CIS Controls Can Help You Stop Cyber Attacks

cislogowebOn of the more hopeful presentations from the Cyber Security Summit was presented by Tony Sager from the Center for Internet Security.  Titled “Making Best Practices Common Practices: The CIS Controls,” Tony provided us with a road map for implementing secure practices in our networks.

There are 20 CIS controls.  Tony said that implementing the first 5 (20%) would reduce your risk by 80%.  You can check out the chart below for all twenty.  If you are working the NIST-CSF in your organization, the CIS Controls can help you prioritize and streamline your implementation.

The first 5 controls are:

  • Inventory of authorized and unauthorized devices – most businesses have no real idea of what is attached to their network.  This solves that problem.
  • Inventory of authorized and unauthorized software.
  • Secure configurations for hardware and software on mobile devices, laptops, workstations, and servers.
  • Continuous vulnerability assessment and remediation – when we perform follow-up vulnerability scans, we always find vulnerabilities that weren’t on the previous scan.  That’s because new vulnerabilities are discovered all the time.
  • Controlled use of administrative privileges – giving every user local administrative privileges is a recipe for disaster.  Anyone logged onto a system, including an attacker, has full rights for installing software and making other critical system changes

Here are the rest.  More complete information can be found on the Center for Internet Security website.




About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.