Fluid Attacks Database

CIS

Last updated: 2023/09/18

The Center for Internet Security Controls are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. They are mapped to and referenced by multiple legal, regulatory and policy frameworks. The version used in this section is CIS Controls v8.

Control-Requirement Mapping

Definition	Requirements
2_1. Establish and maintain a software inventory	262. Verify third-party components
2_5. Allowlist authorized software	041. Scan files for malicious code
2_7. Allowlist authorized scripts	186. Use the principle of least privilege 265. Restrict access to critical processes
3_3. Configure data access control lists	176. Restrict system objects 096. Set user's required privileges
3_6. Encrypt data on end-user devices	147. Use pre-existent mechanisms
3_10. Encrypt sensitive data in transit	181. Transmit data using secure protocols 224. Use secure cryptographic mechanisms
3_11. Encrypt sensitive data at rest	134. Store passwords with salt 185. Encrypt sensitive information
3_12. Segment data processing and storage based on sensitivity	259. Segment the organization network
4_1. Establish and maintain a secure configuration process	213. Allow geographic location 221. Disconnect unnecessary input devices 062. Define standard configurations
4_2. Establish and maintain a secure configuration process for network infrastructure	221. Disconnect unnecessary input devices 062. Define standard configurations
4_3. Configure automatic session locking on enterprise assets	023. Terminate inactive user sessions
4_4. Implement and manage a firewall on servers	273. Define a fixed security suite
4_5. Implement and manage a firewall on end-user devices	255. Allow access only to the necessary ports
4_7. Manage default accounts on enterprise assets and software	142. Change system default credentials
4_8. Uninstall or disable unnecessary services on enterprise assets and software	221. Disconnect unnecessary input devices 255. Allow access only to the necessary ports
5_1. Establish and maintain an inventory of accounts	095. Define users with privileges
5_2. Use unique passwords	143. Unique access credentials
5_3. Disable dormant accounts	130. Limit password lifespan 144. Remove inactive accounts periodically
5_5. Establish and maintain an inventory of service accounts	154. Eliminate backdoors
6_2. Establish an access revoking process	034. Manage user accounts
6_4. Require MFA for remote network access	181. Transmit data using secure protocols
6_5. Require MFA for administrative access	181. Transmit data using secure protocols
7_3. Perform automated operating system patch management	353. Schedule firmware updates
7_4. Perform automated application patch management	262. Verify third-party components
8_2. Collect audit logs	075. Record exceptional events in logs
8_4. Standardize time synchronization	363. Synchronize system clocks
8_5. Collect detailed audit logs	376. Register severity level 377. Store logs based on valid regulation 378. Use of log management system 075. Record exceptional events in logs 079. Record exact occurrence time of events
9_2. Use DNS filtering services	258. Filter website content 259. Segment the organization network
9_4. Restrict unnecessary or unauthorized browser and email client extensions	266. Disable insecure functionalities
9_6. Block unnecessary file types	118. Inspect attachments
9_7. Deploy and maintain email server anti-malware protections	116. Disable images of unknown origin
10_6. Centrally manage anti-malware software	273. Define a fixed security suite
12_2. Establish and maintain a secure network architecture	249. Locate access points
12_6. Use of secure network management and communication protocols	257. Access based on user credentials
13_4. Perform traffic filtering between network segments	273. Define a fixed security suite
13_9. Deploy port-level access control	253. Restrict network access 257. Access based on user credentials 088. Request client certificates
13_10. Perform application layer filtering	273. Define a fixed security suite 062. Define standard configurations
16_1. Establish and maintain a secure application development process	158. Use a secure programming language
16_4. Establish and manage an inventory of third-Party software components	262. Verify third-party components
16_5. Use up-to-date and trusted third-party software components	262. Verify third-party components
16_10. Apply secure design principles in application architectures	152. Reuse database connections 173. Discard unsafe inputs 284. Define maximum number of connections
16_11. Leverage vetted modules or services for application security components	147. Use pre-existent mechanisms

Free trial

Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan.If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.