An Overview of the CIS 20 Controls

This article is the second in a series of walkthroughs for The Center for Internet Security’s 20 Critical Controls (CIS 20) as a framework for teaching principles of information security. 

The CIS 20 controls are prioritized to a degree; generally, organizations should focus on the lower numbers first, as these provide high Return on Investment (ROI) and lay the foundation for the later controls. The controls are divided into three groupings:

  • Basic (Controls 1-6)
  • Foundational (Controls 7-16)
  • Organizational (Controls 17-20)

Many organizations choose to assess and implement the CIS 20 in these groupings, establishing separate projects for each. If you choose to implement the CIS 20 in your environment, remember that no prioritization is absolute. You should seize opportunities to achieve high ROI when opportunities are uncovered, regardless of the numbering assigned to the finding.

What is CIS Control 1: Inventory and Control of Hardware Assets?

The first control, Inventory and Control of Hardware Assets, addresses two broad risks:

  1. The risk posed by not knowing where assets are when patching and other critical security maintenance is required (that’s the inventory part)
  2. The risks posed by unauthorized devices on the network (that’s the control part)

To hammer home why this control is important enough to be ranked #1, let’s step back to what we know to be true about cyber-attacks: most successful exploits take advantage of vulnerabilities for which patches are available. 

Definitions of some of the terms used above:

  • Vulnerability: This is a flaw in a piece of software (or firmware, which is like software baked into the computer hardware). The vulnerability is the opening that provides an opportunity for an attacker.
  • Exploit: This is the software tool that the attacker writes to take advantage of the vulnerability. Exploits give the attackers their initial access to the target machine.
  • Patch: Think of a patch as a vaccine; once you apply it, the vulnerability is gone, and any exploits written for that vulnerability won’t work.

Why is CIS Control 1: Inventory and Control of Hardware Assets Important?

So back to the fact that most successful exploits are against vulnerabilities for which patches are available. How is this possible? Because even though patches are available, they are often not deployed in a timely fashion (if at all). One reason software doesn’t get patched: the IT department doesn’t have an accurate record of where all the machines are (or what software is loaded, but we’ll save that thought for Control #2).

So what should you inventory on your network? Everything! Even if you find something that shouldn’t be there, you want to know about it. This sounds hard, and it isn’t easy, especially if you are starting from scratch. But there are many tools that can sniff the network and help you build your awareness. If you use a scanning tool to enumerate your network, you will undoubtedly find plenty of mysteries to investigate – and some of these investigations will almost certainly turn up things you don’t want on your network.

But who wants to be continuously playing whack-a-mole, hunting for rogue devices that have been plugged into your network by those who don’t know better (or don’t care)? Wouldn’t it be easier to somehow prevent them from connecting in the first place? It is easier, and it is possible. The process is called Network Access Control (NAC), because, well, it controls access to the network. 

You can’t prevent people from connecting rogue devices to open ports on the wall. However, you can prevent any rogue device from passing information through your network. There are a few ways to do this, but really it comes down to having your networking devices refuse to provide connectivity to any device that has not authenticated.

Another term definition if you’re unsure:

  • Authenticate: The process by which a computing device or software proves its identity to another computing device or software. The computing device between your ears authenticates every time you enter a password.

But what’s the big deal anyway? Why should we be concerned about unauthorized computers on the network? Because if it isn’t authorized, it also means that you aren’t maintaining it – which means it could have all sorts of nastiness, and that nastiness could spread through your network.

Not going to lie: Network Access Control isn’t easy to set up from scratch. It’s not particularly complicated, but there is a labor bill for your IT staff. But preventing unauthorized devices on your network is important – so important that the Center for Internet Security made it part of their #1 control.

How to Implement CIS Control 1: Inventory and Control of Hardware Assets

  • Use a tool to actively discover and monitor the devices connected to your network, and keep your hardware inventory up to date as new devices appear. An accurate picture of what is on the network makes it easier to identify threats.
  • Maintain an up-to-date inventory of all authorized devices on your network. This makes it easy to identify unauthorized devices and block them from your network before a breach can occur.
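The two steps above come together as a reconciliation: take what an active discovery scan found and compare it against the authorized inventory. The script below is an added example, not code from the article or from the Center for Internet Security. It assumes a plain-text scan result (MAC, IP, hostname per line) and a CSV-style asset register (MAC, owner, last patch date); both samples are constructed. It reports three things: discovered devices that are not in the register (the "control" risk), registered devices the scan did not find (inventory drift), and registered devices whose last patch date is older than a chosen threshold (the patching gap the article describes). The patch-age check is an assumption about what a useful register tracks, not something the control prescribes.

```python
"""Reconcile an active network discovery result against the authorized
hardware inventory. Added example, not from the original article."""
import re
from datetime import date, timedelta

# Constructed sample: what an active scan reported (MAC, IP, hostname).
# MAC formats are deliberately mixed, as real tools emit them inconsistently.
DISCOVERED = """\
00:1a:2b:3c:4d:01 10.0.10.11 ws-finance-01
00-1A-2B-3C-4D-02 10.0.10.12 ws-finance-02
00:1a:2b:3c:4d:09 10.0.10.47 -
aa:bb:cc:dd:ee:ff 10.0.10.200 raspberrypi
"""

# Constructed sample: the authorized asset register (MAC, owner, last_patched).
AUTHORIZED = """\
00:1a:2b:3c:4d:01,finance,2024-03-01
00:1a:2b:3c:4d:02,finance,2023-11-15
00:1a:2b:3c:4d:03,hr,2024-02-20
"""


def normalize_mac(raw: str) -> str:
    """Canonicalize a MAC so '00-1A-2B-...' and '00:1a:2b:...' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_discovered(text: str) -> dict:
    """Map normalized MAC -> {ip, host} from whitespace-separated scan lines."""
    seen = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, ip, host = line.split()
        seen[normalize_mac(mac)] = {"ip": ip, "host": host}
    return seen


def parse_inventory(text: str) -> dict:
    """Map normalized MAC -> {owner, last_patched} from the asset register."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mac, owner, patched = line.split(",")
        inventory[normalize_mac(mac)] = {
            "owner": owner,
            "last_patched": date.fromisoformat(patched),
        }
    return inventory


def reconcile(discovered: dict, inventory: dict, today: date,
              max_patch_age_days: int = 90) -> dict:
    """Compare scan results with the register and return the three findings."""
    # On the wire but not in the register: investigate or block (the control part).
    unauthorized = sorted(m for m in discovered if m not in inventory)
    # In the register but not seen: the inventory has drifted from reality.
    missing = sorted(m for m in inventory if m not in discovered)
    # Authorized and present, but not patched within the threshold (assumed policy).
    cutoff = today - timedelta(days=max_patch_age_days)
    stale = sorted(m for m in discovered
                   if m in inventory and inventory[m]["last_patched"] < cutoff)
    return {"unauthorized": unauthorized, "missing": missing, "stale": stale}


if __name__ == "__main__":
    findings = reconcile(parse_discovered(DISCOVERED),
                         parse_inventory(AUTHORIZED), date(2024, 3, 10))
    for category, macs in findings.items():
        print(f"{category}: {', '.join(macs) or 'none'}")
```

Run it on the embedded samples and it flags two unauthorized devices, one registered device the scan did not find, and one authorized workstation whose last patch is older than 90 days. Normalizing MAC addresses before comparison matters: without it, the second workstation would be reported as unauthorized purely because the scanner wrote its address with dashes and capitals.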
