W H I T E PA P E R

A Definitive Guide
to Understanding
and Meeting the CIS
Critical Security Controls
The CIS Critical Security Controls are the industry
standard for good security. Are you up to par?
Introduction

Everyone in security has heard of the CIS Critical Security Controls, but not all understand exactly how to implement them.
The CIS controls supplement almost every other security framework, such as NIST, CSF, NIST 800.53, ISO 27001, PCI, and
HIPAA, and they’re a useful base for developing or assessing your security program. However, with lengthy documentation
and many methods out there for meeting them, implementing these controls can be a daunting project to embark on.
Because of this, Rapid7’s Advisory Services team, which specializes in security assessments for organizations, developed
this guide to explain each control in plain language and assess how it can be approached, evaluated, and implemented.

Understanding and Meeting the CIS Critical Security Controls 2

What are the CIS
Critical Security Controls?
The Center for Internet Security (CIS) Top 20 Critical Secu- As a subset of the Priority 1 items in the NIST Special Pub-
rity Controls (previously known as the SANS Top 20 Critical lication 800-53, these controls are also highly relevant and
Security Controls), is an industry-leading way to answer the complementary to many established frameworks.
question on every security practitioner’s mind: The Rapid7 Advisory Services team relies heavily on the
CIS Top 20 Critical Controls as a framework for security
program analysis because they are universally applicable
to information security and IT governance.

“How can I be prepared Correct implementation of all 20 of the controls greatly re-
to stop known attacks?” duces security risk, lowers operational costs, and improves
any organization’s defensive posture. However, as you likely
know, simply being compliant is not enough to entirely
mitigate attacks and protect your critical information. While
there’s no silver bullet for security, organizations can reduce
Developed by leading security experts from around the
their chances of compromise by moving from a compli-
world, these controls are not simply a list of best practices
ance-driven approach to a risk management approach
to implement, but rather a framework of real ideas and
focused on real-world effectiveness.
actions gathered from seasoned individuals and enterprises
to help everyone strengthen their security posture and stop
today’s most pervasive and dangerous threats.

The 20 critical controls are divided into three categories: Implementing the CIS
Basic, Foundational, and Organizational. Basic controls Top 20 Critical Security Controls
(1–6) should be implemented in every organization for es-
sential defense readiness. Foundational controls (7–16) are
is a great way to protect your
the next step up from basic controls, while the Organization- organization from some of
al controls (17–20) focus more on people and the most common attacks.
processes. Whether you’re just starting out or are looking
to build onto your existing security program, the CIS con-
trols transform best-in-class threat intelligence into priori-
tized and actionable ways to protect your organization.
This guide will help you better understand how to
approach and implement each of the key controls
The controls were designed in such a way so that they can
so you can go on to develop a best-in-class security pro-
scale across organizations of any size. Many organizations
gram for your organization.
use the CIS controls as the foundation of their entire securi-
ty strategy. The sequence of controls allows you to follow a
logical path of building your foundation while you gradually
improve your security posture and reduce your exposure to
risk.

Understanding and Meeting the CIS Critical Security Controls 3

TA B L E O F CO N T E N T S

Basic 5

CONTROL 1: Inventory and Control of Hardware Assets Page 5

CONTROL 2: Inventory and Control of Software Assets Page 6

CONTROL 3: Continuous Vulnerability Management Page 7

CONTROL 4: Controlled Use of Administrative Privileges Page 8

CONTROL 5: Secure Configuration for Hardware and Software on

Mobile Devices, Laptops, Workstations, and Servers Page 9

CONTROL 6: Maintenance, Monitoring, and Analysis of Audit Logs Page 10

Foundational 11

CONTROL 7: Email and Web Browser Protections Page 11

CONTROL 8: Malware Defenses Page 12

CONTROL 9: Limitation and Control of Ports, Protocols, and Services Page 13

CONTROL 10: Data Recovery Capabilities Page 14

CONTROL 11: Secure Configuration for Network Devices

Such as Firewalls, Routers, and Switches Page 15

CONTROL 12: Boundary Defense Page 16

CONTROL 13: Data Protection Page 17

CONTROL 14: Controlled Access Based on the Need to Know Page 18

CONTROL 15: Wireless Access Control Page 19

CONTROL 16: Account Monitoring and Control Page 20

Organizational 21

CONTROL 17: Implement a Security Awareness and Training Program Page 21

CONTROL 18: Application Software Security Page 22

CONTROL 19: Incident Response and Management Page 23

CONTROL 20: Penetration Tests and Red Team Exercises Page 24

Understanding and Meeting the CIS Critical Security Controls 4

 BASIC

Control 1
Inventory and Control of Hardware Assets

The theme of this first control is fairly simple: You can’t Implementation of Dynamic Host Configuration Protocol
protect what you don’t know is there. This means you need (DHCP) logging and management. will effectively address
the ability to see what is on your network, know which sys- several sections of Critical Control 1. For organizations with
tems belong to whom, and use this information to prevent a security information and event management (SIEM)
unauthorized users from connecting to your network. This solution or centralized audit repository, ingested DHCP
control is split into eight focused sections relating to net- logs can allow correlation with other security and network
work access control, automation, and events. Correlating the logs against additional system infor-
asset management. mation from tools like SCCM or event monitoring services
can also assist with inventory tracking and automated
With the ability to actively manage all hardware devices on inventory management, which leads to added benefits on
your network, you can ensure only authorized devices have the financial and operations side of the shop.
access and unauthorized ones are found and prevented If you don’t use SCCM, most agent-based system discovery
from gaining access. This requires being able to inventory, and configuration management can still address this con-
track, and correct asset permissions. Implementing inven- trol and other governance requirements.
tory control is likely the least glamorous part of a security
program, but because it serves as the foundation for many Though these tools often require time and effort to deploy,
other controls, it can reduce insider-threat and the cost benefit is significant, as it allows smaller IT teams
loss risks, clean up the IT environment, and improve the to quickly have a major impact on their network.
other CIS Critical Security Controls.

