If you are a board member or business executive, it’s time to get acquainted with the CIS Controls, commonly referred to as the CIS 20. This is perhaps the most comprehensive and simplest guide to best practices in basic cybersecurity controls and hygiene, issued by the Center for Internet Security. The current state-of-the-art is version 7. I’m not advocating that you memorize all 20 recommended controls in version 7; nor do you have to read the entire 73-page PDF document describing these controls. However, you should be acquainted with this important cybersecurity framework and be conversant on the six controls that are considered basic to cybersecurity best practices. Why do you need to get on this? Just look at the news headlines where data breaches affect millions of customers. Like every organization, you’d want to avoid such headlines. While it’s not your role to put cybersecurity protections in place, you are in a position to insist that your cybersecurity leaders utilize best practices. This type of oversight is increasingly becoming a fiduciary responsibility for board members, given the potential crippling impact a major cybersecurity breach can have on organizations.
The Six Basic Security Controls
The full CIS 20 can be accessed here at the Center for Internet Security. The downloadable PDF describes all 20 controls, organized into three general category areas: Basic, foundational and organizational.
In my experience working for the FBI, I can avow that virtually every single case involved some violation of these controls. When you align your cybersecurity profile to these controls, your organization has a better chance to protect and defend against internal and external attacks on the network.
For non-technical business leaders, I suggest starting with the six basic controls for this reason: If your teams are not highly functioning—or at least moderately functioning—in these areas, they have no business asking you to make large-scale investments. It doesn’t mean you shouldn’t be doing anything; but it does mean they need to get their act together on the basics and then be in a position to ask for additional investments.
So what are the basics and what do you need to know about them in order to have intelligent, reasonable and goal-oriented conversations with your organization’s cybersecurity leaders? Here’s a simple checklist to help get you started.
CIS Control No. 1: Inventory and control of hardware assets.
Your security teams need to be able to know what hardware assets they have and where they are, so they can determine what scripts to run and what needs to be protected. It may sound easy, but for global enterprises that have hardware assets all over the world, it can be a challenge. Your teams must be able to actively manage all hardware devices on the network so only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
CIS Control No. 2: Inventory and control of software assets.
Your teams also need to know what applications are running and where they are running. Again, this may sound simple, but in today’s era of multiple cloud environments, new cloud-native applications and software-as-a-service, organizations have many more software assets than they’ve ever had before, and IT departments don’t always own all the applications or have control over them. IT must be able to inventory, track and correct all software on the network so only authorized software is installed, and unauthorized and unmanaged software is discovered and prevented from installation or execution.
CIS Control No. 3: Continuous vulnerability management.
Security teams need to ensure they are continuously managing and monitoring potential vulnerabilities, and that systems are constantly patched and updated so current versions are used consistently throughout the organization. Cybersecurity teams must continuously acquire, assess and take action on new information in order to identify vulnerabilities, remediate problems and minimize the window of opportunity for attackers.
CIS Control No. 4: Controlled use of administrative privileges.
The misuse of administrative privileges is a primary method for attackers to spread inside a target enterprise. For most hackers, the goal is to get into your system and identify an individual with escalated privileges to expand their attack. If administrative privileges are loosely and widely distributed, or if identical passwords are used for critical systems, attackers have a much easier time finding a desired path. CIS advises organizations to use automated tools to inventory all administrative accounts to ensure only authorized individuals have elevated privileges.
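Controls 1, 2 and 4 all come down to the same check: compare what is authorized against what discovery actually finds, and report the difference. The script below is an added illustration, not code from the article or from CIS; every inventory, host name and account in it is constructed, and in practice the "observed" side would come from a DHCP lease export, a per-host package listing and the members of each host's administrative group.

```python
# Added example (not from the article or CIS): reconcile what is authorized
# against what is actually observed, for hardware (Control 1), software
# (Control 2) and administrative accounts (Control 4). All data is constructed.

# Authorized inventories, as a CMDB or approval list would hold them.
AUTHORIZED_DEVICES = {"00:11:22:33:44:01": "laptop-finance-07",
                      "00:11:22:33:44:02": "srv-db-01"}
AUTHORIZED_SOFTWARE = {"srv-db-01": {"postgresql", "openssh-server"},
                       "laptop-finance-07": {"firefox", "libreoffice"}}
AUTHORIZED_ADMINS = {"srv-db-01": {"root", "dba_ops"}}

# What discovery actually found (constructed: a DHCP lease export, a package
# listing per host, the members of the sudo/admin group per host).
OBSERVED_DEVICES = {"00:11:22:33:44:01", "00:11:22:33:44:02", "de:ad:be:ef:00:01"}
OBSERVED_SOFTWARE = {"srv-db-01": {"postgresql", "openssh-server", "nc"},
                     "laptop-finance-07": {"firefox"}}
OBSERVED_ADMINS = {"srv-db-01": {"root", "dba_ops", "jsmith"}}


def reconcile(authorized, observed):
    """Return (unauthorized, missing) as sorted lists.

    unauthorized: present on the network/host but never approved (shadow IT,
    or an attacker's foothold); missing: approved but not seen, which usually
    means a stale inventory or an asset that has gone dark.
    """
    unauthorized = sorted(set(observed) - set(authorized))
    missing = sorted(set(authorized) - set(observed))
    return unauthorized, missing


def reconcile_per_host(authorized_by_host, observed_by_host):
    """Apply reconcile() host by host; hosts known on only one side are included."""
    findings = {}
    for host in sorted(set(authorized_by_host) | set(observed_by_host)):
        findings[host] = reconcile(authorized_by_host.get(host, set()),
                                   observed_by_host.get(host, set()))
    return findings


def basic_controls_report():
    """One report a security lead could hand a board member."""
    return {
        "devices": reconcile(AUTHORIZED_DEVICES, OBSERVED_DEVICES),
        "software": reconcile_per_host(AUTHORIZED_SOFTWARE, OBSERVED_SOFTWARE),
        "admins": reconcile_per_host(AUTHORIZED_ADMINS, OBSERVED_ADMINS),
    }


if __name__ == "__main__":
    for area, result in basic_controls_report().items():
        print(area, result)
```

The interesting output is the "unauthorized" side of each pair: an unknown MAC on the network, a tool nobody approved on the database server, and an extra member of the administrative group.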
CIS Control No. 5: Secure configurations for hardware and software on mobile devices, laptops, workstations and servers.
Older configurations and factory-default configurations come with multiple vulnerabilities. The organization must develop its own configuration settings to minimize risk and must ensure that these are continuously managed and updated. As noted by CIS, “even if a strong initial configuration is developed and installed, it must be continuously managed to avoid security ‘decay’ as software is updated or patched and as new security vulnerabilities are reported.”
CIS Control No. 6: Maintenance, monitoring and analysis of audit logs.
Deficiencies in security logging and analysis allow attackers to hide their location and activities on victim machines. When bad things happen, logs are the starting point for post-mortem analysis. In fact, sometimes logging records are the only evidence of a successful attack. Network security teams need to ensure the recording and capturing of audit logs, with the ability to go back and conduct analysis at a regular cadence to ensure that there are no activities that fall outside of the organization’s normal parameters.
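What "activities outside the organization's normal parameters" looks like in practice is a set of rules run over the logs on a schedule. The script below is an added example, not code from the article; the sshd-style log lines, the business-hours window, the approved admin jump host and the failure threshold are all constructed, and a real deployment would define those parameters for its own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog-style sshd entries (not from any real system).
SAMPLE_LOG = """\
2024-03-04T08:02:11 srv-db-01 sshd[1101]: Accepted publickey for dba_ops from 10.0.5.12 port 50122 ssh2
2024-03-04T08:05:40 srv-db-01 sshd[1107]: Failed password for root from 203.0.113.9 port 40100 ssh2
2024-03-04T08:05:42 srv-db-01 sshd[1107]: Failed password for root from 203.0.113.9 port 40101 ssh2
2024-03-04T08:05:44 srv-db-01 sshd[1107]: Failed password for root from 203.0.113.9 port 40102 ssh2
2024-03-04T08:05:47 srv-db-01 sshd[1107]: Accepted password for root from 203.0.113.9 port 40103 ssh2
2024-03-04T23:41:03 srv-db-01 sshd[1199]: Accepted publickey for dba_ops from 10.0.5.12 port 50410 ssh2
"""

LINE_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Accepted|Failed) (\w+) for (\S+) from (\S+) port")

# The organization's own "normal parameters" (constructed assumptions).
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local time
ALLOWED_ADMIN_SOURCES = {"10.0.5.12"}   # the jump host admins are expected to use
FAILED_BURST = 3                        # failures before a success that look like guessing


def parse(log_text):
    """Turn raw lines into (timestamp, host, outcome, method, user, source) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, outcome, method, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), host, outcome, method, user, src))
    return events


def analyze(log_text):
    """Return (rule, host, user, source, time) findings outside normal parameters."""
    findings = []
    failures = defaultdict(int)   # (user, source) -> consecutive failed attempts
    for ts, host, outcome, method, user, src in parse(log_text):
        key = (user, src)
        if outcome == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= FAILED_BURST:   # a success right after a burst of failures
            findings.append(("success-after-failures", host, user, src, ts.isoformat()))
        failures[key] = 0
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off-hours-login", host, user, src, ts.isoformat()))
        if src not in ALLOWED_ADMIN_SOURCES:
            findings.append(("unexpected-source", host, user, src, ts.isoformat()))
    return findings
```

Run over the sample, it flags the root login that followed three failed passwords from an address that is not the jump host, and the legitimate administrator's login at 23:41 as off-hours for a human to review.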
In the past, it probably was not necessary for business leaders and board members to dig this deeply into the weeds of cybersecurity defenses. But times have changed. Cybersecurity is now a business enabler and a critical factor in supporting innovation. If you have a fiduciary responsibility to the organization, then you also have a fiduciary responsibility to be aware of the basics of cybersecurity hygiene and best practices. CIS Controls one through six are the best place to get started.
M.K. Palmore is Field Chief Security Officer in Americas for Palo Alto Networks.