Getting a Grip on Basic Cyber Hygiene with the CIS Critical Security Controls

Article By: Autum Pylant, CIS Senior Product Communications Specialist

We know that good “hygiene” is conducive to good health and cleanliness. And, if you’re reading this blog it’s safe to say that you’re familiar with the term “cyber” as it relates to computers and information technology (IT). Combine the two, throw in the word “basic,” and voila! You’ve got basic cyber hygiene. But, what exactly does that mean?

Similar to “regular” hygiene, which is a set of minimum standards that experts (like the CDC) publish and that we follow (wash your hands, cover your mouth, wear face masks, etc.), basic cyber hygiene is a minimum set of cybersecurity standards set by a group of experts (the community formed by CIS, the Center for Internet Security) with the expectation that everyone can and should follow them.

Sounds simple enough, right? Well it is, and it isn’t.

Poor Cyber Hygiene Invites Risks

In regard to cyber defense, basic cyber hygiene, or a lack thereof, can mean the difference between a thwarted and a successful cyber-attack against your organization. In the latter case, the results can be catastrophic.

Almost all successful cyber-attacks take advantage of conditions that could reasonably be described as “poor cyber hygiene” – not patching, poor configuration management, keeping outdated solutions in place, etc. Inevitably, poor cyber hygiene invites risks and can put the overall resilience of an organization into jeopardy.

Not surprisingly, today’s security focus is on risk management: identifying risks and vulnerabilities, and eliminating and mitigating those risks where possible, to make sure your organization is adequately protected. The challenge here is that cybersecurity is often an afterthought. To improve a cybersecurity program, there needs to be a specific action plan that the entire cyber ecosystem of users, suppliers, and authorities (government, regulators, legal system, etc.) can understand and execute. That plan should have an emphasis on basic cyber hygiene and be backed up by implementation guidance, tools and services, and success measures.

The CIS Critical Security Controls (CIS Controls) do just that!

The CIS Controls: A Prioritized Path

The CIS Controls are independent, trusted, prescriptive, prioritized, and simplified cybersecurity best practices that provide a clear path to improve an organization’s cyber defense program. While most frameworks list all the things organizations should do to improve their security, the CIS Controls tell you what is critical to do and, more importantly, how to do it. They translate cyber threat information into action, giving enterprises an executable plan to defend themselves against the most common and important attacks.

But, what does this have to do with basic cyber hygiene? A lot, actually!

The CIS Controls are broken down into three Implementation Groups (IGs), each containing Safeguards that provide a prioritized path to gradually improve an organization’s cybersecurity posture. An organization can determine which IG it belongs to by looking at the sensitivity of the data it needs to protect and the resources it can dedicate to IT and cybersecurity.

Here’s the kicker – IG1 is the definition of basic cyber hygiene!

An Action Plan for Basic Cyber Hygiene

IG1 is a foundational set of cyber defense Safeguards that every enterprise (especially those with limited resources or expertise) should apply to guard against the most common attacks, and represents an emerging minimum standard of information security for all enterprises.

An action plan for basic cyber hygiene includes the Safeguards in IG1 and an accompanying campaign that has the following attributes:

  • Covers both organizational and personal behavior
  • Actions are specific and easily scalable
  • Effect on preventing, detecting, or responding to attacks can be stated
  • No detailed domain knowledge or execution of a complex risk management process is necessary to get started
  • Safeguards can be supported with a marketplace of tools for implementation and measurement
  • Actions provide an “on-ramp” to a more comprehensive security improvement program

IG1 (basic cyber hygiene) is the on-ramp to the Controls. IG2 builds upon IG1 and prescribes what has to be done for the more sensitive components of an organization, depending upon the services and information they handle. IG3 is the highest level of cyber hygiene and consists of the steps fully mature organizations take to protect the most sensitive parts of their missions.

Community Defense Model Brings Perspective

The CIS Community Defense Model (CDM) puts all three IGs into perspective, bringing more rigor, analytics, and transparency to the security recommendations found in the CIS Controls.

The CDM shows that the CIS Controls (IG1, IG2, and IG3) are effective at mitigating approximately 83% of the enterprise attack techniques in the MITRE ATT&CK Framework and, more specifically, 90% of the ransomware ATT&CK Techniques identified in the framework.

IG1 alone (yes, basic cyber hygiene again) provides mitigation against ransomware AND the top four attack patterns listed in the 2019 Verizon Data Breach Investigations Report (DBIR).

Brace yourself. It doesn’t stop there; basic cyber hygiene also mitigates 79% of malware ATT&CK Techniques and 100% of the Insider Privilege and Misuse ATT&CK Techniques.

Impressive, right?

Begin by Assessing

Assess where you are in your journey by checking out the CIS Controls IGs, and then use the free CIS Controls Self Assessment Tool (CIS CSAT) to conduct, track, and assess implementation of the CIS Controls.

Implementing all three IGs is CIS’s definition of an effective cybersecurity program…but that’s a topic for another day!

Using IG1 of the CIS Controls for your basic cyber hygiene needs is an effective way to improve your organization’s overall cybersecurity posture and health.