How to implement it How Rapid7 can help

Successful implementation often requires bridging existing The following Rapid7 solutions enhance an organization’s
system inventory or configuration management services ability to discover and identify devices as they connect
with device-based network access control. The inventory to corporate assets via the network, email services, or
management portion is usually based on software or end- cloud applications:
point management services such as the Microsoft System
Center Configuration Manager (SCCM), while access control • InsightVM • InsightIDR
can leverage existing network technology • InsightOps • Advisory Services
to limit device access to networks.
Rapid7 Global Services will evaluate and document the gaps
in your asset discovery process to make recommendations
for improving your inventory capabilities.

Understanding and Meeting the CIS Critical Security Controls 5

 BASIC

Control 2
Inventory and Control of Software Assets

Like Control 1, this one addresses the need for awareness Beyond limiting administrator and installation rights and
of what software is running on your systems and network, blacklisting, you should also set up some form of integrity
as well as finding any unauthorized and unmanaged soft- checking and management. In most cases, this is possible
ware and preventing it from being installed or executed. using only OS-based tools, and Microsoft includes integ-
Inventory knowledge and control is an essential security rity management tools in Windows 10. OS-level integrity
need, and when done correctly, it improves the detection management tools typically rely on limiting installation
and response aspects of any security program. Because based on a list of trusted actors (installers, sources, etc.)
of this, CIS places these controls in the “Top 2” in the same In more comprehensive cases (such as in some endpoint
way that the NIST Cybersecurity Framework addresses protection services), there are heuristic and behavior-based
them as “Priority 1” controls on the 800-53 framework. tools that monitor critical application libraries and paths for
change. Because integrity management is intrinsically tied
to malware prevention and data protection, implementing
How to implement it this section of the control actually assists with:

To start, Local Administrator access and install rights

should not be granted for most users. This limitation • Control 7: Email and Web Browser Protections
also assists with other critical controls that deal with
access and authentication.
• Control 8: Malware Defenses
• Control 13: Data Protection
Once installation rights have been limited, any whitelisting
or blacklisting of processes should be done in stages, typi- Getting your inventory in order will also cut down on the
cally starting with a list of unauthorized applications amount of work needed when an incident arises and will
(a “denylist” or “blacklist”) and finishing with a list of autho- make policy development and enforcement far easier.
rized applications that comprise the whitelist.
This can be rolled out as an authorized software policy
first, then followed up with scanning, removal, and central
inventory control. Successful implementations of software
How Rapid7 can help
inventory control often focus on bridging system configu-
The following Rapid7 solutions are built to automatically
ration management services and software blacklisting and
scan systems and catalog the running applications to
whitelisting. The inventory management portion is usually check them for known vulnerabilities, known malware,
based on software inventory tools or endpoint management and other potential risks:
services such as SCCM,
FootPrints, or GPO and local policy controls on Windows. • InsightVM • InsightIDR
• InsightOps • Advisory Services

Understanding and Meeting the CIS Critical Security Controls 6

 BASIC

Control 3
Continuous Vulnerability Management

Understanding and managing vulnerabilities is a continuous You then need to understand how vulnerabilities could
activity that requires dedicated time, attention, and resources. affect your organization. This control states that there must
Failing to proactively scan for vulnerabilities and address be a process to risk-rate a vulnerability based on exploit-
discovered flaws means there is a high likelihood an organi- ability and potential impact, then use that as guidance for
zation’s systems will become compromised. prioritizing remediation. However, what it doesn’t spell out is
what this process looks like. Here
This control offers guidelines for: are three important factors to consider:

• Performing vulnerability scans 1. Threat level: What is the importance of the

• Monitoring and correlating logs asset in terms of the data it hosts and its expo-
sure level?
• Staying on top of new and emerging
vulnerabilities and exposures
2. Risk of compromise: What is the likelihood that
• Implementing remediation the vulnerability could compromise this system?
• Establishing a process to assign risk
ratings to vulnerabilities
3. Impact of compromise: If a particular vulnerabili-
ty is exploited, how will it affect
How to implement it the confidentiality, integrity, and availability
of the system and its data?
To begin meeting this control, you need to adopt scanning.
CIS states that vulnerability scanning should occur weekly,
but that is not always possible due to various circum- This rating system can help you determine the order in
stances and may depend more so on how mature your which to proceed with remediation. To ensure patches are
organization is from a security standpoint. It is important to being applied across all systems within the organization,
have both an internal and external scan — internally facing it is recommended to deploy and use an automated patch
machines should only have authenticated scans performed management tool and software update tool. However, tools
on them, and outward-facing devices should have both are not enough to ensure patches are fully and correctly
authenticated and unauthenticated scans performed. applied. Vulnerability scans that occur after remediation
should be analyzed to check that vulnerabilities that were
Next, all scanning activities must be logged, monitored, and supposed to be remediated are no longer showing up on
stored. Your security team must be able to see these events the report.
are being generated and then match them to scan logs in
order to determine whether the exploit was used against a
target known to be vulnerable instead of being part of an
actual attack. Scan logs and alerts should be generated How Rapid7 can help
and stored to track when and where administrative creden-
The following Rapid7 solutions enable continuous data
tials were being used. This way, you can determine that the
collection from all systems through scanning, integrations,
credentials are only being used during scans on approved
and endpoint agents and simplify remediation workflows in
devices and only within approved timeframes. the language of the IT team responsible:

• InsightVM • InsightAppSec
• Advisory Services

Understanding and Meeting the CIS Critical Security Controls 7

 BASIC

Control 4
Controlled Use of Administrative Privileges

This control can be contentious and is often disliked The conversation

by system admins and users alike. However, it can
The conversation with your users may be painful, so here are
have a large impact on risk because it has to do with admin-
a few pointers. Start by saying, “We’re reducing/controlling
istrative access.
risk by allowing you to use your privilege only for the tasks
that require it.” This conveys that privilege is not being taken
Two very common attacks rely on privilege to execute. away from them, but rather needs to be used more securely.
The first is when a privileged user is tricked into opening For executives who still demand it, point out that they are the
a malicious email attachment or downloading a malicious highest risk to the organization due to their status.
file from a website. The second is guessing or cracking an
administrator’s password to gain access to a target ma-
chine. To prevent these common attacks,
Technical details
administrative privilege should be heavily restricted To fully meet the requirements of this control, you’ll then
to only those users whose jobs and tasks require it. need to do the following:
Regular users should never require admin privileges
to conduct daily tasks — even system admins and superus-
ers do not require admin access 100% of
• Change all default passwords on all deployed devices
the time. • Use multifactor authentication for all
administrative access

