The CIS 20 Organizational Controls – Controls 17-20 Explained
by Robert Bond
Controls 17-20 — CIS 20 Part Three – The “Organizational” Controls
As we suggested in the first two blog posts of our CIS 20 blog post series, the first steps in your cybersecurity approach require developing and implementing technical tools to fend off attackers and protect your organizational assets. That is the purpose of the CIS 20 basic and foundational controls (CIS 1-16).
But those technical defenses will have limited impact if they are not combined with a robust, strategic approach to cybersecurity processes, training, and attack response across the organization. Consider the following scary statistics:
- 56 percent of e-mail recipients clicked on a link from an unknown sender, despite the risks.
- Up to 95 percent of cyber-attacks start with phishing attacks
- Only 21 percent of surveyed businesses considered their existing cybersecurity measures to be satisfactory
These statistics demonstrate why organizations need to go beyond technical tools and tactics to ensure that their cybersecurity training and awareness, incident response, and pen testing programs are implemented. The best way of making this happen is through implementing the CIS 20 controls 17-20.
Organizations that apply just the first 5 CIS Controls can reduce their risk of cyberattack by around 85 percent. Implementing all 20 CIS Controls increases the risk reduction to around 94 percent. (CISecurity.org)
In this third part of a three-part series we look at CIS 17-20, the ‘organizational’ controls, and set out how you can implement them within your organization to establish a robust security culture. This means:
- Implementing a security awareness and training program
- Implementing a secure coding practices program
- Developing an incident response capability
- Making use of penetration tests and red team exercises
CIS 17 – Implement a Security Awareness and Training Program
You will not be able to implement any technical cybersecurity solutions (i.e. those set out in CIS 1-16) effectively, without the commitment of the people in the organization to support cybersecurity goals. Cyber attackers will often focus on employees with a poor understanding of cybersecurity best practices. CIS 17 is the control that asks you to set up a plan for your organization laying out how this will be achieved. This plan or program will need to:
- Set out all functional roles within the organization, with a focus on those who are most central to the organization’s success
- Identify the specific knowledge, skills, and abilities, that are required for a robust cyber defense of your enterprise
- Make a plan which identifies any skills and knowledge gaps within the organization, and sets out how the organization will manage its training and security awareness to deal with those gaps
CIS 18 – Application Software Security
Large organizations maintain scores of software, both acquired and developed in-house, which can present a vulnerability for the organization. Cyber attackers can use a range of tools to attack organizations in relation to known vulnerabilities. These might include:
- Buffer overflows. This occurs when data temporarily written to a ‘buffer’, overflows and starts overwriting other memory locations
- Structured Query Language (SQL) injection attacks. These are malicious lines of code entered into an entry field for executing
- Cross-site scripting. This attack, commonly applied to web applications, involves malicious scripts being inserted into webpages viewed by other users;
- Click-jacking of code. This occurs where a user is tricked into clicking on a malicious webpage element, which is invisible or otherwise disguised.
CIS 18 requires that organizations put in place a ‘security life cycle’ for all software to continuously identify, and improve on, any security weaknesses. Specific steps to take include:
- Ensuring secure coding practices within the organization
- Using static and dynamic analysis tools to ensure secure coding practices are being adhered to.
CIS 19 – Incident Response and Management
Most of the CIS 20 controls are about preventing attacks from happening in the first place. But once an attack has happened, it is critical for an organization to have established processes in place to respond quickly and effectively to the threat. This is called an ‘incident response infrastructure’. It is essential in order to contain the damage and ensure the ongoing security of your assets. Your incident response infrastructure needs to contain:
- Written incident response plans. Analogous to an emergency response plan for workplace fires, the incident response plan will define the roles of employees in relation to the incident, as well as setting out the different steps for handling the incident;
- An up-to-date register of third-party contact information for reporting security incidents to relevant parties, which may include law enforcement, government departments, and vendors.
CIS Control 20 – Penetration Tests and Red Team Exercises
Once you have the relevant cybersecurity planning and training for the organization in place, the question remains, how are you going to test its effectiveness? This is where CIS control number 20 plays a role. This control requires that you test the overall strength of your cyber defenses using simulated attacks. The attack should include all elements of your cyber defense – the technological tools, the processes, and people’s capability to uncover vulnerabilities that were unknown and unaddressed when implementing the basic and foundational controls.
A penetration test begins by identifying the vulnerabilities of the organization. Next, tests are designed and carried out to demonstrate how an attacker might get around the organization’s defenses.
A ‘Red Team exercise’ is a more targeted form of assessment than a penetration test. While a penetration test looks for as many vulnerabilities in the organization as possible, a red team exercise tries to break through cyber defenses to get to organizational assets, using any tools in the tester’s arsenal.
Both penetration tests and red team exercises are the most effective ‘audit’ of your cybersecurity systems and processes, to ensure that they are fit-for-purpose. Without implementing these controls, you cannot operate with the assurance that your cybersecurity approach is sufficient.
All organizations need to have a robust cybersecurity strategy and program in place. This is all-the-more-important with an increased number of employees working remotely and the security vulnerabilities that may entail. We recommend a three-pronged approach based on CIS-20.
- The basic controls 1-6, to ensure a ‘bare minimum’ of security
- The foundational controls 7-16, to develop a higher quality of ‘cyber hygiene’
- The organizational controls 16-20, to ensure that you have the people and processes, in addition to the technical tools, for robust cybersecurity
Before we end this 3-part blog series, here again, are the CIS 20 security controls as a reminder.
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Continuous Vulnerability Assessment and Remediation
- CSC 4: Controlled Use of Administrative Privileges
- CSC 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CSC 7: Email and Web Browser Protections
- CSC 8: Malware Defenses
- CSC 9: Limitation and Control of Network Ports, Protocols, and Services
- CSC 10: Data Recovery Capability
- CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- CSC 12: Boundary Defense
- CSC 13: Data Protection
- CSC 14: Controlled Access Based on the Need to Know
- CSC 15: Wireless Access Control
- CSC 16: Account Monitoring and Control
- CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
- CSC 18: Application Software Security
- CSC 19: Incident Response and Management
- CSC 20: Penetration Tests and Red Team Exercises
To Learn More About How to Protect Your Organization through a Cybersecurity Strategy Please Call Us – as Always We Are Happy to Help – 1 (888) 982-0678
October 15, 2020
September 22, 2020