Understanding CIS Control 1

To celebrate National Cyber Security Awareness Month, CIS will kick off each week in October with a deep dive into one of the top 5 CIS Controls.

This week, we’re focusing on CIS Control 1: Inventory of Authorized and Unauthorized Devices. More specifically: “Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.” [1]

Put simply, it’s impossible to protect devices you don’t know about. Because the CIS Controls are a prioritized set of actions for improving cybersecurity posture, Control 1 is essential – and the first step to take when implementing a cybersecurity program. Your inventory should include any device with an IP address, such as printers, Voice Over IP phones and laptops. All devices should be identified whether they are connected to the network or not. Older laptops that have been taken off the network could have been previously infected and will need to be updated.

According to Chad Wilson, the Director of Information Security at Children’s National Medical Center in Washington D.C., you need the mentality that “‘if you can’t see it, you can’t protect it’; if companies aren’t sure where data is and which systems are used to access it, then they’re likely putting its users’ trust in limbo.” [2]

Achieving CIS Control 1

How can an organization successfully apply Control 1? There are three key steps:

  • identify all devices
  • document the inventory
  • keep the inventory current

This can be a major effort, especially for large organizations with a high number of devices. Automate the process where possible. There are large-scale enterprise products that can help with asset inventory, but smaller organizations might benefit from more modest tools that gather data by sweeping the network. In addition to active scanning tools that sweep the network, other tools passively listen on networks for devices sending traffic. While identifying network devices, keep in mind that the environment is highly dynamic due to wireless devices and virtual private networks (VPNs) that may connect and disconnect frequently. Tools can also retrieve media access control (MAC) addresses and other information from connecting devices that can be reconciled with your organization’s asset inventory. Once MAC addresses are confirmed, switches should be configured to only allow authorized systems to connect to the network.

Once your devices are identified, document the list. At a minimum, your inventory should include the name of the device, its IP address, and whether or not it is portable. Asset owners need to be documented and updated whenever there is a change in ownership. You may need to implement additional organizational policies and procedures, such as employee agreements for devices they receive. If your devices have serial numbers, add those to the list – these numbers can identify your organization’s unique items if you need customer support or in case of theft. This inventory list will also be helpful for companies implementing a business continuity plan (BCP).

As with all CIS Controls, device inventory isn’t a one-time check. You’ll need to make sure your inventory of devices – both those your organization owns and those connected to your networks – stays up-to-date.
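
The reconciliation step described above, sketched as an added example (not CIS code): MAC addresses reported by a sweep or passive listener are compared with the documented inventory, and the result lists devices with no record, devices at a new IP address, devices not seen, and records missing an owner. The CSV layout, device names, addresses and function names are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed inventory: name, IP and portability are the minimum fields the
# article names; owner, serial and MAC are the additional fields it describes.
INVENTORY_CSV = """name,ip,mac,portable,owner,serial
hr-printer-01,192.0.2.20,00:00:5e:00:53:01,no,facilities,PRN-0001
voip-frontdesk,192.0.2.31,00-00-5E-00-53-02,no,reception,
laptop-jdoe,192.0.2.57,0000.5e00.5303,yes,,LT-0002
"""

# Constructed (ip, mac) pairs, standing in for active sweep or passive listener output.
DISCOVERED = [
    ("192.0.2.20", "00:00:5E:00:53:01"),  # matches the inventory
    ("192.0.2.99", "00:00:5e:00:53:03"),  # known laptop at a new address
    ("192.0.2.77", "00:00:5e:00:53:aa"),  # no inventory record
]

def normalize_mac(mac):
    """Reduce colon, hyphen and dotted notations to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def load_inventory(text):
    """Index inventory rows by normalized MAC address."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def reconcile(inventory, discovered):
    """Compare discovered devices with the inventory and list what needs follow-up."""
    seen = {normalize_mac(mac): ip for ip, mac in discovered}
    known = {mac: ip for mac, ip in seen.items() if mac in inventory}
    return {
        "unauthorized": sorted(ip for mac, ip in seen.items() if mac not in inventory),
        "ip_changed": sorted(inventory[m]["name"] for m, ip in known.items()
                             if inventory[m]["ip"] != ip),
        "not_seen": sorted(r["name"] for m, r in inventory.items() if m not in seen),
        "no_owner": sorted(r["name"] for r in inventory.values() if not r["owner"]),
    }

if __name__ == "__main__":
    for finding, items in reconcile(load_inventory(INVENTORY_CSV), DISCOVERED).items():
        print(f"{finding}: {', '.join(items) or 'none'}")
```

A MAC address is reported by the device itself, so a match confirms that an inventory record exists rather than proving which device is connected.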

Ready to get started? Check out these resources:

[1] CIS Critical Security Controls for Effective Cyber Defense, Version 6.1
[2] https://threatpost.com/ftc-panel-encourages-basic-security-hygiene-to-counter-ransomware/120421/