Center for Internet Security

Founded: October 2000 [1]
Type: 501(c)(3) nonprofit organization [2]
Legal status: Active
Headquarters: East Greenbush, New York
Locations:
  • Washington, DC
  • Clifton Park, New York
Coordinates: 42°36′44″N 73°41′58″W
President and CEO: John C. Gilligan [3] [4]
Affiliations: ISACA, AICPA, IIA, ISC2, SANS Institute [1]
Website: www.cisecurity.org

The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization, [2] formed in October 2000. [1] Its mission statement professes that the function of CIS is to "help people, businesses, and governments protect themselves against pervasive cyber threats."

The organization is headquartered in East Greenbush, New York, US, with members including large corporations, government agencies, and academic institutions. [1]

Program areas

CIS has several program areas, including MS-ISAC, CIS Controls, CIS Benchmarks, CIS Communities, and CIS CyberMarket. Through these program areas, CIS works with a wide range of entities, including those in academia, the government, and both the private sector and the general public to increase their online security by providing them with products and services that improve security efficiency and effectiveness. [5] [6]

Multi-State Information Sharing and Analysis Center (MS-ISAC)

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is a "round-the-clock cyber threat monitoring and mitigation center for state and local governments" operated by CIS under a cooperative agreement with the U.S. Department of Homeland Security [7] (DHS), Cybersecurity and Infrastructure Security Agency [8] (CISA). [9] The MS-ISAC was established in late 2002, and officially launched in January 2003, by William F. Pelgrin, then Chief Security Officer of the state of New York. [10] Beginning with a small group of participating states in the Northeast, MS-ISAC grew to include all 50 U.S. states and the District of Columbia, as well as U.S. State, Local, Tribal, and Territorial (SLTT) governments. To accommodate its expanding scope, in late 2010 MS-ISAC "transitioned into a not-for-profit status under the auspices of the Center for Internet Security." The transition was facilitated by CIS having "an established reputation for providing cybersecurity resources to the public and private sectors". [10] [11]

MS-ISAC "helps government agencies combat cyberthreats and works closely with federal law enforcement", [12] [13] and is designated by DHS as a key cyber security resource for the nation's SLTT governments.

The main objectives of MS-ISAC are described as follows: [14]

The MS-ISAC offers a variety of federally funded, no-cost cybersecurity products and services to its members through the DHS CISA cooperative agreement. It also offers fee-based products and services for SLTT members who want protection beyond what is offered under the cooperative agreement. In 2021, the MS-ISAC announced [15] that it was undergoing a digital transformation, making major infrastructure upgrades including the implementation of a new cloud-based threat intelligence platform, a security information and event management (SIEM) capability, a security orchestration, automation, and response (SOAR) tool, and data lake capabilities for threat hunting.

Some of the offerings for SLTTs include:

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), as established by the Election Infrastructure Subsector Government Coordinating Council (GCC), is a critical resource for cyber threat prevention, protection, response and recovery for the nation's state, local, territorial, and tribal (SLTT) election offices. The EI-ISAC is operated by the Center for Internet Security, Inc. under the same cooperative agreement with DHS CISA as the MS-ISAC. Because election offices are SLTT organizations, each EI-ISAC member is automatically an MS-ISAC member and can take full advantage of the products and services provided to both ISACs.

The mission of the EI-ISAC is to improve the overall cybersecurity posture of SLTT election offices; collaboration and information sharing among members, the U.S. Department of Homeland Security (DHS) and other federal partners, and private sector partners are regarded as the keys to success. The EI-ISAC provides a central resource for gathering information on cyber threats to election infrastructure and for two-way sharing of information between and among the public and private sectors, in order to identify, protect against, detect, respond to and recover from attacks on public and private election infrastructure. The EI-ISAC comprises representatives from SLTT election offices and contractors supporting SLTT election infrastructure. [20]

CIS Controls and CIS Benchmarks

Formerly known as the SANS Critical Security Controls (SANS Top 20) and the CIS Critical Security Controls, the CIS Controls, as they are called today, are a set of 18 prioritized safeguards to mitigate the most prevalent cyber-attacks against modern systems and networks. The CIS Controls are grouped into Implementation Groups [21] (IGs), which allow an organization to use a risk assessment to determine the appropriate IG level (one through three) to implement. The CIS Controls can be downloaded from CIS, as can various mappings to other frameworks such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework [22] (CSF), NIST Special Publication (SP) 800-53, [23] and many others. CIS also offers a free hosted software product called the CIS Controls Self Assessment Tool [24] (CIS CSAT) that allows organizations to track and prioritize the implementation of the CIS Controls.

