CIS Controls Can Help You Stop Cyber Attacks

cislogowebOn of the more hopeful presentations from the Cyber Security Summit was presented by Tony Sager from the Center for Internet Security.  Titled “Making Best Practices Common Practices: The CIS Controls,” Tony provided us with a road map for implementing secure practices in our networks.

There are 20 CIS controls.  Tony said that implementing the first 5 (20%) would reduce your risk by 80%.  You can check out the chart below for all twenty.  If you are working the NIST-CSF in your organization, the CIS Controls can help you prioritize and streamline your implementation.

The first 5 controls are:

  • Inventory of authorized and unauthorized devices – most businesses have no real idea of what is attached to their network.  This solves that problem.
  • Inventory of authorized and unauthorized software.
  • Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers.
  • Continuous vulnerability assessment and remediation – when we perform follow-up vulnerability scans, we always find vulnerabilities that weren’t on the previous scan.  That’s because new vulnerabilities are discovered all the time.
  • Controlled use of administrative privileges – giving every user local administrative privileges is a recipe for disaster.  Anyone logged onto a system, including an attacker, has full rights for installing software and making other critical system changes

Here are the rest.  More complete information can be found on the Center for Internet Security website.

20-cis-controls

 

0

About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Senior Cybersecurity Engineer at Computer Integration Technologies, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment