Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Center for Internet Security Releases CIS Controls Version 8

August 10, 2021

No, I couldn’t think up a sexier title, sorry. But it is important news.

Thanks to Dark Reading for its July 27 post highlighting how CIS Controls version 8 affects small and mid-sized businesses (SMBs).

CNBC reported that threat actors target SMBs almost half (43%) of the time, and according to TechRepublic those attacks became security incidents for two-thirds of SMBs globally in the same period. A lack of preparedness was a contributing factor to those attacks.

The CIS Controls consist of fundamental security measures that get to the core of an organization’s security posture. As such, organizations of any size can use them to mitigate some of the most dangerous threats facing their systems and networks.

When it comes to SMBs, the Center for Internet Security explained in its v7.1 companion guide that organizations can use the Critical Security Controls in a three-phase plan to augment their digital defenses. The first phase is getting to know the environment, for example by creating an inventory of the hardware and software assets connected to the network. In the second phase, SMBs protect those assets using technical tools and employee awareness training. These initiatives lead into the third phase: preparing to respond if the organization does encounter a security incident.

As noted by the Center for Internet Security on its blog, version 8 of the CIS Controls contains some important changes. The 20 Controls of v7.1 are consolidated into 18, and there is a greater focus on vendor relationships and cloud technologies, as shown by the addition of a new CIS Control (Control 15, Service Provider Management) with recommendations on how organizations can manage their upstream service providers. This new control reads like a timely warning to "watch out for supply chain attacks," which is of particular interest to federal, state, and local governments, considering recent events.

These updates are welcome but might be difficult for SMBs to implement. “I’m a big fan of the CIS Controls, and I feel that the v8 changes that focus on cloud, mobile, and supply chain, if implemented correctly will make small/medium-sized organizations more secure, but it will also increase complexity,” explains Scott Smith, CISO with the City of Bryan, Texas. “Implementing new technical and procedural controls to manage mobile, cloud, and supply chain resources is not a small undertaking, and it will require additional resources for already overtasked staff to enact those changes.”

One thing that simplifies implementation is the distribution of all Controls and their Safeguards (formerly Sub-Controls) across three Implementation Groups (IGs), a structure introduced in CIS Controls v7.1. The Center for Internet Security created the IGs to help organizations prioritize their implementation of the Critical Security Controls. IG1 consists of essential cyber hygiene that every organization can use to defend against the most common types of attacks. IG2 builds on IG1 for organizations with more resources and more sensitive data to protect, and IG3 encompasses the other two groups along with additional Safeguards.

Tyler Morgan, vice president and CSO at Farmers and Merchants Bank in Arkansas, says it’s those groupings that will ultimately make it easier for organizations to approach the changes introduced in v8.

“In my view, any addition to the CIS Controls is a net positive for organizations of all sizes,” he says. “The fact of the matter is, all organizations (regardless of size) are facing the challenges introduced via cloud, mobile, and supply chain risk vectors (along with many others). The primary difference is the level of scale faced by the larger organizations. The fundamental truth, regardless of the technology stack, is that you can’t protect what you don’t know about or don’t understand, and this is something the CIS Controls expound upon across their Safeguards. The CIS Controls do a better job than any framework at highlighting the real-world question, ‘How do we do this?’ Small/medium-sized orgs are going to have to answer these questions anyway, and the CIS Controls provide examples of practical application.”

With the IGs introduced in v7.1 and the changes in v8, the CIS Controls offer smaller organizations the most practical and easiest-to-follow road to good cyber hygiene. Start by listing every Safeguard in IG1 and checking how your organization's current security measures stack up against those recommendations.

You may download version 8 of the CIS Controls here.

Hat tip to Dave Ries

Notice: We will be transferring our blogs to a new platform shortly which will be hosted on our website. The new URL for accessing the blog will be https://senseient.com/ride-the-lightning/ Users currently subscribed via email delivery should not be impacted. Those users subscribed via RSS feed will need to resubscribe from the blog once it is relocated to the website.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson