The volume of network security advice is overwhelming. It can be difficult to know where to start.
The Center for Internet Security (CIS) aims to answer this question with its 20 Critical Security Controls (formerly known as the SANS 20).
The CIS 20 is a prioritized list of cybersecurity actions designed to minimize costs and maximize security benefits. Although intended for enterprises, they are also an effective guide for small and medium businesses.
The list was originally created in 2008 by an international group of cyber security experts from across public, private, and academic institutions. Learn more in this CIS 20 FAQ.
In short, the security controls are one of the best ways to start a network security program. It’s highly regarded throughout the security industry.
The first five controls of the CIS 20 are particularly important. Multiple studies have proven them to be an effective defense against about 85% of cyberattacks, according to CIS.
See how these five controls can help your organization below.
Security Control #1. Inventory of Authorized & Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
You cannot defend a network if you do not know the devices that use it.
This critical security control requires you to create an inventory of the devices that may attempt to connect to the network.
Hundreds of network inventory tools are available to help you identify devices on your network. They range from simple and free to feature-rich and expensive.
Small business networks do not need fancy tools to create an inventory of network devices. A simple spreadsheet will do.
This spreadsheet will be the master list of authorized network devices.
The hardware you will eventually list in the spreadsheet may include:
- Desktop and laptop computers
- Smartphones and tablets
- Printers, scanners, and VoIP phones
- Servers, routers, and switches
- Any other devices authorized to use the network
In a spreadsheet, create columns for each detail you wish to record about the devices. For example, you may wish to record the following:
- IP Address
- MAC Address
- Device Type
- Model Number
- Serial Number
- Operating System Version
- Firmware Version
- Primary User
Check out this blog post on how to create a network inventory spreadsheet to learn more about the first critical security control.
Security Control #2. Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Systems are often breached by exploiting software vulnerabilities – i.e. security holes in the software. Vendors regularly release updates or “patches” to fill these holes and improve the software.
Some vendors are more reliable than others, however, and not all can be trusted to discover and fix security gaps in a timely manner.
This is why it’s important to track the software used on network devices and to control the software packages that are allowed to execute, and also to ensure the packages you use are patched.
Create a Software Inventory
Similar to the network inventory described above, this security control requires a list of authorized an unauthorized software. It should cover each type of device on the network – whether workstations, servers, smartphones, or otherwise.
This can be a daunting task, which is why sophisticated software inventory systems are available for larger organizations to monitor the software and versions in use.
Deploy Application Whitelisting
Hailed as one of the most effective CIS critical controls at preventing cyber attacks, application whitelisting allows only an admin-defined list of software suites to run. All other applications are blocked.
Application whitelisting can be tough for organizations to adopt, as it abolishes the widespread practice of allowing users to install software at will. However, with a flexible list of whitelisted apps, the amount of disruption can be minimized.
Security Control #3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Beyond the vulnerabilities inherent in certain software packages, certain configuration options can open new windows of opportunity for hackers to exploit.
For example, the default configuration settings for operating systems in new workstations are often designed for ease-of-use, not security. While the software may be up-to-date, its configuration can leave the system vulnerable.
This is why hardware and software configurations must be secured across all devices. Set a secure baseline and establish security controls to prevent users from changing important settings.
The configurations must also be monitored as new vulnerabilities surface and new software versions are released.
Build a Secure Baseline
Create a secure system image to deploy new workstations, laptops, servers, and other systems. Store them in a secure location without internet or network access.
To make this process easier, CIS publishes free configuration guidelines called the CIS Benchmarks for various operating systems.
Configuration Management Tools
Manually tracking the configurations of dozens of workstations and network devices would be maddening. Instead, a variety of automated tools are available – including Microsoft’s Active Directory Group Policy Objects.
These tools can help you automatically enforce and reconfigure devices on the network.
Security Control #4. Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Since hackers are always looking for weaknesses to exploit, this control requires you to become an expert at finding and fixing them.
Sometimes when a new software vulnerability is discovered, the software vendor is alerted before the public. This gives the vendor time to issue a patch.
