CIS Controls and Vulnerability Assessment: practical guide to adopting best practices
Estimated reading time: 6 minutes
Critical Security Controls, also known as CIS Controls, are a series of cybersecurity actions and technologies developed to protect organizations from common and effective cyber attacks. This article explains what CIS is, the benefits of adopting CIS Controls and how to integrate them into the Vulnerability Assessment process to improve your security posture.
What is CIS (Center for Internet Security)?
The Center for Internet Security (CIS) is a non-profit organization dedicated to improving cyber resilience globally. CIS manages various programs including:
- The CIS Controls or Critical Security Controls.
- The MS-ISAC (Multi-State Information Sharing & Analysis Center) to share threat intelligence.
- CIS Benchmarks for secure computer system configurations.
CIS is supported by governments, private companies, academic institutions and technical communities to develop cybersecurity best practices.
CIS Controls (Critical Security Controls)
The CIS Controls are a prioritized, consolidated set of actions, policies and security tools published as a standard checklist. Their goal is to guide organizations toward the most critical and effective defenses for blocking known and emerging cyber attacks.
The benefits of adopting CIS Controls include:
- Pragmatic, high-impact approach – focuses on the highest-value best practices.
- Evidence-based – derived from the analysis of millions of real attacks.
- Cross-disciplinary applicability – effective for organizations of all sizes and sectors.
- Measurable metrics – implementation score to track improvement.
- Constantly updated – continuously reviewed by experts to reflect the threat landscape.
Evolution of CIS Controls
The first version of Critical Security Controls dates back to 2008. Over the years they have been reviewed and updated regularly to keep them relevant against emerging threats.
The latest release is version 8 (CIS Controls v8) released in 2021, which includes 20 core controls. Here are some of the main new features:
- Unification of identity and access controls in a single domain.
- New controls specific to mobile and IoT devices.
- Increased focus on supply chain attacks and ransomware.
- Integration of emerging technologies such as microservices and containers.
- New deployment metrics for more granular measurement.
The 20 Critical Security Controls CIS v8
Below are the 20 domains of CIS Controls ver. 8 grouped into their respective management areas:
Protect critical information and systems
- Inventory of authorized and unauthorized devices
- Inventory of authorized and unauthorized software
- Protect hardware and software configurations on mobile devices, laptops, workstations and servers
- Continuous assessment and remediation of vulnerabilities
- Protection of the development and delivery stages of the software application
Develop a culture of security and awareness
- Administrative authorization
- Maintenance, monitoring and analysis of audit logs
Strengthen defense and simplify security
- Defense against malware
- Limitation and control of network ports, protocols and services
- Data protection
- Network protection
- Control of access to sensitive resources
Use analytics to respond to events
- Data protection and security analysis systems
- Event detection and response to security incidents
Reduce the attack surface and opportunities for attackers
- Implementation of a Zero Trust security architecture
- Data protection and access control
- Security implementation for network and mobility devices
- Device and data center protection on on-premises, hybrid networks and cloud systems
Respond adaptively to restore the situation
- Incident response and disaster recovery plans
- Exercises to evaluate and improve incident response and disaster recovery plans
CIS Controls Self-Assessment Scanner
To simplify the adoption of CIS Controls, CIS provides a free self-assessment tool, the CIS Controls Self-Assessment Scanner.
This scanner allows you to fill out an online questionnaire on the implementation status of various controls within your organization.
At the end, a report is obtained that assigns an overall score and identifies priority areas for improvement to strengthen defenses based on CIS Controls.
The tool provides a high-level overview but does not directly test the security or effectiveness of the controls. This is why more in-depth activities such as Vulnerability Assessment are necessary.
Integrate CIS Controls into Vulnerability Assessment
Carrying out a periodic Vulnerability Assessment allows you to promptly identify all vulnerabilities and security flaws within the IT infrastructure.
To comprehensively cover attack vectors, the assessment should check both misconfigurations that can violate CIS Controls and technical vulnerabilities in systems.
For example, scanning can:
- Detect configuration errors that expose sensitive network ports.
- Identify unnecessary services active on servers and workstations.
- Find out-of-date and exploit-prone software applications.
- Uncover accounts with weak passwords or default credentials.
- Identify operating systems or databases that are obsolete and no longer supported.
- Analyze security policies and settings in detail.
Therefore, the final Vulnerability Assessment report can include specific remediation indications to resolve these problems, aligning with the violated CIS Controls.
In this way the organization is able to:
- Measure the actual level of compliance with CIS best practices.
- Prioritize corrective actions based on risk.
- Monitor progress in implementing key defenses.
- Demonstrate commitment to following standards validated by the IT community.
The Vulnerability Assessment becomes an even more valuable tool when its checks are integrated with the CIS Controls as a reference framework.
Hardening of systems via CIS Controls
CIS Controls provide operational guidance to protect IT systems through “hardening” best practices, i.e. strengthening security.
Here are some examples of hardening activities led by CIS Controls:
- Remove unnecessary software – uninstall non-essential components, features and services according to Control 2.
- Close ports and services – block network ports and disable obsolete and unused services by applying Controls 9 and 11.
- Periodic updates – keep operating systems, software and firmware fully patched as indicated in Control 4.
- Minimize users and privileges – assign the minimum administrative privileges required by the user’s role as per Control 6.
- Data protection – encrypt sensitive data both in transit and at rest by implementing Control 10.
- Multi-factor authentication – require multiple credentials to access critical assets as Control 12 dictates.
- Network segmentation – logically separate sensitive environments and data flows as recommended by Control 11.
- Log collection and retention – collect, centralize and retain system, application and security event logs for Control 7.
By regularly verifying compliance with these best practices during Vulnerability Assessment, organizations can maintain a robust security posture for their critical assets.
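The two passages above describe mapping scan findings onto CIS Controls, scoring compliance and prioritizing remediation. The following is an added example (not the article's, the provider's or CIS's own code): the finding categories and assets are constructed, and the control numbers follow the mapping the article itself uses for its hardening activities.

```python
"""Map Vulnerability Assessment findings onto CIS Controls, score compliance per
control and order remediation. Added example; control numbers follow the
article's own mapping and every finding below is constructed, not real scan data."""
from collections import defaultdict

# Scan finding category -> CIS Control number as the article above assigns it.
FINDING_TO_CONTROL = {
    "unnecessary_software": 2, "outdated_software": 4, "unsupported_os": 4,
    "excess_privilege": 6, "missing_logging": 7, "exposed_port": 9,
    "unnecessary_service": 9, "unencrypted_data": 10, "flat_network": 11,
    "default_credentials": 12,
}
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed scan output: (asset, finding category, severity).
SAMPLE_FINDINGS = [
    ("srv-web-01", "exposed_port", "high"),
    ("srv-web-01", "outdated_software", "critical"),
    ("srv-db-01", "default_credentials", "critical"),
    ("ws-042", "excess_privilege", "medium"),
    ("ws-042", "exposed_port", "medium"),
    ("srv-file-02", "missing_logging", "medium"),
    ("srv-file-02", "unsupported_os", "high"),
    ("srv-file-02", "legacy_protocol", "medium"),  # no mapping: manual review
]
ASSETS_CHECKED = ["srv-web-01", "srv-db-01", "ws-042", "srv-file-02"]

def map_findings(findings):
    """Attach the control number to each finding; unmapped categories get None."""
    return [{"asset": a, "category": c, "severity": s,
             "control": FINDING_TO_CONTROL.get(c)} for a, c, s in findings]

def control_scores(findings, assets):
    """Per control, the share (0-100) of checked assets with no open finding."""
    affected = defaultdict(set)
    for f in map_findings(findings):
        if f["control"] is not None:
            affected[f["control"]].add(f["asset"])
    return {c: round(100 * (1 - len(affected[c]) / len(assets)))
            for c in sorted(set(FINDING_TO_CONTROL.values()))}

def overall_score(findings, assets):
    """Single implementation score: mean of the per-control scores."""
    scores = control_scores(findings, assets)
    return round(sum(scores.values()) / len(scores))

def prioritize(findings):
    """Remediation order: severity first, then control number, then asset."""
    return sorted(map_findings(findings),
                  key=lambda f: (-SEVERITY_WEIGHT[f["severity"]],
                                 f["control"] if f["control"] is not None else 99,
                                 f["asset"]))
```

Unmapped categories keep `control` set to `None` and sort after every mapped finding of the same severity, so they surface for analyst review instead of silently inflating a control's score.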
Continuous Automated Infrastructure Penetration Testing – Breach and Attack Simulation (BAS)
To maintain compliance with CIS Controls and an up-to-date understanding of security risks, it is essential to perform Vulnerability Assessment frequently and continuously.
Benefits of an ongoing VA program include:
- Real-time visibility – proactively monitor exposure to new threats as systems and applications change.
- Speed of intervention – immediate identification of new gaps to be resolved according to CIS Controls.
- Progressive improvement – tracking progress over time towards complete coverage of critical controls.
- Dynamic risk management – evaluating the impact of internal and external changes on exposure to attacks.
- Proof of Diligence – demonstration of concrete commitment to following recognized best practice frameworks.
By outsourcing ongoing Vulnerability Assessment to qualified managed service providers, companies and organizations can benefit from specialized skills and advanced technologies to effectively integrate CIS Controls into their security program.
The CIS Critical Security Controls constitute a solid foundation of cybersecurity best practices developed by high-profile experts.
By integrating them into the Vulnerability Assessment process, organizations can concretely evaluate their compliance with these validated standards and identify priority areas for improvement.
A continuous program of checks allows you to monitor the security status over time and guide hardening and risk mitigation activities in line with the CIS Controls recommendations.
By taking a proactive approach, you can respond more quickly to evolving threats, reducing your attack surface and strengthening your overall cybersecurity posture.