Overview of CIS Controls 13-18 and How You Can Implement Them

October 25, 2021

With the Center for Internet Security (CIS) recently releasing version eight of its controls, consolidating the previous 20 controls into 18, let’s dive into the final set of six controls together to make them more digestible.

To simplify things, we’ll describe each control briefly along with why it is important and how you can easily weave each control into your cybersecurity program. Find a recap of controls 1-6 here and controls 7-12 here.

Control 13: NETWORK MONITORING AND DEFENSE

Description

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Why It’s Important

Boundary protection and network defense are just one part of a comprehensive network security strategy. Not only should you have robust firewall and prevention strategies in place, but also security incident monitoring solutions that alert security teams when those defenses fail. This does not mean you need to have your own security operations center (SOC), but it does mean you should have both automated tools and manual processes in place to identify, triage, evaluate, and resolve incidents.

How to Implement It

Deploy centralized security event alerting using solutions such as a security information and event management (SIEM) tool or services provided by the major public cloud providers such as AWS CloudTrail and CloudWatch. You may not have the resources to implement everything, but start with the higher risk, more critically important systems and networks and continually improve as you move forward. Deploy network and host-based intrusion detection systems and supporting escalation processes to resolve alerts or events from these systems.
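The centralized alerting and escalation described above, shown as a small triage routine over CloudTrail-style records; this is an added example, not code from the original post or from CIS. The records, IP addresses and thresholds are constructed for illustration, and the three rules (root account use, changes to the audit trail itself, repeated failed console logins from one address) are a starting set, not a complete rule base.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample CloudTrail records, trimmed to the fields the rules need.
# IPs are documentation addresses; nothing here is real account data.
SAMPLE_EVENTS = [
    {"eventTime": "2021-10-25T09:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2021-10-25T09:01:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2021-10-25T09:02:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "bob"}, "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventTime": "2021-10-25T09:30:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root"}, "responseElements": {"ConsoleLogin": "Success"}},
    {"eventTime": "2021-10-25T09:45:00Z", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}, "responseElements": None},
]

# API calls that weaken the audit trail itself; always worth an alert.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
FAIL_THRESHOLD = 3                   # failed console logins from one IP ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window -> alert


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage_events(events):
    """Apply three escalation rules to CloudTrail records and return alerts in time order."""
    alerts = []
    recent_failures = defaultdict(list)  # sourceIPAddress -> timestamps of failed logins
    for event in sorted(events, key=_when):
        name, ip = event["eventName"], event["sourceIPAddress"]
        identity = event.get("userIdentity") or {}
        if identity.get("type") == "Root":
            alerts.append({"severity": "HIGH", "rule": "root account activity", "detail": name, "source": ip})
        if name in LOGGING_TAMPER_EVENTS:
            alerts.append({"severity": "HIGH", "rule": "audit logging modified", "detail": name, "source": ip})
        response = event.get("responseElements") or {}
        if name == "ConsoleLogin" and response.get("ConsoleLogin") == "Failure":
            now = _when(event)
            window = [t for t in recent_failures[ip] if now - t <= FAIL_WINDOW] + [now]
            recent_failures[ip] = window
            if len(window) == FAIL_THRESHOLD:  # fire once, when the threshold is crossed
                alerts.append({"severity": "MEDIUM", "rule": "repeated console login failures",
                               "detail": f"{FAIL_THRESHOLD} failures", "source": ip})
    return alerts


if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["rule"], alert["source"], alert["detail"])
```

In a SIEM the same rules would be expressed as saved queries or correlation rules; the point is that each alert carries a severity so the escalation process knows what to handle first.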

Control 14: SECURITY AWARENESS AND SKILLS TRAINING

Description

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

Why It’s Important

All personnel, no matter their job title or level, play a role in the success or failure of a cybersecurity program. Attackers are conscious of unwary users and can exploit any gaps or vulnerabilities within the organization. Most personnel at a given organization are not paid to focus on cybersecurity, so it’s critical to promote a culture of cybersecurity through a formal security awareness training program that fits each person’s role and skill level.

How to Implement It

Formalize a security awareness training program to ensure all employees receive training when they are onboarded and on a periodic basis (e.g., annually). Employees should receive training on topics such as recognizing social engineering attacks, password security, data leak prevention, your organization’s security incident response and reporting procedures, and more.

Control 15: SERVICE PROVIDER MANAGEMENT

Description

Develop a process to evaluate service providers who hold sensitive data or are responsible for an enterprise’s critical IT platforms or processes to ensure these providers are protecting those platforms and data appropriately.

Why It’s Important

All service providers play a role in the success or failure of a cybersecurity program. Many recent breaches were the result of a failure at a third-party service provider who may or may not have had the appropriate security controls and mechanisms in place. Every service provider must be consistent with the enterprise’s security requirements.

How to Implement It

Maintain a comprehensive inventory of your service providers. Risk-rank them according to the services they provide, the type(s) of data they have access to, and their criticality to your organization. Evaluate them according to the risk ranking any time a new provider is onboarded and at least annually for higher-risk providers.

Control 16: APPLICATION SOFTWARE SECURITY

Description

Manage the security lifecycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Why It’s Important

Weaknesses such as poorly written code, coding mistakes, logic errors, incomplete requirements, and failure to test for unusual or unexpected conditions can expose sensitive information. Attackers understand the most common weaknesses in applications and can easily exploit them if they exist. They use automated mechanisms to scan source code and identify weaknesses such as buffer overflows, SQL injection, cross-site scripting, clickjacking, and more.

How to Implement It

Formalize your Software Development Lifecycle (SDLC) and document secure coding principles. The SDLC should include, but is not limited to, the following:

  • Procedures to identify and address vulnerabilities in application source code.
  • A process to handle third-party (e.g., open source) code vulnerabilities. Maintain an inventory of open-source libraries and scan them for vulnerabilities. Apply patches as soon as they are published by the third party.
  • Separate development, test, and staging environments from production.
  • Train developers in application security concepts such as OWASP Top 10. Provide opportunities for open discussion of secure development and encourage developers to support each other in preventing insecure coding practices.
  • Use static and dynamic analysis tools to help identify common vulnerabilities or insecure coding practices before production deployments.
  • Perform application penetration testing any time a major system change occurs and at least annually.
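The second bullet above (inventory your open-source libraries and scan them against published vulnerabilities) as a worked check; this is an added example, not code from the original post or from CIS. The pinned requirements file, the advisory entries and their ADV-EXAMPLE ids are constructed for illustration, and the version comparison handles plain dotted numeric versions only, so a real pipeline would use a proper version library and a real advisory feed.

```python
import re

# Constructed inventory in requirements.txt pinning style (not a real project's file).
INVENTORY = """\
requests==2.25.1
pyyaml==5.3.1
# transitive dependency, still in scope for scanning
urllib3==1.26.7
"""

# Constructed advisory feed: package, first affected version, first fixed version.
# The ids are placeholders, not real CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "pyyaml", "introduced": "0.0.0", "fixed": "5.4"},
    {"id": "ADV-EXAMPLE-2", "package": "urllib3", "introduced": "1.26.0", "fixed": "1.26.5"},
    {"id": "ADV-EXAMPLE-3", "package": "requests", "introduced": "2.26.0", "fixed": "2.27.0"},
]


def parse_version(text):
    """Dotted numeric version -> comparable tuple, padded so that 5.4 compares as 5.4.0."""
    parts = tuple(int(p) for p in re.findall(r"\d+", text))
    return parts + (0,) * (3 - len(parts))


def parse_inventory(text):
    """Read exact '==' pins; anything unpinned cannot be scanned reliably, so reject it."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if not match:
            raise ValueError(f"unpinned or malformed requirement: {line}")
        pins[match.group(1).lower()] = match.group(2)
    return pins


def find_vulnerable(pins, advisories):
    """Return every pinned package whose version falls in an advisory's affected range."""
    hits = []
    for adv in advisories:
        installed = pins.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(adv["introduced"]) <= parse_version(installed) < parse_version(adv["fixed"]):
            hits.append({"package": adv["package"], "installed": installed,
                         "advisory": adv["id"], "upgrade_to": adv["fixed"]})
    return hits
```

Running `find_vulnerable(parse_inventory(INVENTORY), ADVISORIES)` reports only pyyaml, because urllib3 is already past its fixed version and requests is below the affected range; the upgrade target in each hit is the patch the bullet says to apply as soon as it is published.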

Control 17: INCIDENT RESPONSE AND MANAGEMENT

Description

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Why It’s Important

As mentioned previously, it’s critical to have automated mechanisms in place to both prevent and detect incidents, but what happens when those protections fail? This is when a robust incident response is required to mitigate and recover from the incident in accordance with laws and regulations, customer requirements, and business objectives.

How to Implement It

Establish a formal incident response plan and procedures including, but not limited to, the following:

  • Roles and responsibilities for incident response.
  • Contact information for response teams, external parties, and even law enforcement bodies.
  • Reporting and communication processes.
  • Post-incident reviews, including root-cause analysis to identify how and why an incident occurred.
  • Regularly review and test the incident response plan and capabilities using tabletop tests and documentation reviews.

Control 18: PENETRATION TESTING

Description

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (e.g., people, processes, and technology), and simulating the objectives and actions of an attacker.

Why It’s Important

Independent penetration testing provides a unique, objective view of an organization’s cybersecurity protections. This type of insight is invaluable to preventing breaches and identifying weaknesses in cybersecurity posture. Layered with the vulnerability management practices mentioned previously, penetration testing provides a robust threat identification and prevention practice to protect an organization’s most valuable assets, including sensitive data, intellectual property, reputation, and more.

How to Implement It

Establish a penetration testing program that includes both internal and external penetration testing, remediation procedures, and requirements for modifying security measures based on the results of the tests.

Now that you have a better understanding of each of CIS’s 18 controls, you may be unsure how to prioritize next steps. The BARR team is here to help. Contact us for assistance in understanding and implementing any of these controls within your own organization.
