Why CIS Top 20 List of Security Controls Gets It Right, And You Should Follow It

By: Albie Swartz, Senior Manager, IT Risk Advisory & Security


For a few minutes, forget about governance, architecture, and implementing a complex security framework based on a massive 500-page manual. If you want to know where your organization should start in terms of protecting itself from cyber threats, look no further than the Center for Internet Security (CIS) Top 20 Controls (CT20).

I’m also a fan of the NIST Cybersecurity Framework (CSF). Using CSF and CT20 together makes a lot of sense, but if you have to choose one list – make it the Top 20. Here’s why.

1. CT20 does a fantastic job of stating the safeguards that should be implemented for each major control.

Other publications are more strategic, high-level, and top-down focused. Examples are COBIT 5, AICPA’s new Cybersecurity Risk Management Examination (CRME), NIST CSF, FFIEC and so forth. Then there are mega-guides, such as NIST 800-53 and ISO 27001/2. None of these do what CIS has done, because they do not tell you exactly what to implement and in which order according to the tenet of prioritization (i.e. reducing the most risk with the fewest safeguards, based on real-world attacks and breaches), while emphasizing measurement, metrics, continuous mitigation, and automation. Remember, an organization cannot do everything all at once, nor should it. You have precious resources and you must be judicious when it comes to using them.

2. CT20 actually conforms to the thinking of a security-minded brain.

Finally, a publication that resonates with me, aligning with my thought process as I try to help educate organizations on how to think about cybersecurity. The story is often the same for many of us security folk, whether we consult, manage internally, or even wear the security hat as part of ODAA (other duties as assigned). We need to promote a culture of security while simultaneously implementing safeguards where they are needed most. CT20 tells us where and how. Let me explain.

When someone tells me they need help with security, whether it be specific assets or everything, the first things I ask are, “What do you (i.e. your organization) do?” and “What are all of your IT assets?” Literally, please give me a list of everything IT that you own, manage, or otherwise use, plus everything that’s connected directly to your network, including any third-party endpoints and integrations. Guess how many times the response is, “Sure, here you go.” Zero. It actually never happens. OK maybe once or twice, sort of. This is a problem.

The problem can be stated simply: you cannot protect what you don’t know exists. Period. If you have one leaky pipe somewhere in your house and you don’t know it’s there, you will end up with mold or water damage. If you have one unsecured or unaccounted-for asset, it’s a potential attack vector. So what does the CT20 have to say about all of this? Let’s take a look at the Basic Controls (1-6) of CT20 and see exactly why we have to do these first.

Controls 1 and 2

These are all about hardware and software inventory. Find everything. Build a database. Verify there are no unauthorized endpoints connected to your computing environment. Discern if there is any undesired or unapproved software installed, running, or stored (portable .exe) on your systems. Make sure software versions are supported and up-to-date. Put compensating controls around any high-risk systems, such as segregating them from other network segments, or placing an additional authentication mechanism in front of them. Many organizations struggle with mastering C1 and C2, attaining only a partial implementation state. Now, I personally think partial is far better than having nothing, but do we really want to be masters of none when it comes to the very basic foundation of IT asset management? No, of course not. The need to fully implement basic security practices is greater now than it’s ever been. Once you understand what you have, then you can begin to secure it.
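The C1/C2 reconciliation described above, as an added example that is not part of the original article: discovered endpoints are compared against an authorized hardware inventory and an approved-software list to surface unknown hosts, hosts that have dropped off the network, unapproved software, and approved software below its supported version. All inventory data, MAC addresses, IPs and version floors are constructed, and the record layout is an assumption rather than any scanner's real schema.

```python
"""Added example: reconcile a discovered-asset list against authorized
hardware (C1) and approved software with minimum supported versions (C2).
Every value below is constructed; the dict layout is an assumed schema."""

# Authorized hardware inventory (constructed): MAC address -> asset name.
AUTHORIZED_HOSTS = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "laptop-jdoe",
    "aa:bb:cc:00:00:03": "printer-3f",      # in inventory but not seen on the wire
}

# Approved software and the lowest version still supported (constructed).
APPROVED_SOFTWARE = {"openssh": (8, 0), "nginx": (1, 20)}

# What a network scan or DHCP export might report (constructed sample data).
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.10",
     "software": {"openssh": "9.3", "nginx": "1.18"}},
    {"mac": "aa:bb:cc:00:00:02", "ip": "10.0.0.21",
     "software": {"openssh": "7.4"}},
    {"mac": "de:ad:be:ef:00:99", "ip": "10.0.0.77",   # not in the inventory at all
     "software": {"teamviewer": "15.0"}},
]

def parse_version(text):
    """Turn '1.18' into (1, 18) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def reconcile(discovered, authorized, approved):
    """Return findings grouped by issue type; an empty list for a type means clean."""
    findings = {"unknown_host": [], "not_seen": [],
                "unapproved_software": [], "outdated_software": []}
    seen = set()
    for ep in discovered:
        seen.add(ep["mac"])
        if ep["mac"] not in authorized:                 # C1: endpoint nobody approved
            findings["unknown_host"].append(ep["ip"])
        for name, version in ep["software"].items():
            if name not in approved:                    # C2: software not on the list
                findings["unapproved_software"].append((ep["ip"], name))
            elif parse_version(version) < approved[name]:   # C2: below supported floor
                findings["outdated_software"].append((ep["ip"], name, version))
    # Inventory entries never observed: stale records or assets that went missing.
    findings["not_seen"] = [authorized[m] for m in authorized if m not in seen]
    return findings

if __name__ == "__main__":
    for issue, items in reconcile(DISCOVERED, AUTHORIZED_HOSTS, APPROVED_SOFTWARE).items():
        for item in items:
            print(issue, item)
```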

Controls 3 and 5

These describe continuous vulnerability monitoring (scanning and reporting) and secure configurations, respectively. C3 will help inform C1 and C2 tremendously, and without C5 the primary assets of your users are just waiting to be pwned. So really, those four controls establish the very basis of activities that must be ongoing FOREVER at your organization in order to maintain control. And the idea of control brings us to access and monitoring.

Controls 4 and 6

Controls 4 and 6 talk about administrative access and monitoring/analysis of logs, respectively. My goodness, the number of times someone has discovered horrendous access management practices is so large the human mind can’t even handle it. Okay, maybe it’s not that big, but honestly it happens far too often. C4 is focused on securing admin access because, in a perfect world, unprivileged users can do much less harm if they are unable to gain unauthorized access to privileged rights.

C4 promotes specific controls, such as multi-factor authentication (MFA), using dedicated accounts, and so forth. We all know getting admin access is like becoming Superman of the computing world (or maybe the One-Above-All for comic aficionados), so of course we have to protect this special access. No need to elaborate. But what happens when someone does gain unauthorized access, privileged or not?

3. Monitoring happens.

Or at least it should. There have been several articles published recently (in 2018) by security researchers claiming that any network can be infiltrated, many of them trivially, by a competent, skilled team. What this means for business leaders is: you need to watch your computing environment very closely for signs of unauthorized activity and perform constant analysis of relevant data, much of it being logs. You have to watch all the time, 24x7x365. You can’t have anyone asleep at the wheel, out on vacation for a couple of days, or simply saying, “Yup, I looked real quick, didn’t see much.” Wrong answer. In a world where successful breaches are happening all around us, detection is key to response. And of course you have to be able to respond, but that’s a topic for another day.
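The C4 practices named above (MFA, dedicated admin accounts) and the C6 log review that this section calls for, combined in one added example that is not from the original article: a small pass over authentication events flags privileged logons from accounts outside the dedicated-admin list, privileged logons without MFA, and bursts of failed logons from one source. The key=value log format, field names, account names and threshold are all constructed assumptions, not any real product's schema.

```python
"""Added example: review constructed authentication events for the C4 practices
the article names (MFA, dedicated admin accounts) and the C6 habit of actually
looking at logs.  Log format, fields and accounts are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime

DEDICATED_ADMIN_ACCOUNTS = {"adm-jdoe", "adm-asmith"}   # constructed C4 list
FAILED_LOGON_THRESHOLD = 5                              # failures per source before alerting

# Constructed sample events; in practice these would come from a SIEM or syslog.
SAMPLE_LOG = """\
2018-06-01T08:02:11 src=10.0.0.21 user=adm-jdoe event=priv_logon mfa=yes result=ok
2018-06-01T08:05:40 src=10.0.0.21 user=jdoe event=priv_logon mfa=yes result=ok
2018-06-01T08:07:02 src=10.0.0.77 user=adm-asmith event=priv_logon mfa=no result=ok
2018-06-01T09:00:01 src=10.0.0.77 user=admin event=logon result=fail
2018-06-01T09:00:02 src=10.0.0.77 user=admin event=logon result=fail
2018-06-01T09:00:03 src=10.0.0.77 user=admin event=logon result=fail
2018-06-01T09:00:04 src=10.0.0.77 user=admin event=logon result=fail
2018-06-01T09:00:05 src=10.0.0.77 user=admin event=logon result=fail
2018-06-01T09:10:00 src=10.0.0.21 user=jdoe event=logon result=ok
"""

def parse(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def review(log_text):
    """Return (issue, who/where, detail) tuples for anything a reviewer should look at."""
    findings = []
    failures = defaultdict(int)                # failed logons counted per source address
    for line in filter(None, log_text.splitlines()):
        r = parse(line)
        if r["event"] == "priv_logon":
            if r["user"] not in DEDICATED_ADMIN_ACCOUNTS:       # C4: use dedicated accounts
                findings.append(("non_dedicated_admin", r["user"], r["src"]))
            if r.get("mfa") != "yes":                           # C4: MFA on privileged access
                findings.append(("privileged_logon_without_mfa", r["user"], r["src"]))
        elif r["result"] == "fail":                             # C6: watch for guessing bursts
            failures[r["src"]] += 1
            if failures[r["src"]] == FAILED_LOGON_THRESHOLD:
                findings.append(("failed_logon_burst", r["src"], r["ts"].isoformat()))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding)
```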

So, there you have it. In the vast cybersecurity universe full of possible ways to detect, protect, and respond, you should start with the CT20 Basic 6 because they give you the biggest bang for your buck. By “your buck” I am referring back to the resources and investments that you will have to commit to cyber risk management activities. Such investments can be considerable in terms of Total Cost of Ownership (TCO), and therefore you ought to invest wisely based on risk reduction. Good thing someone did the heavy lifting for you.


With questions on this topic, contact the author, Albie Swartz at aswartz@cviewllc.com.
