20 critical controls for effective cyber defence

Effective cyber defence is crucial in an online world. The latest CIS Controls give your organisation a prioritised list of actions to protect itself against cyber attacks.
30.08.22 Charles Griffiths

CIS stands for the Center for Internet Security, based in the USA. The CIS maintains a list of critical security controls for effective cyber defence that prioritises the actions needed to defend against the most common attacks. Although written with US organisations in mind, the controls apply equally to UK businesses.

The controls are derived from an analysis of the techniques attackers actually use to compromise systems, and they cover the key areas of an organisation's attack surface. By implementing these controls, organisations can significantly reduce the risk of being breached.

The original 20 CIS critical security controls were released in 2008. The latest update, CIS Controls version 8, was released in May 2021 and reflects the changing threat landscape and developments in cyber security with a consolidated list of 18 controls.


The original 20 CIS critical controls

Below, we look at the latest list, but first, for comparison, the original 20 CIS controls were:

  • Inventory and Control of Hardware Assets
  • Inventory and Control of Software Assets
  • Continuous Vulnerability Management
  • Controlled Use of Administrative Privileges
  • Secure Configuration for Hardware and Software
  • Maintenance, Monitoring, and Analysis of Audit Logs
  • Email and Web Browser Protections
  • Malware Defence
  • Limit and Control Network Ports, Protocols and Services
  • Data Recovery Capability
  • Secure Configuration for Network Devices
  • Boundary Defence
  • Data Protection
  • Controlled Access
  • Wireless Access Control
  • Account Monitoring and Control
  • Implement a Security Awareness and Training Program
  • Application Software Security
  • Incident Response and Management
  • Penetration Tests and Red Team Exercises

In moving from 20 controls to 18, some controls from the original list were retired or merged into others because they were seen as less relevant for contemporary organisations, while new material (for example, Service Provider Management) reflects the growing importance of threats in areas such as cloud computing, outsourced services and industrial control systems.


Critical controls for effective cyber defence

The latest version 8 of the CIS Controls groups safeguards by activity rather than by who manages the devices, which suits environments where assets are cloud-hosted, mobile or administered by third parties.

This led to revised terminology and a regrouping of safeguards. The latest list of critical controls for the cyber defence of organisations consists of:

Inventory and Control of Enterprise Assets

It’s important to keep track of all the devices connected to your network, both physically and virtually, so that you can find and deal with anything that is not authorised. This includes computers, mobile devices, servers and any other internet-connected devices.

Inventory and Control of Software Assets

It’s critical to keep track of all the software running on your network, both authorised and unauthorised. Make sure only authorised software is installed and can run, and that unauthorised software is found and prevented from being installed or running.
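Controls 1 and 2 both come down to the same operation: compare what is actually present (devices on the network, packages on hosts) against what is authorised, and act on the difference. The following is an added example, not code from the article or from the CIS; the asset inventory, DHCP lease export, software allowlist and per-host package reports are all constructed sample data, and their formats are assumptions made for illustration.

```python
"""Reconcile what is observed on the network against the authorised inventories.

Added example (not from the article or the CIS). All data below is constructed:
a hardware inventory keyed by MAC address, a DHCP lease export, a software
allowlist, and per-host installed-package reports. Formats are assumptions.
"""

# Constructed authorised hardware inventory (Control 1): MAC -> owner/role.
AUTHORISED_ASSETS = {
    "aa:bb:cc:00:00:01": "fileserver-01 (IT)",
    "aa:bb:cc:00:00:02": "laptop-jsmith (Finance)",
    "aa:bb:cc:00:00:03": "printer-floor2 (Facilities)",
}

# Constructed DHCP lease export: (ip, mac, hostname). The last entry is a
# device nobody registered, the kind of thing Control 1 exists to surface.
OBSERVED_LEASES = [
    ("10.0.1.10", "aa:bb:cc:00:00:01", "fileserver-01"),
    ("10.0.1.57", "aa:bb:cc:00:00:02", "laptop-jsmith"),
    ("10.0.1.90", "DE:AD:BE:EF:00:99", "android-7f3a"),
]

# Constructed software allowlist (Control 2): package -> approved versions,
# where "*" means any version of that package is acceptable.
ALLOWED_SOFTWARE = {
    "openssh-server": {"*"},
    "libreoffice": {"7.3.7", "7.4.2"},
    "chromium": {"*"},
}

# Constructed per-host package reports: hostname -> [(package, version)].
INSTALLED = {
    "fileserver-01": [("openssh-server", "8.9p1"), ("libreoffice", "7.3.7")],
    "laptop-jsmith": [("chromium", "110.0"), ("libreoffice", "7.2.0"),
                      ("teamviewer", "15.3")],
}


def find_unknown_devices(leases, authorised):
    """Leases whose MAC is not in the asset inventory (Control 1).

    MACs are normalised to lower case so a differently-cased export does not
    hide a device.
    """
    return [lease for lease in leases if lease[1].lower() not in authorised]


def find_unauthorised_software(installed, allowlist):
    """(host, package, version, reason) for software not on the allowlist (Control 2).

    A package is flagged either because it is entirely unknown to the allowlist
    or because the installed version is not one of the approved versions.
    """
    findings = []
    for host, packages in installed.items():
        for pkg, ver in packages:
            approved = allowlist.get(pkg)
            if approved is None:
                findings.append((host, pkg, ver, "package not on allowlist"))
            elif "*" not in approved and ver not in approved:
                findings.append((host, pkg, ver, "version not approved"))
    return findings


def find_missing_reports(leases, installed):
    """Hostnames seen on the network that sent no software report.

    A device you cannot see the software on is a gap in Control 2 even if the
    device itself is authorised, so it is reported separately.
    """
    return sorted({hostname for _, _, hostname in leases} - set(installed))


if __name__ == "__main__":
    for ip, mac, name in find_unknown_devices(OBSERVED_LEASES, AUTHORISED_ASSETS):
        print(f"UNKNOWN DEVICE  {ip:<12} {mac}  {name}")
    for host, pkg, ver, why in find_unauthorised_software(INSTALLED, ALLOWED_SOFTWARE):
        print(f"UNAUTHORISED    {host:<14} {pkg} {ver}: {why}")
    for host in find_missing_reports(OBSERVED_LEASES, INSTALLED):
        print(f"NO SW REPORT    {host}")
```

In practice the three inputs would come from your DHCP server or NAC, your CMDB, and an endpoint agent or package manager export; the point of the example is that the reconciliation is a simple set difference once those feeds exist, and that each finding names the host and the reason so it can be actioned.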

Data Protection

To effectively protect data, businesses need to develop processes and controls to identify, classify, securely handle, retain, and dispose of it.

Secure Configuration of Enterprise Assets and Software

To effectively defend your enterprise against cybersecurity threats, you need to establish and maintain the secure configuration of all your assets.

Account Management

Businesses must develop processes and tools to assign and manage authorisation for user accounts that can access sensitive assets and software. This ensures proprietary information is protected both against internal error and external threats.

Access Control Management

Organisations need to have processes and tools in place to manage access credentials and privileges for users, administrators, and service accounts.

Continuous Vulnerability Management

Businesses need to have a plan in place to continuously assess and track vulnerabilities on all enterprise assets to remediate any potential threats and minimise the window of opportunity for attackers.

Audit Log Management

Organisations should collect, review and retain audit logs of events that could help them detect, understand or recover from an attack. Collecting logs without regularly reviewing them gives little protection.
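To make "review" concrete, here is an added example, not from the article or the CIS, of a review pass over authentication logs. The log lines are constructed to resemble Linux sshd entries, and the failure threshold is an assumption chosen for illustration; the detection flags a source that repeatedly fails to authenticate and, separately, a later successful login from that same source, which is the case most worth a human's attention.

```python
"""Review constructed sshd authentication logs for brute-force patterns.

Added example (not from the article or the CIS). LOG_LINES is constructed
sample data in the style of a Linux auth log; THRESHOLD is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log: one source tries several accounts and then gets in
# with a password; a second source fails once and then logs in with a key.
LOG_LINES = """\
Mar 10 08:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51000 ssh2
Mar 10 08:01:05 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51001 ssh2
Mar 10 08:01:09 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51002 ssh2
Mar 10 08:01:14 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51003 ssh2
Mar 10 08:01:20 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51004 ssh2
Mar 10 08:01:25 web01 sshd[2213]: Accepted password for deploy from 203.0.113.45 port 51005 ssh2
Mar 10 08:15:40 web01 sshd[2250]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Mar 10 08:15:48 web01 sshd[2250]: Accepted publickey for alice from 198.51.100.7 port 40101 ssh2
"""

# Matches the sshd "Failed/Accepted <method> for [invalid user] <user> from <ip>" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

THRESHOLD = 3  # assumed: failures from one source before it is flagged


def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events, threshold=THRESHOLD):
    """Return findings for repeated failures and for success after failures.

    Events are processed in log order so the 'success after failures' finding
    only fires when the failures genuinely preceded the accepted login.
    """
    failures = defaultdict(list)  # source ip -> usernames attempted
    findings = []
    for ev in events:
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src].append(ev["user"])
            if len(failures[src]) == threshold:  # report once, when threshold is hit
                findings.append({
                    "type": "repeated_failures", "src": src, "host": ev["host"],
                    "users": sorted(set(failures[src])), "at": ev["ts"],
                })
        elif len(failures[src]) >= threshold:
            findings.append({
                "type": "success_after_failures", "src": src, "host": ev["host"],
                "user": ev["user"], "method": ev["method"], "at": ev["ts"],
            })
    return findings


if __name__ == "__main__":
    for f in review(parse(LOG_LINES)):
        print(f)
```

The second source (198.51.100.7) produces no finding: a single typo followed by a key-based login is normal user behaviour, and a review that flags it would train people to ignore the output. Retention matters for the same reason the ordering does: if the earlier failures have already been rotated away, the later success looks legitimate.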

Email and Web Browser Protections

Email and web-based threats are a major opportunity for attackers to exploit human behaviour. Businesses should improve their protections and detection mechanisms for these vectors.

Malware Defences

Malware defences control or prevent the installation, execution and spread of malicious code or applications on enterprise assets.


Data Recovery

Businesses should not only establish but maintain a data recovery system to restore enterprise assets to a trusted and pre-incident state.

Network Infrastructure Management

Network devices should be properly managed to prevent attackers from exploiting vulnerabilities and gaining access to the network.

Network Monitoring and Defence

Organisations need processes and tools to establish and maintain network monitoring and defence against threats to the user base and the network infrastructure.

Security Awareness and Skills Training

An effective cybersecurity programme should include security awareness training to help employees understand how they can play a role in protecting the organisation’s data. The training should cover topics such as proper password management, recognising phishing emails, and understanding social engineering attacks.

Service Provider Management

It’s important for businesses to have a process in place for assessing the cybersecurity practices of any service providers that have access to sensitive data or critical IT systems.

Application Software Security

Application software security means managing the security life cycle of in-house developed, hosted or acquired software so that weaknesses are prevented, detected and remediated before they can have an impact on the business. Keeping software up to date is part of this, but only part.

Incident Response Management

An incident response programme is essential for any organisation that wants to be prepared for and quickly respond to attacks. Such a programme should include policies, plans, procedures, defined roles, training, and communications.

Penetration Testing

To test the effectiveness of an organisation’s cyber defences, security experts try to identify and exploit weaknesses in people, processes and technology. Penetration testing shows how well business networks withstand an attack: by simulating the objectives and actions of a real attacker, organisations get a clearer sense of what needs to be improved.


The NCSC ’10 steps to cyber security’

The UK’s National Cyber Security Centre (NCSC) has guidance for medium and large organisations, titled ‘10 steps to cyber security’. These steps cover the same areas as the CIS controls. However, the CIS controls go into more detail, particularly regarding cloud computing and newer ways of conducting business safely online.

Following both the NCSC guidance and CIS controls helps ensure your organisation is protected against the latest threats.

CIS Controls v8 addresses cloud and mobile device security

The Center for Internet Security says its CIS Controls v8 addresses cloud and mobile device security, while moving to develop ‘the whole ecosystem’ through the promotion of self-assessment, risk management and a ‘Community Defence Model’.

You can download the latest version of the CIS Critical Security Control v8 from their site.

CIS says: “CIS officially launched CIS Controls v8, which was enhanced to keep up with evolving technology, evolving threats and even the evolving workplace. The pandemic changed a lot of things, and it also prompted changes in the CIS Controls.”

Critical controls for effective UK cyber defence

The CIS Controls are an important tool for UK businesses to use to protect themselves against cyber threats. By implementing these controls, businesses can create more effective cyber defence procedures and better protect employees and data.