However, sometimes vulnerabilities are announced months before a patch’s release. This delay, combined with the inevitable delay of the patch being applied by administrators, creates opportunities for hackers to exploit.
This is why it’s critical to identify new vulnerabilities and quickly patch existing ones as soon as possible.
Conduct Vulnerability Scanning
Hundreds of vulnerability scanners exist to help you check the software and configurations of the systems on your network.
Check out this post on 6 Free Network Vulnerability Scanners from Network World.
Be sure to use a scanner validated by the Security Content Automation Protocol (SCAP). A list of validated products is maintained by the National Institute of Standards and Technology (NIST).
Also ensure the scans are performed on systems using administrator authentication so they are as thorough as possible. Don’t forget to compare scan results with prior scans to ensure progress is made.
Practice Patch Management
Identifying vulnerabilities is not enough. You need a systematic approach to fixing them – and you can do this through patch management.
Patch management is the process of identifying, acquiring, installing, and verifying patches for products and systems. It’s critical to network security, since software patches are often the only fully effective way to correct known vulnerabilities.
Patches can be applied in multiple ways:
- Systems and software can be configured to update automatically
- Centralized operating system and patch management tools can monitor and initiate patching on machines across the network
- Patches can be applied manually as needed
For small business, configuring systems to update automatically is highly recommended to ensure patches are applied as soon as possible.
Also, check out free patch management tools such as Ninite, which can automatically monitor and update dozens of software packages on a machine.
While paid solutions can greatly help this process, small businesses can start with a simple spreadsheet that lists their critical systems, the software on them, and the software versions. Check weekly whether new updates are available.
In theory, each day a patch is available but unapplied is another day a system is needlessly vulnerable. As a network grows in size, a coherent strategy to management and prioritize patches is critical to ensuring known security flaws are fixed as quickly as possible.
Subscribe to Vulnerability Intelligence Services
Since thousands of vendors release patches every week, you can identify the most critical patches with the help of vulnerability intelligence services.
Many paid services exist to provide data on the latest threats – including newly discovered malicious hosts, IPs, and others. The data feeds often cost over $1,000/month.
Small businesses can start smaller and cheaper to follow this control. Subscribe to free vulnerability alerts, such as:
You can also followed reputable security publications such as:
Security Control #5. Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Imagine two small banks:
- One bank has 25 employees. Only two employees have keys to the vault.
- A second bank has 25 employees. All 25 employees have keys to the vault.
Assuming the banks are otherwise identical – which one is more likely to be robbed?
The second bank, of course, because attackers have 25 ways of gaining access to the vault, rather than two.
Employees at the second bank are likely to argue that it’s more convenient to have 25 vault keys. It’s easier to perform daily tasks without interruption.
Minimize admin privileges
While it may be more convenient to give all users administrative access to local and network resources, it’s a foolish practice. Grant admin access only when necessary. Be very strict on this security control.
Also, maintain an inventory of administrative accounts and validate that each person is authorized to access the resources in question.
Monitor admin changes
Maintain logs and send alerts for changes to administrative accounts – such as when accounts are created, deleted, or when their privileges are changed.
Do the same for login failures to administrative accounts. While it’s common for a user to enter the wrong password once or twice – a high number of failures suggests someone is trying to guess a password.
Multi-factor authentication is a gold-standard for administrative access, and you should use it when possible.
However, not all small businesses are ready to adopt it. In such cases, use long passwords (more than 14 characters) to make them difficult to crack.
Also – never use default passwords – such as those often found on new routers and wireless access points. They are the first passwords an attacker will guess, so always change them.
Isolate an admin-only machine
An effective method for controlling access to critical resources is to grant access to only a single, dedicated machine and to rigorously limit access to the machine.
Dedicate a workstation to performing only administrative tasks, such as changing firewall settings or accessing customer databases. Then isolate this machine from the primary network and do not grant it internet access.
The machine should never be used for high-risk activities, such as reading email or surfing the web.