In my last paper I went over the reasons why conducting a Center for Internet Security (CIS) controls assessment is a good way to build a roadmap for establishing a solid information security program at your organization. This week I’m going to discuss how a CIS controls assessment is conducted, the control categories that make up the current CIS Critical Security Controls (version 8) and the results that you can expect to get from the assessment.

The first step in conducting a CIS controls assessment is determining which CIS implementation group (IG1, IG2 or IG3) your organization should aspire to achieve. For simple organizations that do not have a complex network, and that do not hold sensitive private or regulated data, IG1 may be appropriate. However, for most commercial businesses, implementation groups IG2 and IG3 are recommended. These higher levels of controls offer higher safeguards for private/regulated data and help the organization resist focused cyber-attacks such as ransomware. At this time, the organization also determines the amount of time they wish to allow for reaching their aspirational security goals. This can vary from one organization to the next, but a typical time frame for full implementation is three years.

The next step in the process involves interviewing knowledgeable persons in the organization in order to compare the CIS V8 controls to your current information security measures. The interviewer will question your personnel about each security control and rate your organization’s compliance as:

• Steady-state operational: these are controls that are already being used by the organization and that are included in written policies and procedures. To assure that these controls are in place, the assessor will ask for proofs such as screen shots or records.
• Ad-hoc: these are controls that the organization does employ at least somewhat, but that are not documented or applied systematically.
• Non-existent: these, obviously, are controls that the organization does not employ at all.
• Non-applicable: these are controls that are recommended by the standard, but do not apply to the technology stack or processes that are in use in the organization.

This interview process will probably take 2 or more sessions to complete as there are currently 18 control categories in version 8 of the controls. These include:

1. Inventory and control of enterprise assets
2. Inventory and control of software assets
3. Data protection
4. Secure configuration of enterprise assets and software
5. Account management
6. Access control management
7. Continuous vulnerability management
8. Audit log management
9. Email and web browser protections
10. Malware defenses
11. Data recovery
12. Network infrastructure management
13. Network monitoring and defense
14. Security awareness and skills training
15. Service provider management
16. Application software security
17. Incident response management
18. Penetration testing

In the next step of the process, the assessors will perform written gap analyses of both the baseline security controls (IG1) and the aspirational security controls (IG2 & IG3). These gap analyses will detail percentages of controls that are compliant, ad-hoc, non-existent and NA, and detail the levels of risk that these gaps pose to the organization.

Finally, the assessors will document a detailed roadmap for closing the gaps found during the assessment and meeting the control goals of the organization. This roadmap is typically split into several phases. With a three-year overall timeframe for achieving aspirational goals, these phases will include immediate goals (3-6 months), short-term goals, (6-12 months), intermediate goals (13-24 months) and long-term goals (25-36 months).

These roadmaps are quite detailed. They list the recommended controls to be implemented during each time period. They also list the estimated technical complexity, political complexity and financial cost of implementing each control rated as high, medium or low. Other implementation guidance is also listed for each control as necessary.

As can be seen from this overview, conducting a CIS security controls assessment will provide your organization with a clear understanding of where you are now, where you need to be in the future and what you need to do to reach your security goals. This will bring an end to much of the confusion and frustration entailed in implementing an information security program. It will also give your organization the comfort of knowing that you are working with cutting edge information security controls that give you the most bang for your buck!

No matter what size business or organization you have, in today’s world, the ever-increasing cyber-menace we face affects all of us. To keep our heads above water, all concerns need to have at least a basic documented and monitored information security program in place. For small and medium concerns, how to accomplish this necessary task without breaking the bank can be a truly frustrating and confusing task to undertake.

For one thing, your concern has different information security needs depending on what type of organization you have. Is your network simple or complex? Do you hold or process regulated data such as personal private information, personal health information or financial information? Could compromise of your organization provide a portal for cyber-attackers to gain access to other organizations?

