CIS_v8 3: CIS Control 3
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1566.001 Phishing: Spearphishing Attachment | Initial access through a malicious attachment sent to staff who hold access to sensitive data. Without a data inventory and classification scheme (safeguards 3.2 and 3.7) an organisation cannot say which mailboxes and roles warrant the tightest handling, so a single phished user can expose far more than intended. The technique bypasses technical controls through the human layer. | 90% |
| T1003.001 OS Credential Dumping: LSASS Memory | Credentials dumped from LSASS grant whatever access the harvested accounts hold. When data access is not scoped by classification (3.3 Configure Data Access Control Lists), those credentials open sensitive stores that should have required separate, tighter authorisation, and confidentiality is lost in one step. | 80% |
| T1083 File and Directory Discovery | The attacker enumerates file systems to locate data worth taking. If the organisation has not already identified and labelled its sensitive data, the attacker is the first party to do so, and nothing (no DLP rule, no access log scoped to sensitive paths) distinguishes that enumeration from normal activity. | 90% |
| T1005 Data from Local System | Collection directly from a compromised host. Unencrypted end-user devices (3.6) and sensitive files kept outside their designated, access-controlled location make collection trivial; it is the immediate precursor to exfiltration. | 90% |
| T1039 Data from Network Shared Drive | Collection from file shares, which is where classification most often lapses: sensitive files accumulate on broadly readable drives, and without ACLs derived from classification (3.3) and segmentation by sensitivity (3.12) one compromised account reaches all of it. | 80% |
| T1041 Exfiltration Over C2 Channel | Collected data leaves over the existing command-and-control connection. A DLP solution (3.13) can only act on data it can recognise, so unclassified data exits without triggering anything; logging of sensitive data access (3.14) is what later shows what was touched. | 80% |
| T1486 Data Encrypted for Impact | Ransomware removes availability. Control 3 contributes through retention (3.4), which bounds how much data is live and therefore at risk, and encryption at rest (3.11), which limits the value of any copy taken before encryption. Recovery itself depends on backups, which CIS v8 places under Control 11 (Data Recovery), not Control 3. | 90% |
| T1485 Data Destruction | Deliberate wiping of data to disrupt operations. A data inventory (3.2) and enforced retention (3.4) tell responders what existed and what must be restored; as with T1486, the backups that make restoration possible belong to Control 11 rather than Control 3. | 90% |
| T1027 Obfuscated Files and Information | Adversaries encode, encrypt or pack their tooling and staged payloads to defeat content inspection. The link to Control 3 is indirect: the same obfuscation applied to archives of collected data blinds a DLP solution (3.13) that relies on matching classified content, so detection has to fall back on access logging (3.14) and on knowing where the data should and should not be. | 80% |
| T1036.005 Masquerading: Match Legitimate Name or Location | Adversary files are named or placed to resemble legitimate ones. In a data context this hides staging directories and collection tooling inside repositories of real data; logged access to sensitive data (3.14) and documented data flows (3.8) are what make an unexpected process or path in those locations stand out. | 70% |
| T1021.001 Remote Services: Remote Desktop Protocol | RDP with valid credentials is a standard route to file servers and database hosts. Segmenting data processing and storage by sensitivity (3.12) and restricting which accounts may reach sensitive stores (3.3) limit lateral movement to data repositories. | 70% |
| T1012 Query Registry | The Windows registry holds application configuration and sometimes stored credentials or connection strings. Secrets and sensitive configuration written there in cleartext are a handling failure under Control 3, and querying the registry is a cheap way for an attacker to find them. | 70% |
| T1078 Valid Accounts | Legitimate credentials grant whatever access the account holds. Access control lists derived from data classification (3.3) keep a compromised ordinary account away from restricted data, limiting what a single valid account is worth to an attacker. | 80% |
| T1530 Data from Cloud Storage | Collection from object storage and cloud file services. Buckets are frequently provisioned outside any inventory or classification process; Control 3 applies to cloud-resident data exactly as to on-premises data, including encryption at rest (3.11) and classification-driven ACLs (3.3). | 80% |
| T1552.001 Unsecured Credentials: Credentials In Files | Credentials in configuration files, scripts, source trees and shares. This is the clearest Control 3 failure in the list: sensitive data that was never identified as such, stored in cleartext and left in reachable locations. | 90% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1035 Limit Access to Resource Over Network | Restricts which hosts and networks can reach a data store (file shares, databases, object storage). It is the network-level enforcement of access decisions derived from classification, the secure-handling aspect of Control 3, and protects confidentiality. | 100% |
| M1053 Data Backup | Backups restore availability after encryption (T1486) or destruction (T1485). The relation to Control 3 is through retention (3.4), which defines what must be kept and for how long; the backup capability itself is CIS Control 11 (Data Recovery), and in ATT&CK it is M1053, not M1040 (Behavior Prevention on Endpoint). | 100% |
| M1047 Audit | Auditing of data access, modification and deletion provides the visibility that Log Sensitive Data Access (3.14) requires and that disposal processes (3.5) must be checked against. It turns a handling policy into something incident responders can verify. | 90% |
| M1030 Network Segmentation | Isolates systems holding sensitive data from general-purpose networks, which is Segment Data Processing and Storage Based on Sensitivity (3.12) stated as an ATT&CK mitigation; it limits breach scope and reduces attack surface. | 90% |
| M1028 Operating System Configuration | Hardened OS settings (restricted local permissions, unneeded services and protocols disabled, credential-protection features enabled) reduce the ways data on a host can be exposed, supporting the secure-handling requirement on the systems where data actually resides. | 80% |
| M1037 Filter Network Traffic | Egress filtering blocks or inspects outbound traffic. It is the enforcement point for a DLP solution (3.13) against exfiltration such as T1041 and protects data in transit. | 90% |
| M1013 Application Developer Guidance | Guidance so that applications classify, encrypt, retain and dispose of data correctly by design, addressing the application-level weaknesses listed below (CWE-312, CWE-532, CWE-201) rather than bolting controls on afterwards. | 80% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-200 Exposure of Sensitive Information to an Unauthorized Actor | The general parent of the exposures below. It persists because data is never identified or classified, so nobody decides who may see it; Control 3's lifecycle requirements (identify, classify, handle, retain, dispose) exist to force that decision. | 100% |
| CWE-284 Improper Access Control | Access decisions that are missing, wrong or unenforced let unauthorised parties read or change data. Control 3 requires ACLs driven by classification (3.3); where they are absent, breaches follow directly. | 100% |
| CWE-312 Cleartext Storage of Sensitive Information | Data stored without encryption relies entirely on access control holding. Encryption at rest (3.11) and on end-user devices and removable media (3.6, 3.9) are the Control 3 safeguards this weakness violates. | 100% |
| CWE-732 Incorrect Permission Assignment for Critical Resource | Over-permissive file, share or bucket permissions allow reading, modification or deletion by anyone who reaches the resource. It is the concrete, permission-level form of the classification-to-ACL failure and compromises integrity as well as confidentiality. | 90% |
| CWE-532 Insertion of Sensitive Information into Log File | Credentials, tokens, card numbers or personal data written to logs are copied into a store with its own, usually weaker, access controls and retention. Control 3 applies to logs like any other data: identify what they contain, redact at the source, and retain and dispose of them deliberately. | 80% |
| CWE-201 Insertion of Sensitive Information Into Sent Data | An application includes data in a response or message that the recipient is not entitled to, for instance extra fields in an API reply or a verbose error. This is distinct from sending over an unencrypted channel; it is a failure to identify which fields are sensitive before the data leaves the application, the identification and handling step of Control 3. | 80% |
| CWE-548 Exposure of Information Through Directory Listing | A listable directory reveals file names and structure, mapping where sensitive data sits and handing an attacker the discovery step (T1083) for free. It persists where web roots and shares are not inventoried as data stores. | 70% |
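As an added example, not SQUR's tooling and not part of the original mapping, the Python script below shows the identification half of Control 3 applied to constructed log lines: it finds cleartext credentials (CWE-312, T1552.001) and card numbers, attaches a classification label, and redacts those values before they would reach a log sink (CWE-532). The patterns, the two-tier labels, the `scan`/`redact` helpers and the sample lines are all illustrative assumptions; the AWS key is Amazon's documented placeholder.

```python
"""Added example (not SQUR's code): a data-identification pass in the spirit of
CIS Control 3, run over constructed log lines. It flags cleartext credentials
and card numbers, labels them, and redacts them before logging (CWE-532)."""
import re
from dataclasses import dataclass

# Detection patterns: assumed for this example, a real scheme needs tuning per data store.
PATTERNS = {
    # key=value style secrets such as password=..., api_key=..., token=...
    "credential": re.compile(r"(?i)(password|passwd|api[_-]?key|secret|token)\s*[:=]\s*(\S+)"),
    # password embedded in a connection URL: scheme://user:password@host
    "url_password": re.compile(r"://([^:/@\s]+):([^@\s]+)@"),
    # AWS access key ID shape (AKIA followed by 16 uppercase alphanumerics)
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # 13 to 19 digits with optional single spaces or hyphens, ending on a digit;
    # confirmed with the Luhn check below so order IDs of the same length are skipped
    "card_candidate": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Assumed two-tier classification scheme (safeguard 3.7 asks for one, it does not dictate it).
CLASS_OF = {"credential": "restricted", "url_password": "restricted",
            "aws_access_key": "restricted", "card_candidate": "restricted",
            "email": "confidential"}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string; True for a syntactically valid card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:      # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    kind: str
    value: str
    classification: str


def scan(text: str) -> list[Finding]:
    """Identify sensitive values line by line and attach a classification label."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                value = m.group(2) if kind in ("credential", "url_password") else m.group(0)
                if kind == "card_candidate" and not luhn_ok(re.sub(r"\D", "", value)):
                    continue
                findings.append(Finding(n, kind, value, CLASS_OF[kind]))
    return findings


def redact(line: str) -> str:
    """Mask the same values before the line is written to a log sink."""
    out = PATTERNS["credential"].sub(lambda m: f"{m.group(1)}=<REDACTED>", line)
    out = PATTERNS["url_password"].sub(lambda m: f"://{m.group(1)}:<REDACTED>@", out)
    out = PATTERNS["aws_access_key"].sub("<aws_access_key:REDACTED>", out)
    out = PATTERNS["card_candidate"].sub(
        lambda m: "<card:REDACTED>" if luhn_ok(re.sub(r"\D", "", m.group(0))) else m.group(0),
        out)
    return PATTERNS["email"].sub("<email:REDACTED>", out)


# Constructed sample lines, not real logs; the access key is Amazon's documented example value.
SAMPLE = """\
2026-06-20T09:14:02Z INFO  auth login ok user=j.doe@example.com
2026-06-20T09:14:05Z DEBUG db connect dsn=postgres://app:hunter2@db/prod password=hunter2
2026-06-20T09:15:11Z INFO  payment captured pan=4111111111111111 order=1718900000123456
2026-06-20T09:16:40Z WARN  s3 sync access_key=AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind:15} {f.classification:12} {f.value}")
    for line in SAMPLE.splitlines():
        print(redact(line))
```

The `scan` output is the raw material for a data inventory entry (what kind of sensitive value, where, at what tier); the `redact` output is what should reach the log sink. Pattern matching is a floor, not an inventory: it will miss secrets that do not look like the patterns above, and the `credential` pattern will happily match the `<REDACTED>` placeholder on a rescan, so it belongs at the source of the log line, not as a filter applied afterwards.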
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0207 compute · voice-rubric self-validated