What’s new and changed in CIS CSC version 8 – IG1
In version 7.1 CIS introduced Implementation Groups, abbreviated IG, which give guidance on the recommended order of priority for implementing the different sub-controls. One minor thing to notice is that these are also no longer referred to as sub-controls, but as safeguards.
IG1 is intended to replace the earlier way of thinking about the controls, where the initial controls formed the priority rather than a breadth-first approach. That led to some organizations getting stuck and never reaching essentials such as a working backup strategy, leaving them unable to recover from a ransomware attack. If we look at the implementation groups, group 1 is essentially for everyone, group 2 requires dedicated employees and some enterprise-grade solutions, and group 3 is for organizations with risk management, application security, penetration testing and other teams in-house. The group 3 safeguards are also sufficiently advanced to resist or detect targeted, skilled attackers, rather than the more general and opportunistic attacks countered by the basic safeguards.
Now, one of the most evident changes in CIS version 8 is the shift from “the top 20” to “the top 18”. Yes, we are looking at two FEWER controls. But that of course doesn’t mean there is less to do; rather, the recommendations have been reorganized, and many were split up and moved around. For example, the new safeguard 1.5, “Use a Passive Asset Discovery Tool”, has absorbed the old sub-controls 1.2 and 15.2, meaning “Detect Wireless Access Points Connected to the Wired Network” is now merged into this task. This is made possible because the Implementation Groups mean that placing this in an early control will not hinder progress of implementation, even though passive asset discovery is in the deep end of the pool for those who have only started bringing their cybersecurity under mature control.
What is very interesting is that 53 out of 243 safeguards are new, and 14 of those are in IG1, the basic hygiene space. That’s where we will focus in the first blog, because IG1 is the area that calls for immediate attention and is applicable to everyone.
What do you need to know about IG1?
CIS Control 1-3: It’s all about visibility and your data!
The first three new safeguards form a logically coherent group, starting with information tracking: what we have, where we have it, who is responsible, how sensitive it is, and how we manage, process, retain and finally dispose of the data. You can sense a combination of good reasons behind these recommended safeguards, with lessons learned from data leaks in the past year where stale data was left on systems, often in unexpected places, and even more often with inadequate protection. This is also closely related to GDPR requirements and other privacy legislation requiring organizations to process data responsibly and not to retain it longer than necessary unless fully justified.
So, we have 3.1 “Establish and Maintain a Data Management Process”, 3.4 “Enforce Data Retention” and 3.5 “Securely Dispose of Data”. All are policy and process level controls relating to data protection that need to be implemented.
CIS Control 4: Stop using 1990s remote management, please!
Fast forward to Control 4, namely safeguard 4.6, “Securely Manage Enterprise Assets and Software”, which concerns network, or rather remote, management. It applies to on-premise devices as well as remote devices and cloud environments, which have become increasingly important since the pandemic due to remote working and mass cloud migration.
This control relates to not using archaic unencrypted remote management such as telnet, unencrypted http, old FTP and so on – use encrypted communication. For Outpost24 customers using HIAB or OUTSCAN, our network security solutions will alert you to the presence of unencrypted remote management, as well as plaintext HTTP, so you can quickly gain control of where this is an issue with a few clicks in the interface and put a report in the hands of your teams for resolution.
CIS Control 6: Managing permissions or identities and deploying MFA
This relatively straightforward requirement is then followed by two requirements that need broader acceptance and implementation in the organization: 6.1 “Establish an Access Granting Process” and 6.3 “Require MFA for Externally-Exposed Applications”.
Both are of course critical. This is the age-old access and permissions challenge, together with implementing a centralized identity provider. Most solutions today should be able to integrate with one, for example using SAML or other open standards, and should be expected to support authenticator apps or similar MFA methods if you will not use a centralized identity provider.
CIS Control 7: Taking control of your vulnerability management
Now, the next few basic safeguards are added within the vulnerability management domain. Scanning for and remediating vulnerabilities in corporate assets is already common practice; these safeguards further emphasize the need not just to do vulnerability scans, but to do them well: 7.1 “Establish and Maintain a Vulnerability Management Process” and 7.2 “Establish and Maintain a Remediation Process”.
In short, organizations need a cohesive strategy and process for managing vulnerabilities, but also a risk-based process for effective remediation, which should preferably be reviewed on a regular and continuous basis. Most security teams are already working in this manner with automated discovery scanning, vulnerability prioritization, and integrated escalations and management reporting to the concerned teams for remediation. Mature organizations may also pull Key Performance Indicators to measure the success of the program.
The important bit here is that scanning is not enough, and trying to fix every CVE at once is not an efficient use of security resources. To achieve greater remediation efficiency, organizations should prioritize vulnerabilities by attributes such as:
- whether the vulnerabilities affect core assets.
- whether there are exploits available for them.
Then put your remediation resources into the highest-impact fixes with the least effort to achieve greater risk reduction. For those who want to refine the prioritization further, our risk-based VM module Farsight integrates threat intelligence and exploit prediction into the prioritization, meaning an attacker’s perspective is applied to the customer’s risk prioritization by automatically identifying the imminent threats for remediation. This removes the guesswork from vulnerability prioritization and essentially zooms in on the most dangerous CVEs, which security teams should patch first to reduce time to remediation.
There is some guidance on how to take on this challenge; one of the better options is the old NIST SP 800-40 Revision 2. Note that this standard has been replaced by Revision 3, which targets patch management, but for organizations looking to establish vulnerability management, the superseded older revision is still the one to turn to. For those still struggling, an option is of course to turn to a provider offering this as a service, but for most who aim for the Implementation Group 1 level, getting a scanner and a process in place and deploying them according to best practice will give a solid foundation to drive this process forward, with high automation on the driving and measuring parts.
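To make the risk-based prioritization above concrete, here is an added example (not Outpost24's or CIS's code) that scores findings by CVSS, exploit availability and asset criticality, then groups them by the remediation action that closes them and ranks actions by risk removed per unit of effort. The weights, field names, effort units and sample findings (with placeholder CVE identifiers) are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # placeholder identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 to 10.0
    asset: str
    core_asset: bool         # does the finding sit on a core business asset?
    exploit_available: bool  # is a public exploit known for it?
    fix: str                 # the remediation action that closes it
    fix_effort: int          # assumed relative effort units for that action


def finding_risk(f: Finding) -> float:
    """Risk score: CVSS scaled up when an exploit exists and when the asset is core.
    The multipliers (2.0 and 1.5) are assumed weights, not CIS values."""
    score = f.cvss
    if f.exploit_available:
        score *= 2.0
    if f.core_asset:
        score *= 1.5
    return score


def plan_remediation(findings):
    """Group findings by fix action, then rank actions by total risk removed
    per unit of effort, so cheap fixes that close several findings rise to the top.
    Returns (fix, total_risk, effort, cves) tuples, highest priority first."""
    risk_by_fix = defaultdict(float)
    effort_by_fix = {}
    cves_by_fix = defaultdict(list)
    for f in findings:
        risk_by_fix[f.fix] += finding_risk(f)
        effort_by_fix[f.fix] = f.fix_effort
        cves_by_fix[f.fix].append(f.cve)
    ranked = sorted(risk_by_fix, key=lambda fix: risk_by_fix[fix] / effort_by_fix[fix], reverse=True)
    return [(fix, round(risk_by_fix[fix], 1), effort_by_fix[fix], cves_by_fix[fix]) for fix in ranked]


# Constructed sample scan output: a critical exploitable bug on a core database,
# two findings on a non-core kiosk closed by one cheap image rebuild, and a
# high-severity TLS misconfiguration on a core load balancer.
SAMPLE_FINDINGS = [
    Finding("CVE-EXAMPLE-1", 9.8, "erp-db01", True, True, "patch-db-vendor-q2", 3),
    Finding("CVE-EXAMPLE-2", 7.5, "kiosk-17", False, False, "patch-kiosk-image", 1),
    Finding("CVE-EXAMPLE-3", 5.3, "kiosk-17", False, True, "patch-kiosk-image", 1),
    Finding("CVE-EXAMPLE-4", 8.8, "web-lb01", True, False, "disable-legacy-tls-ciphers", 2),
]

if __name__ == "__main__":
    for fix, risk, effort, cves in plan_remediation(SAMPLE_FINDINGS):
        print(f"{fix:28} risk={risk:5} effort={effort} closes={cves}")
```

With these weights the single low-effort kiosk image rebuild, which closes two findings including an exploitable one, outranks the costlier core database patch; adjust the multipliers and effort units to match your own risk appetite.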
CIS Control 8: You must still remember what I did last summer
So, this next requirement, 8.1 “Establish and Maintain an Audit Log Management Process”, has been an important part of many security standards over the years, and logging remains vital. But not just logging: setting a plan and policy for what to log, how to log, and most importantly how to ensure those logs are reviewed and actioned makes all the difference. Far too many organizations just pile logs up somewhere and never take the time to understand what the data means until something bad happens. But not looking of course means our ability to discern that something has indeed happened is far smaller. Set a policy for all systems, and then ensure all system owners understand and implement it.
CIS Control 10-11: Malware is still prevalent and data recovery
This is both a new and an old safeguard. It is listed as new, but looking at all the previous iterations, malware, or anti-virus, in some form or another has always been on the list.
So what is indeed new?
In version 7.1 we find the recommendation “Utilize centrally managed anti-malware software to continuously monitor and defend each of the organization's workstations and servers”; looking at version 8, however, there are some semantic differences.
The difference to note here is of course that we are no longer talking about workstations and servers, but ALL corporate assets. This is the result of the earlier mentioned challenges with non-managed, non-monitored, and often outdated IT assets that were not seen as workstations, servers or assets within the organization. Overall, the control is nothing new; the change is a clarification of the importance of applying anti-malware to all assets, given the prevalence of malware.
And when we talk about malware there’s no question that ransomware is the most serious cyber security threat in 2021. 11.1 “Establish and Maintain a Data Recovery Process” is one of the new safeguards closely linked to ransomware, highlighting the importance of data recovery. Ransomware is notoriously hard to prevent, and the safeguard clarifies that while data backup is important, you should ensure you can actually restore the data and have a good view of what data must be restored first, what must be possible to restore, and how backups should be protected so you don’t lose them in a ransomware breach, limiting the impact on the rest of the organization’s assets.
CIS Control 14: Train your users to think and act securely
The first training task relates to 14.7 “Train Workforce on How to Identify and Report if Their Enterprise Assets are Missing Security Updates” – or in short, encourage users to inform operations when things do not work as intended and designed. Whenever something happens in an organization, it is very common that someone somewhere already knew about the problems and challenges. In short, one of the important things here is that “Part of this training should include notifying IT personnel of any failures in automated processes and tools.”
Apart from this training, it is also important to implement 14.8 “Train Workforce on the Dangers of Connecting to and Transmitting Enterprise Data Over Insecure Networks”. This is a result of the change in work environments following the pandemic, and hence the guidelines also point out the need to train users on securing their home networks.
It should however be noted that having proper anti-malware and endpoint protection in place and implementing safeguard 4.6 substantially decreases these risks, but a chain is only as strong as its weakest link, and security awareness training is a cost-effective way to substantially strengthen the weak links in the modern enterprise and ensure your staff are your first line of defense.
CIS Control 15: Know who is processing your data
So, you know what systems you have, you know what information you have, you monitor the assets, you train the staff. Yet, in most organizations, there are many outsourced systems, service providers, sub-processors, partners and many more setups to worry about. As we can see from supply chain attacks such as Cloud Hopper, SolarWinds and the recent Codecov, the risk of data breaches via third-party systems and service providers cannot be ignored. Keeping track of your vendors and their security posture is part of your responsibility. Hence the need for safeguard 15.1, “Establish and Maintain an Inventory of Service Providers”: not only should you make security part of the evaluation when you sign them up, you should also inventory them and assign an owner within the organization to classify and monitor the service providers on a recurring basis, at least annually. As your organization matures, you should implement more and more controls over your service providers to ensure their security missteps won’t affect you.
Further guidance on the rest of the CIS controls v8 will follow in this three-part blog series. Watch this space and sign up for our newsletter to get the next blog delivered to your inbox.