Put another way, much of the effort spent implementing • Use long passwords (14 characters or more)
all the other CIS controls can be undone if administrative
access is not restricted. • Require system admins to have a normal account
and a privileged account

How to implement it • Configure systems to issue alerts on unsuccessful

logins to admin accounts

First, you will have to deal with the political issues of doing • As an advanced control, require that admin tasks
can only be performed on machines that are
this. Some users think they need admin access to install
software (hint: they don’t), some say they need it to do their air-gapped from the rest of the network and only con-
job, while others simply demand it. While admin rights are nect to systems they need to administer.
required to do some tasks, not all tasks call for them.
Reducing or controlling admin access is a change to the
Here’s an exercise that may be helpful: List the tasks an way things are being done, and fear of change is very pow-
admin user does on an average day, then mark each task erful. However, by reducing admin privilege and satisfying
that can be accomplished without admin privileges. Show the first three CIS Critical Security Controls, you can reduce
that list to the person responsible for managing risk in your the risks in your organization by 80% or more.
organization. Then, create a separate, normal user account
for admins and require them to use it for all normal tasks.
For other tasks, they can escalate into their admin account
and then de-escalate when complete. It’s an extra step, but How Rapid7 can help
it’s a secure one.
The following Rapid7 solutions monitor access controls
and baseline permitted access to systems in critical envi-
ronments to identify any suspicious change in
settings or behavior:

• Metasploit • InsightIDR • Advisory Services

Understanding and Meeting the CIS Critical Security Controls 8

 BASIC

Control 5
Secure Configuration for Hardware and Software on
Mobile Devices, Laptops, Workstations, and Servers
This control is about shrinking the attack surface by secur-
ing anything that connects to your network. Meeting the requirements of Control 5 also
Default configurations are normally geared toward requires addressing these five sub-controls:
ease-of-deployment, not security. This includes open
and running ports and services, default accounts or pass-
words, and pre-installed software, which are all exploitable 1. Document and standardize security configura-
in their default state. tions for authorized operating
systems and software.
How to implement it

To begin addressing this control, you first have to ask your- 2. Maintain secure images or templates
self what constitutes a secure configuration. As with most for all systems based on approved
questions in security, the answer is contextual and based configuration standards.
on your business rules. Approach this with a mindset of
starting as small as you can and gradually opening up your
3. Store master images and templates on securely
systems and applications until they are usable.
configured servers that are monitored 24/7.

This is great for new systems or those that have yet to

be deployed, but what about older systems? You likely 4. Deploy system configuration management tools
can’t just shut them down and work through this process. to automatically enforce and redeploy configura-
Still, you should seek to reduce the running services and tion settings to systems on a
ports, especially those that are known to be vulnerable routine basis.
and not in use.

Here are a few recommended configuration frameworks: 5. Leverage a Security Content Automation Proto-
col-compliant configuration monitoring system to
verify security configurations, log exceptions, and
• NIST 800-70 rev 3 send alerts when unauthorized changes occur.
• National Vulnerability Database (NVD)
• CIS Benchmarks The vulnerability management process is continuous, not
• Security Technical Implementation Guide (STIG) one and done. Changes to your configurations will occur as
systems and applications are patched and updated, new
software is introduced, or operational support changes.

How Rapid7 can help

The following Rapid7 products scan existing systems
and monitor activity across the modern environment to
identify misconfigurations and negative outcomes they
may have caused:

• InsightVM • InsightIDR
• Advisory Services

Understanding and Meeting the CIS Critical Security Controls 9

 BASIC

Control 6
Maintenance, Monitoring, and Analysis of Audit Logs

This control covers a variety of areas, including Network Wondering what log data you should be collecting? In a per-
Time Protocol (NTP) configuration, verbose logging of fect world where storage isn’t an issue, each of the following
traffic from network devices, best practices for leveraging would have security logs sent to the SIEM:
a SIEM for consolidated view and action points, and how
often reports need to be reviewed for anomalies. It also
runs alongside or directly connects to many other CIS Criti-
• Network gear: Switches, routers, firewalls, wireless con-
trollers, and their access points
cal Security Controls.
• Third-party security support platforms: Web proxy and
filtration, anti-malware solutions, endpoint security plat-
How to implement it forms (HBSS, EMET), identity management solutions,
and IDS/IPS
Implementation of this control ranges in complexity from
a quick win to full configuration. What’s your quick win? • Servers: Application, database, web, and file servers, as
well as domain controllers in a Windows environment
NTP. By leveraging the various NTP pools that are available
(such as those offered by the NTP Pool Project), your sys-
tems can check in to a single regionally available
• Workstations: Pretty much all security log files
server on your network. Because it has obtained its time
This list is by no means exhaustive, so here are a
from the NTP pool, you’ll be spared from hours of chasing
few references to refine what information to include
down information.
in log collections:

Full-scale implementation, on the other hand, requires re-

viewing log data and issuing alerts on any problems. • SANS Log Management Strategies
Most regulatory requirements state that logs should be re-
viewed “regularly” but remain vague on what this means. A
• NIST SP 800-92
good rule of thumb is to review your logs on a weekly basis • Malware Archeology
at the bare minimum. You’ll also have to define what critical
alerts look like, who should receive these, and how they
should be alerted in order to fine-tune your alerts.
How Rapid7 can help
SIEM manufacturers and managed service providers have
their predefined criteria, but you may have additional needs, The following Rapid7 solutions identify systems, ingest
so take the time to define your use cases to ensure alerts audit logs, and identify the anomalies and events of
are sent to the appropriate resources and for the appropri- interest for each organization as they occur:
ate level of concern to avoid alert fatigue.
• Metasploit • InsightIDR
• InsightOps • Advisory Services

Understanding and Meeting the CIS Critical Security Controls 10

 FOUNDATIONAL

Control 7
Email and Web Browser Protections

The biggest threat surface in any organization is its work- Configure all the things!
stations. This control helps you understand how to manage
There are a number of ways to handle browser configura-
this threat surface without limiting usability and covers
tion that can both enable your users and limit the risks from
topics such as browser and email client safety, which are
malicious code in websites (as well as any attachments that
critically important for low-level risk mitigation.
get through your ironclad email server). We typically recom-
mend disabling browser plugins and only running authorized
How to implement it scripting languages and any software that
hasn’t been reviewed by the security team.
Because this control touches on a number of IT functions,
it’s important to have the people who run the various impli- When implementing this control, follow this simple axiom:
cated systems on board when working with it.
Follow these steps:

Start with filtering

You need to make it simple
Successful implementations usually work from two
for the users, or they will
sides: the server/network side and the endpoint configura-
tion/application side. Networking and email find a way around it.
server teams should start by limiting how attachments are
handled and forwarded from the mail server to clients, and
should implement content filtering first. This is already set
up on many mail servers, but it’s worthwhile to ensure po-
Increasing complexity or the effort users have to put in of-
tentially malicious content is being filtered before it reaches
ten leads to privilege misuse or other workarounds to defeat
users’ inboxes.
the controls.

