CIS controls for protecting IT infrastructure
Cybersecurity is one of the most worrisome issues for companies today. In their eagerness to demonstrate their security efforts, many companies rely on certifications such as ISO27001 and ISO27002, which are excellent frameworks for demonstrating compliance but are inadequate when it comes to prioritizing, measuring and implementing practical IT security initiatives. The Center for Internet Security (CIS) proposes a set of 20 controls, informally known as the CIS controls, which, little by little, will help us to achieve greater security for our infrastructure.
About the CIS Controls
This is a consensus-based framework that includes detailed and prioritized, practical tips on how to implement security in our IT equipment. The CIS controls include detailed instructions regarding what to do, how to measure, how to set priorities and how to audit the infrastructure in order to secure it.
The new work models pose an important challenge to the cybersecurity of businesses.
Let’s start with an example. A company provides an employee with a company device running Windows 7 (this is not so unusual; there are still many of them) that is connected to the corporate network via VPN through a home network. Another device is also connected to this home network (perhaps without antivirus or firewall), onto which the user downloads “files” such as music or movies from the Internet, from web pages and P2P networks of rather doubtful security. The probability that this home device ends up infected is extremely high. And this device sits “on the IP address next to” the corporate device, which, we must remember, runs an operating system that is already beyond Microsoft’s support lifecycle and therefore no longer receives security patches. Moreover, when was the antivirus last updated? Is the firewall enabled? Is Remote Desktop disabled? Or is it still enabled ever since it was configured on an emergency basis during the lockdown in March and April 2020?
This example illustrates that it is not possible to fully control the security of the home networks of the company’s IT users. So what we can (and must) do is everything in our power to maximize the security of the company devices that connect every day to potentially unsafe networks.
With this aim, the Center for Internet Security (CIS) proposes a set of 20 controls, which, little by little, will help us to achieve greater security for our infrastructure, and which are classified into three levels of maturity:
You cannot increase the security of an asset if you are not aware of its existence
Now that we have reached this point, you might be wondering: How can I apply these controls in my company? And furthermore: How do I complete the first two steps of inventory and control of hardware assets and inventory and control of software assets?
IT Asset Management is the starting point for following through with the implementation of security controls. This simple inventory already provides detailed information on the current situation, and we could even plan the indispensable first lines of action based on it.
And what are these 10 major contributions, among many others, that an IT Asset Management system such as Proactivanet provides immediately to help improve the security of the infrastructure?
- A 110% complete inventory
- You will find out in detail about the operating systems that have exceeded their lifecycle.
- And also about the operating systems that are more modern, but that have not been patched.
- Which devices are not equipped with firewall or antivirus.
- Equipment that has obsolete software.
- Old databases.
- Equipment with sensitive services.
- Network devices with firmware that has not been updated.
- Company mobile devices and BYOD connected to the network.
- Active users and the access history of each of them.
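The list above is essentially a set of checks run over inventory records. The following script is an added example (not Proactivanet's code or any CIS tooling) that applies several of those checks to a small constructed inventory: an end-of-life operating system, a modern but unpatched one, missing firewall or antivirus, and Remote Desktop left enabled. The host records, the end-of-life list, the 30-day patch threshold and the severity weights are all assumptions for illustration.

```python
from datetime import date

# Constructed sample inventory (not real hosts); fields mirror the list above.
INVENTORY = [
    {"host": "LAPTOP-01", "os": "Windows 7", "last_patch": date(2019, 12, 10),
     "antivirus": True, "firewall": False, "rdp_enabled": True},
    {"host": "LAPTOP-02", "os": "Windows 10", "last_patch": date(2021, 2, 20),
     "antivirus": False, "firewall": True, "rdp_enabled": False},
    {"host": "SRV-DB-01", "os": "Windows Server 2019", "last_patch": date(2021, 3, 20),
     "antivirus": True, "firewall": True, "rdp_enabled": True},
]

TODAY = date(2021, 4, 1)  # constructed reference date for patch-age checks

# Assumed: operating systems the organisation treats as past vendor support.
EOL_OS = {"Windows 7", "Windows Server 2008 R2", "Windows XP"}
MAX_PATCH_AGE_DAYS = 30  # assumed policy threshold

# Assumed severity weights used to order remediation work.
WEIGHTS = {"eol-os": 5, "unpatched": 3, "no-firewall": 2,
           "no-antivirus": 2, "rdp-enabled": 1}


def assess_host(rec, today):
    """Return the list of findings for one inventory record."""
    findings = []
    if rec["os"] in EOL_OS:
        findings.append("eol-os")          # no longer receives security patches
    elif (today - rec["last_patch"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("unpatched")       # supported OS, but patching has lapsed
    if not rec["antivirus"]:
        findings.append("no-antivirus")
    if not rec["firewall"]:
        findings.append("no-firewall")
    if rec["rdp_enabled"]:
        findings.append("rdp-enabled")     # remote access surface to review
    return findings


def assess_inventory(inventory, today):
    """Map each host name to its findings."""
    return {rec["host"]: assess_host(rec, today) for rec in inventory}


def prioritise(report):
    """Order hosts by total weighted risk, highest first."""
    scored = [(host, sum(WEIGHTS[f] for f in findings))
              for host, findings in report.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)
```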
You have probably realized the potential of this tool for the security of your company. Would you like to continue improving on this topic? Just download our whitepaper and find out how these 10 actions of the IT Asset Management system help you secure your infrastructure immediately.
We hope that you enjoy it, and farewell.
Marketing Team at Proactivanet