What’s new in CIS Controls v8?

Articles, Information Assurance | 23 June, 2021

The world has changed, and the CIS Controls have evolved to reflect those changes.  The increased use of cloud computing, remote working, virtualisation, and outsourcing have all redefined and blurred the edges of the corporate network.  The latest version 8 of the CIS Controls provides a practical framework for organisations of all sizes to identify the right security controls for their situation.

The 18 Controls published by the Center for Internet Security (CIS) have been updated to reflect the types of attacks and attackers organisations of all sizes face in 2021, and they set out a prioritised set of steps an organisation can follow based on its risk profile.  Version 8 keeps the three Implementation Groups first introduced in version 7.1.  Simply put, the three groups correspond to lower, medium and higher risk organisations and make it easier for security managers to focus on the safeguards most relevant to their organisation's risk profile.

The CIS produces a library of resources and publications that are well respected by the global cyber security community.  SecureTeam, for example, uses the CIS security baselines (the CIS Benchmarks) as the foundation for our own Configuration Reviews.


CIS Implementation Groups

The CIS Controls contain 153 Safeguards, which are allocated to three Implementation Groups.  The groups are cumulative: IG2 includes every IG1 Safeguard, and IG3 includes everything in IG2, so an organisation picks the group that matches its risk profile and implements all the Safeguards in that group.

Basic Cyber Hygiene – IG1

Implementation Group 1 defines a set of Safeguards that provide a basic level of cyber hygiene for small to medium-sized organisations.  Similar in scope to the Cyber Essentials scheme, the 56 Safeguards in IG1 are the foundational set every organisation should implement to defend against the most common attacks, yet they should be achievable with limited IT and cyber security expertise.

Enterprise level protection for regulated businesses – IG2

Implementation Group 2 adds 74 Safeguards on top of those in IG1, for a total of 130.  Specialised expertise will be needed to implement and configure some of the required technologies and systems, with some individuals dedicated to managing and protecting the IT infrastructure.  Organisations with a regulatory or compliance burden will likely fall into this group, as they process sensitive information.

Protection against targeted and zero-day attacks – IG3

Implementation Group 3 adds the final 23 Safeguards, bringing the total to 153, for organisations that process the most sensitive data or face the highest risk.  It will likely require security experts with specialised knowledge of different aspects of cyber security.  Organisations choosing IG3 will typically be responsible for critical national infrastructure or health care, hold large volumes of sensitive personal information, or operate systems where a breach or outage would cause significant public harm.

As an example of how the Safeguard requirements grow across the Implementation Groups, Control 18 – Penetration Testing applies only to IG2 and IG3.  IG1 has no penetration testing requirement.  IG2 requires a penetration testing programme, periodic external penetration tests and remediation of the findings (Safeguards 18.1 to 18.3); IG3 adds validation of security measures and periodic internal penetration tests (Safeguards 18.4 and 18.5) on top of the external testing.

CIS Controls Overview

Version 8 of the CIS Controls has rationalised the number of Controls down to 18 (previously there were 20).  Each Control is made up of a number of Safeguards, and the number of Safeguards that apply grows as you move from IG1 up to IG3.

The Controls are now organised by activity rather than by who manages the devices (version 7 grouped them as Basic, Foundational and Organisational), as follows:

1: Inventory and Control of Enterprise Assets

You can’t protect what you don’t know about.  This control focuses on identifying all the assets (devices) that form part of your organisation, regardless of where they live.


2: Inventory and Control of Software Assets

This Control provides Safeguards to ensure you know what software is present on your network, and that unauthorised software is identified and either removed or documented as an approved exception.
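Controls 1 and 2 both come down to the same operation: reconciling what is actually present against what has been authorised. The script below is an added example, not part of the CIS document or of SecureTeam's own tooling. It takes a constructed authorised asset inventory, a constructed software allow-list and constructed discovery output (of the kind you would parse from DHCP leases, a switch ARP table or an endpoint agent) and reports devices and packages that have not been authorised. The MAC normalisation step is there because DHCP servers, switches and scanners all format addresses differently, and an inventory comparison that misses that will report authorised laptops as intruders.

```python
"""Reconcile discovered hosts and installed software against an authorised inventory.

Added example, not from the CIS Controls or SecureTeam: all inventory and
discovery data below is constructed inline so the script runs offline.
"""

# Constructed authorised asset inventory (Control 1): MAC address -> asset name.
AUTHORISED_ASSETS = {
    "00:11:22:33:44:55": "fileserver-01",
    "aa:bb:cc:dd:ee:01": "laptop-jsmith",
    "aa:bb:cc:dd:ee:02": "laptop-akhan",
}

# Constructed allow-list of approved software (Control 2), by package name.
AUTHORISED_SOFTWARE = {"openssh-server", "postgresql", "firefox", "libreoffice"}

# Constructed discovery output, as parsed from DHCP leases: (MAC, IP, hostname).
DISCOVERED_HOSTS = [
    ("00:11:22:33:44:55", "10.0.1.10", "fileserver-01"),
    ("AA-BB-CC-DD-EE-01", "10.0.1.51", "laptop-jsmith"),   # known MAC, Windows-style format
    ("de:ad:be:ef:00:01", "10.0.1.99", "android-3f2a"),    # not in the inventory
]

# Constructed per-host package lists, as reported by an endpoint agent.
INSTALLED_SOFTWARE = {
    "fileserver-01": ["openssh-server", "postgresql", "netcat"],
    "laptop-jsmith": ["firefox", "libreoffice", "anydesk"],
}


def normalise_mac(mac):
    """Return the MAC in canonical lower-case colon form so that
    'AA-BB-CC-DD-EE-01' and 'aa:bb:cc:dd:ee:01' compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def find_unknown_hosts(discovered, authorised):
    """Return (mac, ip, hostname) for each discovered host whose MAC is not in the inventory."""
    known = {normalise_mac(m) for m in authorised}
    unknown = []
    for mac, ip, hostname in discovered:
        canonical = normalise_mac(mac)
        if canonical not in known:
            unknown.append((canonical, ip, hostname))
    return unknown


def find_unauthorised_software(installed, allowed):
    """Return {hostname: sorted packages not on the allow-list}, omitting clean hosts."""
    findings = {}
    for host, packages in installed.items():
        extra = sorted(set(packages) - allowed)
        if extra:
            findings[host] = extra
    return findings


if __name__ == "__main__":
    for mac, ip, name in find_unknown_hosts(DISCOVERED_HOSTS, AUTHORISED_ASSETS):
        print(f"UNKNOWN DEVICE  {name:<16} {ip:<12} {mac}")
    for host, pkgs in find_unauthorised_software(INSTALLED_SOFTWARE, AUTHORISED_SOFTWARE).items():
        print(f"UNAUTHORISED SOFTWARE on {host}: {', '.join(pkgs)}")
```

Run as a script it prints one line for the unknown Android device and one line each for the netcat and AnyDesk installs. In a real deployment the same two functions would be fed live discovery data on a schedule, and each finding would open a ticket to either add the item to the inventory (with an owner) or remove it.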


3: Data Protection

Identify, locate and classify data by sensitivity, and manage it through its whole life cycle: collection, protection and use, and disposal.


4: Secure Configuration of Enterprise Assets and Software

Escape the tyranny of the default by actively choosing how to configure firewalls, servers and other devices against secure baselines.


5: Account Management

Actively manage how, when and why user accounts are issued, require strong, unique passwords, and ensure accounts are disabled and revoked when no longer needed.


6: Access Control Management

Ensure accounts have only the least privilege they require, and protect them with multi-factor authentication, in particular for remote access and administrative accounts.


7: Continuous Vulnerability Management

Keep your patching up to date, and ensure you take steps to mitigate known vulnerabilities where patches are not yet available.


8: Audit Log Management

The answers and the evidence are always in the logs, so make sure logs are collected, protected from tampering and, above all, actually reviewed.
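As an added illustration of what "looked at" means in practice (this is not from the CIS document or from SecureTeam), the script below runs a simple brute-force check over constructed sshd log lines that use RFC 5737 documentation addresses. It parses failed-password events and flags any source address with five or more failures inside a sliding 60-second window. The year is assumed to be 2021 because syslog timestamps do not carry one; the threshold and window are assumptions you would tune to your own environment.

```python
"""Flag password brute-force attempts in sshd authentication log lines.

Added example, not from the CIS Controls or SecureTeam: the log lines are
constructed and use RFC 5737 documentation addresses so the script runs offline.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines. Three sources: a fast burst, a single
# typo followed by a successful key login, and a slow one-attempt-per-3-minutes guesser.
SAMPLE_LOG = """\
Jun 23 10:15:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jun 23 10:15:03 bastion sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 50214 ssh2
Jun 23 10:15:04 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 50219 ssh2
Jun 23 10:15:06 bastion sshd[2216]: Failed password for root from 203.0.113.7 port 50223 ssh2
Jun 23 10:15:08 bastion sshd[2218]: Failed password for invalid user oracle from 203.0.113.7 port 50230 ssh2
Jun 23 10:15:09 bastion sshd[2220]: Failed password for root from 203.0.113.7 port 50233 ssh2
Jun 23 10:20:44 bastion sshd[2301]: Failed password for jsmith from 198.51.100.23 port 61002 ssh2
Jun 23 10:20:51 bastion sshd[2303]: Accepted publickey for jsmith from 198.51.100.23 port 61004 ssh2
Jun 23 11:02:10 bastion sshd[2410]: Failed password for root from 192.0.2.40 port 40000 ssh2
Jun 23 11:05:10 bastion sshd[2412]: Failed password for root from 192.0.2.40 port 40001 ssh2
Jun 23 11:08:10 bastion sshd[2414]: Failed password for root from 192.0.2.40 port 40002 ssh2
Jun 23 11:11:10 bastion sshd[2416]: Failed password for root from 192.0.2.40 port 40003 ssh2
Jun 23 11:14:10 bastion sshd[2418]: Failed password for root from 192.0.2.40 port 40004 ssh2
"""

# Matches OpenSSH's "Failed password" lines; "invalid user" is present when the
# account does not exist, so it is optional here.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text, year=2021):
    """Yield (timestamp, source_ip, username) for each failed-password line.
    Syslog timestamps have no year, so one is supplied (assumed 2021 here)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not failures
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: (max_failures_in_window, usernames_tried)} for every
    source with at least `threshold` failures inside a sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(text):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until events[start..end] fit inside it
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in events[start:end + 1]})
                if ip not in alerts or count > alerts[ip][0]:
                    alerts[ip] = (count, users)
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failed logins in 60s, users tried: {', '.join(users)}")
```

With the defaults only 203.0.113.7 is reported. The third source, 192.0.2.40, fails once every three minutes and stays under the threshold; widening the window to fifteen minutes catches it. That is the trade-off a log review has to make explicitly: tight thresholds find noisy tools quickly, while slow, patient guessing only shows up if logs are retained long enough and analysed over longer windows as well.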


9: Email and Web Browser Protections

Deploy anti-malware to scan incoming email, and protect your users from visiting high-risk websites, for example through DNS filtering.


10: Malware Defenses

Deploy anti-malware protections and ensure the protections are active and update themselves automatically to the latest signatures.


11: Data Recovery

Make sure your backups are running, test them to ensure they work and confirm the backups are isolated from your network and protected against any ransomware attack.


12: Network and Infrastructure Management

Don’t forget to patch the firmware on firewalls, routers and other infrastructure devices. Their admin accounts need multi-factor protection just as much as your database servers. Keep the network diagram up to date.


13: Network Monitoring and Defense

Monitor your network and gather logs into a centralised location for real time monitoring and alerting.  Host and Network based intrusion detection and prevention systems help identify unauthorised activity.  Segment the network to hinder lateral movement. Only allow remote access via a VPN with multi-factor authentication.


14: Security Awareness and Skills Training

Activate your human firewall through an ongoing culture of security awareness and education.


15: Service Provider Management

Protect your network and data against supply chain attacks. Ensure the people you trust to process your data or support your infrastructure take at least as much care as you do.


16: Application Software Security

Ensure the software you write, or commission, is security tested and vulnerabilities that are discovered in the future will be fixed.  Make sure third party libraries are also checked and updated.


17: Incident Response Management

When disaster strikes it is too late to prepare, so work out today how you will manage a security breach and test the plan you come up with – regularly.


18: Penetration Testing

You will never know whether your safeguards are working unless you test them, so commission a penetration test from a security testing firm to validate the safeguards, and to check how your team identifies and responds to a breach.


Resources and further reading

For organisations that are not subject to another regime (such as PCI DSS), the CIS Controls provide a comprehensive starting point for designing an information security architecture, or for assessing what your organisation already has in place.

A copy of the CIS Controls can be downloaded from the Center for Internet Security website.
