
Nikolas Rösener
Security Expert
- cyber-security@ohb-ds.de
- 0421220950
When we talk about cyber security risk, most people first think of large-scale, targeted hacker attacks on large companies and countries. We talk about advanced persistent threats (APTs), zero-day vulnerabilities, spear phishing and CEO fraud.
In fact, cyber security here simply means that the risk is not limited to IT, but affects the entire company and originates in the cyber domain, i.e. primarily the internet. Every small and medium-sized enterprise (SME) is exposed to a considerable cyber security risk on a daily basis, simply because it has systems and employees that interact with the internet. However, the biggest risk for these companies is not (nationally-motivated) targeted attacks with unknown vulnerabilities, but global malware, phishing and ransomware campaigns by profit-oriented cyber criminals. These use simple scams and known vulnerabilities to cause damage and extort money quickly and on a large scale.
The effects can be devastating. The damage caused by a malware or ransomware attack is often existential for small and medium-sized companies. It is therefore essential for every decision-maker in a company to know what risk their employees and resources are exposed to and what options are available to effectively reduce this risk.
The first and most important step is to analyze the threats and challenges to cyber security. Security frameworks can enable systematic recording but, like the BSI's IT baseline protection in Germany, are often too extensive for SMEs to cope with. With the CIS Controls, the Center for Information Security (CIS) provides a framework whose scope can also be tailored to small and medium-sized companies.
The 20 critical control points of the CIS Controls Framework are divided into three categories:
The Basic category contains basic control points for managing hardware and software, as well as authorization, configuration and vulnerability management.
The Foundational category contains important defense measures for data, software, firewalls, routers, switches, as well as mobile and stationary end devices.
The Organizational category deals with organizational measures such as awareness training, incident response and the implementation of penetration tests.

There is no "one-size-fits-all" solution for adequate security. The CIS also recognizes this and divides the measures for assessing and dealing with risks into three implementation groups.
The first group, IG1, contains solutions for companies with limited resources and little experience in the area of cyber security. The aim here is to create an appropriate basic level of control options on which further controls and measures can be built.
IG2 contains controls for medium-sized companies and companies that have already taken measures and gained experience in the area of cyber security. These include efficient and pragmatic protection against malware, phishing and ransomware.
Finally, IG3 is for companies that have sufficient expertise and resources to arm themselves against the APTs and zero-day hacks mentioned at the beginning.

In practice, this looks as follows: in order to use control number 6, Maintenance, Monitoring and Analysis of Audit Logs, to ensure that the necessary log files are available for a post-mortem analysis after an IT incident, IG1 requires the audit logs of all relevant systems to be activated. This usually only requires a one-off effort. In IG2, a central log management system with analysis functions is to be introduced so that security personnel can quickly identify new threats such as a malware infection or a DDoS attack and track them retrospectively. Finally, to protect large infrastructures and detect new types of attacks with zero-day vulnerabilities, IG3 consolidates the information in a SIEM and partially automates the response.
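To make the IG1/IG2 distinction for control 6 concrete, here is a small added example (not code from the original article or from CIS): a handful of constructed syslog-style authentication lines from three hosts are ingested into one place, so that a pattern no single host would flag on its own (five failed logins from one source, spread across three machines) becomes visible, and the same source's activity can be traced retrospectively. Host names, IP addresses, the log format and the threshold are all constructed for illustration.

```python
"""Toy central log analysis in the spirit of CIS Control 6 at IG2.

Constructed example: the sample lines, hosts, addresses and threshold below
are made up for illustration and do not describe any real system.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines, as they might arrive at a central collector.
SAMPLE_LOGS = [
    "2024-03-01T08:00:01 host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T08:00:03 host-a sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T08:00:05 host-b sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T08:00:06 host-b sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T08:00:09 host-c sshd: Accepted password for alice from 192.0.2.10",
    "2024-03-01T08:00:12 host-c sshd: Failed password for alice from 203.0.113.7",
    "2024-03-01T08:01:00 host-a sshd: Accepted password for admin from 203.0.113.7",
]

# One simple line format; real collectors normalise many formats into one schema.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Return a dict for one audit line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def ingest(lines):
    """Collect the events of all hosts into one list (the 'central' step of IG2)."""
    return [ev for ev in map(parse_line, lines) if ev is not None]


def failed_logins_by_source(events, threshold=3):
    """Sources with at least `threshold` failed logins counted across all hosts.

    With per-host logs only (IG1), host-a, host-b and host-c each see one or
    two failures; the cross-host count is what reveals the pattern.
    """
    counts = Counter(ev["src"] for ev in events if ev["result"] == "Failed")
    return {src: n for src, n in counts.items() if n >= threshold}


def timeline_for_source(events, src):
    """Retrospective view: everything one source did, in time order, across hosts."""
    hits = sorted((ev for ev in events if ev["src"] == src), key=lambda e: e["ts"])
    return [(ev["ts"].isoformat(), ev["host"], ev["result"], ev["user"]) for ev in hits]


def hosts_with_no_logs(events, expected_hosts):
    """Coverage check: a relevant system that sends nothing is an IG1 gap."""
    seen = {ev["host"] for ev in events}
    return sorted(set(expected_hosts) - seen)


if __name__ == "__main__":
    evs = ingest(SAMPLE_LOGS)
    print("suspicious sources:", failed_logins_by_source(evs))
    for row in timeline_for_source(evs, "203.0.113.7"):
        print(row)
    print("silent hosts:", hosts_with_no_logs(evs, ["host-a", "host-b", "host-c", "host-d"]))
```

The last function is the IG1 side of the same control: before any analysis is possible, every relevant system has to be sending logs at all, and a host that is expected but silent is the first thing a central collector should report.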
For companies of all sizes, the Implementation Groups also provide a good guideline for prioritizing security measures. This ensures that the core problems are tackled first and the cyber security risk is optimally reduced from the outset. More information on the Implementation Groups can be found in the associated CIS white paper.
CIS offers the CIS Controls Self-Assessment Tool (CSAT) for anyone who wants a quick overview of their current cyber security situation. With this free tool, anyone who has the necessary overview of the measures currently implemented can theoretically carry out a cyber risk assessment.
The CIS controls offer a quick and effective introduction to analyzing cyber security risks. However, if you run the CSAT and take a look at the sub-controls, you will notice that this is not an "out-of-the-box" checklist. For each control point, the generically formulated requirement must be adapted to the technological and organizational circumstances of the company's IT and, if necessary, unsuitable requirements must be revised or replaced appropriately.
In particular, companies that have made the leap to the Microsoft cloud already have all the technological prerequisites to implement the basic control points of Implementation Groups 1 and 2. However, they usually lack the expertise and the guidelines with which the objectives of the controls can be achieved.
For example, the sub-controls in IG1 require the ongoing inventory of all hardware as well as the selective release of software, IG2 requires tracking of the software actually installed, and IG3 requires an integration that brings this information together. All three controls are technologically covered by the use of Microsoft Intune for end devices. However, it must also be ensured operationally that all devices are included and that a software blacklist or whitelist is maintained and enforced!
We therefore offer a cyber security analysis that is fully customized to the Microsoft 365 cloud offering. With our questionnaire on the implementation status and usage behaviour of the various Microsoft security tools such as Microsoft Intune, Microsoft Information Protection or Azure AD Security Defaults, you can clearly visualize your treated and untreated risks and develop a concrete action plan for your company's cyber security strategy in consultation with us.

The CIS Controls also offer small and medium-sized companies the opportunity to quickly assess their cyber security risk and identify opportunities for improvement through generic measures.
Our cyber security analysis also gives you the opportunity to show the concrete implementation status of technological measures in Microsoft 365 and to clearly visualize the cyber security risk addressed.
