IT Asset Protection and The CIS Controls v8

If you are concerned about data security in your company, that’s a good thing. Protecting your company’s data, and other information that is in your organization’s care, is an essential responsibility in today’s environment. Data security, however, is just one piece of a comprehensive asset protection plan.

Data security is just one piece of a comprehensive asset protection plan.

We outlined in a recent post about the first step in all cybersecurity plans, even simply understanding your environment will expand your view of where vulnerabilities exist. Moving into the phase of protecting your assets will likely further expand your thinking well beyond just data security.

If know your environment is the first step, protect your assets is the next.

Protect Your Assets

A partial list of what the asset protection phase of a modern cybersecurity plan entails:

• Protecting data
• Configuring systems and software with security in mind
• Managing accounts
• Managing access control
• Assessing and monitoring vulnerabilities
• Collecting and analyzing audit logs
• Configuring software and systems for malware detection
• Managing network infrastructure devices

And that’s a partial list! It’s a big job. Someone (or a team) needs to understand and unpack how data, applications, users, computers, network devices, etc., all interact in the context of your business.

Wouldn’t it be great if there was a template that details the protections to put in place, breaks them down into more manageable chunks, and points you to useful resources?

The CIS Controls Provides a Framework for IT Asset Protection

As a matter of fact, that’s exactly what the Center for Internet Security (CIS) created and maintains. The independent non-profit group’s current version of its Critical Security Controls (version 8) details 18 categories comprised of 153 safeguards to help organizations like yours design and implement comprehensive cybersecurity plans. Documentation about each control includes:

• Why the control is critical
• Procedures and tools required to implement
• Resources
• Individual safeguards that comprise the control

The CIS Controls v8 Reference

Of the 18 controls, 14 focus on protecting an organization’s assets. Like we said, this phase is the meat of a cybersecurity plan. We’ve summarized each of the controls for your reference below.

KEY:

Look for the shield icon. These contorls are focused on asset protection.

Control #1) Inventory and Control of Enterprise Assets

Actively manage all enterprise assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise.

Cybersecurity professionals use Control #1 as a guide for the “know your environment” phase of a cybersecurity plan, as we discussed in our recent post. The key in this step is to develop a truly comprehensive list of assets that need protection, including end-user devices, network devices, non-computing/Internet of Things (IoT) devices, and servers. The list must address what is connected to the infrastructure physically, virtually, remotely, as well as those within cloud environments.

Control #2) Inventory and Control of Software Assets

Actively manageall software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

This control extends the advice of Control #1 to include software assets like operating systems and applications.

Control #3) Data Protection

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

The documentation will help an experienced cybersecurity professional establish data classification guidelines, institute practices for handling data, and develop plans for responding to a breach. 

The Data Protection control includes 14 recommended safeguards to identify, detect, and protect data. For many small businesses, however, only 6 of them are likely necessary.

Control #4) Secure Configuration of Enterprise Assets and Software

Establish and maintain the secure configuration of end-user devices, network devices, non-computing, devices, and servers, and software.

Most new software and systems come from the vendor with very open configurations, from a security perspective, for easier deployment. This control helps a company prioritize security. 

This control includes 12 recommended safeguards for asset configuration. For many small businesses, however, only 7 of them are likely necessary.

Control #5) Account Management

Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

As you have probably learned, it is easier for an external or internal threat actor to gain unauthorized access to enterprise assets or data through using valid user credentials than through “hacking” the environment.

Smart policies and effective training are critical to implementing this control. Six safeguards (4 of which are identified as essential even for smaller organizations) provide structure for implementation.

Control #6) Access Control Management

Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

Organizations planning for greater cybersecurity will have to pare down some of the freedoms users currently enjoy. Accounts should only have the minimal authorization needed for the role. This includes configuring users to not have local administrator privileges for the computers they use.

Five of the eight safeguards in this control are recommended even for smaller businesses with limited budgets.

Control #7) Continuous Vulnerability Management

Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure.

Measures detailed in this control help remediate, and minimize, the window of opportunity for attackers to take advantage of vulnerabilities. Procedures and tools can be put in place to discover vulnerabilities quickly and address them (through means such as installing patches).

Safeguards detailed in the document provide structure to how your business can identify, protect, and respond to vulnerabilities.

Control #8) Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Unlike system logs, audit logs take planning, consideration and effort to set up. Because they capture user-level events, such as when a user logged in, files accessed, etc., analysis of these logs can reveal information about the timing, methods, and intent of an attack.

Unfortunately, many companies fail to adequately configure and analyze audit logs. Hackers know this, allowing their attack to go unnoticed for months or even years.

Twelve safeguards are explained in the CIS controls, with 3 of them deemed to be critical even for small businesses.

Control #9) Email and Web Browser Protections

Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

Because users interact with external, untrusted users and environments primarily through email and web browsing, these are prime points of entry for attackers. They can craft messages that encourage users to disclose credentials, provide sensitive information, or otherwise open the door for infiltration.

