CIS Control 4 (CIS Controls v8)
AL
Founder at SQUR · last verified 2026-06-20
Regulation text
Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).
ATT&CK techniques this control addresses · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1190 | Removing unneeded services and applications from exposed assets shrinks the code an attacker can exploit on public-facing systems. | 90% |
| T1133 | Hardened baselines expose only the remote-access services the enterprise actually needs (SSH, VPN, and the like) and configure them securely, so fewer external entry points exist. | 90% |
| T1543.003 | OS hardening and strict permissions on service binaries and their configuration prevent unauthorized creation or modification of Windows services for persistence. | 80% |
| T1547.001 | Hardened permissions on Run keys and startup folders limit unauthorized changes to autostart execution points. | 80% |
| T1068 | Removing unnecessary software and applying security baselines reduces the locally exploitable code available for privilege escalation. | 90% |
| T1548.002 | Baseline policy settings (UAC at its most restrictive level, endpoint application controls) close many of the known UAC bypass paths. | 70% |
| T1027 | Execution policies and application allowlisting enforced through configuration make it harder for obfuscated files to run at all. | 70% |
| T1070.004 | Strict file and directory permissions, including on log locations, stop unprivileged processes from deleting evidence. | 80% |
| T1003 | Credential-protection settings such as LSA Protection (RunAsPPL) and restricted access to credential stores make OS credential dumping harder. | 80% |
| T1552.001 | Configuration policy forbids, and audits for, plaintext credentials in files, leaving fewer for an attacker to harvest. | 80% |
| T1087.001 | Removing or disabling default and unneeded local accounts leaves less for local account discovery to find. | 90% |
| T1046 | Hardened servers and network devices listen only on required ports, so network service discovery turns up fewer targets. | 90% |
| T1021.001 | RDP restricted to authorized users, host firewalls and management networks limits lateral movement over RDP. | 90% |
| T1071.001 | Egress rules on network devices and endpoints that allow only approved outbound web traffic disrupt HTTP/HTTPS command and control. | 80% |
| T1041 | Egress policy and segmentation applied through configuration constrain the channels available for exfiltration over C2. | 80% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1028 | Operating System Configuration is the core of Control 4: it mandates hardening operating systems to remove insecure defaults and reduce exploitable weaknesses. | 100% |
| M1042 | Disable or Remove Feature or Program reduces attack surface by eliminating unnecessary software and services, a key element of Control 4. | 100% |
| M1022 | Restrict File and Directory Permissions is fundamental to Control 4, preventing unauthorized access to and modification of critical system resources. | 90% |
| M1043 | Credential Access Protection is enabled through Control 4's secure configuration of systems, turning on the features that safeguard credentials from theft. | 90% |
| M1026 | Privileged Account Management is supported by Control 4, which requires configuration that limits and controls use of administrative accounts. | 90% |
| M1050 | Exploit Protection is activated by Control 4 through the secure configuration of operating systems and applications, enabling their built-in exploit mitigations. | 80% |
| M1018 | User Account Management: Control 4 baselines have users operate under standard, non-administrative accounts, limiting the impact of a compromised account. | 80% |
Underlying weaknesses · 7
| CWE | How Control 4 addresses it | Confidence |
|---|---|---|
| CWE-276 | Incorrect Default Permissions are addressed directly by Control 4, which mandates establishing and maintaining secure configurations that replace insecure defaults. | 100% |
| CWE-732 | Incorrect Permission Assignment for Critical Resource is mitigated by Control 4, which requires proper access controls on critical assets as part of the baseline. | 90% |
| CWE-269 | Improper Privilege Management is mitigated by Control 4, as secure configuration enforces least privilege across enterprise assets. | 90% |
| CWE-522 | Insufficiently Protected Credentials are addressed by Control 4, which requires configuration that enables credential-protection mechanisms. | 90% |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor is reduced by Control 4, as secure configuration limits unnecessary data exposure and access. | 80% |
| CWE-668 | Exposure of Resource to Wrong Sphere is reduced by Control 4, which mandates configuration that keeps resources reachable only from the intended users and network segments. | 80% |
| CWE-798 | Use of Hard-coded Credentials is a weakness that Control 4's configuration policy aims to eliminate by forbidding the practice and auditing for it. | 70% |
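The items in the three tables above (expose only needed services, restrict remote access, remove stray accounts, keep credentials out of files) only hold if configuration drift is caught. The following is an added example, not SQUR's code and not a CIS Benchmark tool: a Python checker that parses captured Linux host state and reports each deviation from a small baseline, tagged with the ATT&CK technique or CWE it corresponds to. The sample inputs and the baseline values (which sshd keywords must be set, which ports may listen) are constructed assumptions for illustration, not the CIS Benchmark's own recommendations.

```python
# Added example for this page, not SQUR's code and not a CIS Benchmark tool:
# compare observed Linux host state (captured as text) with a small baseline
# and tag each drift finding with the ATT&CK technique or CWE from the tables.
# All samples below are constructed; the baseline values are assumptions.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str
    maps_to: str  # ATT&CK technique or CWE


def parse_sshd_config(text: str) -> dict:
    """Global sshd_config keywords, lower-cased. The FIRST occurrence wins, as
    in sshd itself: a 'PermitRootLogin no' appended after an earlier 'yes'
    changes nothing. Parsing stops at the first Match block, whose settings
    are conditional and need their own audit."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        if parts[0].lower() == "match":
            break
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def parse_listeners(ss_output: str) -> set:
    """(bind_address, port) pairs from `ss -tlnH` output."""
    listeners = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            addr, _, port = fields[3].rpartition(":")
            listeners.add((addr.strip("[]"), int(port)))
    return listeners


def check_sshd(conf: dict, baseline: dict) -> list:
    """A missing keyword is drift too: relying on a compiled-in default is not
    a maintained configuration (T1133, external remote services)."""
    return [Finding(f"sshd:{k}", f"observed {conf.get(k)!r}, baseline {v!r}", "T1133")
            for k, v in baseline.items() if (conf.get(k) or "").lower() != v.lower()]


def check_listeners(listeners: set, allowed_ports: set) -> list:
    """Non-loopback listeners outside the allow-list are exposed surface (T1046)."""
    return [Finding("listener", f"{addr}:{port} not in baseline", "T1046")
            for addr, port in sorted(listeners)
            if addr not in {"127.0.0.1", "::1"} and port not in allowed_ports]


def check_passwd(text: str) -> list:
    """Extra UID-0 accounts (CWE-269) and system accounts left with a login
    shell, which local account discovery (T1087.001) will find."""
    findings = []
    for line in filter(None, text.splitlines()):
        name, _, uid, _, _, _, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(Finding("passwd", f"{name} has UID 0", "CWE-269"))
        elif name != "root" and int(uid) < 1000 and not shell.endswith(("nologin", "false")):
            findings.append(Finding("passwd", f"{name} has login shell {shell}", "T1087.001"))
    return findings


CRED_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+")


def check_secrets(path: str, text: str) -> list:
    """Plaintext credentials in config files (T1552.001); comment lines are skipped."""
    return [Finding(f"secret:{path}", f"line {n}: {line.strip()}", "T1552.001")
            for n, line in enumerate(text.splitlines(), 1)
            if not line.lstrip().startswith("#") and CRED_RE.search(line)]


# Constructed samples standing in for the live host.
SAMPLE_SSHD = "PermitRootLogin yes\nPasswordAuthentication yes\nMatch User backup\n    PermitRootLogin no\n"
SAMPLE_SS = ("LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\nLISTEN 0 128 0.0.0.0:23 0.0.0.0:*\n"
             "LISTEN 0 128 127.0.0.1:631 0.0.0.0:*\nLISTEN 0 128 [::]:3389 [::]:*\n")
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
                 "games:x:5:60:games:/usr/games:/bin/sh\nbackdoor:x:0:0::/root:/bin/bash\n"
                 "alice:x:1000:1000::/home/alice:/bin/bash\n")
SAMPLE_APP_CONF = "# password: rotated via vault, never stored here\ndb_host = db.internal\ndb_password = hunter2\n"
SSHD_BASELINE = {"permitrootlogin": "no", "passwordauthentication": "no", "x11forwarding": "no"}
ALLOWED_PORTS = {22, 443}


def run_all() -> list:
    """Every drift finding across the four checks, in a stable order."""
    return (check_sshd(parse_sshd_config(SAMPLE_SSHD), SSHD_BASELINE)
            + check_listeners(parse_listeners(SAMPLE_SS), ALLOWED_PORTS)
            + check_passwd(SAMPLE_PASSWD)
            + check_secrets("app.conf", SAMPLE_APP_CONF))


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.maps_to}] {f.check}: {f.detail}")
```

Two design choices matter for the "maintain" half of the control. A keyword absent from sshd_config is reported as drift rather than assumed to be at its safe default, because defaults change across versions and a baseline that depends on them is not being maintained. And the sshd parser honours first-occurrence-wins: a reviewer who only looks at the last `PermitRootLogin` line in a file will pass a host that sshd actually runs with root login enabled.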
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0185 compute · voice-rubric self-validated