“Critical Security Controls,” the name the Center for Internet Security (CIS) uses for the list of safeguards it maintains, is a high-tech, nerdy way of saying, “super-important things you really, really need to do.” They’re not kidding around, either; you really do need to do them.
The biggest hurdle to Internet safety and security is that people just don’t take the issue seriously. That is, they don’t take it seriously until they get in trouble: they discover their online accounts have been hacked, their passwords stolen, their bank accounts drained and a new car charged to their credit line. Then they become total tin-foil-hat-wearing, ultra-cautious security nuts. Until then, though, they usually have a devil-may-care, lah-de-dah, “it could never happen to me” attitude. The bad guys of the Internet are well aware of this lackadaisical attitude; they count on it as a key to their success.
The Center for Internet Security (www.cisecurity.org) is “an internationally recognized nonprofit organization focused on raising the level of cybersecurity preparedness globally.” This highly-respected group caters mainly to large business enterprises and government agencies in an effort to develop standards and “best practices” that can make the Internet a safer place. That’s all well and good, but leaves most “normal” computer users out in the cold. This is an unfortunate situation, but I feel it is important to take the high-end cybersecurity principles set forth by groups like CIS and apply them to the rest of us out here in Internetland.
CIS lists 20 “critical security controls” that should be implemented before a computer system can be considered protected. Some of the controls, such as “Limitation and Control of Network Ports, Protocols, and Services,” are written for network administrators and I.T. professionals and are beyond the ability of most mainstream users to figure out and enforce. Others, like “Malware Defenses” and “Email and Web Browser Protections,” are completely doable by regular computer users.
CIS calls the first five security controls in the list “Foundational Cyber Hygiene.” Numerous security experts have agreed that if people, including giant companies and government agencies, would just implement these first five controls, the large majority of hacks and attacks from the Internet bad guys would be thwarted. In fact, in the majority of successful hack attacks and network break-ins, the bad guys gained their advantage because someone on the receiving end was ignoring one of the five “Foundational Cyber Hygiene” controls.
Over the next few weeks, this column will look at the first five CIS security controls and how they can be understood and utilized by anyone of normal intelligence who uses a computer. It does not take a genius computer brainiac mind to take care of these things; only a willingness to try. I urge you to follow along and make up your mind that you not only will understand what is being discussed, but you will also take action on what is presented.