Implement SPF, or something similar

Implementing the Sender Policy Framework (SPF) at How Rapid7 can help
a DNS level and on mail servers can cut down on the
amount of spam and malicious traffic coming into the The following Rapid7 solutions analyze links received
system. SPF records and implementation should include through email, identify filtering services on both endpoints
receiver-side verification. Though a high-effort measure, and servers, and test out the effectiveness of all protections:
it’s extremely useful for SMTP traffic reduction, better
junk-mail sorting, and compatibility with other services. • InsightVM • Metasploit
• InsightIDR • Advisory Services

Understanding and Meeting the CIS Critical Security Controls 11

 FOUNDATIONAL

Control 8
Malware Defenses

This control requires protections at the system, network,

and organizational levels. It assesses infrastructure, IoT, Not only will this give you system-wide visibil-
mobile devices, and anything else that can be a target for ity, but it will also ensure you are not granting
malware — not just endpoints. Control 8 will significantly network access to devices that may be carrying
improve the type of incident response program you’re devel- malware. Aim for as much coverage as possible.
oping. As a bonus, any decent antivirus software still scans
for most malware signatures and malicious behavior, and
despite claims to the contrary, antivirus is not dead; it just 4. Enable the detection of OS-level malware, re-
grew up. movable media, installation, and tampering
Malware can show up anywhere, and removable
media is a major source of infection. Your antivi-
How to implement it rus policy should be able to scan
removable media before it’s allowed on
anything, as well as limit who can install soft-
Successful implementation of Control 8
ware. Removing root privileges also
requires following these five steps: reduces the risk of user-installed software, mal-
ware attacking critical system objects,
or exploiting access to admin rights.
1. Centralize, automate, and configure
Centralizing the management of antivirus
and anti-malware system logs can greatly accel- 5. Watch your edges
erate and simplify the incident detection process. Looking at inbound and outbound network
You probably already have a good start if you’re traffic from unusual IP addresses will also
using any centrally managed antivirus service and help with identifying malware patterns as they
managing your workstation and endpoint config- emerge and informing response activities. IDS
uration. and logging play a huge role here — specifically,
log session lengths, DNS requests, and traffic
patterns to look for access with Command
2. Log your incidents and track them over time and Control networks used by known malware.
Enterprise-level antivirus and anti-malware solu- Session length logging can also give hints about
tions usually have some form of logging facility, data exfiltration, and looking at things like failed
and this — in concert with other logs from fire- attempts to authenticate on services may also
walls, network instruments, and critical systems act as an attack indicator of a virus or worm.
— will give the security team a clear picture of
what’s going on inside the network.
Log both detection and response information
from your antivirus tool, and have a service to
monitor the number of infected and damaged How Rapid7 can help
machines to help you pinpoint where the
The following Rapid7 solutions detect both known
malware is.
malware and unknown suspicious software, in addition
to testing evasion techniques for malware defenses:
3. Anti-malware everything, always
• Metasploit • InsightIDR
Make it clear that everything on your network
needs to have an antivirus installed and that any- • Managed Services
thing that is run by your IT team should have an
antivirus client that reports back to you.

Understanding and Meeting the CIS Critical Security Controls 12

 FOUNDATIONAL

Control 9
Limitation and Control of Ports, Protocols, and Services

You can greatly reduce your attack surface by knowing

what is running on your network and eliminating extraneous setup should allow stakeholders to receive alerts
means of communication. Control 9 requires that all ports, so they know to investigate the activity and vali-
protocols, and services (PPS) in use within your infra- date its business purpose.
structure are defined, tracked, and controlled, and that any
corrections are made within a reasonable time frame. The
initial focus should be on critical assets but should evolve 4. Hit your external IP space by performing port
over time to encompass your entire infrastructure. scans against the entire range of external IPs
you have assigned — A number of organizations
only scan specific external IP addresses as part
Most off-the-shelf server software will come with instruc-
of their vulnerability management programs, and
tions on which ports are required to run the system and
there is always a chance that a host may have ac-
allow you to configure things like communications between
cidentally been placed in the external space. Find-
applications and databases. This can help with creating fire-
ing these hosts and moving them into a VLAN in
wall rules and ensuring your data protection program and
your internal private IP space is an important part
disaster recovery/business continuity plans are up-to-date.
of risk reduction.

How to implement it
5. Separate critical services on individual
host machines — While you may be leveraging
Successful implementation of Control 9 your domain controller for DHCP, you should not
requires following these six steps: include any other critical services on these boxes.
Physical segregation is ideal, but in complex
computing and operational environments, this
1. Perform a baseline port scan of the hardened may not be feasible. Regardless of segmentation,
system using your vulnerability scanner enhance the security of the hosts by locking them
You can also use other freely available applica- down to only the required services. In the case of
tions, such as port scanners and packet-captur- critical services such as DNS, DHCP, and data-
ing tools. Once the system is installed, perform base servers, ensure the attack landscape
another port scan and compare the results. is kept at a minimum and that attackers cannot
Anything required of the system that wasn’t gain access to multiple lines of advancement to
mentioned in the configuration and instructions the crown jewels.
should be made known at this time.

