CIS Control 01 - Goal
Track and manage IT assets connected to infrastructure, physically or virtually.
CIS Control 01 - Importance of Tracking IT Assets
To know the totality of assets, which should be monitored and protected.
CIS Control 01 - Tool for Tracking Assets
A simple IT inventory list tracking various data points.
CIS Control 01 - Handling Sensitive Data
Know which device has sensitive info for closer monitoring.
CIS Control 01 - Guest/Third-Party Access
Properly secure or terminate guest/third-party access/networks.
CIS Control 02 - Main Focus
Inventory and control of software assets like OS and applications.
CIS Control 02 - Unauthorized Software
Use policies and whitelisting to approve only authorized software.
CIS Control 02 - Regular Verification
Ensure the most current software is installed and old apps are renewed/removed.
CIS Control 03 - Goal
Securely manage data from start to end.
CIS Control 03 - Data Handling
Identify, archive, label, and classify data.
CIS Control 03 - Types of Classification
Public, internal, sensitive, confidential.
CIS Control 03 - Mapping Sensitive Data
To identify the software that accesses these types of data.
CIS Control 03 - Policy Requirements
Data retention, usage, and disposal guidelines.
CIS Control 03 - Data Security
Use encryption for data at rest and in transit.
CIS Control 04 - Configuration Recommendation
Establish and maintain secure baseline configurations for enterprise assets.
CIS Control 04 - Included Assets
Network devices, mobile/portable devices, IoT, operating systems.
CIS Control 04 - Default Configurations Risk
They may present vulnerabilities that can be exploited.
CIS Control 04 - Reconfiguration Sources
Publicly available security standards.
CIS Control 04 - Security Hardening
Adjusting target configurations continuously to reduce vulnerabilities.
CIS Control 04 - Hardening Actions
Remove unused software, change default passwords, turn off non-essential services.
CIS Control 04 - Supporting Tools
Firewalls, IDS/IPS, DLP systems, MDM software.
CIS Control 04 - Multiple Environments
Use separate baseline configurations for each type/classification level.
CIS Control 04
Continuously monitor for deviations and updates.
CIS Control 05 - Main Focus
Best practices for managing account credentials and authorization.
CIS Control 05 - Inventory Accounts
So appropriate controls can be applied.
CIS Control 05 - Policies to Communicate
Account safety guidelines and password requirements.
CIS Control 05 - Admin Accounts Handling
Restrict usage; keep separate from regular user accounts.
CIS Control 05 - Additional Protection
Multi-factor authentication (2FA).
CIS Control 06 - Purpose
Ensure users only have access needed for their job roles.
CIS Control 06 - Guiding Principles
Least privilege and need-to-know.
CIS Control 06 - Risks to Reduce
Unauthorized access and security breaches.
CIS Control 06 - Systems to Inventory
Authentication and authorization systems.
CIS Control 06 - Access Control
Access granting and revoking protocols (ARK/separation of duties).
CIS Control 06 - Access Handling During Hiring/Firing
Add/remove access in a timely manner.
CIS Control 07 - Goal
Continuously identify and manage vulnerabilities.
CIS Control 07 - Staying Current on Threats
To defend against known and unknown vulnerabilities.
CIS Control 07 - Zero-Day Exploits
Unknown vulnerabilities with no remediation available.
CIS Control 07 - Handling New Vulnerabilities
Assess and prioritize based on likelihood and impact.
CIS Control 08 - Goal
Collect, alert, review, and retain logs for detecting and recovering from attacks.
CIS Control 08 - System Logs
Record system start/end times, crashes, and restorations.
CIS Control 08 - Audit Logs
Track user actions like logins, file access, and application use.
CIS Control 08 - Importance of Event Logs
Used in legal matters, process improvement, and compliance.
CIS Control 08 - Log Lifecycle
The full log lifecycle from collection to disposal.
CIS Control 09 - Focus
Prevent cybercrime via email and web access.
CIS Control 09 - Risks of Browsers and Email
They allow attackers to reach users directly with malware or scams.
CIS Control 09 - Common Attack Types
Phishing scams targeting executives and others.
CIS Control 09 - Recommended Protections
URL filtering, file type blocking, browser add-on restrictions.
CIS Control 10 - What is the goal of CIS Control 10?
Prevent the installation of malware onto company assets.
CIS Control 10 - What types of malware are mentioned in CIS Control 10?
Viruses, worms, spyware, adware, keyloggers, and ransomware.
CIS Control 10 - How can malware damage an organization per CIS Control 10?
By stealing intellectual property, login credentials, destroying data, or encrypting it for ransom.
CIS Control 10 - What should be done with anti-malware solutions per CIS Control 10?
They should be automated, centrally managed, maintained, and deployed to all potential entry points.
CIS Control 10 - How does CIS Control 10 recommend handling unauthorized downloads?
Security features should prevent the installation of unauthorized downloads.
CIS Control 10 - What is "living off the land" in the context of CIS Control 10?
Attackers use an organization's existing tools against itself to avoid detection.
CIS Control 10 - How do attackers use stolen credentials per CIS Control 10?
Hackers exploit existing tools/applications with stolen credentials to gain access to systems.
CIS Control 11 - What is the purpose of CIS Control 11?
Establish data backup, testing, and restoration processes to recover assets to a pre-incident state.
CIS Control 11 - Why is data recovery essential in CIS Control 11?
Organizational data is critical for conducting business and targeted by ransomware attacks.
