The Critical Security Controls for Small to Medium Size Business.
DATE: May 18, 2021
The Center for Internet Security (CIS) is a non-profit organization dedicated to developing guidelines and standards that help organizations and individuals alike protect themselves from internet threats. Its main claim to fame is the Critical Security Controls (CSC) Top 20, a prioritized list of controls designed to help an organization build a security program step by step. Followed in order, the steps build a strong security foundation and reduce the greatest amount of risk first, because the ordering is based on what attackers are currently doing. If your organization falls under a regulatory requirement such as HIPAA, these steps will align with almost every regulation; they just follow a more logical, risk-based structure.
For a small to medium sized business, however, implementing the controls can be extremely challenging, especially when there is often no dedicated information technology (IT) staff to assist. Because of this, CIS has developed the Implementation Guide for Small- and Medium-Sized Enterprises (SMEs). This guide has the same objective and approach as the CSC Top 20, but is designed for smaller organizations. The SME guide is divided into three implementation phases. This article will focus on the first phase: Know your environment.
As it sounds, phase one of the guide is all about knowing what you have. There are two parts to this: knowing what physical devices you have, and then knowing what software you have. Let's start with physical devices.
The first thing to do is inventory the devices you want to connect to your network. This can be done manually and tracked in a spreadsheet, especially if the number of devices is small. If you have a large enough number of devices, free automated software tools can assist with the inventory; tools will be discussed later. All devices need to be inventoried: computers, printers, wireless routers, medical devices, anything connecting to your network. Ideally each device is given a distinct name, and hardware information such as the model number is recorded, which becomes more important as devices age. Once vendor support for a physical device ends, vulnerabilities discovered in the device will no longer be fixed, and this will remain a problem for your organization until the device is replaced. Keeping track of model numbers is an easy way to verify whether your devices are still supported.
The second part of knowing what devices you have is preventing any unauthorized device from connecting to your network. If someone connects a device to your business WiFi without you knowing, then you can no longer say you know what devices you have, and you can't protect something if you don't know it's there. You also can't protect your other devices from something you don't know you have. Securing your WiFi router with a strong password, changing the password regularly, strictly limiting who has the password, and keeping your router hardware current so that it is still supported by the vendor are some ways to help with this. If you check with your ISP, they may have free security features that can help further. For example, with my home router, I get a notification on my phone every time a new device connects to it, and I have the option to kick any device off at any time through their app. If your ISP has this option available to you, I highly recommend using it; if not, I highly recommend considering switching to an ISP that does, or purchasing a WiFi router that has this as a feature.
There are free software tools to help with all of this. LANSweeper, Spiceworks, and Zenmap (or Nmap) are free tools that can inventory your network automatically, so that you can verify without much effort that only authorized devices are on your network. Nessus Essentials can also help with this, but only if you have fewer than 16 devices.
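As an added example (not code from the article or from any of the tools it names), the following script reconciles a constructed Nmap host-discovery result against a constructed inventory spreadsheet, flagging devices that are on the network but not in the inventory and inventoried devices that did not answer. The inventory columns and the device names are assumptions; the XML structure matches what Nmap writes with `-oX` when run with enough privilege to learn MAC addresses on the local segment.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample of the phase-one inventory spreadsheet, keyed by MAC address.
INVENTORY_CSV = """name,mac,model
office-router,AA:BB:CC:00:00:01,Example WR-100
reception-pc,AA:BB:CC:00:00:02,Example Desk 5
lobby-printer,AA:BB:CC:00:00:03,Example LJ-200
"""

# Constructed sample of Nmap XML output (e.g. nmap -sn -oX scan.xml 192.168.1.0/24).
SCAN_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/><address addr="192.168.1.1" addrtype="ipv4"/>
        <address addr="AA:BB:CC:00:00:01" addrtype="mac"/></host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
        <address addr="AA:BB:CC:00:00:02" addrtype="mac"/></host>
  <host><status state="up"/><address addr="192.168.1.57" addrtype="ipv4"/>
        <address addr="DE:AD:BE:EF:12:34" addrtype="mac"/></host>
</nmaprun>
"""

def load_inventory(csv_text):
    """Return {mac: name} for every authorized device, MACs normalized to upper case."""
    return {row["mac"].upper(): row["name"] for row in csv.DictReader(io.StringIO(csv_text))}

def hosts_seen(xml_text):
    """Return {mac: ip} for every host Nmap reports as up and for which it learned a MAC."""
    seen = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = {a.get("addrtype"): a.get("addr") for a in host.findall("address")}
        if "mac" in addrs:
            seen[addrs["mac"].upper()] = addrs["ipv4"]
    return seen

def reconcile(inventory, seen):
    """Split the scan into unauthorized devices (seen, not inventoried) and missing ones."""
    unauthorized = {mac: ip for mac, ip in seen.items() if mac not in inventory}
    missing = {mac: name for mac, name in inventory.items() if mac not in seen}
    return unauthorized, missing

if __name__ == "__main__":
    unauth, missing = reconcile(load_inventory(INVENTORY_CSV), hosts_seen(SCAN_XML))
    print("UNAUTHORIZED (on the network, not in inventory):", unauth)
    print("NOT SEEN (in inventory, did not answer):", missing)
```

A device that shows up as unauthorized is either something to add to the inventory deliberately or something to remove from the network; either way the list is now complete again.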
After you know your hardware, it is time to know your software. The idea here is exactly the same as with hardware. Inventory the software that is currently running on your devices, and add this information to your existing inventory list. Then it is time to make some decisions. You will need to verify that all the software you have is something you actually want to authorize. If you have not maintained positive control of your systems before this, it is likely there is some software on your systems that is not business-related or is no longer needed. Generally speaking, this should be removed. If you want to make an exception for software that your employees don't necessarily need but is a "nice to have," ensure that it is reputable and supported by the vendor. Unsupported software is a major source of risk to your organization and should be avoided if it is not a required business function. Even if it is a required business function, it is best to look for similar software that provides the same function and is still supported.
Once you have decided on which software you are keeping, removed the excess, and updated your inventory to list the software on each device, make a list of software you want to allow in your environment so that you can cross-reference it when an employee requests to add something. This also brings us to the next phase, preventing deviation from your approved software list.
Any new software brought into the organization brings new risk with it and should require approval accordingly. Employees should not be able to install software as they please. Remove administrator rights from all employees except a small number, so that only those individuals can install software on computers or make changes to devices. The number of administrators will vary based on the number of devices to maintain, but it should be at least two, so that if one is sick or on vacation everyone else is not stuck. These individuals should also be the only ones with access to make changes to other devices such as printers. Administrators should use separate login names for administrator activity and for normal work, and every user name should be trackable to the person using the system. So if John Smith is an administrator, he should have a normal work account with a username like JSmith and a separate administrator account with a username like JSmithAdmin.
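As an added example (not the article's own code), here is a small audit of the local Administrators group against the naming convention just described: every member should be a personal account with the Admin suffix, paired with a normal work account, and there should be at least two such accounts. The group listing is a constructed sample in the shape of `net localgroup Administrators` output on Windows, and the account names and the Admin suffix rule are assumptions taken from the article's JSmith/JSmithAdmin example.

```python
import re

# Constructed sample of `net localgroup Administrators` output from a Windows 10 PC.
NET_LOCALGROUP_OUTPUT = """Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
JSmithAdmin
MJones
The command completed successfully.
"""
# Constructed list of the ordinary work accounts on the same machine.
WORK_ACCOUNTS = {"JSmith", "MJones", "ALee"}
# Built-in or shared names that cannot be traced back to one person.
SHARED_NAMES = {"administrator", "admin", "guest"}
ADMIN_SUFFIX = "Admin"

def parse_members(output):
    """Return the member names listed between the dashed separator and the closing line."""
    members, in_list = [], False
    for line in output.splitlines():
        if re.fullmatch(r"-{5,}", line.strip()):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list and line.strip():
            members.append(line.strip())
    return members

def audit_admins(members, work_accounts):
    """Return (account, finding) tuples; an empty list means the group follows the convention."""
    findings = []
    for name in members:
        if name.lower() in SHARED_NAMES:
            findings.append((name, "shared account, not trackable to a person: disable or rename"))
        elif not name.endswith(ADMIN_SUFFIX):
            findings.append((name, "daily-work account holds admin rights: move to a separate Admin account"))
        elif name[:-len(ADMIN_SUFFIX)] not in work_accounts:
            findings.append((name, "admin account has no matching work account: owner unknown"))
    if sum(n.endswith(ADMIN_SUFFIX) for n in members) < 2:
        findings.append(("<group>", "fewer than two named administrators: no cover for absences"))
    return findings

if __name__ == "__main__":
    for account, finding in audit_admins(parse_members(NET_LOCALGROUP_OUTPUT), WORK_ACCOUNTS):
        print(f"{account}: {finding}")
```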
To help control your software inventory, it is recommended to add application whitelisting software to your systems, which restricts software that is not approved from being installed. Windows 10 comes with AppLocker for free; it just needs to be turned on and is very easy to manage.
As with hardware, there are free tools to help maintain your software inventory and verify that nothing unauthorized has slipped in. Netwrix offers a free tool to help see which accounts have administrator access on your systems, and Open-AudIT is free software that helps you see what software you have and when it changes.
Maintaining inventory and control of hardware and software is a critical first step in maintaining a secure IT environment. Not only does it help prevent potentially dangerous devices or software (including malware) from affecting your systems, but the additional security measures that follow depend heavily on these two measures being in place. You can't secure something if you don't know it is there, so it only makes sense that the first phase of securing your network is gaining and maintaining knowledge of what is there.
About the author
Senior Information Security Analyst
(850) 830-5654, email@example.com