CIS Controls Version 7.1, released in April 2019, was developed by Center for Internet Security (CIS), which consists of a community of IT experts. CIS Controls has a set of 20 prioritized controls, divided into three categories as basic, foundational and organizational, which are also termed as Implementation Group (IG) IG1, basic; IG2 – IG1, foundational; and IG3 – IG2, organizational.
The basic category consists of controls for the inventory and control of hardware assets, inventory and control of software assets, continuous vulnerability management, controlled use of admin rights, and the secure configuration for hardware and software on mobile devices, laptops, workstations and servers.
The foundational category has 10 controls: email and web browser protection, malware defenses, limitation and control of network ports protocols and services, data recovery capabilities, secure configuration for network devices, boundary defenses, data protection, controlled access based on the need to know, wireless access control, and account monitoring and control.
The organizational category includes controls for implementing a security awareness and training program, application software security, incident response and management, penetration tests and red team exercises. These controls together form a net that provides best practices for mitigating common attacks against systems and networks.
Organizations should implement basic controls first, followed by foundational and organizational. Basic controls also are referred to as “cyber hygiene,” as these are the essential protections that must be in place to defend against common attacks. IG1 is recommended for small businesses, IG2 is suitable for regional organizations and IG3 is implemented for large corporations. Each control has sub-controls with descriptions for each, and each control has the following elements:
- Description mentioning criticality of control
- Actions that the organization should take to implement the control
- Procedure and tools to enable implementation
- Entity relationship diagrams that show components of implementation
For example, control 5 is described below as given in the CIS V7.1 document.
CIS control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Why is the control critical?
As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared toward ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, and pre-installation of unneeded software can be exploitable in their default state.
Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices (the procedures and tools section below provides resources for secure configurations). Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security “decay” as software is updated or patched, new security vulnerabilities are reported, and configurations are “tweaked” to allow the installation of new software or to support new operational requirements. If not, attackers will find opportunities to exploit both network-accessible services and client software.
Actions organization should take to implement control
|
Sub-Control
|
Asset Type
|
Security Function
|
Control Title
|
Control Description
|
IG1
|
IG2
|
IG3
|
|
5.1
|
|
|
Establish Secure Configurations
|
Maintain documented security configuration standards for all authorized operating systems and software
|
✓
|
✓
|
✓ |
|
5.2
|
Applications*
|
Protect Δ
|
Maintain Secure Images
|
Maintain secure images or templates for all systems in the enterprise based on the organization’s approved configuration standards. Any new system deployment or existing system that becomes compromised should be imaged using one of those images or templates
|
|
✓
|
✓
|
|
5.3
|
|
|
Securely Store Master Images
|
Store the master images and templates on securely configured servers, validated with integrity monitoring tools, to ensure that only authorized changes to the images are possible
|
|
✓
|
✓
|
|
5.4
|
|
|
Deploy System Configuration Management Tools
|
Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals
|
|
✓
|
✓
|
|
5.5
|
|
Detect
|
Implement Automated Configuration Monitoring Systems
|
Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalogue approved exceptions, and alert when unauthorized changes occur
|
|
✓
|
✓
|
* Asset type includes assets such as applications, devices, users, network, data, etc.,
Δ Security function include Identify, protect, detect, respond and recover
Procedures and tools
Rather than start from scratch developing a security baseline for each software system, organizations should start from publicly developed, vetted, and supported security benchmarks, security guides, or checklists. Excellent resources include:
Organizations should augment or adjust these baselines to satisfy local policies and requirements, but deviations and rationale should be documented to facilitate later reviews or audits.
For a complex enterprise, the establishment of a single security baseline configuration (for example, a single installation image for all workstations across the entire enterprise) is sometimes impractical or deemed unacceptable. It is likely that you will need to support different standardized images, based on the proper hardening to address risks and needed functionality of the intended deployment – for example, a web server in the demilitarized zone (DMZ) versus an email or other application server in the internal network. The number of variations should be kept to a minimum in order to better understand and manage the security properties of each, but organizations then must be prepared to manage multiple baselines.
Commercial and/or free configuration management tools can then be employed to measure the settings of operating systems and applications of managed machines to look for deviations from the standard image configurations. Typical configuration management tools use some combination of an agent installed on each managed system, or agentless inspection of systems by remotely logging in to each managed machine using administrator credentials. Additionally, a hybrid approach is sometimes used whereby a remote session is initiated, a temporary or dynamic agent is deployed on the target system for the scan, and then the agent is removed.