Posts tagged CIS Controls

7 min CIS Controls

The CIS Critical Security Controls Series

What are the CIS Critical Security Controls? The Center for Internet Security (CIS) Top 20 Critical Security Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] (previously known as the SANS Top 20 Critical Security Controls) is an industry-leading way to answer your key security question: “How can I be prepared to stop known attacks?” The controls transform best-in-class threat data into prioritized and actionable ways to protect your organization from today's most common

6 min CIS Controls

The CIS Critical Security Controls Explained - Control 4: Controlled Use of Administrative Privilege

The ultimate goal of an information security program [https://www.rapid7.com/fundamentals/security-program-basics/] is to reduce risk. Often, hidden risks run amok in organizations that just aren't thinking about risk in the right way. Control 4 of the CIS Critical Security Controls [https://rapid7.com/solutions/compliance/critical-controls/] can be contentious, can cause bad feelings, and is sometimes hated by system administrators and users alike. It is, however, one of the controls that can h

5 min CIS Controls

The CIS Critical Security Controls Explained - Control 3: Continuous Vulnerability Management

Welcome to the third blog post on the CIS Critical Security Controls [https://rapid7.com/solutions/compliance/critical-controls/]! This week, I will be walking you through the third Critical Control: Continuous Vulnerability Management. Specifically, we will be looking at why vulnerability management [https://rapid7.com/solutions/vulnerability-management/] and remediation is important for your overall security maturity, what the control consists of, and how to implement it. Organizations operat

5 min CIS Controls

The CIS Critical Security Controls Explained - Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers

Stop No. 5 on our tour of the CIS Critical Security Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] (previously known as the SANS Top 20 Critical Security Controls) deals with Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers. This is great timing with the announcement of the death of SHA1. (Pro tip: don't use SHA1 [https://arstechnica.com/security/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/]

4 min CIS Controls

The CIS Critical Security Controls Explained - Control 1: Inventory and Control of Hardware Assets

The Rapid7 Security Advisory Service relies heavily on the CIS top 20 critical controls as a framework for security program analysis because they are universally applicable to information security and IT governance. Correct implementation of all 20 of the critical controls greatly reduces security risk, lowers operational costs, and significantly improves any organization's defensive posture. The 20 critical controls are divided into Basic, Foundational, and Organizational families, and each con

4 min CIS Controls

The CIS Critical Security Controls Explained - Control 2: Inventory and Control of Software Assets

As I mentioned in our last post, the 20 critical controls [https://www.rapid7.com/solutions/compliance/critical-controls/] are divided into Basic, Foundational, and Organizational families in order to simplify analysis and implementation. This also allows partial implementation of the controls by security program developers who aren't building a program from scratch, but want to apply all 20 of the controls. The first two controls of the Center for Internet Security's (CIS) Critical Controls are

5 min CIS Controls

Using CIS Controls To Stop Your Network From Falling in With the Wrong Crowd

Earlier this month Kyle Flaherty wrote a post [/2016/10/06/rapid7-on-top-in-sans-critical-security-controls] on the Rapid7 Community Blog about how Rapid7 came out on top for coverage of the Center for Internet Security (CIS) Top 20 Security Controls [https://www.cisecurity.org/critical-controls.cfm]. In light of recent DDoS events I'd like to take a little time to discuss at a high level what the controls are, how they would help, and what organizations can do to improve their posture in these

3 min Awards

Rapid7 On Top in SANS Top 20 Critical Security Controls

Being great is, well… great, right? But as we all know it doesn't happen in a vacuum, it's an equation: Greatness = Individual Excellence + Teamwork + Meaningful Customer Relationships. Coincidentally (or not), these items make up three of the five core values [https://www.rapid7.com/company/careers.jsp#ourcorevalues?CS=blog] we strive towards here at Rapid7 – the other two play a role as well in ‘Disciplined Risk Taking’ and ‘Continuous Learning’, but we all know blog posts need three things,

2 min CIS Controls

Use DHCP Discovery to Implement Critical Security Control 1

The number one critical security control from the Center for Internet Security recommends actively managing all hardware devices on the network: CSC 1: Inventory of Authorized and Unauthorized Devices. Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access. http://www.cisecurity.org/critical-controls.cfm Here are some of the reasons y

2 min CIS Controls

Top 3 Takeaways from the "Simplify Controls: How to Align Security Controls to Reduce Risk to Your Business" Webcast

This week we heard from Bill Bradley, Product Marketing Manager at Rapid7, about the far-reaching implications of security controls. Each organization (SANS and the Australian Signals Directorate to name a couple) that highlights recommended controls promotes a slightly different twist on the weighting and criticality of controls. We looked at which controls across each organization with recommendations are the most important and effective risk reduction tools, and how professionals in different

3 min CIS Controls

How ControlsInsight aligns to SANS 20 Critical Security Controls

During the development of ControlsInsight, we selected the first set of controls based on input from Rapid7 experts with extensive experience in attacker methodology (like HD Moore and our co-founders Tas Giakouminakis and Chad Loder) combined with industry best practices for risk mitigation. One of the best practices we used was the SANS 20 Critical Security Controls [http://www.sans.org/critical-security-controls/], which helps organizations focus efforts on security controls that would have th