CIS Critical Security Controls Version 7

CIS Controls Version 7.1, released in April 2019, was developed by the Center for Internet Security (CIS), which consists of a community of IT experts.

CIS Controls is a set of 20 prioritized controls, divided into three categories: basic, foundational and organizational. CIS also defines three Implementation Groups (IGs), which roughly correspond to these categories: IG1 covers the basic controls, IG2 adds the foundational controls to IG1, and IG3 adds the organizational controls to IG2.

The basic category consists of controls for the inventory and control of hardware assets, inventory and control of software assets, continuous vulnerability management, controlled use of administrative privileges, secure configuration for hardware and software on mobile devices, laptops, workstations and servers, and maintenance, monitoring and analysis of audit logs.

The foundational category has 10 controls: email and web browser protections, malware defenses, limitation and control of network ports, protocols and services, data recovery capabilities, secure configuration for network devices, boundary defense, data protection, controlled access based on the need to know, wireless access control, and account monitoring and control.

The organizational category includes controls for implementing a security awareness and training program, application software security, incident response and management, and penetration tests and red team exercises.

Together these controls form a net of best practices for mitigating common attacks against systems and networks. Organizations should implement the basic controls first, followed by the foundational and then the organizational controls. The basic controls are also referred to as "cyber hygiene," as they are the essential protections that must be in place to defend against common attacks. IG1 is recommended for small businesses, IG2 is suitable for regional organizations and IG3 is implemented by large corporations.

Each control has sub-controls with a description for each, and each control has the following elements:

  • Description explaining the criticality of the control.
  • Actions that the organization should take to implement the control.
  • Procedures and tools to enable implementation.
  • Entity relationship diagrams that show the components of implementation.

For example, control 5 is described below as given in the CIS V7.1 document.

CIS control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Establish, implement, and actively manage (track, report on, correct) the security configuration of mobile devices, laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.

As delivered by manufacturers and resellers, the default configurations for operating systems and applications are normally geared toward ease-of-deployment and ease-of-use – not security. Basic controls, open services and ports, default accounts or passwords, older (vulnerable) protocols, and pre-installation of unneeded software can be exploitable in their default state.

Developing configuration settings with good security properties is a complex task beyond the ability of individual users, requiring analysis of potentially hundreds or thousands of options in order to make good choices (the procedures and tools section below provides resources for secure configurations).

Even if a strong initial configuration is developed and installed, it must be continually managed to avoid security "decay" as software is updated or patched, new security vulnerabilities are reported, and configurations are "tweaked" to allow the installation of new software or to support new operational requirements.
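The configuration "decay" that control 5 warns about is easiest to catch with an automated comparison of each host against its approved baseline, which is what "track, report on, correct" amounts to in practice. The following Python script is an added example, not code from this page or from CIS: it parses a constructed key = value snapshot of a host, compares it against an assumed hardening baseline (the setting names, values and severity assignments are illustrative, not CIS Benchmark identifiers), and reports every deviation, ranking drift on open services, default credentials and remote root login highest. A baseline setting that is missing from the host is treated as drift, and settings the baseline does not cover are reported as informational so the baseline itself can be kept current.

```python
"""Configuration drift check: compare a host's live settings against a
hardening baseline and report deviations (added example, not CIS code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed hardening baseline for a Linux server. Setting names and values are
# illustrative, not identifiers from a CIS Benchmark.
BASELINE: Dict[str, str] = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "ssh.Protocol": "2",
    "telnet.enabled": "false",          # older (vulnerable) protocol
    "ftp.enabled": "false",             # open service that is not needed
    "accounts.default_admin_password_changed": "true",
}

# Drift on these settings is what an attacker would exploit first.
HIGH_SEVERITY = {
    "ssh.PermitRootLogin",
    "telnet.enabled",
    "ftp.enabled",
    "accounts.default_admin_password_changed",
}

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: Optional[str]   # None when the baseline does not cover the setting
    actual: Optional[str]     # None when the setting is missing from the host
    severity: str


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip().lower()
    return settings


def detect_drift(baseline: Dict[str, str], observed: Dict[str, str]) -> List[Finding]:
    """Return every deviation from the baseline, highest severity first.

    A baseline setting missing from the host counts as drift; a setting the
    baseline does not cover is reported as informational.
    """
    findings: List[Finding] = []
    for key, expected in baseline.items():
        actual = observed.get(key)
        if actual != expected:
            severity = "high" if key in HIGH_SEVERITY else "medium"
            findings.append(Finding(key, expected, actual, severity))
    for key in sorted(set(observed) - set(baseline)):
        findings.append(Finding(key, None, observed[key], "info"))
    # sorted() is stable, so findings of equal severity keep baseline order
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


def format_report(findings: List[Finding]) -> List[str]:
    """Render findings as one line each, suitable for a ticket or a log."""
    lines = []
    for f in findings:
        expected = f.expected if f.expected is not None else "(not in baseline)"
        actual = f.actual if f.actual is not None else "(missing)"
        lines.append(f"[{f.severity.upper():6}] {f.setting}: expected {expected}, found {actual}")
    return lines


# Constructed snapshot of a host that has drifted after a package install and
# a "temporary" administrative tweak. Not real data.
LIVE_SNAPSHOT = """
ssh.PermitRootLogin = yes               # re-enabled "temporarily" by an admin
ssh.PasswordAuthentication = no
ssh.Protocol = 2
telnet.enabled = false
ftp.enabled = true                      # pulled in by a new application package
accounts.default_admin_password_changed = true
backup.agent.enabled = true             # new setting the baseline does not cover
"""

if __name__ == "__main__":
    for line in format_report(detect_drift(BASELINE, parse_config(LIVE_SNAPSHOT))):
        print(line)
```

Run against the constructed snapshot, the script reports the re-enabled root login and the newly exposed FTP service as high-severity drift and the uncovered backup setting as informational. In a real deployment the baseline would be generated from the organization's hardened image or a CIS Benchmark, the snapshot would be collected by the configuration management tool, and any high-severity finding would open a change ticket rather than just print a line.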









