Sec-Blogger

Simple Guidance on How To Secure Your Organization Using the CIS 20 Controls.

With the number of data breaches increasing every year, it is crucial for every organization to have the necessary security controls in place to keep its data secure. Although many organizations have a variety of tools and best practices to protect their infrastructure against disruption, many do not know what they should focus on first to prevent security breaches, or which security measures will have the most significant impact. In this context, the SANS Institute, together with the Center for Internet Security (CIS) and in collaboration with other organizations, developed the 20 Critical Security Controls (CSC) as a starting point and guidance for any organization that wants to prevent security breaches. But what is CIS, and what are the CIS 20 Critical Security Controls?

CIS (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats. CIS Controls and CIS Benchmarks are the worldwide standard and recognized best practices for securing IT systems and data against the most pervasive attacks. These proven guidelines are continuously refined and verified by a volunteer, global community of experienced IT professionals. CIS is home to the Multi-State Information Sharing and Analysis Center® (MS-ISAC®), the go-to resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial government entities. The Center for Internet Security (CIS) was formed in October 2000, and its mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace."
The complete list of CIS Critical Security Controls, version 6.1, is a set of 20 controls designed to help organizations protect their systems and data from cyber-attacks. It can also serve as a practical and comprehensive guide for companies that do not have an internal security program. Below is the list of the CIS 20 Critical Security Controls and how Nesha Corporation services can help to meet each one:

1. Inventory of Authorized and Unauthorized Devices
Organizations must actively manage all the hardware devices on the network so that only authorized devices are given access, and unauthorized devices can be quickly identified and disconnected before they inflict any harm. Our security team will help to implement network security best practices to reduce threats to critical business assets, continuously monitor the network, and protect devices from attacks.

2. Inventory of Authorized and Unauthorized Software
Organizations must actively manage all software on the network so that only authorized software is installed. Security measures like application whitelisting enable organizations to find unauthorized software quickly, before it has been installed. Attackers look for vulnerable versions of software that can be remotely exploited. We offer a managed vulnerability assessment service that scans all web applications and other network-resident software to detect threats, assess their risk, and devise a remediation plan to mitigate them quickly.

3. Secure Configurations for Hardware and Software
Companies need to establish, implement, and manage the security configuration of laptops, servers, and workstations. They must follow strict configuration management and enforce change control processes to prevent attackers from exploiting vulnerable services and settings. Our advisory consulting helps to provide hardened default configurations of operating systems and applications for ease of deployment, and thoroughly tests applications to uncover vulnerabilities. Our application security services identify security gaps and provide recommendations to remediate risks.

4. Continuous Vulnerability Assessment and Remediation
Organizations need to continuously acquire, assess, and act on new information (for example software updates, patches, security advisories, and threat bulletins) to identify and remediate vulnerabilities and to minimize the window of opportunity for attackers. We offer a managed vulnerability assessment service that scans all web applications, databases, networks, operating systems, and other network-resident software to detect threats, assess their risk, and create a remediation plan to mitigate them quickly.

5. Controlled Use of Administrative Privileges
This control requires companies to use automated tools to monitor user behavior and keep track of how administrative privileges are assigned and used, in order to prevent unauthorized access to critical systems and information. We provide a full change management solution, including detailed audit logs of all changes in privileges, and keep track of how administrative rights are assigned and used to prevent unauthorized access to critical systems.

6. Maintenance, Monitoring, and Analysis of Audit Logs
Organizations need to collect, manage, and analyze event logs to detect aberrant activity and investigate security incidents. Our security team performs log management to improve security; it provides real-time correlation and analysis of security and network events to enable an enhanced security response.

7. Email and Web Browser Protections
Organizations need to ensure that only supported web browsers and email systems are used in the organization, to minimize the attack surface. Our AWS or Azure Web Application Firewall (WAF) management service provides real-time monitoring of all inbound and outbound application traffic, including encrypted traffic; threats are screened and inspected, and inappropriate or malicious application traffic is blocked.

8. Malware Defenses
Organizations need to make sure they control the installation and execution of malicious code at multiple points in the enterprise. This control recommends using automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. Modern malware can be fast-moving and fast-changing, and it can enter through any number of points. Therefore, we help to provide real-time security event response to known and emerging threats.

9. Limitation and Control of Network Ports, Protocols, and Services
Organizations must track and manage the use of ports, protocols, and services on network devices to minimize the windows of vulnerability available to attackers. Our scanning and assessment services identify the available ports, protocols, and services and deliver reports that detail specific findings and provide the information needed to begin remediation.

10. Data Recovery Capability
Companies need to ensure that critical systems and data are adequately backed up on at least a weekly basis. They also need a proven methodology for timely data recovery, because attackers often make changes to data, configurations, and software. Our security team ensures that critical systems and data are appropriately backed up at regular intervals.

11. Secure Configurations for Network Devices
Organizations must establish, implement, and actively manage the security configuration of network infrastructure devices such as routers, firewalls, and switches. Our security team performs a network security evaluation and assessment during the security audit to identify and help manage the configuration of these devices.

12. Boundary Defense
Organizations need to detect and correct the flow of information between networks of different trust levels, with a focus on data that could damage security. The best defense is technology that provides deep visibility and control over data flow across the environment, such as intrusion detection and intrusion prevention systems. We provide services such as log management and web application firewalls, which help to manage and detect the flow of data between networks to ensure data security.

13. Data Protection
Organizations must use appropriate processes and tools to mitigate the risk of data exfiltration and ensure the integrity of sensitive information. Data protection is best achieved through the combination of encryption, integrity protection, and data loss prevention techniques. Our security teams perform a network security evaluation and assessment during the security audit, which helps with confidential data handling and encryption.

14. Controlled Access Based on the Need to Know
Organizations need to be able to track, control, and secure access to their critical assets and quickly determine which people, computers, or applications have a right to access them. Our advisory consulting helps to identify and separate the most critical assets from less sensitive data, to make sure that only the users who require it have access to sensitive data and all other users are restricted.

15. Wireless Access Control
Organizations need to have processes and tools in place to track and control the use of wireless local area networks (LANs), access points, and wireless client systems. They need to use network vulnerability scanning tools and ensure that all wireless devices connected to the network match an authorized configuration and security profile. Our vulnerability assessment and log management services help to track, control, prevent, and correct the secure use of wireless LANs, access points, and wireless clients.

16. Account Monitoring and Control
It is critical for organizations to actively manage the lifecycle of user accounts (creation, use, and deletion) to minimize opportunities for attackers to leverage them. All system accounts need to be regularly reviewed, and accounts of former contractors and employees should be disabled as soon as the person leaves the company. Attackers frequently exploit inactive user accounts to gain access to an organization's systems and data that appears authorized, which makes detection of the attack more difficult. Our log management service provides real-time correlation and analysis of any changes in user accounts.

17. Security Skills Assessment and Appropriate Training to Fill Gaps
Organizations should identify the specific knowledge and skills they need to strengthen security. This requires developing and executing a plan to identify gaps and fix them through policy, planning, and training programs. Our security team helps the organization to identify the specific knowledge, skills, and abilities needed to support the defense of the enterprise. We develop and execute an integrated plan to assess, identify gaps, and remediate through policy and training.

18. Application Software Security
Organizations must manage the security lifecycle of all software they use in order to detect and correct security weaknesses. They must regularly check that they use only the most current version of each application and that all relevant patches are installed promptly. Attackers often take advantage of vulnerabilities in web-based applications and other software. To monitor this, our security team uses web application vulnerability scanning and a web application firewall, along with 24x7x365 firewall administration, log monitoring, and response to security and device health events.

19. Incident Response and Management
Organizations need to develop and implement proper incident response, which includes plans, defined roles, training, management oversight, and other measures that help them discover attacks and contain damage more effectively. Our log management services improve incident response and resolution for security, performance, and availability incidents through quick browser-based access to all historical log data.

20. Penetration Tests and Red Team Exercises
The final control requires organizations to assess the overall strength of their defenses (the technology, the processes, and the people) by conducting regular external and internal penetration tests. This enables them to identify vulnerabilities and attack vectors that could be used to exploit their systems. Our security team performs penetration testing, which includes network penetration testing and application security testing as well as a review of the controls and processes around the networks and applications. Testing is carried out from both sides of the network: from outside and from inside. After testing, we deliver reports that detail specific findings and provide the information needed to begin remediation.

Getting value from the CIS Critical Security Controls does not necessarily mean implementing all 20 controls at once. The implementation of security controls requires a complete strategy, time, resources, and money. Only a few organizations have the budget, staff, and time needed to implement the entire set of controls at the same time. Our solutions and services are intended to help every organization meet all 20 CIS Security Control points and reduce the burden on the existing security team.
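Control 1 in practice comes down to a recurring reconciliation of what is actually on the network against the authorized hardware inventory. The script below is an added example (not Nesha Corporation code, and not from CIS): it compares a constructed list of observed devices with a constructed authorized inventory and reports unknown hardware, approved devices on the wrong VLAN, devices not seen recently, and inventory entries that were never observed.

```python
"""Control 1 reconciliation: compare observed devices with the authorized
hardware inventory and flag anything that should not be on the network.
Added example, not Nesha Corporation code; all inventory data is constructed."""
from datetime import datetime, timedelta

# Constructed authorized inventory keyed by MAC address (placeholder values).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"owner": "fileserver-01", "vlan": 10},
    "aa:bb:cc:00:00:02": {"owner": "laptop-alice", "vlan": 20},
    "aa:bb:cc:00:00:03": {"owner": "printer-2f", "vlan": 30},
}

# Constructed observations, as a DHCP lease list or switch CAM table would give.
OBSERVED = [
    {"mac": "AA:BB:CC:00:00:01", "vlan": 10, "last_seen": "2024-05-01T09:00:00"},
    {"mac": "aa:bb:cc:00:00:02", "vlan": 30, "last_seen": "2024-05-01T09:05:00"},
    {"mac": "de:ad:be:ef:00:99", "vlan": 20, "last_seen": "2024-05-01T09:07:00"},
]


def reconcile(authorized, observed, now_iso, stale_days=7):
    """Classify devices: unauthorized (unknown MAC), misplaced (approved device
    on an unapproved VLAN), stale (authorized but not seen within stale_days),
    missing (in the inventory but never observed)."""
    now = datetime.fromisoformat(now_iso)
    stale_after = timedelta(days=stale_days)
    report = {"unauthorized": [], "misplaced": [], "stale": [], "missing": []}
    seen = set()
    for dev in observed:
        mac = dev["mac"].lower()  # normalise case before the inventory lookup
        seen.add(mac)
        entry = authorized.get(mac)
        if entry is None:
            # Unknown hardware: candidate for quarantine and investigation.
            report["unauthorized"].append(mac)
            continue
        if entry["vlan"] != dev["vlan"]:
            # Known device on a network segment it is not approved for.
            report["misplaced"].append((mac, entry["vlan"], dev["vlan"]))
        if now - datetime.fromisoformat(dev["last_seen"]) > stale_after:
            report["stale"].append(mac)
    # Inventory entries never observed: retired hardware or an inventory error.
    report["missing"] = sorted(set(authorized) - seen)
    return report


if __name__ == "__main__":
    print(reconcile(AUTHORIZED, OBSERVED, "2024-05-02T00:00:00"))
```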
