If there is one thing which unites us all in the world of IT security, it is the desire to eliminate known vulnerabilities so that we can continually improve and build upon what we already know. But did you know that a standard deployment of Microsoft Windows Server 2016 RTM contains over 800 pages of known vulnerable configuration settings, according to the CIS (Centre for Internet Security)?
…and this is just one operating system out of the countless benchmark documents they produce for applications, network devices, mobile devices, cloud hosting services and more.
So, who is the CIS, what do their benchmarks provide and why should we be ensuring we take heed of their advice?
Who is the CIS?
The Centre for Internet Security, otherwise known as the CIS, is a non-profit organisation which was formed in 2000 by well-known industry players such as ISACA, ISC2 and the SANS Institute, among others.
Based in New York, its mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyber defence; and build and lead communities to enable an environment of trust in cyberspace.”
What are the CIS Benchmarks?
One way it pursues this mission is by producing the CIS Controls and Benchmarks, which provide guidance to IT security teams on how to secure their IT systems against malicious attackers.
The benchmarks in particular are lists of configurable settings for operating systems, applications, network devices, mobile devices, cloud hosting services and more which, when set in accordance with the benchmark, reduce the number of exploitable vulnerabilities present.
Each benchmark can run to hundreds of pages of configurable options, so reviewing them and ensuring IT systems are compliant is a huge task. This is why solutions such as Tripwire Enterprise can run CIS-based audits against systems on an automated basis.
Why are the CIS Benchmarks so important?
As you may have gathered so far, the primary advantage is that CIS benchmarks provide an opportunity to eliminate known bad configuration settings, which pose security vulnerabilities to your IT systems.
In fact, CIS themselves report that on average, organisations fail 55% of their compliance checks, with more than half of these being high severity issues.
While you or your customers may use firewalls, anti-virus and other solutions to protect your network, no number of security guards can stop an intruder when the wall is full of holes.
It is also the case that some compliance standards, such as ISO27001, PCI-DSS and SWIFT, recommend the use of known benchmarking tools. While none of these standards reference the CIS benchmarks specifically, the benchmarks have become the de facto standard in the industry.
How can you make use of the CIS Benchmarks?
Because the CIS is a non-profit organisation, its benchmarks are free to download from the CIS website. However, at several hundred pages each, they can be quite a challenge to apply to your IT systems.
Not to mention having to repeat this when the benchmark is revised or a new version is released.
Organisations that do apply CIS benchmarks to their IT systems typically do so using an automated tool instead. For example, Tripwire Enterprise has been mentioned previously in this blog as having the capability to scan all devices in the network, compare them against the CIS benchmarks and return a compliance report.
The usefulness of such reports cannot be overstated: not only will they highlight a lack of compliance in particular areas, but they will order those items by severity, allowing the most vulnerable systems to be rectified sooner.
Best of all, you can have these scans repeated regularly, alerting you to scenarios whereby changes to systems have reduced their compliance and possibly increased their vulnerability.
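To make the compare-rank-repeat workflow described above concrete, here is a small added example (not Tripwire's or the CIS's own code) that models a benchmark-style audit: observed settings are compared against expected values, failures are ordered by severity, and a second scan is checked for compliance drift. The check names, expected values and scan results are constructed for illustration and are not actual CIS recommendations.

```python
"""Toy model of a benchmark-style compliance audit with drift detection.
All checks, expected values and scan results below are constructed examples."""
from dataclasses import dataclass

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}  # lower rank = report first


@dataclass(frozen=True)
class Check:
    check_id: str
    description: str
    setting: str        # key in the scanned system state
    expected: object
    severity: str
    compare: str = "eq"  # "eq": must equal; "min": observed >= expected; "max": observed <= expected

    def passes(self, observed) -> bool:
        if observed is None:          # setting not present/readable counts as a failure
            return False
        if self.compare == "min":
            return observed >= self.expected
        if self.compare == "max":
            return observed <= self.expected
        return observed == self.expected


# Constructed checks in the spirit of a hardening benchmark (NOT real CIS items or values)
CHECKS = [
    Check("EX-1", "Minimum password length", "password_min_length", 14, "high", "min"),
    Check("EX-2", "Account lockout threshold", "lockout_threshold", 5, "medium", "max"),
    Check("EX-3", "SMBv1 disabled", "smb1_enabled", False, "high"),
    Check("EX-4", "Audit logon events", "audit_logon", True, "low"),
]


def audit(state: dict) -> list:
    """Return failing checks ordered by severity (high first), then by check id."""
    failures = [c for c in CHECKS if not c.passes(state.get(c.setting))]
    return sorted(failures, key=lambda c: (SEVERITY_RANK[c.severity], c.check_id))


def drift(previous: dict, current: dict) -> list:
    """Checks that passed in the previous scan but fail now: compliance has regressed."""
    previously_failing = {c.check_id for c in audit(previous)}
    return [c for c in audit(current) if c.check_id not in previously_failing]


# Constructed scan results: the second scan shows SMBv1 has been re-enabled
SCAN_1 = {"password_min_length": 14, "lockout_threshold": 10, "smb1_enabled": False, "audit_logon": True}
SCAN_2 = {"password_min_length": 14, "lockout_threshold": 10, "smb1_enabled": True, "audit_logon": True}

if __name__ == "__main__":
    for c in audit(SCAN_2):
        print(f"[{c.severity.upper():6}] {c.check_id}: {c.description} (observed {SCAN_2.get(c.setting)!r})")
    for c in drift(SCAN_1, SCAN_2):
        print(f"DRIFT: {c.check_id} passed the previous scan but fails now")
```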
Ultimately, the CIS benchmarks are about putting your house in order against an agreed and known state. Just like a safety check on a car or the instructions and ingredient measurements in a recipe, it makes sense to follow best practices.
Security need not be difficult, when there is a well-trodden path to assist you.