Prioritizing Best Practices for the Level 2 and Level 3 maturities#
Level 2 and Level 3 Maturities#
More mature organizations should take a more sophisticated approach to prioritizing best practice implementation.
The CIS Community Defense Model#
To help organizations determine where to invest their next dollar in cybersecurity, CIS developed the Community Defense Model (CDM). The CDM was created to help answer that and other questions about the value of the CIS Controls based on currently available threat data from industry reports. Ready more about the CIS Controls in the CIS Controls best practice. In short, the Community Defense Model is a data-driven, prioritized approach to building yourself up to a defense-in-depth posture.
Using authoritative data sources like the Verizon Data Breach Investigations Report, CIS identified the top attack types that enterprises should defend against.
For CDM 2.0, the top five attack types are:
Malware
Ransomware
Web Application Hacking
Insider and Privilege Misuse
Targeted Intrusions
Certain techniques are used to execute each of these types of attacks. The CDM uses the MITRE ATT&CK framework to cateogize these techniques and sub-techniques. These are mapped to mitigations, such as the Safeguards contained with the CIS Controls and the actions within this Guide’s best practices, that protect against one or more sub-technique.
Using real world data, the CDM determines which Safeguards are the most efficient–the Safeguards that mitigate the most sub-techniques and thus, when implemented, are most likely to stop any given attack.
In the table below, we map the highest efficiency Safeguards from the CIS Controls to the best practices in this Guide to establish the priority best practices. For more details on the efficiency rankings, see Figure 13 of the CDM 2.0.
This efficiency ranking drives the ordering of the best practices in this Guide, with some exceptions particular to elections. While we recommend following the prescribed order, do what’s best for your environment and, most importantly, keep making progress!
Rank |
Safeguard |
Safeguard Title |
Essential Guide Best Practice |
|---|---|---|---|
1 |
4.1 |
Establish and Maintain a Secure Configuration Process |
|
2 |
4.7 |
Manage Default Accounts on Enterprise Assets and Software |
|
3 |
5.3 |
Disable Dormant Accounts |
|
4 |
6.1 |
Establish an Access Granting Process |
|
5 |
6.2 |
Establish an Access Revoking Process |
|
6 |
5.4 |
Restrict Administrator Privileges to Dedicated Administrator Accounts |
|
7 |
18.3 |
Remediate Penetration Test Findings |
|
8 |
18.5 |
Perform Periodic Internal Penetration Tests |
|
9 |
6.8 |
Define and Maintain Role-Based Access Control |
|
10 |
4.8 |
Uninstall or Disable Unnecessary Services on Enterprise Assets and Software |
|
11 |
3.12 |
Segment Data Processing and Storage Based on Sensitivity |
|
12 |
5.2 |
Use Unique Passwords |
|
13 |
6.4 |
Require MFA for Remote Network Access |
|
14 |
6.5 |
Require MFA for Administrative Access |
|
15 |
12.8 |
Maintain Dedicated Computing Resources for All Administrative Work |
|
16 |
2.3 |
Address Unauthorized Software |
|
17 |
2.5 |
Allowlist Authorized Software |
|
18 |
4.2 |
Maintain a Secure Configuration Process for Network Infrastructure |
|
19 |
4.4 |
Implement and Manage a Firewall on Servers |
|
20 |
6.3 |
Require MFA for Externally-Exposed Applications |
The best practices in the right column are listed as priority actions in the best practice index and should be implemented first for the Level 2 and Level 3 maturities.