The CIS Controls, earlier known as the Critical Security Controls, are an established set of measures that provide actionable methods to curtail or stop today's most prevalent and damaging attacks.
The latest version, CIS Controls v8, introduces several notable updates to keep pace with the fast-changing cybersecurity infrastructure and threat landscape.
CIS Controls v8 has been revised so that it fits modern systems and software. The major shift towards cloud-based computing, virtualization, mobility and working from home were the key reasons that prompted this update.
This version also underpins an enterprise's security as it moves to full cloud and hybrid environments.
The updated controls are organized by task and activity rather than by who controls the devices. Physical devices, fixed boundaries and distinct islands of security implementation now carry less significance.
These characteristics are evident in v8 through revised terminology and the arrangement of safeguards, which has reduced the number of controls from 20 to 18.
Changes in terminology and numbering
The 18 controls, as stated above, consist of 153 'safeguards', previously known as 'sub-controls'. The former version, by contrast, had 171 sub-controls.
In addition, the controls, formerly known as the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls, are now officially termed the CIS Controls.
Each safeguard asks for one thing at a time. This communicates each requirement more directly and makes the whole set considerably easier to understand.
Every safeguard concentrates on actions that can be measured and incorporates those measurements into the overall process. The result is simpler language that avoids duplication.
Implementation Group 1 (IG1) is the definition of "basic cyber hygiene": the emerging minimum standard of information security for all enterprises.
IG1 can be regarded as the foundational set of cyber defense safeguards that every organization should implement to shield itself from potential cyber-attacks, particularly the most common ones.
IG2 and IG3 build on the previous groups, whereas IG1 is the on-ramp to the controls.
The updated version also aligns with and draws attention to existing independent standards and security recommendations wherever they exist.
SAFECode was an important contributor to the Application Software Security control.
The goals of CIS Controls v8 are as follows:
There is no general mandate that obliges compliance with the CIS Controls. However, many individual companies, states and local government bodies have adopted CIS Controls compliance at various levels and track that compliance regularly.
The CIS Controls are, without a doubt, an excellent way to adopt industry best practices for data security and a good starting point for the other compliance efforts your organization may face.
By Hira Saleem