CIS Control 11 - What factors can make data unusable, as mentioned in CIS Control 11?
Human error, misconfigurations, and natural events.
CIS Control 11 - What are the best practices for data recovery in CIS Control 11?
Automate backups, use off-site storage, and encrypt backup data.
CIS Control 11 - How often should data recovery functions be tested according to CIS Control 11?
At least once per quarter.
CIS Control 12 - What is the focus of CIS Control 12?
Managing and securing a company's network infrastructure.
CIS Control 12 - What types of network devices are covered in CIS Control 12?
Firewalls, routers, switches, gateways, access points, and physical/virtual devices.
CIS Control 12 - Why must network documentation be kept current in CIS Control 12?
To reflect the organization's network topology and layout accurately.
CIS Control 12 - What should network documentation include according to CIS Control 12?
Critical vendor contact information for timely upgrades or patches.
CIS Control 12 - What should be done with end-of-life network components per CIS Control 12?
Monitor and upgrade them as necessary.
CIS Control 12 - How does CIS Control 12 recommend dealing with insecure default network configurations?
Continuously identify and remediate insecure settings.
CIS Control 12 - What tools help fulfill the requirements of CIS Control 12?
Commercial tools to evaluate network configurations and run sanity checks.
CIS Control 13 - What is the focus of CIS Control 13?
Monitoring and defending a company's network infrastructure.
CIS Control 13 - What is crucial for network defense according to CIS Control 13?
Continuous monitoring and fine-tuning network security.
CIS Control 13 - How can networks be attacked, as described in CIS Control 13?
Through Denial of Service (DoS) attacks and ransomware.
CIS Control 13 - What happens during a DoS attack, as per CIS Control 13?
A perpetrator overloads a network, rendering it useless.
CIS Control 13 - How does ransomware work according to CIS Control 13?
Attackers block access to a company's system and demand payment to regain access.
CIS Control 13 - What tools should be used for monitoring and defense in CIS Control 13?
SIEM, NIPS, NGFW, DLP, and EDR systems.
CIS Control 13 - What role do SOC/NOC centers play in CIS Control 13?
They monitor and defend against security threats in larger organizations or through outsourced MSPs.
CIS Control 14 - What is the goal of CIS Control 14?
Establishing security awareness and training programs to reduce cyber risk.
CIS Control 14 - Why is training important in CIS Control 14?
Uninformed employees are a major security risk to IT systems.
CIS Control 14 - What topics should be covered in CIS Control 14 security training?
Recognizing unusual behavior, social engineering, asset handling, risks of insecure networks.
CIS Control 14 - How often should security training occur according to CIS Control 14?
Training should be more frequent than annual and include current, relevant examples.
CIS Control 14 - What recent events should be discussed in CIS Control 14 training?
Recent data breaches, phishing scams during tax season, and phishing emails about fake rewards.
CIS Control 15 - What does CIS Control 15 address?
The management of third-party service providers that access sensitive data or handle IT functions.
CIS Control 15 - Why is third-party service provider management important in CIS Control 15?
Because third-party services may not meet the same security standards, posing a risk.
CIS Control 15 - What is recommended for evaluating third-party services per CIS Control 15?
Establish a process to oversee the service provider's lifecycle and assess their performance.
CIS Control 15 - How can System Organization Controls (SOC) reports be used in CIS Control 15?
To assess risks and performance of third-party providers.
CIS Control 16 - What is the focus of CIS Control 16?
Application software security during the software development lifecycle.
CIS Control 16 - What types of vulnerabilities are mentioned in CIS Control 16?
Buffer overflows, Cross-Site Scripting (XSS), SQL injections, and race conditions.
CIS Control 16 - When should application security practices be introduced according to CIS Control 16?
As early in the software development lifecycle (SDLC) as possible.
CIS Control 16 - What should be done with third-party software components in CIS Control 16?
Inventory third-party software and ensure it is up-to-date and configured correctly.
CIS Control 16 - How can organizations mitigate risks in Software-as-a-Service (SaaS) platforms per CIS Control 16?
Inquire about security practices and obtain SOC reports to ensure compliance.
CIS Control 16 - What is a bug bounty program in CIS Control 16?
A program where employees are rewarded for identifying flaws in software.
CIS Control 17 - What is the purpose of CIS Control 17?
Establishing an incident response management program to detect, respond, and prepare for cyber-attacks.
CIS Control 17 - Why is incident response important in CIS Control 17?
To comply with laws and regulations like HIPAA and GDPR, and mitigate fines and data breach impacts.
CIS Control 17 - What should an incident response process include per CIS Control 17?
A key contact, response team, and communication plan for notifying impacted parties.
CIS Control 17 - How often should incident response processes be tested in CIS Control 17?
Periodically, to assess effectiveness and identify areas for improvement.
CIS Control 18 - What is the focus of CIS Control 18?
Penetration testing to evaluate cybersecurity defenses through simulated attacks.
CIS Control 18 - How does penetration testing differ from vulnerability testing in CIS Control 18?
Penetration testing attempts to exploit vulnerabilities, while vulnerability testing only identifies them.
CIS Control 18 - What is the process of penetration testing in CIS Control 18?
Discover the environment, scan for vulnerabilities, attempt exploitation, and revise controls.
CIS Control 18 - How often should penetration testing be performed according to CIS Control 18?
At least annually for large organizations with significant cyber risk.
CIS Control 18 - What are "Red Team exercises" in the context of CIS Control 18?
Simulated attacks focusing on specific tactics to test an organization's defenses.