CIS Critical Security Controls 101: Everything to Know About the 18 Controls

The Center for Internet Security (CIS) defines CIS Critical Security Controls as

“A prioritized set of Safeguards to mitigate the most prevalent cyberattacks against systems and networks.”

Essentially, CIS Controls are a framework of actions that organizations can take to improve their overall security posture. These controls are organized into categories and updated frequently to address emerging threats and technologies. 

In this article, we’ll look deeper into all 18 controls. 

What is the Center for Internet Security (CIS)? 

The Center for Internet Security (CIS) is a nonprofit organization focused on enhancing the cybersecurity readiness and resilience of public and private sector entities. It is best known for developing the CIS Controls, but a few other projects and initiatives it runs include:

  • CIS Benchmarks
  • CIS-CAT Pro
  • Multi-State Information Sharing and Analysis Center (MS-ISAC)
  • Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

The organization developed critical security controls in 2008, but the latest update (Version 8) was released in 2021.

What are CIS Critical Security Controls?

Here’s why CIS Controls are valuable and how they can help your organization:

  • Prioritization: With CIS Controls, you have a proper list of security actions that can help you focus your efforts on the most critical and impactful security measures for your organization. You can first identify the most important areas to address to allocate your limited resources effectively.
  • Standardization: With CIS Controls comes a standardized set of security practices to help establish a common language and baseline for security across different sectors within your organization.
  • Measurable Progress: The CIS Controls give a clear roadmap for measuring your organization’s progress in implementing security measures. This helps you track security maturity, identify gaps, and prioritize ongoing improvements.

CIS Controls v8: The 18 CIS Critical Security Controls

CIS controls give you the base layer of security measures to protect systems against malicious activities. Here’s a deeper dive into each control:

1) Inventory and control of enterprise assets 

This control focuses on keeping track of all the devices in an organization's environment. Security teams maintain an up-to-date inventory of authorized devices (computers, servers, mobile devices, and so on) so they know the full set of assets the organization manages. 

With this control, you can also identify and manage any unauthorized devices or software that may pose security risks. By maintaining a comprehensive inventory, organizations can monitor and control their assets, making it easier to ensure the security of their environment.

Organizations need to understand which data is important to them so they can enact security measures to protect it. By managing their assets effectively using this control, they can determine which parts of their business house or handle this important data. 

Implementing inventory and control

  • Create and keep a thorough inventory of all assets within the organization.
  • Deal with any unauthorized assets.
  • Make use of a tool that actively discovers assets.
  • Update the enterprise asset inventory by logging information through the Dynamic Host Configuration Protocol (DHCP).
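The last safeguard above, using DHCP lease information to keep the asset inventory current, can be automated. The example below is added here and is not from the CIS Controls or this article: it parses constructed ISC dhcpd-style syslog lines, flags leases handed to devices absent from an assumed inventory, and records the latest IP and hostname for known devices. The log format, MAC addresses and inventory contents are all assumptions.

```python
"""Reconcile DHCP lease events against an authorized asset inventory (added example)."""
import re
from dataclasses import dataclass

# Constructed sample of ISC dhcpd syslog output (hostnames and MACs are made up).
SAMPLE_DHCP_LOG = """\
Mar 10 08:01:12 dhcp1 dhcpd[911]: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (fin-laptop-07) via eth0
Mar 10 08:02:40 dhcp1 dhcpd[911]: DHCPACK on 10.20.1.16 to 00:11:22:33:44:66 (eng-ws-12) via eth0
Mar 10 08:05:03 dhcp1 dhcpd[911]: DHCPACK on 10.20.1.99 to de:ad:be:ef:00:01 (android-3f2a) via eth0
Mar 10 08:05:03 dhcp1 dhcpd[911]: DHCPREQUEST for 10.20.1.99 from de:ad:be:ef:00:01 via eth0
Mar 10 08:07:55 dhcp1 dhcpd[911]: DHCPACK on 10.20.1.15 to 00:11:22:33:44:55 (fin-laptop-07) via eth0
"""

# Constructed authorized inventory keyed by lowercase MAC address (an assumption).
AUTHORIZED_ASSETS = {
    "00:11:22:33:44:55": {"owner": "finance", "type": "laptop"},
    "00:11:22:33:44:66": {"owner": "engineering", "type": "workstation"},
}

# Only DHCPACK lines represent a completed lease; DISCOVER/REQUEST lines are ignored.
DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9a-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    interface: str


def parse_leases(log_text):
    """Extract one Lease per DHCPACK line; MACs are normalized to lowercase."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"] or "", m["iface"]))
    return leases


def find_unauthorized(leases, inventory):
    """Return leases (one per MAC) whose MAC is absent from the inventory."""
    seen = set()
    unauthorized = []
    for lease in leases:
        if lease.mac not in inventory and lease.mac not in seen:
            seen.add(lease.mac)
            unauthorized.append(lease)
    return unauthorized


def update_inventory(leases, inventory):
    """Return a copy of the inventory enriched with the latest IP/hostname per known MAC."""
    updated = {mac: dict(attrs) for mac, attrs in inventory.items()}
    for lease in leases:  # later log lines overwrite earlier ones
        if lease.mac in updated:
            updated[lease.mac].update(last_ip=lease.ip, last_hostname=lease.hostname)
    return updated


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_DHCP_LOG)
    for lease in find_unauthorized(leases, AUTHORIZED_ASSETS):
        print(f"UNAUTHORIZED {lease.mac} {lease.ip} {lease.hostname!r} via {lease.interface}")
```

Unknown MACs are what the "deal with any unauthorized assets" safeguard is about; in practice the flagged lease would feed a ticket or a quarantine VLAN rather than just a print.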

2) Inventory and control of software assets 

This control lets you manage the software installed on enterprise assets. By effectively managing software assets, you can prevent the execution of unauthorized software so it doesn’t introduce security risks and vulnerabilities.

Having a comprehensive inventory of software keeps your organization’s system safe. And to protect your organization from severe attacks, you should update and patch your software frequently. 

But here's the catch: if you don't know what software you have, it's hard to identify if any of it is vulnerable, or if you're breaking any licensing rules. 

How to get started with software asset control

Here’s how you can follow and implement this control:

  • Create and manage your software inventory.
  • Make sure the software you're using is up-to-date and officially supported.
  • Deal with any software that you're not supposed to have.
  • Take advantage of automated tools to keep track of your software inventory.
  • Only allow approved software to run on your systems.
  • Only allow approved software libraries to be used.
  • Only allow approved scripts to be executed.

3) Data protection

Data is not confined within a company's boundaries anymore. It can be found in the cloud, on portable devices that users use at home, and is often shared with partners or online services hosted anywhere in the world. 

When hackers manage to breach a company's infrastructure, one of their initial goals is to locate and steal data. Companies may not be aware that sensitive information is leaving their system because they are not monitoring the data flow. 

To address this issue, you should encrypt data both in transit and at rest. This not only helps protect against data breaches but is also a requirement imposed by regulations for most types of controlled data.

Data protection safeguards

Here’s how you can follow and implement this control:

  • Set up and maintain a system for managing data.
  • Keep track of all the data you have.
  • Control who can access the data by setting permissions.
  • Make sure data is stored for the right amount of time.
  • Safely get rid of data you no longer need.
  • Protect data on devices used by end-users.
  • Create and keep a system for organizing data by importance.
  • Document how data moves within your organization.
  • Encrypt data stored on removable devices.
  • Encrypt sensitive data during transfer.
  • Encrypt sensitive data while it's at rest or stored.
  • Separate data processing and storage based on how sensitive it is.
  • Use a solution to prevent data loss.
  • Keep a record of who accesses sensitive data.

4) Secure configuration of enterprise assets and software 

Out of the box, most enterprise assets and software come with default settings focused on easy setup and user-friendliness rather than security. These are great for getting started quickly, but these default settings can leave your system vulnerable to attacks. 

Attackers can exploit basic controls, default passwords, pre-configured DNS settings, and outdated protocols if you don't change them from their default state. So, this control focuses on establishing secure configurations for hardware (devices and systems) and software components used within the organization. 

How to manage asset and software configuration

Here’s how you can follow and implement this control:

5) Account management

Unauthorized access to your assets or data is more likely to come from someone using valid user credentials, whether from inside or outside the organization, than from traditional hacking techniques.

Those with administrative accounts in your organization are core targets since the attackers can use their accounts to create additional accounts or modify assets in a way that makes them susceptible to further breaches. 

This control suggests you closely manage user access privileges, password policies, and account activity. And by doing so, you can ensure that only authorized individuals can access specific systems or data based on their roles and responsibilities. 

Key aspects of account management

Here’s how you can follow and implement this control:

  • Create and maintain an inventory of accounts.
  • Use different passwords for each account.
  • Deactivate unused accounts.
  • Limit administrative powers to specific administrator accounts.
  • Establish and manage an inventory of service accounts.
  • Consolidate account management in one central place.

6) Access control management

While CIS Control 5 is about managing user accounts, access control management focuses on controlling the level of access user accounts have in your organization. It guides you in restricting access to critical systems and sensitive data based on the principle of least privilege.

Per this control, account users should only have access to the data or assets relevant to their job and have strong authentication measures in place for sensitive data. By implementing these measures, you can limit the risk of unauthorized access and potential misuse of resources in your organization. 

So consider using MFA (Multi-Factor Authentication) and PAM (Privileged Access Management) tools to assign and revoke access credentials and privileges for different types of accounts (users, administrators, and services).

(MFA and PAM are great ways to get ahead of common attacks such as password spraying.)

Access control management safeguards

Here’s how you can follow and implement this control:

  1. Set up a process to grant access.
  2. Set up a process to revoke access.
  3. Ensure Multi-Factor Authentication (MFA) is used for applications accessible from outside the organization.
  4. Ensure the use of MFA for accessing the network remotely.
  5. Ensure the use of MFA for administrative access.
  6. Create and keep a list of systems that verify and authorize users.
  7. Consolidate access control in a central location.
  8. Establish and manage access control based on specific roles.

7) Continuous vulnerability management

Continuous vulnerability management is the practice of assessing and addressing vulnerabilities in your systems and applications. It emphasizes the importance of defenders regularly assessing their environment to identify vulnerabilities before attackers can exploit them.

Cyber defenders face ongoing challenges from attackers who seek out weaknesses in their infrastructure to exploit and gain entry. That’s why the defenders (AKA the blue team) should have access to up-to-date information about potential threats, such as software updates, patches, and security advisories.

Applying continuous vulnerability management

Here’s how you can follow and implement this control:

  • Set up and maintain a system to identify and address vulnerabilities in your organization.
  • Set up and maintain a process to fix identified issues.
  • Use automated tools to keep your operating systems up to date with the latest patches.
  • Use automated tools to update applications with the latest patches.
  • Use automated tools to scan your internal company assets for potential vulnerabilities.
  • Use automated tools to scan your external-facing company assets for potential vulnerabilities.
  • Take action to fix any vulnerabilities that are detected.

8) Audit log management 

Audit records are sometimes the only evidence of a successful attack. Attackers know that some organizations maintain audit logs for compliance reasons yet rarely examine them. Exploiting this knowledge, attackers conceal their whereabouts, malicious software, and actions on compromised machines. 

Due to non-existent log analysis procedures, threat actors gain control over victim machines for extended periods without the targeted organization being aware of their presence.

That’s why this control focuses on reviewing and retaining detailed logs of activities and events within an organization's systems and networks. By analyzing audit logs, you can detect suspicious or unauthorized activities, identify potential security incidents, and respond promptly to mitigate their impact. 

Audit log management safeguards

Here’s how you can follow and implement this control:

  • Set up and maintain a system for managing audit logs.
  • Gather the audit logs.
  • Make sure you have enough storage space for the audit logs.
  • Ensure that all devices have synchronized time.
  • Collect thorough and detailed audit logs.
  • Gather logs for DNS queries.
  • Gather audit logs for URL requests.
  • Gather audit logs for command-line activities.
  • Consolidate all the audit logs in a central location.
  • Keep the audit logs for a specified duration.
  • Regularly review the audit logs.
  • Obtain logs from the service provider.

9) Email and web browser protections 

Email and web browsers are prime targets for both malicious software and social engineering tactics. That’s why this control emphasizes preventing phishing attacks, malware infections, and other web-based threats. 

Attackers target web browsers and email clients because these interact directly with users within a company. They create deceptive content to trick users into sharing their login credentials, revealing sensitive information, or providing an entry point for unauthorized access.  

Email and web browser protections

Here’s how you can follow and implement this control:

  • Make sure you only use web browsers and email programs that are fully supported.
  • Utilize services that filter and block harmful websites through the Domain Name System (DNS).
  • Keep and enforce filters on your network that block access to suspicious or unsafe URLs.
  • Limit the use of browser and email extensions that are unnecessary or not authorized.
  • Set up and enforce DMARC (Domain-based Message Authentication, Reporting, and Conformance) to enhance email security.
  • Prevent the downloading or opening of unnecessary file types that could pose a risk.
  • Set up and maintain protections on your email server to defend against malware attacks.

10) Malware defense

Malicious software, such as viruses or trojans, is one of the most significant internet threats. It infiltrates enterprises through vulnerabilities found in end-user devices, email attachments, webpages, cloud services, mobile devices, and removable media. 

That's why organizations should implement malware defenses across all possible entry points and enterprise assets. These defenses help identify, prevent, or manage the presence of malicious software or code by thwarting the execution of harmful applications, code, or scripts on enterprise assets.

Malware defense safeguards

Here’s how you can follow and implement this control:

  • Install and keep up-to-date antivirus software.
  • Set up automatic updates for antivirus signatures.
  • Turn off the automatic opening of removable media.
  • Schedule regular automatic scans of removable media for viruses.
  • Activate features that protect against software vulnerabilities.
  • Manage antivirus software from a central location.
  • Utilize antivirus software that detects suspicious behavior.

11) Data recovery 

When attackers gain access to systems, they modify settings, create new accounts, and sometimes install unauthorized software or scripts. These alterations are difficult to detect because attackers may replace legitimate applications with malicious ones or use seemingly normal account names.

That’s why as per this control, you should have up-to-date backups or copies of your data and systems to restore your enterprise assets and data to a known, trusted state.

Data recovery safeguards

Here’s how you can follow and implement this control:

  • Set up and keep a plan for recovering data.
  • Use automated tools to make backups.
  • Safeguard the data used for recovery.
  • Create and manage a separate copy of the recovery data.
  • Check if the data recovery process works correctly.

(Data recovery is a key aspect of any disaster recovery plan.)

12) Network infrastructure management 

Attackers look for weak default configurations, gaps, or inconsistencies in firewall rules, routers, and switches. They then exploit these weaknesses to breach defenses, gain unauthorized access to networks, and intercept data in transit. 

To defend against such attacks, your organization should have a secure network infrastructure. This control recommends establishing, implementing, and managing network devices to prevent attackers from exploiting vulnerable network services and access points.

Network infrastructure management best practices

Here’s how you can follow and implement this control:

  • Make sure your network is kept current.
  • Set up and maintain a secure network structure.
  • Manage your network infrastructure securely.
  • Create and keep architecture diagrams.
  • Consolidate network authentication, authorization, and auditing in one place.
  • Use secure protocols for managing and communicating on the network.
  • Ensure remote devices connect to an enterprise's authentication infrastructure through a VPN.
  • Allocate dedicated computing resources for all administrative tasks and keep them maintained.

13) Network monitoring and defense 

Security tools are only effective if they’re part of a continuous monitoring process that enables staff to receive timely alerts and respond swiftly to security incidents. 

Organizations that rely solely on technology, without the people and processes around it, see more false positives because they depend entirely on the alerts their tools generate.

Per this control, you should operate processes and tools to continuously monitor network traffic, identify suspicious activities, and respond promptly to mitigate the impact.

Network monitoring and defense safeguards

Here’s how you can follow and implement this control:

  • Consolidate the alerting system for security events.
  • Set up a system that detects unauthorized activities on individual devices.
  • Set up a system that detects unauthorized activities on the network.
  • Implement measures to filter and control traffic flow between different network parts.
  • Manage and control access to assets from remote locations.
  • Gather logs that capture the flow of network traffic.
  • Set up a system that prevents unauthorized activities on individual devices.
  • Set up a system that prevents unauthorized activities on the network.
  • Implement access control at the port level.
  • Apply filters to monitor and control the application layer of network traffic.
  • Adjust the thresholds for alerting about security events to optimize their effectiveness.

14) Security awareness and skills training 

The actions of users impact whether an organization's security program succeeds or fails. It’s much easier for an attacker to trick a user into clicking a link or opening an email attachment, which installs malicious software and provides access to the organization than to exploit a network vulnerability directly. 

Users can cause incidents by: 

  • Mishandling sensitive data
  • Sending sensitive information to the wrong person
  • Losing a portable device
  • Using weak passwords or reusing passwords from public sites 

That's why you should establish and maintain a security awareness program that promotes a security-conscious mindset and provides the necessary skills to reduce cybersecurity risks for the organization.

Getting started with security awareness and skills training

Here’s how you can follow and implement this control:

  • Establish and maintain a program to raise security awareness.
  • Educate employees to identify social engineering attacks.
  • Provide training to employees on the best practices for authentication.
  • Teach employees the best practices for handling data.
  • Educate employees on the causes of unintentional data exposure.
  • Train employees to recognize and report security incidents.
  • Instruct employees on identifying and reporting missing security updates for enterprise assets.
  • Educate employees about the risks of connecting to and transmitting enterprise data over insecure networks.
  • Conduct role-specific training sessions to enhance security awareness and skills.

(A strong cybersecurity awareness program should emphasize common attacks and good cyber hygiene.)

15) Service provider management 

There have been many instances where organizations have been affected by breaches caused by third parties. Back in the 2000s, payment card information was compromised when attackers gained access to smaller vendors in the retail industry.

CIS Control 15 is designed to address this problem. It involves managing and monitoring third-party service providers with access to an organization's systems, networks, or data. 

This control recommends assessing and monitoring the security practices of service providers, with an emphasis on ensuring the protection of sensitive information and maintaining the security posture of the organization. 

What to watch for when managing service providers

Here’s how you can follow and implement this control:

  • Create and keep track of a list of service providers.
  • Develop and uphold a policy for managing service providers.
  • Categorize service providers into different groups.
  • Make sure that security requirements are included in service provider contracts.
  • Evaluate service providers to determine their suitability.
  • Keep an eye on service providers to ensure compliance and performance.
  • Safely remove service providers from operations when they are no longer needed.

16) Application software security 

Applications are a user-friendly platform that enables users to access and handle data according to business requirements. They reduce users' need to engage with intricate system operations, such as logging into a database to insert or modify records, which can be prone to errors. 

Instead of going through a complex network and system hacking process to bypass security measures, an attacker may exploit vulnerabilities within the application itself to gain unauthorized access to data. So, you should implement secure coding practices and processes to ensure the security of custom-developed software in your organization. 

Application software security safeguards

Here’s how you can follow and implement this control:

  • Create and maintain a secure process for developing applications.
  • Establish and maintain a system to identify and address software vulnerabilities.
  • Investigate the root causes of security vulnerabilities.
  • Set up and manage a list of software components from third-party sources.
  • Utilize updated and trusted software components from external sources.
  • Create and maintain a system to rate the severity of application vulnerabilities.
  • Use standardized configuration templates to strengthen the security of application infrastructure.
  • Keep production and non-production systems separate.
  • Provide training to developers on application security concepts and secure coding practices.
  • Apply secure design principles when designing application architectures.
  • Utilize pre-verified modules or services for application security components.
  • Implement security checks at the code level.
  • Conduct penetration testing on applications.
  • Perform threat modeling to identify potential risks.

(Take a deep dive into application security.)

17) Incident response management 

Incident response management means developing and implementing an incident response plan to address and mitigate security incidents. An incident response plan outlines the steps and procedures to be followed during a security incident, such as a data breach or a cyber attack. It consists of measures to protect, detect, respond to, and recover from threats. 

In less mature organizations, the response and recovery aspects are often neglected. The only response technique employed when systems are compromised is to restore them to their original state and continue as if nothing happened. 

The main objective of incident response is to identify threats within the organization, respond promptly to prevent their spread and resolve them before they can cause any damage.

Incident response management safeguards

Here’s how you can follow and implement this control:

  • Choose staff members to handle incidents effectively.
  • Keep updated contact information for reporting security issues.
  • Create a systematic approach for reporting incidents across the organization.
  • Develop and sustain a process to handle incidents promptly.
  • Allocate specific roles and responsibilities to team members.
  • Determine effective communication methods during incident response.
  • Regularly practice incident response procedures.
  • Perform reviews after incidents to learn from them.
  • Set and maintain predetermined levels for security incidents.

(Learn more about incident severity levels, incident metrics & best practices for incident postmortems.)

18) Penetration testing

To maintain a strong defense against threats, it's important to have a well-rounded approach that includes effective policies, governance, and technical defenses. Achieving perfection is difficult because technology is always changing and attackers are constantly developing new tactics. That's why you should regularly penetration test your organization’s security measures to uncover any weaknesses and evaluate their ability to withstand attacks.

This control recommends testing the effectiveness and resilience of company assets by identifying and exploiting vulnerabilities in the systems, processes, and technology while simulating the actions and goals of an attacker.

Penetration testing

Here’s how you can follow and implement this control:

  • Set up and keep a program for testing how secure your system is from hackers.
  • Conduct regular tests to see if external hackers can break into your system.
  • Fix any issues that are found during the tests.
  • Confirm that your security measures are effective and working correctly.
  • Conduct regular tests to check if someone inside your organization can breach your system.

Summing up the CIS critical security controls

Implement CIS controls to help your organization establish a strong defense against cyber attacks, safeguard sensitive data, and ensure the continuity of its operations. By prioritizing these controls, you can mitigate risks, detect potential vulnerabilities, and respond promptly to incidents.

This posting does not necessarily represent Splunk's position, strategies or opinion.

Posted by Laiba Siddiqui

Laiba Siddiqui is a technical writer who specializes in writing for SaaS companies. You can connect with her on LinkedIn and at contentbylaibams@gmail.com.