CIS Benchmark

With more and more systems directly connected to the Internet, having the right security settings on those systems becomes an important issue. To tackle this issue, we need to answer at least two questions:

What configuration settings are needed to make my systems secure?

How do I make and keep my system secure?

What is secure?

Let’s first dive into the question: “What configuration settings are needed to make my systems secure?”. Many people have asked themselves this question. The Center for Internet Security (CIS) is one place to find an answer to it. Here is a quote from their site:

What is a CIS Security Benchmark?

The CIS Security Benchmarks program provides well-defined, unbiased, and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics, and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA, and other security requirements.

The CIS publishes many benchmarks: benchmarks for operating system settings and benchmarks for several server-based software packages.

CIS benchmarks are created and continually improved by groups known as CIS communities, which are made up of volunteers and IT professionals.

The founding organizations of the CIS include some of the world's most respected IT security leaders, such as ISACA, the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the International Information Systems Security Certification Consortium (ISC2) and the SANS Institute. 

CIS benchmarks are configuration baselines and best practices for securely configuring a system. Each of the guidance recommendations references one or more CIS controls that were developed to help organizations improve their cyber defense capabilities. CIS controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF) and NIST SP 800-53, the ISO 27000 series of standards, PCI DSS, HIPAA, and others.

Each benchmark undergoes two phases of consensus review. The first occurs during initial development when experts convene to discuss, create, and test working drafts until they reach a consensus on the benchmark. During the second phase, after the benchmark has been published, the consensus team reviews the feedback from the internet community for incorporation into the benchmark.

CIS benchmarks provide two levels of security settings:

Level 1 recommends essential basic security requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.

Level 2 recommends security settings for environments requiring greater security that could result in some reduced functionality.

Who Needs Server Hardening?

Server hardening is needed by organizations that:

• Have high-value servers that operate significant business functions

• Need an assessment of a “gold” image

• Need a review for compliance or adherence to security frameworks

• Are installing new operating systems on servers

• Are deploying a new server or server environment

• Are currently using default configurations (software, usernames, logins, and services)

• Are currently running default or “free” software or applications without a proper patching schedule

• Lack established server hardening policies

• Need to minimize unnecessary software running on the server

A study done in 2017 showed that organizations fail over 50% of the compliance checks established by the CIS in their benchmarks. More than half of these failures were high severity issues. System hardening should be a mandatory requirement. CIS benchmarks provide incredible depth, so following them is often considered a burden.

For Windows 2019, 384 checks need to be implemented. On average, 200 to 250 checks need to be implemented per operating system, and the number varies between OS versions.

Because hardening is such a complex task, difficulties often arise and production is often harmed. Before a new configuration is rolled out to production, it should be tested in a lab. These tests demand long labor hours for every change made to the system. As the enterprise’s network constantly changes, keeping track of hardening status and implementing the benchmarks is almost impossible to perform flawlessly.

Automating the hardening process is mandatory to overcome this challenge.
