CIS | Compliance | Fluid Attacks Help

CIS

Summary

The Center for Internet Security Controls are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory and policy frameworks. The version used in this section is CIS Controls v8.

Definitions

Definition / Requirements

2_1. Establish and maintain a software inventory
    262. Verify third-party components
2_5. Allowlist authorized software
    041. Scan files for malicious code
2_7. Allowlist authorized scripts
    186. Use the principle of least privilege
    265. Restrict access to critical processes
3_3. Configure data access control lists
    096. Set user's required privileges
    176. Restrict system objects
3_6. Encrypt data on end-user devices
    147. Use pre-existent mechanisms
3_10. Encrypt sensitive data in transit
    181. Transmit data using secure protocols
    224. Use secure cryptographic mechanisms
3_11. Encrypt sensitive data at rest
    134. Store passwords with salt
    185. Encrypt sensitive information
3_12. Segment data processing and storage based on sensitivity
    259. Segment the organization network
4_1. Establish and maintain a secure configuration process
    062. Define standard configurations
    213. Allow geographic location
    221. Disconnect unnecessary input devices
4_2. Establish and maintain a secure configuration process for network infrastructure
    062. Define standard configurations
    221. Disconnect unnecessary input devices
4_3. Configure automatic session locking on enterprise assets
    023. Terminate inactive user sessions
4_4. Implement and manage a firewall on servers
    273. Define a fixed security suite
4_5. Implement and manage a firewall on end-user devices
    255. Allow access only to the necessary ports
4_7. Manage default accounts on enterprise assets and software
    142. Change system default credentials
4_8. Uninstall or disable unnecessary services on enterprise assets and software
    221. Disconnect unnecessary input devices
    255. Allow access only to the necessary ports
5_1. Establish and maintain an inventory of accounts
    095. Define users with privileges
5_2. Use unique passwords
    143. Unique access credentials
5_3. Disable dormant accounts
    130. Limit password lifespan
    144. Remove inactive accounts periodically
5_5. Establish and maintain an inventory of service accounts
    154. Eliminate backdoors
6_2. Establish an access revoking process
    034. Manage user accounts
6_4. Require MFA for remote network access
    181. Transmit data using secure protocols
6_5. Require MFA for administrative access
    181. Transmit data using secure protocols
7_3. Perform automated operating system patch management
    353. Schedule firmware updates
7_4. Perform automated application patch management
    262. Verify third-party components
8_2. Collect audit logs
    075. Record exceptional events in logs
8_4. Standardize time synchronization
    363. Synchronize system clocks
8_5. Collect detailed audit logs
    075. Record exceptional events in logs
    079. Record exact occurrence time of events
    376. Register severity level
    377. Store logs based on valid regulation
    378. Use of log management system
9_2. Use DNS filtering services
    258. Filter website content
    259. Segment the organization network
9_4. Restrict unnecessary or unauthorized browser and email client extensions
    266. Disable insecure functionalities
9_6. Block unnecessary file types
    118. Inspect attachments
9_7. Deploy and maintain email server anti-malware protections
    116. Disable images of unknown origin
10_6. Centrally manage anti-malware software
    273. Define a fixed security suite
12_2. Establish and maintain a secure network architecture
    249. Locate access points
12_6. Use of secure network management and communication protocols
    257. Access based on user credentials
13_4. Perform traffic filtering between network segments
    273. Define a fixed security suite
13_9. Deploy port-level access control
    088. Request client certificates
    253. Restrict network access
    257. Access based on user credentials
13_10. Perform application layer filtering
    062. Define standard configurations
    273. Define a fixed security suite
16_1. Establish and maintain a secure application development process
    158. Use a secure programming language
16_4. Establish and manage an inventory of third-party software components
    262. Verify third-party components
16_5. Use up-to-date and trusted third-party software components
    262. Verify third-party components
16_10. Apply secure design principles in application architectures
    152. Reuse database connections
    173. Discard unsafe inputs
    284. Define maximum number of connections
16_11. Leverage vetted modules or services for application security components
    147. Use pre-existent mechanisms