The old adage says that you should not attempt to reinvent the wheel, as doing so is both a waste of time and the wheel has already been perfected. Instead, it is commonly accepted that wherever there is an existing standard, one should use it.
The IT security industry is no different. We have all experienced audits or penetration tests, whereby an external organisation is contracted to perform tests in order to highlight weaknesses for review. All such audits are conducted against a known standard for good security.
The CIS benchmarks are just that.
Available for a dizzying variety of operating systems, applications and network devices, CIS (Center for Internet Security) benchmarks are published guidelines which detail how to configure one of the aforementioned items so that they are in a known "good and secure" state.
In this blog, we explore our pick of the six essential things to know about CIS benchmarks.
CIS benchmarks are created and continually improved by groups known as CIS communities, which are made up of volunteers and IT professionals.
The founding organisations of the CIS include some of the world's most respected IT security leaders, such as ISACA, the American Institute of Certified Public Accountants (AICPA), the Institute of Internal Auditors (IIA), the International Information Systems Security Certification Consortium (ISC2) and the SANS Institute.
Huge Level of Depth with Thousands of Pages in Some Reports
The CIS benchmark for Microsoft Windows Server 2016 alone comes in at over 800 pages, covering everything from which weakened encryption ciphers should be disabled to which permissions guest accounts should inherit when they are created upon logon.
Anyone tasked with hardening systems to CIS benchmark standards will certainly have their work cut out for them.
Benchmarking Can Be Automated
In keeping with the idea of not reinventing the wheel, organisations should not only look toward industry standards such as CIS benchmarks, but should also audit and harden using automated tools, to save time and money. After all, external auditors don't do this manually either.
A perfect example of this is NNT Change Tracker, which can assess operating systems, applications and network devices against the CIS benchmark requirements, plus others, in just minutes, providing you with both an overview of your current position and a list of items which need rectification. This solution is currently used by the likes of Universal Studios, RyanAir and Walmart.
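To show what an automated benchmark assessment does under the hood, here is a small checker added for illustration; it is not NNT Change Tracker or CIS code. The benchmark is expressed as data (a setting to inspect, the expected value, a severity), a captured configuration snapshot is evaluated against every rule, and the output is the overview-plus-remediation-list that the paragraph above describes. The rule identifiers, settings and the snapshot are all constructed for this example and are not real CIS recommendation numbers.

```python
"""Minimal CIS-style benchmark checker (added illustration, not CIS or NNT code).

Each Rule names a configuration setting, a predicate for the compliant value
and a severity.  evaluate() runs every rule against a configuration snapshot;
summarize() turns the results into the overview and remediation list that an
automated tool produces.  A setting absent from the snapshot is treated as a
failure: an unknown state is not a compliant state.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str                 # constructed id, not a real CIS recommendation number
    title: str
    setting: str                 # key in the configuration snapshot
    check: Callable[[Any], bool]  # returns True when the observed value is compliant
    severity: str                # "high" or "low"


@dataclass(frozen=True)
class Result:
    rule_id: str
    title: str
    severity: str
    passed: bool
    observed: Any


# Constructed rules illustrating the kinds of items a benchmark contains
# (cipher suites, account policy, audit policy, session settings).
RULES: List[Rule] = [
    Rule("X-1.1", "Weak TLS cipher (RC4) disabled", "tls.rc4_enabled",
         lambda v: v is False, "high"),
    Rule("X-1.2", "TLS 1.0 disabled", "tls.v1_0_enabled",
         lambda v: v is False, "high"),
    Rule("X-2.1", "Guest account disabled", "accounts.guest_enabled",
         lambda v: v is False, "high"),
    Rule("X-2.2", "Minimum password length >= 14", "password.min_length",
         lambda v: isinstance(v, int) and v >= 14, "high"),
    Rule("X-3.1", "Logon events audited (success and failure)", "audit.logon_events",
         lambda v: v == "success_and_failure", "low"),
    Rule("X-3.2", "Screen lock timeout <= 900 s", "session.lock_timeout_s",
         lambda v: isinstance(v, int) and 0 < v <= 900, "low"),
]


def evaluate(snapshot: Dict[str, Any], rules: List[Rule] = RULES) -> List[Result]:
    """Evaluate every rule against the snapshot; missing settings fail."""
    results: List[Result] = []
    for r in rules:
        observed = snapshot.get(r.setting)
        passed = r.setting in snapshot and bool(r.check(observed))
        results.append(Result(r.rule_id, r.title, r.severity, passed, observed))
    return results


def summarize(results: List[Result]) -> Dict[str, Any]:
    """Overview of the current position plus the list of items needing rectification."""
    failed = [r for r in results if not r.passed]
    high = [r for r in failed if r.severity == "high"]
    return {
        "total": len(results),
        "failed": len(failed),
        "fail_pct": round(100 * len(failed) / len(results), 1) if results else 0.0,
        "high_severity_failures": len(high),
        "remediation": [f"{r.rule_id} {r.title} (observed: {r.observed!r})" for r in failed],
    }


# Constructed snapshot of a server that has never been hardened.
SAMPLE_SNAPSHOT: Dict[str, Any] = {
    "tls.rc4_enabled": True,
    "tls.v1_0_enabled": False,
    "accounts.guest_enabled": True,
    "password.min_length": 8,
    "audit.logon_events": "success_and_failure",
    # "session.lock_timeout_s" deliberately absent: unknown state counts as a failure
}

if __name__ == "__main__":
    report = summarize(evaluate(SAMPLE_SNAPSHOT))
    print(f"{report['failed']}/{report['total']} checks failed "
          f"({report['fail_pct']}%), {report['high_severity_failures']} high severity")
    for line in report["remediation"]:
        print("  -", line)
```

In a real tool the snapshot would be collected from the target (registry, policy exports, configuration files) and the rule set would be the published benchmark; the point the example makes is that once both are data, re-running the assessment after each change is cheap, which is what turns an 800-page document into a repeatable control.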
System Hardening Can Be a Mandatory Requirement for Some
For some organisations and industries, system hardening against known standards is becoming a frequent requirement. A long-standing example is PCI-DSS (the Payment Card Industry Data Security Standard), which has long required that any devices which exist in an environment with card data be hardened to a known standard.
Other standards, such as the UK's Minimum Security Standard for public sector organisations and the EU's NIS (National and Information Security directive), have included the same requirement. Although CIS benchmarks are not explicitly mentioned, they are considered the gold standard of system hardening benchmarks.
Statistically Half of All Organisations Would Fail Against CIS Benchmarks
A May 2017 study showed that, on average, organisations fail around 55% of the compliance checks established by the CIS in their benchmarks, with more than half of these failures being high severity issues.