
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


What are CIS Benchmarks and Why are they so Important?

Topics: Vulnerability, Vulnerability Management, Network Monitoring, CIS

Posted: 24 February 2020


If there is one thing which unites us all in the world of IT security, it is the desire to eliminate known vulnerabilities so that we can continually improve and build upon what we already know. But did you know that a standard deployment of Microsoft Windows Server 2016 RTM has over 800 pages of known vulnerable configuration settings, according to the CIS (Centre for Internet Security)?

…and this is just one operating system out of the countless benchmark documents they produce for applications, network devices, mobile devices, cloud hosting services and more.

So, who is the CIS, what do their benchmarks provide and why should we be ensuring we take heed of their advice?


Who is the CIS?

The Centre for Internet Security, otherwise known as the CIS, is a non-profit organisation which was formed in 2000 by well-known industry players such as ISACA, ISC2 and the SANS Institute, among others.

Based in New York, its mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyber defence; and build and lead communities to enable an environment of trust in cyberspace.”

 

What are the CIS Benchmarks?

One way that it pursues this mission is to produce the CIS Controls and Benchmarks – which provide guidance to IT security teams on how to secure their IT systems against malicious attackers.

The benchmarks in particular are lists of configurable settings for operating systems, applications, network devices, mobile devices, cloud hosting services and more – which, when set in accordance with the benchmark, reduce the number of exploitable vulnerabilities present.

Each benchmark can run to hundreds of pages of configurable options, making the task of reviewing them and ensuring IT systems are compliant a huge one. This is why solutions such as Tripwire Enterprise can run CIS-based audits against systems on an automated basis.

 

Why are the CIS Benchmarks so important?

As you may have gathered so far, the primary advantage is that CIS benchmarks provide an opportunity to eliminate known bad configuration settings, which pose security vulnerabilities to your IT systems.

In fact, CIS themselves report that on average, organisations fail 55% of their compliance checks, with more than half of these being high severity issues.

While you or your customers may use firewalls, anti-virus and other solutions to protect your network, no amount of security guards can prevent an intruder faced with a wall full of holes.

It is also the case that some compliance standards such as ISO 27001, PCI DSS and SWIFT recommend the use of known benchmarking tools – while none of the listed compliance standards reference CIS benchmarks specifically, the CIS benchmarks have become the de facto standard in the industry.


How can you make use of the CIS Benchmarks?

The CIS is a non-profit organisation, and its benchmarks are free to download from the CIS website. However, with multiple hundreds of pages in each one, applying them to your IT systems can be quite a challenge.

Not to mention having to repeat this when the benchmark is revised or a new version is released.

Organisations that do apply CIS benchmarks to their IT systems typically do so using an automated tool instead. For example, Tripwire Enterprise, mentioned previously in this blog, can scan all devices on the network, compare them against the CIS benchmarks and return a compliance report.

The usefulness of such reports cannot be overstated: not only do they highlight a lack of compliance in particular areas, they also order those items by severity, allowing the most vulnerable systems to be rectified sooner.

Best of all, you can have these scans repeated regularly, alerting you to scenarios whereby changes to systems have reduced their compliance and possibly increased their vulnerability.
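The audit loop just described (evaluate a host against benchmark rules, rank failures by severity, re-run and flag drift) in miniature. This is an added example, not Tripwire's or the CIS's code; the rule ids and the configuration snapshots are constructed for illustration and are not real CIS recommendation numbers.

```python
"""Minimal CIS-style configuration audit: evaluate a host's settings against
benchmark rules, rank failures by severity and detect drift between two scans."""
from dataclasses import dataclass
from typing import Callable

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

@dataclass(frozen=True)
class Rule:
    rule_id: str                   # constructed id, not a real CIS recommendation number
    title: str
    severity: str
    check: Callable[[dict], bool]  # returns True when the setting is compliant

# Illustrative rules modelled on common hardening checks (an assumption, not the
# CIS text itself); the keys are names chosen for a constructed config snapshot.
RULES = [
    Rule("X-1.1", "Minimum password length >= 14", "high",
         lambda c: c.get("min_password_length", 0) >= 14),
    Rule("X-1.2", "Account lockout threshold between 1 and 10", "medium",
         lambda c: 0 < c.get("lockout_threshold", 0) <= 10),
    Rule("X-2.1", "SMBv1 disabled", "high",
         lambda c: c.get("smb1_enabled") is False),
    Rule("X-3.1", "Security log size >= 196608 KB", "low",
         lambda c: c.get("security_log_max_kb", 0) >= 196608),
]

def audit(config: dict, rules=RULES) -> list:
    """One result per rule; failures first, then by severity, then by id."""
    results = [{"id": r.rule_id, "title": r.title, "severity": r.severity,
                "passed": bool(r.check(config))} for r in rules]
    return sorted(results, key=lambda x: (x["passed"], SEVERITY_RANK[x["severity"]], x["id"]))

def failure_rate(results) -> float:
    """Percentage of checks failed, the figure CIS quotes as 55% on average."""
    return round(100 * sum(not r["passed"] for r in results) / len(results), 1)

def drift(before, after) -> list:
    """Rule ids that passed in the earlier scan but fail in the later one."""
    prev = {r["id"]: r["passed"] for r in before}
    return [r["id"] for r in after if prev.get(r["id"]) and not r["passed"]]

# Constructed snapshots of one host's settings (not captured from a real system);
# the second scan shows a change that re-enabled SMBv1.
BASELINE = {"min_password_length": 14, "lockout_threshold": 5,
            "smb1_enabled": False, "security_log_max_kb": 32768}
LATER = dict(BASELINE, smb1_enabled=True)

if __name__ == "__main__":
    first, second = audit(BASELINE), audit(LATER)
    for r in second:
        print(f"{'PASS' if r['passed'] else 'FAIL'} [{r['severity']:6}] {r['id']} {r['title']}")
    print(f"failed {failure_rate(second)}% of checks; drifted since last scan: {drift(first, second)}")
```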

Ultimately, the CIS benchmarks are about putting your house in order against an agreed and known state. Just like a safety check on a car or the instructions and ingredient measurements in a recipe, it makes sense to follow best practices.

Security need not be difficult, when there is a well-trodden path to assist you.


Infinigate UK
Posted by: Infinigate UK