Center for Internet Security's Updated Critical Controls Equal Improved Cyberhealth

The center has been an outspoken proponent of advancing what it calls critical security controls, which serve as a substantive starting point for organizations looking to beef up their organizational cybersecurity standing.

The Center for Internet Security released the 6.0 version of its well-regarded critical security controls earlier this year. 

Despite fairly limited changes to the nonprofit’s advisements, officials with the groups said the updated Controls for Effective Cyber Defense Version 6.0 serves as a substantive starting point for organizations looking to beef up their organizational cybersecurity standing.

Senior Vice President and Chief Evangelist Tony Sager, who formerly worked for the National Security Agency (NSA) as an information assurance professional, said the regularly updated list is meant to establish foundational guidelines and best practices for better cyberhygiene.

The prioritized list, released in mid-October, offers a means for bolstering enterprise security in addition to existing software and protocols, said Sager. 

“One of the problems with this business is… there are literally thousands of things you can do, but you’re never going to do them all," he said. "The issue for me was always about priority. What do I do first?”

By taking a collaborative, industrywide approach to the development and regular update of priorities, Sager said the 20 recommendations can be a key part in combating the unavoidable “soup of bad things” that exist in cyberspace today.

“I believe strongly … that 80 to 90 percent of what is going on out there in the wild, all these attacks and hacks, affects everybody," he said. "We all face this soup of bad things going on out there, and we have to deal with it whether we believe it’s targeted at us today or not."

One of the more noticeable changes made to this rendition of the critical security controls was the increased importance placed on administrative privilege. 

Sager said organizations without a clear chain of administrative command risk a patchwork of software and devices that may allow for easier access on the part of malicious hackers.

“The reason that’s a big problem is that people who have that level of control can delete files, install things and, for example, if someone with administrative privilege gets hit with a hack … then that malware now gets to act with their privilege,” he said. “If you don’t have control over the devices, hardware and software, it’s pretty hard to recover from a bad thing. A lot of other things happen if you don’t have good foundational things done. It’s like trying to rebuild your house without the original floorplans.”

Foundational Controls

The Center for Internet Security’s prioritized list of foundational controls aims to bolster not just enterprise security, but also existing software and protocols. The first five controls, listed below, are considered the most important, according to CIS Senior Vice President and Chief Evangelist Tony Sager.

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software
4. Continuous Vulnerability Assessment and Remediation
5. Controlled Use of Administrative Privilege

According to the group’s vice president, the list has not been dramatically altered in the last three years. While he said there are undoubtedly threats evolving in the online environment, he pointed out that the threats are really not evolving as quickly as many people think.

“The list is fairly stable and has not changed dramatically in the last, I’d say, three years. We are keeping an eye on what’s going on out there and adding things and moving things up and down … We’re not trying to readjust every month,” he said. “The bad guys aren’t changing that fast either, frankly. There are a lot of things going on out there. It feels like there are millions of attacks, and there are, but they’re not all magical, special attacks. What we are really seeing is millions of repeats of a very small number of things over and over again, slight variations on the theme over and over again.”

Sager cited numbers from the U.S. Computer Emergency Readiness Team that put the small, repetitive attacks near the top of the list of risk factors. When systems are not adequately protected, he said these attacks can result in serious damage to connected systems.

“Their official number is that 85 percent of the uncountable number of things that they have to deal with are basically based on same roughly five things over and over again or the failure or absence of a small number of things that are not being done or are being done badly.”

Included in these minor repetitive attacks is the unstoppable phishing scheme, which Sager points to as a substantial to internal security. The seemingly random attacks are aimed at spreading malware via email. Additionally, spear phishing, or highly tailored phishing scams, are also a very real threat to an organization’s cyberhealth.

Eyragon Eidam is the Web editor for Government Technology magazine, after previously serving as assistant news editor and covering such topics as legislation, social media and public safety. He can be reached at