Prioritized approach to cybersecurity using the Pareto Principles by CIS Controls
Source - Pareto-Principle.pdf (cisecurity.org) By Tony Sager, Senior Vice President and Chief Evangelist and Shannon McClain, GISF
The prevalence of cybersecurity dangers has become a common news item. It’s difficult to disentangle the dense technical jargon, conflicting expert viewpoints, apocalyptic predictions, and market hype. The really dangerous component is that the majority of cybersecurity issues that trouble us today could be alleviated if we took action, used technology, and adopted policies that are already available or in use. It’s not that we are being overwhelmed by small parlor tricks; most organizations are inundated by hordes of relatively simple pranks.
Employees are not unable to do their jobs properly as a result of what CIS calls the “Fog of More”, which is more work, problems, regulatory and compliance demands, conflicting viewpoints, noise in the marketplace, and unclear or difficult recommendations than anyone can handle. Cybersecurity audits may assist organizations in identifying their technological maturity and readiness to help them enhance their cybersecurity posture. How does CIS (the Centre for Internet Security) use the Pareto Principle to create CIS Controls, a prioritized list of actions that boost cybersecurity? In this paper, we will answer this question.
The Fog of More
How complex protecting data appears as technologies grow more sophisticated and interconnected is a question on many minds. A DDOS attack, phishing, ransomware, data leaks, and IT security breaches are just a few examples of the kinds of threats facing organizations. In order to recognize their current standing, many organizations begin with a cybersecurity audit. In some cases, these audits are mandatory. However, while conducting a cybersecurity audit as a result of regulatory requirements, organizations often encounter what CIS refers to as “the fog of more.” The fog of more obscures the multitude of issues and solutions organizations encounter when safeguarding digital assets such as intellectual property and trade secrets, as well as client/employee data. Consequently, it is not surprising that the majority of cyber assaults are not sophisticated, complex activities are shown on the screen or in the movies.
The concept behind cyber defense has often been to generate and display as many potential cybercrime activities and mishaps as possible, in order to prompt experts to think about what they can do to defend against such activities. Although there are many things one can do to safeguard themselves, experts describe all the things that criminals may do. The CIS Controls focus on the actions criminals take today, in order to ask 'What are the critical, fundamental, key steps I should take to protect my organization’s assets and prevent attacks?' Those are the kinds of issues that gave rise to and continue to drive CIS Controls. The idea for CIS Controls was created as a grassroots effort to cut through the fog and focus on the most critical and valuable actions any enterprise should take. The CIS Controls' value is based on data and knowledge, which allows organizations to detect, warn, and react to attacks like those plaguing organizations and businesses. No matter what the industry's requirements are, it is critical that organizations evaluate their security programs.
Source - CIS Controls
Applying the Pareto Principle
Once you have completed the initial cybersecurity assessment, you must begin making improvements. You probably noticed a lot of issues with your network; unauthorized applications, gaps in incident response plans, or employee training, for instance. Where should you begin to make improvements? Because of the Pareto Principle's application to a wide range of activities, roughly 20% of activities account for 80% of the outcomes. In 2002, Microsoft detected that 20% of all bugs accounted for 80% of reported errors, allowing them to concentrate their resources on the most necessary repairs.
CIS has developed the CIS Controls to help any organization improve its cyber defenses by applying the Pareto Principle. How does CIS narrow down all the possible cyber defense actions that an organization can take?
A Community Approach
The CIS Controls are developed by a community of cybersecurity specialists around the world, and deciding which tasks to include is not a job for one individual or company. The community includes cybersecurity specialists from everywhere in the cyber world (companies, governments, individuals, and so on). Every role (threat responders and analysts, technologists, vulnerability-finders, tool makers, solution providers, defenders, users, policy-makers, and auditors, among others) in every sector (government, power, defense, finance, and transportation, among others) is represented. These experts cannot be hired, as they provide knowledge and expertise you don't have. You couldn't build content on your own.
