CIS Critical Security Controls


Common Vulnerability Scoring System (CVSS)

A method to help identify and classify vulnerabilities so they can be patched before bad actors take advantage of them.

Continuous Vulnerability Management

Scans for software and firmware vulnerabilities and compares scans after fixes are applied to validate the processes for managing the environment.

3.4: Deploy Automated Operating System Patch Management Tools

Smaller organizations may do this through automated updating from manufacturers / vendors directly. (Applies to all Implementation Groups.)

3.5: Deploy Automated Software Patch Management Tools

Software applications, not just the OS, need to be updated.

NIST (ID.AM-2)

Software platforms and applications within the organization are inventoried.

2.2: Ensure Software is Supported by Vendor

Software that is end-of-support or end-of-life may have unmanaged vulnerabilities or may be impossible to fix in the event of failure.

2.10: Physically or Logically Segregate High-Risk Applications

Split out high-risk / high-value systems to make them harder to gain access to.

Which 3 sub controls (control 1) map to NIST (DE.CM-7)?

1.1: Utilize an Active Discovery Tool
1.2: Utilize a Passive Discovery Tool
1.3: Use DHCP Logging to Update an Asset Repository

What sub control 1 maps to NIST (ID.AM-1)?

1.4: Maintain a Detailed Asset Inventory

Which 3 sub controls (control 1) map to NIST (PR.DS-3)?

1.4: Maintain a Detailed Asset Inventory
1.5: Maintain Asset Inventory Information
1.6: Address Unauthorized Assets

What sub control (control 1) maps to NIST (PR.AC-1)?

1.7: Deploy Port Level Access Controls

What sub control (control 1) maps to NIST (PR.AC-6)?

1.8: Use Client Certificates to Authenticate Hardware Assets

Which CIS sub control does NOT map across to the NIST Cybersecurity Framework?

2.10 has no direct equivalent. NIST mentions physical access controls but not separation due to risk/value.

Which 4 Control 2 sub controls map to NIST (ID.AM-2)?

2.1: Maintain an Inventory of Authorized Software
2.2: Ensure Software is Supported by Vendor
2.4: Track Software Inventory Information
2.5: Integrate Hardware and Software Inventories

Which 5 Control 2 sub controls map to NIST (DE.CM-7)?

2.3: Utilize Software Inventory Tools
2.6: Address Unapproved Software
2.7: Utilize Application Whitelisting
2.8: Implement Application Whitelisting of Libraries
2.9: Implement Application Whitelisting of Scripts

What sub control (control 2) maps to NIST (ID.AM-1)?

2.5: Integrate Hardware and Software Inventories

Which 3 Control 2 sub controls map to NIST (PR.DS-6)?

2.7: Utilize Application Whitelisting
2.8: Implement Application Whitelisting of Libraries
2.9: Implement Application Whitelisting of Scripts

Which Control 3 sub control maps to NIST (ID.RA-1)?

3.1: Run Automated Vulnerability Scanning Tools

Which Control 3 sub controls map to NIST (DE.CM-8)?

3.1: Run Automated Vulnerability Scanning Tools
3.2: Perform Authenticated Vulnerability Scans

Which Control 3 sub control maps to the NIST (RS.MI-3)?

3.7: Utilize a Risk Rating Process

1.8: Use Client Certificates to Authenticate Hardware Assets

After access is granted at the port level, or for wireless devices, use certificates to authenticate the devices themselves.

3.7: Utilize a Risk Rating Process

Allows decisions about a vulnerability to be made based on what may happen to the specific organization. Recommended for Implementation Groups 2 and 3 but equally worthwhile for Group 1 organizations.

2.1: Maintain Inventory of Authorized Software

Allows an organization to identify what software is installed in the environment.

2.5: Integrate Hardware and Software Inventories

Allows you to locate the asset that a particular piece of software is installed on.

1.4: Maintain a Detailed Asset Inventory

Applied by all Implementation Groups to understand what is on the network.

NIST (ID.RA-1)

Asset vulnerabilities are identified and documented.

CIS Control 3:

Continuous Vulnerability Management

1.5: Maintain Asset Inventory Information

Once an asset is discovered, maintain the information about it over the life of the asset.

2.9: Implement Application Whitelisting of Scripts

Only allow authorized (such as digitally signed) scripts to run in the environment.

3.3: Protect Dedicated Assessment Accounts

Ensure accounts used to assess vulnerabilities have adequate controls, and limit their use to scanning only.

2.7: Utilize Application Whitelisting

Ensure only authorized software can be installed and used.

3.6: Compare Back to Back Vulnerability Scans

Ensure patches are being applied in the environment. (Applies to IG2 and IG3.)

2.8: Implement Application Whitelisting of Libraries

Ensure that only approved application libraries can be built into software packages or run within system processes.

1.6: Address Unauthorized Assets

Ensure you have an approach for handling unauthorized assets, such as quarantine and removal. Feed discovery and remediation back into the asset inventory.

True or False: All controls provide a 1-to-1 match with the NIST CSF.

False; not all controls do.

1.7: Deploy Port Level Access Controls

Follow the 802.1X standard to control which devices are allowed to physically plug into, and then access, the network.

3.2: Perform Authenticated Vulnerability Scanning

Gain deeper insights by having the scanned systems trust the scanning source.

What does Control 2 help us understand?

Our software and any associated risks; inventory and control of software assets; what software we have and why we need it; and what software we need to allow or disallow.

2.6: Address Unapproved Software

Identify what to do with software that is not approved and update inventories to reflect the change implemented.

NIST (PR.AC-1)

Identities and credentials are issued, managed, verified, revoked and audited for authorized devices, users and processes.

NIST (PR.AC-6)

Identities are proofed and bound to credentials and asserted in transactions.

IG1

Implementation Group 1: small to medium organizations, less sensitive data held, limited IT capability, and a focus on business operations.

IG2

Implementation Group 2: medium to enterprise organizations, dedicated IT teams, limited dedicated security teams, some sensitive data, and a cybersecurity focus on maintaining public confidence.

IG3

Implementation Group 3: enterprise organizations in regulated industries, with dedicated cyber teams, that tend to suffer targeted attacks.

NIST (PR.DS-6)

Integrity checking mechanisms are used to verify software, firmware and information integrity.

CIS Control 1:

Inventory and Control of Hardware Assets

CIS Control 2:

Inventory and Control of Software Assets

1.2: Utilize a Passive Discovery Tool

Passive tools will listen for traffic on a network to identify devices.

NIST (PR.DS-3)

Physical assets are formally managed throughout removal, transfers and disposition.

NIST (ID.AM-1)

Physical devices and systems within the org are inventoried.

NIST (DE.CM-7)

Monitoring for unauthorized personnel, connections, devices and software is performed.

NIST (RS.MI-3)

Newly identified vulnerabilities are mitigated or documented as accepted risks.

3.1: Run Automated Vulnerability Scanning Tools

Run scans to find vulnerabilities.

1.3: Use DHCP Logging to Update Asset Inventory

This enables automated capture of devices that join the network.

1.1: Utilize an Active Discovery Tool

Tool will perform active discovery such as ping sweeps or subnet scanning to find devices.

2.4: Track Software Inventory Information

Track key data such as software version, installer, and patch level.

NIST (DE.CM-8)

Vulnerability scans are performed.

2.3: Utilize Software Inventory Tools

You need a tool to inventory installed software; the overhead of doing it manually is likely to be too great.