The CIS Controls advocate "a defense-in-depth model to help prevent and detect malware". [25] A May 2017 study showed that "on average, organizations fail 55% of compliance checks established by the Center for Internet Security", with more than half of these violations being high severity issues. [26] In March 2015, CIS launched CIS Hardened Images for Amazon Web Services, in response to "a growing concern surrounding the data safety of information housed on virtual servers in the cloud". [27] The resources were made available as Amazon Machine Images for six "CIS benchmarks-hardened systems", including Microsoft Windows, Linux and Ubuntu, with additional images and cloud providers added later. [27] CIS released Companion Guides to the CIS Controls, recommendations for actions to counter cybersecurity attacks, with new guides released in October and December 2015. [28] In April 2018, CIS launched an information security risk assessment method for implementing the CIS Controls, called CIS RAM, which is based on the risk assessment standard of the DoCRA (Duty of Care Risk Analysis) Council. [29] CIS RAM v2.0 [30] was released in October 2021. [31] CIS RAM v2.1 was released in 2022.

CIS Benchmarks are a collaboration of the Consensus Community and CIS SecureSuite members (a class of CIS members with access to additional sets of tools and resources). [32] The Consensus Community is made up of experts in the field of IT security who use their knowledge and experience to help the global Internet community. CIS SecureSuite members are companies and organizations of many types and sizes, including government agencies, colleges and universities, nonprofits, IT auditors and consultants, and security software vendors. CIS Benchmarks and the other tools that CIS provides at no cost allow IT workers to create reports that compare their system security to a universal consensus standard. This fosters a new structure for internet security that everyone is accountable for and that is shared by top executives, technology professionals and other internet users throughout the globe. Further, CIS provides internet security tools with a scoring feature that rates the configuration security of the system at hand. For example, CIS provides SecureSuite members with access to CIS-CAT Pro, a "cross-platform Java app" which scans target systems and "produces a report comparing your settings to the published benchmarks". [5] This is intended to encourage and motivate users to improve the scores given by the software, which bolsters the security of their networks and systems. The universal consensus standard that CIS employs draws upon the accumulated knowledge of skilled technology professionals. Because security professionals contribute to this consensus as volunteers, CIS's costs are reduced and the process is cost-effective. [33]

CIS CyberMarket

CIS CyberMarket is a "collaborative purchasing program that serves U.S. State, Local, Tribal, and Territorial (SLTT) government organizations, nonprofit entities, and public health and education institutions to improve cybersecurity through cost-effective group procurement". [34] The intent of the CIS CyberMarket is to combine the purchasing power of governmental and nonprofit sectors to help participants improve their cybersecurity condition at a lower cost than they would have been able to attain on their own. The program assists with the "time intensive, costly, complex, and daunting" task of maintaining cybersecurity by working with the public and private sectors to bring their partners cost-effective tools and services. The combined purchasing opportunities are reviewed by domain experts. [14]

There are three main objectives of the CIS CyberMarket:

CIS CyberMarket, like the MS-ISAC, serves government entities and non-profits in achieving greater cyber security. On its "resources" page, multiple newsletters and documents are available free of charge, including the "Cybersecurity Handbook for Cities and Counties". [35]

CIS Communities

CIS Communities are "a volunteer, global community of IT professionals" who "continuously refine and verify" CIS best practices and cybersecurity tools. [36] To develop and structure its benchmarks, CIS uses a strategy in which members of the organization first form into teams. Each team then collects suggestions, advice, official work and recommendations from a few participating organizations. The teams then analyze this material to determine which configuration settings would improve system security the most across as many work settings as possible. Each member of a team works continuously with their teammates, critically analyzing and critiquing a rough draft until a consensus forms among the team. Before a benchmark is released to the general public, it is made available for download and testing within the community. After reviewing all of the feedback from testing and making any necessary adjustments, the final benchmark and other relevant security tools are made available to the public for download through the CIS website. This process is so extensive and so carefully executed that thousands of security professionals across the globe participate in it. According to ISACA, "during the development of the CIS Benchmark for Sun Microsystems Solaris, more than 2,500 users downloaded the benchmark and monitoring tools." [37]