Managing Corporate Risk
The CIS Controls document is filled with specialized technical jargon, but it is important to remember that any successful cybersecurity improvement programme should be able to cross the divide from technical security requirements to crucial corporate risk management issues, such as:
- Do we know what is connected to our systems and networks?
- Do we know what software is running (or attempting to run) on our systems and networks?
- Are we continually monitoring our systems using “good” configurations?
- Are we continually hunting down and dealing with “bad” software?
- Are we aware of the most common threats to our business or mission, and what our people can do about them?
- Do we track and minimize the number of people who can bypass, rewrite, or exceed our security defenses?
Corporate leaders already ask about physical inventory, safety, and financial matters, among other things, in the same way these questions are asked. Each of these queries links to one or more of the CIS Controls. In addition, CIS Controls correlate with other popular cybersecurity regulatory and compliance frameworks, including NIST CSF and PCI DSS. As you implement the CIS Controls, you can track and demonstrate their benefits to auditors, vendors, business partners, and other cybersecurity professionals.
The first five CIS Controls
The CIS Controls community has reduced the “Fog of More” in cybersecurity by prioritizing and organizing the most critical steps an organization can take to improve its cyber defense. Pareto’s Principle was used to select the most critical and foundational cybersecurity actions, which have been condensed into the CIS Controls. We will examine how the first five CIS Controls can strengthen a company's security and prepare for a cybersecurity audit.
CIS Control 1 | Inventory of Authorized and Unauthorized Devices
An inventory of authorized and unauthorized devices is one of the things that must be safeguarded. How can you protect a device if you don't know it's there? Your network must be scanned as comprehensively as possible, and scanners (both active and passive) that can detect devices are a good place to start. In addition to scanning your network for devices, establish a strict organizational policy to help track and manage devices as they move around the company. Include company-affiliated mobile phones, printers, and other network devices.
CIS Control 2 | Inventory of Authorized and Unauthorized Software
This CIS Control is one of the most effective defense measures against cyberattacks, even if it is not a silver bullet. Application whitelisting is crucial to ensuring that only authorized software is installed on an organization’s systems. While creating an inventory of software is critical, application whitelisting is important because it restricts the use of software to only those programs that have been specifically authorized. This CIS Control might require reexamining a company's policies and culture, as employees will no longer be able to install software without prior approval. Because this CIS Control has already been successfully implemented by numerous companies, it will likely have positive consequences for an organization trying to defend against and detect cyberattacks.
CIS Control 3 | Secure Configurations for Hardware and Software
Most systems are set up for simplicity, not security, out of the box. An organization must alter its hardware and software to a secure setting to satisfy CIS Control 3. There are already technologies, like Microsoft Active Directory Group Policy Objects and Unix Puppet or Chef, that may be used to securely configure systems at scale. The CIS Benchmarks are available for free in PDF format for over 150 technologies, including operating systems, middleware, and software applications, and network equipment.
CIS Control 4 | Continuous Vulnerability Assessment and Remediation
It is the purpose of CIS Control 11 to identify and eradicate technical issues in an organization’s information systems. Patch management systems that maintain operating systems and third-party application bugs are an excellent option. Patch management systems provide automated, continuous, and proactive updates to fix software flaws, in addition to vulnerability management systems. To detect and fix exploitable software weaknesses, organizations should install a commercial vulnerability management system.
CIS Control 5 | Controlled Use of Administrative Privileges
The purpose of CIS Control 5 is to ensure that workforce members only have the system rights, privileges, and permissions they require to do their job—no more, no less. In order to save time and effort, many organizations allow staff to have local system or even domain administrator rights, which are too generous and open the door for abuse, accidental or otherwise. The straightforward answer is to eliminate unnecessary system rights or permissions.
Taking the Next Steps
It's often hard to believe how much ground you can cover by starting with an audit and implementing the most effective strategies first when it comes to cybersecurity at an organization. Working with global subject matter experts and applying the Pareto Principle, CIS has helped draw attention to the world of cyber defense. It can be both confusing and intimidating.