Another point of confusion is provided by the disparate security service organizations, security devices and security applications that are available. How do you know which of these you may need, and how do you pick between the varying offerings? What is the learning curve involved, and will you need extra personnel to handle the increased load? These are all questions that can be very difficult to get a handle on let alone answer decisively.

To help cut the confusion and avoid unnecessary frustration, it seems to me what is needed is a clear path to follow to your security goal. That means finding out where you are now, constructing a roadmap of what needs accomplishing and building a timeline for reaching each step in the process. This is where a Center for Internet Security (CIS) Critical Security Controls assessment comes into play.

The CIS was formed in 2000 with the goal of “making the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.” To accomplish this goal, they publish a list of the most effective security controls available, which are arrived at through a consensus decision-making process of the cybersecurity community. These controls are constantly under scrutiny and are updated regularly. Currently, the CIS Security Controls are in version 8. In this version there are 18 safeguard categories, each with a varying number of individual information security controls to be implemented. These controls are further divided into three implementation groups (IG1, IG2 and IG3).

IG1 controls are those that provide “the basic cyber security hygiene that all organizations, regardless of size, complexity, and regulatory requirements should meet to resist basic attacks and breaches.”

IG2 controls are those at “the maturity level which is designed for distributed organizations with multiple sites, networks, and complex data structures but without regulatory concerns and a significant amount of sensitive data to protect…”

IG3Controls are at “the highest level of maturity, designed for complex environments with access to significant amounts of sensitive data who need to resist focused, well-resourced attacks.”

There are two basic factors that makes this type of information security controls paradigm most suitable for roadmapping the security needs of disparate organizations: The first factor is the effectiveness of the controls, especially when employed as a group. These are the controls that do the job and give your organization the most bang for your buck. The second factor is the granularity of the controls. The three implementation groups allow your concern to plan and implement your information security program in easy bites over a reasonable period of time.

In addition, knowing what you need to accomplish over a period of time allows your organization to choose how you want to implement your program with the end game in sight. This allows you to choose security service providers, devices and application wisely, avoiding unnecessary duplication and waste of resources. The fewer the number of these types of security assets you have, the easier they are to update and protect. This is in addition to the money savings you will incur.

In my next blog, I will describe what a CIS controls assessment entails and the different control categories that are included.

In my last paper I discussed the high level of risk that third-party service providers and vendors pose to organizations. If vendors have a connection to your internal network, or are trusted implicitly by organizational staff, they are a potential risk to private information and services at your business. Because of this danger, it is becoming increasingly important to conduct vendor risk assessments. In addition, vendor risk assessments will produce information valuable to increasing the accuracy of the organization’s business impact analysis. For small to medium size businesses, the goal is producing a useful vendor risk assessment without expending inordinate amounts of time and resources. I will outline below the basic methodology for conducting such a risk assessment.

The first step is formulating questionnaires for both internal employees and for the services providers being assessed. For the internal questionnaires, it is best to question application/vendor owners and subject matter experts. It is also valuable to have the input of IT and security personnel. Some of the information you may want to gain from this effort includes:

• What data and systems does the vendor have access to? How critical to the business are these systems and data? Is the data regulated or sensitive (i.e. PPI, PHI)?
• How does the vendor access these assets (i.e. via VPN, 2FA, simple user name/password)? Is access automatic or must it be enabled before access is granted? Is vendor access logged and monitored? Is there a shared access account used to communicate with the vendor, or is access individual to the employee?
• How critical is the availability of this vendor to business processes? Is the vendor really necessary (Are there other vendors used by the organization that provide similar services to other lines of business, and is it possible to a number of vendors with just one)?
• Has a review of vendor contracts and agreements been performed to see if they meet the organizations security policy and functional requirements?
• Are there periodic reviews of the vendor performed to check on their status in the industry (i.e. financial status, reputation)?

