System hardening is one area to which information security professionals give increasing attention these days, but how do we evaluate whether our system configurations are good enough? This is where CIS security benchmarks can help. CIS (the Center for Internet Security) is an independent organization that continually reviews system configuration settings across multiple vendors.
The CIS Benchmarks division was formed in October 2000 and is a not-for-profit consortium of users, security consultants, and vendors of security software (members). It focuses on enhancing the cyber security readiness and response of public and private sector entities. Through consensus, the CIS Security Benchmarks division provides frameworks to help organizations bolster their security.
The CIS website defines the program as follows:
The CIS Security Benchmarks program provides well-defined, unbiased and consensus-based industry best practices to help organizations assess and improve their security. Resources include secure configuration benchmarks, automated configuration assessment tools and content, security metrics and security software product certifications. The Security Benchmarks program is recognized as a trusted, independent authority that facilitates the collaboration of public and private industry experts to achieve consensus on practical and actionable solutions. Because of the reputation, our resources are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for FISMA, PCI, HIPAA and other security requirements.
The CIS mission (as stated on the CIS website):
- Identify, develop, validate, promote, and sustain best practices in cyber security;
- Deliver world-class security solutions to prevent and rapidly respond to cyber incidents; and
- Build and lead communities to enable an environment of trust in cyberspace.
Benchmarking in general is a process that compares your business activities to those of similar companies or to accepted best practices. With CIS benchmarks we are not going to copy exactly what other companies configure; rather, we can use them as a reference to set a minimum due-care baseline. These benchmarks are developed from the recommendations of security professionals around the world and are kept up to date when a new vulnerability is discovered and good configuration management is followed.
We can compare or harden our active applications and systems with the help of the CIS configuration audit tool. I have performed this manually before, and it can take some time to evaluate this manually. The configuration tool gives you a score between 0 and 100, which indicates where you stand in terms of hardening and will help you in discussions with your senior management.
CIS benchmarking will certainly help you evaluate where your asset security stands in terms of configuration as a minimum due care; however, you may need to build your own security configuration based on your enterprise security framework.
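The kind of automated check the assessment tool performs, as an added illustration (this is not CIS-CAT or any CIS code): a small Python script that scores a constructed sshd_config fragment against a handful of CIS-style checks and reports a 0 to 100 score plus the failed check ids. The check identifiers, titles, and the sample configuration are assumptions made up for this example, not taken from a CIS benchmark document.

```python
"""Minimal CIS-style configuration assessment (illustrative, not CIS-CAT).

Each check pairs a configuration directive with the hardened value it
requires. The checks and the sample config below are constructed for this
example; they are not taken from a CIS benchmark document.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Check:
    check_id: str   # hypothetical identifier, not a real CIS recommendation id
    title: str
    key: str        # configuration directive to inspect
    expected: str   # hardened value the check requires


# Constructed example checks in the style of an SSH server benchmark.
CHECKS = [
    Check("EX-1", "Disable root login over SSH", "PermitRootLogin", "no"),
    Check("EX-2", "Limit authentication attempts", "MaxAuthTries", "4"),
    Check("EX-3", "Disable empty passwords", "PermitEmptyPasswords", "no"),
    Check("EX-4", "Disable X11 forwarding", "X11Forwarding", "no"),
]


def parse_config(text: str) -> dict:
    """Parse 'Key value' lines, ignoring blanks and comments; last value wins."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings


def assess(config_text: str):
    """Return (score 0-100, ids of failed checks); a missing directive fails."""
    settings = parse_config(config_text)
    failed = [c.check_id for c in CHECKS if settings.get(c.key) != c.expected]
    score = round(100 * (len(CHECKS) - len(failed)) / len(CHECKS))
    return score, failed


# Constructed sample sshd_config fragment: root login is allowed and
# X11Forwarding is not set at all, so two of the four checks fail.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
MaxAuthTries 4
PermitRootLogin yes
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    score, failed = assess(SAMPLE_CONFIG)
    print(f"Score: {score}/100, failed checks: {failed}")
```

The score is simply the share of checks that pass, which is why a single tool run is a quick way to show management where a system stands and a manual review is not.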
Click here to download CIS benchmark free of charge.
Authored by Aju Nair