6. Use application firewalls and place them

2. Leverage host-based firewalls on your servers in front of any critical servers — This helps en-
Whitelists should be configured to only allow sure that only the appropriate traffic is permitted
communications between aspects of the systems to access the application.
(e.g., database connections or admin access
from specific IP spaces). Workstations can use
this technology, but other nonessential communi-
cations should be blacklisted. How Rapid7 can help
The following Rapid7 solutions track activity across
3. Perform port scans of your infrastructure ports and protocols, identify running services, and
to understand and control exposure test host-based firewalls for susceptibility to attack:
Developing a baseline should be one of the first
things you do. When a discrepancy is discovered • InsightVM • Metasploit
between the known and approved baseline, your • InsightIDR • Advisory Services

Understanding and Meeting the CIS Critical Security Controls 13

 FOUNDATIONAL

Control 10
Data Recovery Capabilities

Adversaries like to muddle in more than just configurations

and software — they can also alter data, potentially contam- Control 10 consists of four criteria:
inating the entire organization. Think about the data in your
systems and consider the cascading effects of large-scale
contamination, such as the loss of financial reports for a 1. Ensure each system is automatically backed
business or health records for a hospital. These types of up on at least a weekly basis, and more often
attacks have the potential to be catastrophic, especially for for systems storing sensitive information, so
those handling sensitive information such as PII or medical that in the event of malware infection,
records. restoration can be from a version that is
believed to predate the original infection.
According to CIS, the following is the key principle of All backup policies should be compliant
this control: with any regulatory or official requirements.

2. Perform a data restoration test on a regular

basis to ensure the backup is working properly.
“The processes and tools used to
properly back up critical information 3. Ensure backups are properly protected via physi-
with a proven methodology for cal security or encryption both at rest
timely recovery of it.” and in transit. This includes remote backups
and cloud services.

4. Ensure key systems have at least one backup

How to implement it destination that is not continuously addressable
through operating system calls. This will mitigate
There are several facets to implementation, but policies, the risk of attacks like ransomware.
processes, and tools related to backups and testing remain
central to this control.

Like many things in life, practice makes perfect — or at least

reduces the chance of a noteworthy problem or setback.
While data recovery procedures make up one small piece
of the larger security puzzle, well-rounded data recovery
procedures are vital.

How Rapid7 can help

Rapid7’s Advisory Services tailor to your organization’s in-
frastructure by recommending system backup technology
and, most importantly, helping to implement
a robust restoration testing process.

Understanding and Meeting the CIS Critical Security Controls 14

 FOUNDATIONAL

Control 11
Secure Configuration for Network Devices Such as Firewalls, Routers, and Switches

The goal of this control is to harden critical network

devices against compromise, as well as establish and main- 5. Security updates
tain visibility into both legitimate and malicious changes that Install the latest stable version of any security-re-
occur on them. lated updates on all network devices. The
days of considering attack surfaces only on your
outer boundaries are long gone. A mixture of
How to implement it high-availability configurations for failover, com-
bined with automation for both patching
Adherence to Control 11 requires and post-testing, can go a long way in moving
beyond this critical security maturity level.
the following:

6. Admin access
1. Baselining Network engineers should use a dedicated
Compare firewall, router, and switch configurations machine for all administrative tasks or tasks re-
against standard secure configurations defined quiring elevated access. This machine should be
for each type of network device. Security configu- isolated from the organization’s primary network
rations should be documented, reviewed, and ap- and not allowed internet access. It should never
proved by a change control board, and deviations be used for reading email, composing docu-
or updates should be documented ments, or surfing the web.
and approved.

7. Connectivity
2. Change management Manage the network infrastructure across network
New configuration rules that allow traffic to connections that are separated from the business
flow through network security devices such as use of that network, relying on separate VLANs or,
firewalls and network-based intrusion prevention preferably, on an entirely different physical con-
systems should be documented and recorded in a nectivity for management sessions for network
configuration management system with a specif- devices. The easiest and most predictable network
ic reason for each change, who is responsible for to start with is usually your network infrastructure
the business need, and the duration of the need. device administration connectivity, where at-
tackers often hide and attempt lateral movement
through your environment.
3. Change detection
Use automated tools to verify standard
device configurations and detect changes.
All alterations to such files should be logged
and automatically reported. How Rapid7 can help
The following Rapid7 solutions scan existing
4. Two-factor authentication and encryption systems for vulnerabilities and monitor activity
across networking devices to identify
Integrate network infrastructure devices with
misconfigurations and suspicious activity:
multifactor authentication solutions. Or, consider
restricting administration to geographically dispa-
• InsightVM • InsightIDR
rate or independently hosted administrative jump
stations and implement two-factor authentication • Advisory Services
on those stations. This means
no telnet, anywhere.

Understanding and Meeting the CIS Critical Security Controls 15

 FOUNDATIONAL

Control 12
Boundary Defense

Today, attackers are constantly probing perimeters for

vulnerabilities and information to build their attack plan. 2. Collect, analyze, monitor
However, your boundary defense strategy should not just be Logs from your firewalls, IPS/IDS, and DMZ
about keeping the attackers out, but also keeping sensitive should flow through your SIEM solution for cor-
information in. Control 12 defines protections for outside relation, monitoring, and analysis. This centraliz-
threats, covering your DMZ, firewalls and proxies, IDS/IPS, es the recording of traffic through
NetFlow, and remote access. the network, network bandwidth, and traffic pat-
terns, streamlines monitoring of applications and
protocols that are using the most bandwidth,
How to implement it and detects denial-of-service attacks.

Use the step-by-step approach below

3. Remote access control
to meet Control 12: When connecting to the internal network,
the security profile (configuration policies)
should be scanned to ensure security configura-
1. Segment network and control flow tions and patch levels are up-to-date. Additionally,
Boundary defense is a multilayered approach all access allowing users to remotely log in to the
that requires segmenting your networks in internal network should require
order to control the flow of your data. First, two-factor authentication.
set up a DMZ between your internal network
and the internet. Configure it to communicate
with the internal network via application layer
proxies and set up outbound proxies to filter ma-
licious websites from being visited by end users. How Rapid7 can help
Apply blacklists to block traffic to
The following Rapid7 solutions scan perimeter defenses,
known malicious IPs or whitelists to ban
monitor activity over remote access protocols like VPNs,
access to everything not needed for approved
and effectively test all of these defenses against effective
business purposes. attacker techniques:

To ensure sensitive information isn’t being exfil-

• InsightVM • Metasploit
trated, use proxies to decrypt network
traffic and log individual TCP sessions. Set • InsightIDR • Advisory Services
your firewall to block all outbound traffic
except for approved business applications.
All inbound and outbound traffic should be fil-
tered and monitored.