For the external questionnaires, the goal is to gain information about and from the vendor. This information can be gleaned from publicly available sources, user groups, the Better Business Bureau, or you can contact the vendor itself. Some of the information you may wish to collect includes:

• Does the vendor have a SOC 2, PCI DSS, ISO certification in place, or is there other evidence of a risk management program in place?
• Does the vendor support multi-factor authentication mechanisms such as hard tokens, Okta, etc.?
• Is the vendor financially sound?
• Does the vendor have a good reputation in the industry and among users of the vendor service or application?
• Does the vendor have a documented information security program in place that is compliant with the organization security program? Does the vendor perform logging and monitoring of their systems? Do they have an incident response program in place? Etc.
• Does the vendor have a history of security compromises or data breaches?

Once you have the information about the vendors you need, you can apply the regular risk assessment paradigm to them; what threats may menace the vendor, what impacts would the business suffer if the vendor were compromised, how likely is compromise of the vendor? From this you assign the vendor a risk rating, usually stated as high, medium or low.

After the risk ratings have been assigned to all of the organization’s vendors, the risk treatment process can be undertaken. For example:

• Should additional security controls be put in place around the vendor?
• Should a replacement be found for the vendor?
• Is there a way to avoid the risk posed by the vendor to the organization?
• Does the benefit derived from using the vendor outweigh the risk posed to the organization by the vendor?
• Can agreements with the vendor be renegotiated in order to meet the organization’s security and functionality needs?

Although this process is relatively simple, the organization can derive great benefit from undertaking it. In the present business climate, information security cannot be taken too seriously.

We all are a little overwhelmed by the complexity and difficulty of securing our private information against attackers such as cybercriminals and nefarious nation states. It seems that attacks come at us from all sides on a regular basis. One way we cope with this is to outsource our cybersecurity needs to third-party organizations that have staff who perform such services as network monitoring or security patching for a number of client organizations. Another way is to employ third-party security applications that provide such services as email security and data loss protection. We trade our money for their time and expertise.

And there is nothing wrong with that in a lot of ways. The people that form and work for these organizations are able to concentrate their efforts on specific aspects of information security, and often have a great depth of understanding of their particular subjects. Using them or their applications certainly will save you time and can also save you money. However, it is ironic that the very act of allowing such organizations and applications to connect to your networks is a great risk to your private information and systems in and of itself. So, in a way, by trying to simplify your risk management problems, you are actually increasing the attack surface available to cybercriminals, thereby making your cybersecurity problems even more complex and unwieldy.

A big problem is that, despite our best efforts, risk can never be totally eradicated; risk can only be lessened. This is the result of Order and Chaos and the very nature of reality. So even when a cyber-service provider is conscientious and diligent in their security efforts, they can still be compromised. And when they are, there is a good chance that their clients will be compromised as well. Unfortunately, no matter who was responsible for the compromise, you or your organization have the ultimate responsibility for the security of your own information or assets. This creates a no-win situation; you lose, your customers lose, and the service provider loses.

A current example of this is the LastPass hack that occurred sometime in August according to the company. Although details are sketchy, the latest information shows that the breach was massive and exposed encrypted password vaults as well as other user data. The company announced that hackers were able to copy a backup of customer vault data from the encrypted storage container. This means that these hackers have had months to try to guess the master passwords for these vaults. With time, cracking these passwords becomes more and more likely. This creates a huge hassle for clients who now have to change all their passwords and ensure that two-factor authentication is enabled wherever possible. It also has created a huge reputational hit for LastPass. Many information security professionals are even recommending that their clients dump LastPass.

So, what can we do to protect ourselves from the dangers of service provider compromise? The answer is that there is no perfect solution. The best thing we can do is be constantly aware of the situation and put no trust in our hope that the service providers we employ will not be compromised. We need to examine each service provider we use and ask ourselves if we really need the app or service. If we can get by without, then dump that provider. The less service providers we have, the smaller the attack surface we present to the outside world. We also need to do risk assessment of our current and prospective service providers to see how competent and stable they are, and to determine the impact we would experience if compromise did occur. In addition, we need to develop incident response procedures to help us minimize negative impacts that we can foresee, and practice our responses so that we are quick and competent if the incident occurs. Forewarned is forearmed!