This CIS control details 7 safeguards ranging from ensuring the use of fully-supported browsers and email clients to deploying and maintaining anti-malware protections. Two of these safeguards are considered essential for all organizations.

Control #10) Malware Defenses

Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

Malware is behind many of the attacks that reach the news. As attackers leverage machine learning, their malware has become able to adapt and more successfully avoid, deceive, and disable defenses.

Protection measures that use automation, are frequently updated, and integrate with other processes are most successful at protecting IT assets. Full implementation of this control goes beyond protection and detection to include centrally collecting and analyzing logs. Three of the control’s 7 safeguards are considered critical for any organization.

Control #11) Data Recovery

Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

Relevant primarily to the 3rd phase of your cybersecurity plan, to the Data Recovery control details methods your organization can use to get back up and running quickly in the event of an attack, such as a ransomware.

Control #12) Network Infrastructure Management

Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

Hardware and software gateways, firewalls, wireless access points, routers, and switches are also vulnerable targets for attackers. As with computer systems and software, default configurations are geared for ease of deployment, not security.

Not only should your IT team change those default configurations, but they will also need to monitor them over time. Exceptions often get made for specific applications and users that open up windows of opportunity for hackers.

At a minimum, organizations should create and consistently update network infrastructure software and firmware. The CIS documentation goes on to explain 7 additional safeguards.

Control #13) Network Monitoring and Defense

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Having technology in place can give a company a false sense of security. People, process, and technology must collaborate to consistently monitor and adapt to changing infrastructure and nimble threats.

Time and again attackers have been able to infiltrate and go undetected for long periods of time due to poor monitoring and analysis. Eleven safeguards are detailed in this CIS control, but some smaller organizations may be sufficiently set up to detect problems and protect their assets based upon safeguards covered in other controls.

Control #14) Security Awareness and Skills Training

Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cybersecurity risks to the enterprise.

As stated earlier, enticing a user to click a link or open an email attachment are easy ways for an attacker to gain entry. Such an infiltration strategy can help a cyber criminal subvert the most sophisticated technology.

Users at every level need to be trained to recognize risks, use safe behavior, and alert IT management to concerns. This CIS control is broken down into 9 safeguards – in this case user training categories. All but one of them are considered critical to any-sized business.

Control #15) Service Provider Management

Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.

Checklists abound to help a company evaluate the security practices of a critical vendor. This control focuses mostly on the need to develop a business practice of capturing and maintaining information about your service providers, not a detailed list of what to inspect.

At a minimum, all organizations should establish and maintain an inventory of service providers and update that information regularly. This applies to all vendors that hold sensitive data, but this is crucial for selecting your IT vendors. You might find this IT vendor selection guide helpful for future reference.

Control #16) Application Software Security 

Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

Smaller companies may not have in-house developed software. But for those that do, safeguards must be in place that address risks throughout the development, deployment and testing processes.

Control #17) Incident Response Management

Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

Like Control # 11, Incident Response Management pertains to the 3rd phase of your cybersecurity plan implementation. Protections will not be effective 100% of the time. This control provides guidance for how to not only recover so that operations can continue, but to: identify threats, respond to them before they spread, remediate them, and translate lessons learned into updated prevention schemes.

 Control #18) Penetration Testing 

Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker.

Companies with significant risks due to the volume or nature of the information they manage, prestige of their brand, or other factors that make them prime targets for attackers should perform periodic penetration testing. Regular execution of such tests will help identify gaps and arm internal training programs with valuable examples of proper or improper conduct.

Cybersecurity Planning Next Steps

Rolling out a cutting edge cybersecurity plan is a process. It begins with a thorough understanding of your environment. In our experience, not only will diligent pursuit of the first phase result in a longer list of assets than expected, it will reveal devices, applications, or data that should not be there.

The heart of a cybersecurity plan is protecting assets.

Next, the heart of a cybersecurity plan is, of course, protecting those assets as outlined in this post. But that’s not the end of the story! Absolute protection is not cost-effective or even feasible. It’s imperative that your technology, processes, and people also prepare for quickly recovering from a cybersecurity incident. We’ll cover that topic in our next post, including methods for learning and adapting.

Depend on an experienced vendor that is well versed in these controls and skilled at adapting them to unique business circumstances. Your business has evolved in an exclusive and organic way. It needs a comprehensive security plan tailored to your infrastructure, budget and goals.

The best way to get started is to schedule a cybersecurity consultation, which you can do here.

Asset protection, or moreso cybersecurity overall, is a large, complex and dynamic discipline. The CIS Controls document provides excellent guidance, but it is not a paint-by-numbers solution. So keep exploring. Talk to companies with a proven track record for successfully building and maintaining IT security systems.

* The 18 controls developed and published by CIS are updated regularly and available for free on the organization’s website.