Adding to your defense-in-depth strategy, net-

work-based IDS and IPS tools should be imple-
mented. While an IDS issues alerts on attacks by
sniffing the traffic flowing through
your network, an IPS can actively defend and
block unwanted or malicious communications
from getting in. Some open source IDS solutions
we recommend include Snort, Suricata, and Bro
IDS. Most commercial firewall tools offer
a network-based IPS.

Understanding and Meeting the CIS Critical Security Controls 16

 FOUNDATIONAL

Control 13
Data Protection

Data protection is the cornerstone of a solid security pro-

gram, whether you’re following a law to protect certain types 3. Technical controls
of data or regulatory obligations (such as PCI) that require These controls actually protect data and include
you to make good-faith efforts to keep data safe. encryption, blocking access to known file transfer
and email sites, and blocking USB ports. Data
loss prevention (DLP) tools and privileged ac-
How to implement it count management (PAM) tools can also be used
to protect data.
The following are the three types of controls
Managerial controls can be the hardest to im-
utilized in data protection: plement, as they require executive sponsorship,
leadership, and funding. Everyone, from the CEO
down to the security team, needs to eat the same
1. Managerial controls
dog food. Procedural and technical controls are
The foundation of a successful implementation
usually easier to put in place, and some can be
begins with executive support for policies that
done for little to no cost, such as blocking USB
outline what types of data the organization has,
mass-storage devices or blocking webmail and
how they’re classified or organized, and what can
file transfer websites. And don’t forget setting ap-
and cannot be done with the data. Taking invento-
propriate file and folder permissions and account
ry of your data helps you understand
control lists (ACLs) to restrict access
your environment and how interconnected sys-
to data to those who have a valid need to know.
tems and subsystems really are. This can also be
All of these can provide a great foundational layer
used to help define data retention requirements
of data protection for your organization.
and policies.
While policies themselves can’t stop a breach or
data leakage, they do help employees understand
2. Procedural controls
how the organization uses data and what their
These controls provide structure and
roles are in protecting that information.
consistency within the organization to
protect data. Common procedural controls
are performing scans for sensitive information
to ensure it is stored where it is supposed to be
stored, and developing processes, procedures, How Rapid7 can help
and configurations to ensure data is routed and
stored in the appropriate areas. The following Rapid7 solutions identify passwords
and other sensitive data available in plaintext, monitor
for exfiltration attempts, and identify the usage of
cloud-based file transfer services:

• Metasploit • InsightIDR
• Advisory Services

Understanding and Meeting the CIS Critical Security Controls 17

 FOUNDATIONAL

Control 14
Controlled Access Based on the Need to Know

This control defines the processes and tools to track,

control, prevent, and correct secure access to critical assets 2. Segment your network based on the information
such as information, resources, and systems. It’s important from your classification policy. For example, all
to establish a formal classification of your data types in systems with data classified as sensitive should
order to define which people, computers, and applications be located on separate VLANs with firewall filter-
have a need and right to access them. ing. AI network switches should enable private
VLANs to reduce the ability of an attacker to com-
municate to other devices on the same subnet
Let’s start with some simple yet often from a compromised system.
unasked questions:
• Do you know which critical assets exist in your organi-
zation’s network? 3. Implement ACLs on all systems and audit not
only the ACLs themselves, but also the detailed
• Do you have a data classification policy? user access to those systems and data. Follow

• Who defines the criticality of systems and information? the principle of least privilege or role-based
access control (RBAC) to assign roles to job func-
tions rather than individuals.
These are tough questions to answer, but they can be ex-
tremely helpful in determining which people, computers, and
applications have both the need and right to access critical 4. Encrypt data both at rest and in transit,
assets and data. especially when data traverses trust zones.
Your most sensitive data should require second-
How to implement it ary authentication in order to access it.

Use the following step-by-step approach to 5. Offload and archive old data sets that have not
meet Control 14: been accessed for a specific length of time.

1. Develop an organization-wide data classification

policy and apply it to all IT systems. It should How Rapid7 can help
include the following levels:
The following Rapid7 solutions monitor access
• Level 1: Data for public consumption that controls and baseline permitted access to systems
may be freely disclosed in each customer’s environment to identify any
suspicious changes in settings or behavior:
• Level 2: Internal data not for public disclosure
• InsightIDR • Advisory Services
• Level 3: Sensitive internal data that could
affect the company if disclosed

• Level 4: Highly sensitive corporate, employee,

and customer data

Understanding and Meeting the CIS Critical Security Controls 18

 FOUNDATIONAL

Control 15
Wireless Access Control

Control 15 covers the processes and tools you need to

track, control, prevent, and correct the security use of wire- 5. Perform wireless (radio frequency)
less local area networks (WLANs), access points, site assessments
and wireless client systems. With so many emails, docu- This can be performed by professional services
ments, and logins being transmitted, this control organizations or by running your own tools to
has never been more important. identify rogue wireless devices on your network
and verify that the controls you have in place limit
wireless to authorized access points.
How to implement it

6. Create a guest network

Consider the following step-by-step approach
Having a segmented, bandwidth-limited guest
to meet Control 15: network that does not have access to any critical
resources allows your vendors and other visitors
to get to their emails and VPNs without you giving
1. Do not broadcast your SSID them the keys to the kingdom.
While not foolproof, it will stop most curious
types from having a peek.
7. Monitor
Keeping an eye on (and logging) who is connect-
2. Deploy TLS certificates on your ed to which networks will help in the event of an
main/secure networks incident. You know who is in your house, right?
This takes a little extra effort to set up but is far This is no different.
superior because the end-user devices will need
the SSL certificate (which you control). This also Wireless access is a convenient — and perhaps
helps with the threat of rogue access points being even mandatory — component of your overall net-
set up with the same name. work. The protection of this component should
be an elevated and discrete part of any mature
security plan. Knowing who is connected and
3. Use WPA2-Enterprise
from where is key — it’s not like there is a cable to
This forces per-user authentication via RADIUS.
chase down.
Again, it’s more involved than setting a shared
WPA2 passphrase, but far more secure.

