The Center for Internet Security has updated its set of safeguards for warding off the five most common types of attacks facing enterprise networks: web-application hacking, insider and privilege misuse, malware, ransomware, and targeted intrusions.
In issuing its CIS Controls V8 this month, the organization sought to present practical and specific actions businesses can take to protect their networks and data. These range from making an inventory of enterprise assets to account management to auditing logs.
In part the new version was needed to address changes to how businesses operate since V7 was issued three years ago, and those changes guided the work. "Movement to cloud-based computing, virtualization, mobility, outsourcing, work-from-home, and changing attacker tactics have been central in every discussion," the new controls document says.

CIS changed the format of the controls a bit, describing actions that should be taken to address threats and weaknesses without saying who should perform those tasks. That puts the focus on the tasks without tying them to specific teams within the enterprise.
The controls each come with detailed procedures for implementing them along with links to related resources. Here is a brief description of the 18 controls.
Control 1: Inventory and control of enterprise assets
This calls for actively managing inventories, tracking, and correcting all end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers that connect to the infrastructure physically, virtually, remotely, and those within cloud environments. The inventory will help identify devices to remove or remediate.
Control 2: Inventory and control of software assets
Enterprises should actively inventory, track, and correct all operating systems and applications on the network to spot and block unauthorized and unmanaged software so that only authorized software is installed and can execute.
Control 3: Data protection
Data processes and technical controls should be put in place to identify, classify, securely handle, retain, and dispose of data.
The ideal for this is to put data of the same sensitivity level on the same network segment, isolated from data with other sensitivity levels. Firewalls would control access to each segment, and access would be granted only to users with a business need to reach it.
Control 4: Secure configuration of assets and software
Secure configurations of end-user devices, including portable and mobile; network devices; non-computing/IoT devices; servers; operating systems; and applications should be established, stored, and maintained. Installing VPNs in front of servers and using DNS servers that are controlled by the enterprise are recommended.
Control 5: Account management
This recommends using processes and tools to manage authorization to enterprise assets and software. These include administrator and service accounts. One recommendation calls for restricting administrator privileges to dedicated administrator accounts and granting those privileges only to those who actually administer network assets. These admins should also have separate accounts that they use for accessing email, web browsing, and productivity apps.
Control 6: Access-control management
Enterprises should use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software. Role-based access should be assigned to each account based on need-to-know, least privilege, privacy requirements, and separation of duties.
Control 7: Continuous vulnerability management
Vulnerabilities should be continuously assessed and tracked on enterprise infrastructure so they can be remediated in a timely fashion that minimizes the window of opportunity for attackers to exploit them. Public and private industry sources of new threat and vulnerability information should be used to support this process.
Control 8: Audit log management
Audit logs should be collected, reviewed, and retained to document events and help detect, understand, and recover from attacks. Logs can show when and how attacks occur, what information was accessed, and whether data was exfiltrated. Retention of logs is critical for follow-up investigations and for understanding attacks that remain undetected for a long period of time.
Control 9: Email and web browser protections
This control urges improving protections and detections against email and web threats that can manipulate human behavior through direct engagement; these are prime targets for both malicious code and social engineering. Safeguards include use of DNS-filtering services to reduce exposure and enforcement of network-based URL filters.
Control 10: Malware defenses
Enterprises should prevent or control the installation, spread, and execution of malicious software on enterprise assets, using methods that include anti-malware software on all enterprise assets, scanning for malware on removable media such as thumb drives, and enabling anti-exploitation features "such as Microsoft® Data Execution Prevention (DEP), Windows® Defender Exploit Guard (WDEG), or Apple® System Integrity Protection (SIP) and Gatekeeper™."
Control 11: Data recovery
Data-recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state should be put in place. Because configuration changes can create vulnerabilities for attackers to exploit, it is important to have recent backups to recover enterprise assets and data to a known trusted state.
Control 12: Network infrastructure management
Enterprises should track, report on, and correct network devices to prevent attackers from exploiting network services and points of access. The infrastructure includes physical and virtual gateways, firewalls, wireless access points, routers, and switches. These measures should address vulnerabilities that can be introduced by default settings, monitor for changes, and reassess current configurations. One example is running the latest stable release of software or using currently supported network-as-a-service (NaaS) offerings.
Further, enterprises should maintain network diagrams and other system documentation, and review and update them annually. Computing resources used for administrative tasks should be physically or logically separated from the primary enterprise network and isolated from internet access.
Control 13: Network monitoring and defense
Comprehensive network monitoring and defenses against threats should be established, including intrusion detection, traffic filtering between network segments, and deployment of port-level controls such as those supported by 802.1x authentication.
Control 14: Security-awareness and skills training
A security awareness program should be established to create security consciousness among the workforce and provide them the skills to reduce cybersecurity risks.
Control 15: Service provider management
A process to evaluate service providers who hold sensitive data or are responsible for critical enterprise-IT platforms or processes should be set up to ensure they are providing appropriate protection. Enterprises should set requirements for service providers, which might include minimum security programs, security incident and data-breach notification and response, data-encryption requirements, and data-disposal commitments. Enterprises should review service provider contracts annually to ensure they include the requirements.
Control 16: Application software security
Enterprises should manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they affect the enterprise. Organizations should also use standard, industry-recommended configuration templates to harden underlying servers, databases, and web servers. This also applies to cloud containers, platform-as-a-service components, and SaaS components.
Control 17: Incident-response management
Key roles and responsibilities should be assigned for incident response, including staff from legal, IT, information security, facilities, public relations, human resources, incident responders, and analysts, as applicable. The plan should be reviewed annually or when significant enterprise changes occur that could affect incident response.
Control 18: Penetration testing
A penetration testing program should simulate the actions of an attacker to identify and exploit weaknesses among people, processes, and technology. The program should be appropriate to the size, complexity, and maturity of the enterprise. Vulnerabilities should be remediated based on the enterprise's policy for remediation scope and prioritization.
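The Control 5 and Control 6 safeguards above (admin privileges only on dedicated administrator accounts, a separate everyday account for each admin, and privileges limited to what the role needs) can be checked mechanically against an account inventory. The following is an added example written for this article, not CIS's own tooling; the account record layout, the role-to-privilege table, and the sample inventory are assumptions constructed for illustration.

```python
"""Audit a constructed account inventory against the CIS Controls V8
Control 5/6 safeguards: admin rights only on dedicated admin accounts,
admins hold a separate everyday account, and privileges match role."""
from dataclasses import dataclass, field

# Hypothetical least-privilege table: what each role is allowed to hold.
ROLE_PRIVILEGES = {
    "admin": {"local_admin", "domain_admin"},
    "service": {"service_logon"},
    "user": set(),
}


@dataclass
class Account:
    name: str
    owner: str                  # person or system that owns the account
    role: str                   # "admin", "service" or "user"
    privileges: set = field(default_factory=set)
    uses_email_or_web: bool = False   # seen in mail/proxy logs (assumed field)


def audit_accounts(accounts):
    """Return (account name, finding) pairs for every safeguard violation."""
    findings = []
    by_owner = {}
    for acct in accounts:
        by_owner.setdefault(acct.owner, []).append(acct)
    for acct in accounts:
        # Control 6: privileges beyond what the role needs (least privilege).
        excess = acct.privileges - ROLE_PRIVILEGES.get(acct.role, set())
        if excess:
            findings.append((acct.name, f"privileges beyond role: {sorted(excess)}"))
        if acct.role == "admin":
            # Control 5: admin accounts are not for email, web or productivity apps.
            if acct.uses_email_or_web:
                findings.append((acct.name, "admin account used for email/web"))
            # Control 5: the admin needs a separate non-admin account for daily work.
            if not any(o.role == "user" for o in by_owner[acct.owner]):
                findings.append((acct.name, "no separate everyday account for admin"))
    return findings


# Constructed sample inventory: one compliant admin, one non-compliant admin,
# and an over-privileged service account.
SAMPLE = [
    Account("alice", "alice", "user"),
    Account("alice-adm", "alice", "admin", {"domain_admin"}),
    Account("bob-adm", "bob", "admin", {"domain_admin"}, uses_email_or_web=True),
    Account("svc-backup", "backup", "service", {"service_logon", "local_admin"}),
]

if __name__ == "__main__":
    for name, msg in audit_accounts(SAMPLE):
        print(f"{name}: {msg}")
```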