Participating organizations

The organizations that participated in the founding of CIS in October 2000 include ISACA, the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the International Information Systems Security Certification Consortium (ISC2) and the SANS Institute (System Administration, Networking and Security). CIS has since grown to hundreds of members at varying levels of membership, and cooperates with a variety of organizations and members at both the national and international levels, including those in the public and private sectors, government, ISACs and law enforcement. [1]

References

  1. Kreitner, Clint; Miuccio, Bert. "The Center for Internet Security: Global Security Benchmarks for Computers Connected to the Internet". Information Systems Audit and Control Association (ISACA). Archived from the original on 12 March 2014. Retrieved 25 July 2017.
  2. Rulison, Larry (9 November 2016). "E. Greenbush group monitored election for hackers". Albany Times Union.
  3. Ackerman, Robert K.; Pendleton, Breann (28 June 2017). "More Than Just Your Regular Cyberthreats". Signal. AFCEA International.
  4. "John M. Gilligan". Center for Internet Security. Retrieved 25 July 2017.
  5. "Information Security and Policy: About The Center for Internet Security". University of California, Berkeley. Retrieved 25 July 2017.
  6. "CIS Security Benchmarks Tools". George Mason University. Retrieved 25 July 2017.
  7. "Home". dhs.gov.
  8. "Home". cisa.gov.
  9. "Partnership Engagement Branch | CISA". www.cisa.gov. Retrieved 13 July 2021.
  10. Lohrmann, Dan (30 May 2015). "Interview with Retiring MS-ISAC Founder Will Pelgrin and Incoming CIS CEO Jane Lute". Government Technology.
  11. "Multi-State Information Sharing and Analysis Center". Center for Internet Security. Retrieved 21 March 2014.
  12. Nakashima, Ellen (29 August 2016). "Russian hackers targeted Arizona election system". The Washington Post.
  13. Clark, Robert M.; Hakim, Simon (11 August 2016). Cyber-Physical Security: Protecting Critical Infrastructure at the State, Provincial, and Local Level (Issues in Cyber-Physical Security). Springer. p. 11. ISBN 9783319328249.
  14. "Center for Internet Security". Center for Internet Security. Retrieved 25 July 2017.
  15. "Cybersecurity Quarterly (Summer 2021)". Issuu. 29 June 2021. Retrieved 13 July 2021.
  16. "Blog | Malicious Domain Blocking and Reporting (MDBR) Newest Service for U.S. SLTTs". 2 September 2020.
  17. "Albert Network Monitoring".
  18. "Blog | A New Vision for Cyber Threat Intelligence at the MS-ISAC". 25 June 2021.
  19. "Blog | A New Vision for Cyber Threat Intelligence at the MS-ISAC". CIS. 25 June 2021. Retrieved 13 July 2021.
  20. "EI-ISAC Charter". CIS. Retrieved 2 April 2023.
  21. "Implementation Groups Handout".
  22. "CIS Controls v8 Mapping to NIST CSF".
  23. "CIS Controls v8 Mapping to NIST SP 800-53 R5".
  24. "CIS Controls Self Assessment Tool (CIS CSAT)".
  25. Shelton, Debbie (December 2016). "A winning pair: governance and automated controls must work in tandem to achieve maximum results". Internal Auditor.
  26. Seals, Tara (26 May 2017). "Cloud Environments Suffer Widespread Lack of Security Best Practices". Infosecurity Magazine.
  27. Seals, Tara (25 March 2015). "Center for Internet Security Aims at AWS". Infosecurity Magazine.
  28. Seals, Tara (23 December 2015). "Center for Internet Security Releases Companion Guides". Infosecurity Magazine.
  29. "CIS RAM FAQ". Center for Internet Security, Inc.
  30. "Blog | CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8". 28 October 2021.
  31. "CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8". October 2021. Archived from the original on 29 October 2021.
  32. "CIS SecureSuite Membership". Retrieved 25 July 2016.
  33. "Center for Internet Security Takes Leading Role in Industry Efforts to Enhance Security Automation". Business Wire. 12 September 2013.
  34. "CIS CyberMarket". Retrieved 25 July 2017.
  35. "Welcome to the MS-ISAC". Center for Internet Security. Retrieved 25 July 2017.
  36. "CIS Communities". Retrieved 29 July 2017.
  37. "ISACA: Serving IT Governance Professionals". Archived from the original on 2 March 2013. Retrieved 7 March 2014.