4. Adjust and limit your radio broadcast levels How Rapid7 can help
Some access points are very powerful and may
broadcast outside of your building. Tweak these The following Rapid7 solutions identify rogue wireless
levels to get as close to your building as you can. access points and detect unknown devices connecting
to the wireless network to reduce threats from this
attack vector:

• Metasploit • InsightIDR
• Advisory Services

Understanding and Meeting the CIS Critical Security Controls 19

 FOUNDATIONAL

Control 16
Account Monitoring and Control

Control 16 recommends processes to manage the lifecy-

cle (creation, use, dormancy, and deletion) of system and 3. Two-factor authentication
application accounts. You don’t need bells and whistles to Two-factor authentication is one of the most
meet this control, just basic account controls, configuration effective controls you can implement to protect
settings, and two-factor authentication. your organization, but it has to be done with rea-
sonableness and executive support.
It should absolutely be used for administrator
How to implement it accounts, dedicated accounts with access to sen-
sitive information, and for remote/VPN access.
Addressing Control 16 requires shoring up your Two-factor authentication is also one
of the best bang-for-your-buck controls you can
practices around the following three areas:
put in place.

1. Account lifecycle management

Managing the lifecycle of system and application
accounts is one of the most effective controls How Rapid7 can help
you can have to protect your organization.
An in-depth review will help you determine what The following Rapid7 solutions audit system
types of accounts you have, which accounts are authentication controls, test for weak and shared
still active, and which ones are no longer valid or passwords, and alert on any potential authentication-
in use. Work with HR to develop a communication based attacks or misuse of privileges:
process so that security is made aware when
someone is hired, is fired, quits, or goes on a • InsightIDR • Advisory Services
sabbatical. You should ideally be able to disable
all access within minutes of an individual leaving
the organization. You’ll also want to have a policy
around how long to keep dormant accounts be-
fore they are deleted.

2. Configuration settings
The settings below can have a very positive im-
pact on your security posture:

1. Automatically log users off after a set

of inactivity
2. Set lock screens on devices
3. Monitor for stale accounts that may have
period fallen through the cracks
4. Use account lockouts
5. Set accounts to expire at regular intervals
based on business need and risk appetite
6. Centralize authentication from a single
source, such as LDAP

The first four listed above can be set via

Group Policy.

Understanding and Meeting the CIS Critical Security Controls 20

 ORGANIZATIONAL

Control 17
Implement a Security Awareness and Training Program

While your users may have a basic understanding of secu- Zero in on security topics relevant to your business
rity controls such as antivirus or web filtering controls, they
There are certain security topics applicable to your
likely don’t know the latest defense strategies and what their
business that will require additional awareness and training.
responsibilities are when it comes to security. This control
For example, if you handle healthcare data, there should
helps companies implement a program that instructs em-
be training focused on HIPAA and how to handle sensitive
ployees on all of this.
information. Training can also be tailored to certain roles,
such as support, executives, and sales, or targeted based
How to implement it on best practices your workforce has failed to adhere to.
These targeted trainings should be held on a quarterly
Below is a step-by-step process to meet this control: basis and be mandatory to attend.

Establish baseline security awareness Don’t patroniz—empower

Create an overview document that outlines the expectations Don’t approach training your workforce as a nuisance
your business has for IT system usage. This could be part — they are your frontline defenders, so it’s incredibly import-
of an acceptable use policy, but it doesn’t have to be. New ant they are trained well and that you develop camaraderie
hires should be given this document within their first week with them. A hostile relationship could
on the job, and all employees should be reminded of it at upend all your efforts. Let your workforce know that
least once a year. This can also be done via video train- if they accidentally click on a link or lose a device, they
ings to get them up-to-speed fast. The security landscape can feel safe reporting it to IT. This will empower them
changes rapidly, so training should be updated regularly to report issues right away. To that end, be sure they
so that it’s always relevant. know how to reach the IT and ITSEC teams, perhaps by
creating a dedicated email account to report issues.

Mature security awareness over time

Next, think about ongoing security awareness training that
addresses new technologies, threats, and other require- How Rapid7 can help
ments employees should be aware of. Consider creating
short, quarterly video trainings that touch on The following Rapid7 solutions can help you implement
a security awareness and training program:
the following:

• Phishing Awareness Training

• The latest social engineering tactics
(e.g., phishing, phone calls)
• Advisory Services

• Authentication methods (e.g., two-factor authentica-

tion, strong passwords)

• Sensitive data handling

• Mobile, email, and internet security
• Device loss/theft procedures
Put posters like this one around the office, develop phishing
awareness training programs, distribute a quarterly security
newsletter, and recognize employees who report incidents
to reward good behavior.

Understanding and Meeting the CIS Critical Security Controls 21

 ORGANIZATIONAL

Control 18
Application Software Security

This control helps organizations manage the security lifecy-

cle of all software (both developed in-house and acquired) 3. Ensure you have proper people
in order to prevent, detect, and correct security issues. and tools in place
Although this control consists of nine sub-controls, many Project owners will be required to make
companies (even the ones that are lower on the maturi- sure implementation and adherence to
ty scale) have at least some components of this control the requirements in this control. In meeting
already in place. with stakeholders, ask those who express
the most interest to be a security advocate,
Sub-controls include deploying web application firewalls or ask if they know of someone on their team who
(WAFs), error checking, web application scanning prior to is interested. Basic training may be required to
deployment, maintaining separate environments for produc- get them up to speed — but once that’s done, you
tion and development, hardening of applications, can bring in tools to ease the burden of imple-
and more. menting your security control around your SDLC,
such as a WAF, application firewalls for non-web-
facing applications, and even host-based WAFs,
How to implement it as mentioned earlier.

Control 18 can seem like a lot to cover, but

these controls can be met in three steps:
How Rapid7 can help

1. Foster a relationship with application develop- The following Rapid7 solutions can scan custom applica-
tions, third-party software, and databases
ment and procurement groups
to identify vulnerabilities and produce clear
It’s key at this phase to develop a relationship
remediation recommendations:
with those working in development, business,
change management, and project management.
• InsightVM • InsightAppSec
Have a meeting with these stakeholders to get
an understanding of how the software develop- • Advisory Services
ment lifecycle (SDLC) works, pain points that can
be addressed by security, and regulatory and
compliance requirements that are already being
addressed. Once you have a good understanding
of all of this, you can move on to the next phase.

