Join HSToday for a conversation about the Center for Internet Security’s New Community Defense Model.
Panelists:
Curtis W. Dukes joined CIS as the Executive Vice President and General Manager of the Best Practices and Automation Group in January 2017. The CIS Benchmarks™ and CIS Controls™ program provides vendor-agnostic, consensus-based best practices to help organizations assess and improve their security. Prior to CIS, Curtis served as the Deputy National Manager (DNM) for National Security Systems (NSS). On behalf of the Director of NSA, the DNM is charged with securing systems that handle classified information or are otherwise critical to military and intelligence activities.
Gen. Stefanie Horvath of the Minnesota National Guard is a long-time supporter of the Controls who is now also dual-hatted as the Mobilization Assistant to the Director, J-2, U.S. Cyber Command, and works full-time for the State of Minnesota as the Chief Business Technology Officer for the Minnesota Boards, Councils and Commissions.
Rob Morgus is currently a senior director on the staff of the Cybersecurity Solarium Commission and has served as an expert advisor for the World Economic Forum, among other significant contributions to improve cybersecurity in the U.S. and abroad. CIS’s collaboration with Rob began when he worked at New America, which hosted a webinar in 2017 on the release of a privacy guide to the Controls.
COMMUNITY DEFENSE MODEL:
The Center for Internet Security released Version 2.0 of its Community Defense Model, which shows that the CIS Critical Security Controls, which act as a blueprint for network operators to implement specific safeguards in priority order, defend against 86% of the top five attack types identified in the MITRE ATT&CK framework.
Further, the CIS Controls Implementation Group 1 (IG1), the group that is least costly and difficult to implement and that serves as essential cyber hygiene, defends against the top five attack types in the MITRE ATT&CK framework as follows:
Malware: 77% of Malware ATT&CK (sub-)techniques can be defended through the implementation of IG1.
Ransomware: 78%
Web Application Hacking: 86%
Insider Privilege and Misuse: 86%
Targeted Intrusions: 83%