The COVID-19 pandemic has forced organizations to quickly implement contingency plans to sustain their operations. For those businesses that have remained operational, IT and security teams have often been so focused on securing their newly remote workforces that they have had little time to consider the additional security challenges from employees slowly returning to the office.
For CISOs, IT managers and risk professionals, it may seem like an impossible task to keep up with a rapidly evolving threat landscape, compounded by the dramatic pandemic-related increase in cyberattacks over the past year. Many organizations deploy a series of products as part of a layered security approach, but when it comes to threat and vulnerability management, these products may not provide adequate security for the new conditions under which they now operate.
Implementing Security Controls
Many seasoned cybersecurity leaders are familiar with the Center for Internet Security’s (CIS) critical security controls as a means of extending their cyberrisk management practices beyond simple vulnerability management. Developed using best practices from the global IT community, these controls create a framework of real-world actions that, when implemented correctly, can help organizations strengthen their security posture and take a more proactive approach.
The CIS Top 20 Critical Security Controls are divided into three categories: basic, foundational and organizational. Basic controls should be implemented in every organization. After that, implementing foundational controls paves the way for organizational controls, which focus more on people, processes and workflows. Whether organizations are just starting to research ways to strengthen their cybersecurity perimeter or seeking to add onto their existing security program, the CIS controls help transform threat intelligence into prioritized and actionable implementation activities to better protect the organization.
The controls were designed to scale across organizations of any size, and many use them to guide their entire security strategy. The sequence of controls allows a organization to follow a foundational blueprint while gradually improving its security posture and reducing its risk exposure.
According to CIS data, organizations can reduce their overall cyberthreat and risk impact by more than 85% by simply implementing five basic CIS controls. Now, as more offices reopen in varying capacities, organizations should look beyond the basic controls to deal with the unique cybersecurity challenges caused by the pandemic and subsequent recovery.
The following are some of the CIS Top 20 Critical Security Controls that can help meet COVID-related challenges:
CIS Controls 1 & 2: Inventory and Control of Software and Hardware Assets. Bad actors continuously scan target organizations for vulnerable versions of software they can exploit. Some actors also distribute malicious web pages, document files, media files and other content via their web pages or otherwise trustworthy third-party sites.
For months, employees have worked remotely, having to balance work and home life across multiple devices. Children may have borrowed a parent’s laptop to use for school or entertainment, and parents may have used their family’s tablet to check their corporate email. Each of these situations presents a potential security risk for organizations.
Actively manage—inventory, track and correct—all software on the network so that only authorized software can be installed and executed, and that unauthorized and unmanaged software is found and prevented from installation or execution.
CIS Control 3: Continuous Vulnerability Management. The National Institute of Standards and Technology (NIST) has published thousands of reports of common vulnerabilities and exposures (CVEs) since the beginning of this year, and organizations must prioritize patching these vulnerabilities while managing the demands of the workforce. Organizations that do not scan for vulnerabilities and proactively address discovered flaws increase the likelihood of having their systems compromised.
Conducting regular vulnerability assessments enables organizations to identify vulnerable or misconfigured systems and prioritize endpoint patching promptly. With a managed solution, organizations can continue to function without in-office IT staff if teams are overwhelmed or are not able to work on-site.
CIS Control 16: Account Monitoring and Control. Attackers frequently identify and exploit legitimate but inactive user accounts. The presence of inactive accounts on systems allows them to impersonate authorized users, making their existence and intentions more challenging to discover. With millions of Americans temporarily or permanently losing their jobs during the pandemic, system administrators need to ensure furloughed employees are properly deactivated. This will help ensure that their credentials can no longer be used to access corporate systems and sensitive data for unauthorized and sometimes malicious purposes.
As part of this process, organizations should scan for information harvested from known data breaches that is publicly available on the internet and dark web. This can help identify potential credential exposures and prompt password resetting for any exposed accounts.
CIS Control 17: Implement a Security Awareness and Training Program. For cybercriminals and scammers, COVID-19 has presented many opportunities to benefit from chaos and uncertainty. Indeed, the FBI reported in April that cybercrime incidents had already increased 300% since the beginning of the pandemic. Companies can significantly reduce the probability of an incident by implementing education programs that focus on threats related to COVID-19 or even just offer a refresher on basic cyber hygiene.
Bracing for a Second Wave
Companies may get the go-ahead to reopen and then be forced to close again if infection rates increase. Turning to a set of standards such as the CIS Critical Security Controls can help provide IT and security leaders with the framework they need to manage the changing security landscape, particularly given the challenges of COVID-19. While the five CIS controls discussed are perhaps the most important to implement in the near-term, organizations may need to conduct a thorough examination of how they currently adhere to the entire set of CIS Critical Security Controls to maximize their cyberrisk mitigation efforts in the long term.