16: Account Monitoring and Control

Control 16 recommends processes to manage the lifecycle (creation, use, dormancy, and deletion) of system and application accounts. To address this control, companies can implement best practices for account lifecycle management, configuration settings, and two-factor authentication. Learn more.

Critical Control 17: Implement a Security Awareness and Training Program

You can put all the work you want into developing a security program, but the project will remain incomplete if you don’t train your employees on it. Control 17 covers steps to take to ensure your team understands security best practices, current defense strategies, and what is expected of them. Learn more.

Critical Control 18: Application Software Security

Control 18 covers the process of implementing application software security and its various sub-controls. This entails fostering a relationship with app development and procurement groups, implementing security gates to address the controls, and ensuring you have the proper people and tools in place. Learn more.

Critical Control 19: Incident Response and Management

The key principle of Control 19 is protecting the organization's information and reputation by developing and implementing an incident response infrastructure for quickly discovering an attack and effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems. Learn more.

Critical Control 20: Penetration Tests and Red Team Exercises

Control 20 discusses the need for penetration tests and Red Team exercises to consistently evaluate the effectiveness of your organization's security program. Though both can be instrumentally helpful in ascertaining your security standing, they are not quite the same thing. Learn more.