The Critical Security Controls (V6)
Executive Summary

Background

Credit card breaches, identity theft, ransomware, theft of intellectual property, loss of privacy, denial of service – these have become everyday news. For most of us, it's a head-spinning mix of dense technical jargon, conflicting expert opinions, doomsday predictions, and market hyperbole.

And here's the really concerning part: the vast majority of cybersecurity problems that plague us today could have been prevented by action, technology, and policies that are already known to exist in the marketplace. We're not being attacked by wizards wielding unstoppable magic, we're being overwhelmed by massive numbers of relatively mundane parlor tricks.

It's not that organizations aren't aware, or that their defenders aren't skilled enough. Instead, most are just overwhelmed by what we call the "Fog of More"[1] - more work, problems, regulatory and compliance requirements, conflicting opinions, marketplace noise, and more unclear or daunting recommendations than anyone can manage. Even for the rare Enterprise that has the information, expertise, resources, and time to figure this out, it's rarely true for all of their key business partners, suppliers, and clients.

The Philosophy

These are the kinds of issues that led to and now drive the CIS Critical Security Controls ("the CIS Controls"). The CIS Controls are a concise, prioritized set of cyber practices created to stop today's most pervasive and dangerous cyber attacks aimed at IT users worldwide. The Controls are developed, refined, and validated by a community of leading global experts. They started as a grass-roots activity to cut through the fog to sharpen focus on the most fundamental and valuable actions every enterprise should take. They align with and map to all of the major compliance frameworks such as NIST Cybersecurity Framework, NIST guidelines, and the ISO 27000 series or regulations such as PCI DSS, HIPAA, NERC CIP, FISMA. Their value is determined by knowledge and data – the ability to prevent, alert, and respond to the attacks that are plaguing enterprises today. Strong evidence reveals that the vast majority of threats out in the wild affect all organizations, directly or indirectly, and whether or not they know it.
The history of cyber defense has been driven by very well-intentioned experts defining or demonstrating all of the things that Bad Guys might do, and all of the things that might go wrong. And then they tell you all about the things that you could do to defend yourself.

The CIS Controls take a Pareto Principle, "80/20 Rule" approach to this problem by focusing on what the Bad Guys are doing now. What are the core, foundational, steps I can take to get most of my security value and stop these attacks?

[1] https://www.youtube.com/watch?v=OZLO-xekp3o

How are they created?

Led by the Center for Internet Security (CIS), the CIS Controls have matured into an international movement of individuals and institutions that:

• share insight into attacks and attackers, identify root causes, and translate that into classes of defensive action;
• document stories of adoption and share tools to solve problems;
• track the evolution of threats, the capabilities of adversaries, and current vectors of intrusions;
• map the CIS Controls to regulatory and compliance frameworks and bring collective priority and focus to them;
• share tools, working aids, and translations;
• review leading breach reports that reveal the defenses that could have prevented most of the reported breaches;
• identify common barriers (like initial assessment and implementation roadmaps) and solve them as a community instead of alone; and
• make the output of this work available at no cost to any organization trying to improve their cyber defenses.

Who are the expert volunteers?

The volunteers who develop the CIS Controls come from every part of the cyber ecosystem (companies, governments, individuals); representing every role (threat responders and analysts, technologists, vulnerability-finders, toolmakers, solution providers, defenders, users, policy-makers, auditors, etc.); and within many sectors (government, power, defense, finance, transportation, academia, consulting, security, IT). These are professionals most companies can't afford to hire, bringing knowledge you don't have, creating content that you could not build on your own.
Their extensive experience ensures that the CIS Controls are not just another list of "good things to do", but a prioritized, focused set of actions driven by a community support network to make them implementable, usable, scalable, and compliant with all industry or government security requirements. Over the decades, many great ideas in cybersecurity have been abandoned, forgotten, and reinvented because no one planned for the long-term support of the idea.

The Corporate View

While the Controls document contains a lot of specialized technical jargon, keep in mind that any effective cybersecurity improvement program should be able to bridge the gap from detailed technical security requirements up into basic questions of corporate risk management, like:

• Do we know what is connected to our systems and networks?
• Do we know what software is running (or trying to run) on our systems and networks?
• Are we continuously managing our systems using "known good" configurations?
• Are we continuously looking for and managing "known bad" software?
• Do we minimize risk by tracking the people who can bypass, change, or over-ride our security defenses?
• Are our people aware of the most common threats to our business or mission, and what they can do about them?

These questions aren't "rocket science", and most are similar to the kinds of questions that corporate leaders already ask about physical inventory, safety, finances, and numerous other areas of corporate risk management. Each of these questions maps directly into one or more of the CIS Controls.

Getting Started

Your journey of cybersecurity improvement starts at www.cisecurity.org. In exchange for an email registration, you can download the CIS Critical Security Controls document and have access to numerous working aids, use cases, resources, and a growing user community of volunteers to help you succeed. You'll still have lots of hard work ahead, but the journey becomes manageable with a plan, and with trusted help along the way.

The Center for Internet Security (CIS) is a 501(c)(3) organization dedicated to enhancing the cybersecurity readiness and response among public and private sector entities. Utilizing its strong industry and government partnerships, CIS combats evolving cybersecurity challenges on a global scale and helps organizations adopt key best practices to achieve immediate and effective defenses against cyber attacks. CIS is home to the Multi-State Information Sharing & Analysis Center (MS-ISAC®), CIS Security Benchmarks, and CIS Critical Security Controls. To learn more, visit CISecurity.org and follow us on Twitter @CISecurity.

The Critical Security Controls

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises