Beginning our series discussing each individual CIS Control, are controls 1 and 2. Both of which are absolutely critical points for securing your network. While these are extremely important, they are two steps a lot of people skip. The reasoning and intention behind these two controls is to prepare you for the remaining 18 controls suggested for securing your network. Controls 1 and 2 help you identify what you are working with so you can then proceed in how you can protect it. It is impossible to protect something you don’t know you have, which is why these first two steps are vital. These steps seem very straightforward, which they are, but that doesn’t mean they should be overlooked.
Control 1 is known as the Inventory and Control of Hardware Assessment. This assessment is looking for physical hardware. This includes desktops, laptops, access points, etc. For this control, we suggest running a software assessment as well as a manual assessment.
An inventory assessment can be done through a piece of software. This software will push out a script describing each documented device you have. This gives knowledge of not only what devices you have but also the details of them. Some devices may not show up through this form of assessment, which is where the manual assessment becomes key. The manual assessment is completed by physically and visually looking for all the devices you may have. This is especially important in scenarios where you may have spare hardware in a closet somewhere. While this hardware may not be turned on or active, you still need to know this hardware exists.
Control 1 is a step of inventorying everything you have. This will introduce you to what devices you are even working to protect.
Control 2 is titled Inventory and Control of Software Assessment. This is very similar to control 1. But rather than understanding what devices you have, its about knowing what is on those devices. As we explained in the first control, you can’t protect what you don’t know you have. So knowing what is on these devices will assist in protecting your network.
What is on your devices can often have dangerous risks. To protect devices from bad stuff getting in, the firewalls on your servers constantly need to be updated.. Additionally, a lot of servers have outward facing applications on them. Any applications from the outside will also need to be updated quite frequently. But you must know they are there to be able to do so. By taking an inventory of the software on the devices, it allows you to know what needs to be updated in order to keep your devices protected.
Essentially, controls 1 and 2 are the foundation of securing your devices. Without the knowledge of your hardware and software, it is nearly impossible to follow the steps of the remaining controls.
Before you start trying to figure out how to do these things, understand that these critical and effective steps are steps that should be taken by your IT department. At the IT Company our mission is to have happy customers. The CIS Controls are fairly new to us as well, and we are constantly seeking to implement them more, because we feel they are that crucial. The more we are able to implement these controls, the more we feel we are able to best protect our customers. The more protected our customer’s feel, the happier they can be.