2. Use security gates along the way instead

of a pass/fail at the end of the SDLC
Too many companies wait to do security checks
until the end of the SDLC. Instead, security should
be addressed along the way using security gates.
Work with your development team to identify the
security requirements for the products they’re
responsible for and build a security gate stack to
check for them during the SDLC. This way, securi-
ty can be iterative, not handled at the end.

Understanding and Meeting the CIS Critical Security Controls 22

 ORGANIZATIONAL

Control 19
Incident Response and Management

The key principle of Control 19 is to protect the organiza-

tion’s information and reputation in the event of an incident. 3. Test!
By developing and implementing an incident response Testing is critical to ensure your plan
infrastructure, companies can quickly discover new attacks, will be effective during an actual incident
effectively contain the damage, eradicate the attacker’s and that employees understand current
presence, and restore the network and systems. threats, risks, and their responsibilities in support-
ing the incident handling team.
Tabletop exercises and functional/simulation
How to implement it exercises are recommended.

Below are four steps to follow when

implementing and managing an effective 4. Raise awareness
Everyone should be aware of how to report an
incident response strategy:
incident to your organization’s security group. De-
velop standards for how quickly issues should be
reported, how to report them, and what informa-
1. Craft plans and procedures
tion to submit. Then, include this as part of your
The foundation of your incident response
routine employee awareness activities and make
strategy is your incident response plan (IRP)
reporting easily accessible by establishing an
and procedures. Create one if you don’t have one,
email address or web page specifically designat-
but if you do, now is a good time to review and
ed for security incidents.
update it. Your IRP should define different proce-
dures (runbooks) for various types of incidents,
including malware, data loss, and distributed
denial-of-service (DDoS) attacks. Here’s a tutorial
on how to draft your plan. How Rapid7 can help
The following Rapid7 solutions test existing incident re-
2. Build your team sponse capabilities and ease the detection and
Your IRP should define personnel roles for han- response process, optionally through technology
dling incidents, including the people managing or a managed service:
your security and application log information,
support personnel, system administrators, and • Metasploit • InsightIDR
network engineers. • Incident Response
They may require specific training to
ensure they know their role in the investigation
when the plan is activated. In addition, bring
in legal, public relations, communications,
senior leadership, HR, supply management,
and vendors.

Understanding and Meeting the CIS Critical Security Controls 23

 ORGANIZATIONAL

Control 20
Penetration Tests and Red Team Exercises

Last but certainly not least, Control 20 ensures the

overall strength of your defenses by simulating the objec-
• Do you want to test employee security
awareness through social engineering?

• Do
tives of an attacker through penetration testing
you want the pen test team to target
and Red Team exercises.
a particular section of your network?

Penetration testing involves leveraging techniques used • Do you need the team to exclude any systems
from their tests?
by computer attackers to identify vulnerabilities and exploit
them. Many organizations fail to perform pen tests out of
fear of what will be found, but it’s better to know your weak-
• Does your organization have many web-based
services or applications that could benefit from
nesses than to discover you were breached through a web app pen test?
an unpatched vulnerability that went unnoticed.
• Do you want to focus on vulnerabilities or do you
want to test your detection and response capabilities?
Red Team exercises are designed for more mature organi-
zations that have been through multiple penetration tests,
have remediated vulnerabilities identified during those Other considerations to keep in mind
assessments, and are ready to test their whole organiza- A pen test will often require the use of a system account to
tion’s security posture through a simulated attack. These perform some authenticated parts of the testing, so you’ll
engagements simulate a skilled and motivated attacker want to ensure these accounts are disabled once testing is
interested in compromising their specific organization in over — or, at the very least, ensure any activities on those
order to achieve a specific objective, such as gaining access accounts are isolated to the testing windows. It’s also
to credit card numbers or sensitive files. Rather than the critical to use pen test results in conjunction with vulnera-
approach of finding many vulnerabilities and attack paths bility assessment results. Was a pen tester able to exploit a
as possible as in the case of penetration testing, Red Team vulnerability that was identified months ago? Is your orga-
exercises are meant to test the detection and response nization’s patch management program effective? There are
capabilities of the client in order to identify gaps in coverage many ways a pen test can help identify other programmatic
and help direct future investments. deficiencies in your security program.

How to implement it
How Rapid7 can help
Use the following guidelines to implement effective
testing methods: The following Rapid7 solutions simplify penetration testing
and Red Team operations and track the results over time
Define the type of penetration test you need to help organizations address issues to help prevent future
gaps from arising:
Not all pen tests are created equal, so it’s important to
develop clear goals from the outset. Ask yourself these • InsightVM • Metasploit
questions before engaging in these activities:
• Penetration Testing

• Are you looking for just a network-based pen

test that searches for OS and host-based
vulnerabilities or do you want to test your
whole organization’s preparedness?

• Do you want to evaluate your perimeter

defenses (external pen test) or look at your
internal defenses based on a presumed
compromise (internal network pen test)?

Understanding and Meeting the CIS Critical Security Controls 24

That’s a Wrap

There is a lot to digest in this guide, but the secret is to prioritize which controls are most applicable to your organization
and will have the highest impact. Every company has different security requirements, including the regulations they are
required to meet, the customer data they’re contractually obligated to protect, culture standards, and more.

Because most companies use these 20 controls to build or solidify their security program, it’s important to start where you
are. Not all of these controls may be immediately applicable to you, and that’s fine. Begin with the ones that will meet the most
requirements from the law, your customers, your partners, and your own security standards. Over time, it will become apparent
which ones should be implemented next, and by referencing this guide, you can get a jump start on understanding and address-
ing them.

The good news is that addressing many of these controls becomes easier by leveraging a small set of tools, many of which
Rapid7 offers. Click here for a complete breakdown of how Rapid7 can help you meet or enhance each control, or reach out
to Rapid7 Advisory Services to ask how we can help simplify this process for you. We assist many organizations of different
sizes and industries in maturing their security programs, and we’d be happy to help you, too.

Understanding and Meeting the CIS Critical Security Controls 25

About Rapid7

Rapid7 (Nasdaq: RPD) is advancing security with visibility, analytics, and automation delivered through our Insight cloud. Our
solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabili-
ties, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks. 7,800
customers rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organi-
zations. For more information, visit our website, check out our blog, or follow us on Twitter.

Understanding and Meeting the CIS Critical Security Controls 26