The cybersecurity industry gives a lot of attention to protective solutions like firewalls and EDRs. Though these technologies are important for a powerful security program, over-focusing on these solutions can lead some to believe that security is something your team does to a network environment.
In reality, if a network environment isn’t intrinsically secure, there aren’t enough security solutions on earth to keep it safe from cyber attacks. Instead, you need to focus on system hardening processes to keep your network safe.
To be intrinsically secure, a network environment must be properly designed and configured. This is where the Center for Internet Security (CIS) benchmarks come in.
This post covers the following information:
- What are CIS Benchmarks?
- What are CIS Benchmark Levels?
- Who Uses CIS Benchmarks?
- Importance of CIS Benchmarks
- Additional Security Resources and CIS Benchmarks
- How to Implement Benchmarking in Your Organization
- Implementing and Maintaining CIS Benchmarks
What are CIS Benchmarks?
When a new operating system or application is installed, it comes with default settings. Usually, all ports are open, and all application services are turned on. In other words, freshly installed assets are highly insecure.
CIS benchmarks are a set of configuration standards and best practices designed to help organizations ‘harden’ the security of their digital assets. Currently, over 100 benchmarks are available for assets in 14 technology groups, including Microsoft, Cisco, AWS, and IBM.
Three things separate CIS benchmarks from other security standards:
- They relate specifically to the configuration of existing assets. They don’t cover security defenses like firewalls and EDRs.
- They are developed by consensus between experts that include SMEs, security vendors, the CIS benchmarking team, and even the global security community via the CIS Workbench.
- While not a regulatory requirement, most prominent compliance frameworks point to CIS benchmarks as the industry standard, making them an excellent means of achieving both security and compliance objectives.
How CIS Benchmarks Are Developed
CIS Benchmark development follows a process for designing, approving, and maintaining benchmarks that help organizations maintain security best practices across multiple systems.
To create a new benchmark, the community identifies a need for such an addition. Next, they identify the necessary scope and parameters for that new benchmark. Experts from various parts of the CIS community review and iterate upon the benchmark until they reach an agreement.
The new benchmark is then published on the CIS site and made available for feedback. If revisions are needed, the experts involved in the earlier stages of the process will undertake those revisions and republish them.
The collaborative nature of this process ensures that the benchmarks put into place are useful and attainable across industries and use cases.
What Are CIS Benchmark Levels?
CIS maintains two separate levels of benchmarks. Your level will depend upon your organization’s security and compliance needs. Let’s take a closer look at both levels to help you determine where your organization falls.
- Level 1: This level offers basic security recommendations. These benchmarks are designed to rapidly minimize an organization's attack surface without hindering usability or business functionality. These standards can be considered the minimum level of security and compliance that all organizations should aim to meet or exceed.
- Level 2: This level offers a more stringent set of standards designed to maximize an organization’s security posture through ‘defense in depth’. These standards are intended for environments where security is essential and are more costly and labor-intensive to implement.
All CIS benchmarks are freely available as PDF downloads from the CIS website. These guidance documents are extremely thorough, with some running to 800+ pages. Each recommendation maps to at least one of the CIS Controls, a set of broader security requirements that look beyond asset configuration.
Who Uses CIS Benchmarks?
Organizations across all industries and geographies use CIS benchmarks to help them achieve security and compliance objectives.
The CIS benchmarks are the only best-practice security configuration guides that are both developed and accepted by government, business, industry, and academic institutions. Because they are globally recognized, they are also more wide-reaching than country-specific standards like HIPAA or FedRAMP.
With that said, the benchmarks are especially important in heavily regulated industries and industries governed by a regulatory framework. In particular, organizations in healthcare, financial services, and government sectors are likely to use them.
Why are CIS benchmarks so widely used? Aside from the security and compliance value they provide, the benchmark documentation is freely available to all industries and organizations. To get started, all an organization must do is download the relevant PDFs from the CIS website.
Importance of CIS Benchmarks
Cybersecurity is a broad and complex field. To make matters worse, operating systems and applications are often highly customizable, with thousands of ports, services, and settings to configure. If organizations were forced to decide on the ideal configuration of every asset, it would take years to build a secure business environment.
CIS benchmarks provide a clear set of standards for configuring common digital assets — everything from operating systems to cloud infrastructure. This removes the need for each organization to ‘reinvent the wheel’ and provides them with a clear path to minimizing their attack surface.
From a security perspective, the benchmarks help organizations:
- Build and maintain a security profile in line with industry best practices.
- Eliminate configuration settings that are known to be insecure.
- Protect the organization from known threats.
- Offload unnecessary cyber risk by narrowing the attack surface to only what is necessary.
From a compliance perspective, CIS benchmarks map directly to many major standards and regulatory frameworks, including NIST CSF, ISO 27000, PCI DSS, HIPAA, and more.
For organizations governed by a security framework, maintaining configuration in line with the CIS benchmarks is a huge step toward compliance. This also helps to protect organizations against financial hardship, as non-compliance can lead to costly fines — particularly in the event of a breach.
Additional Security Resources and CIS Benchmarks
In addition to the CIS Benchmarks, the Center for Internet Security offers two additional resources.
Firstly, they offer CIS Controls. This resource consists of a checklist of twenty different safeguards your organization should prioritize to combat pressing cyber security threats. Where the CIS Benchmarks are specific recommendations, CIS Controls are designed more as a generic starting point for compliance frameworks like NIST, HIPAA, and more.
CIS also offers CIS Hardened Images. These virtual machine images are pre-configured operating system configurations that already meet CIS Benchmark baselines. CIS updates and patches these images regularly, and they are available in profiles for both CIS Benchmark levels.
How to Implement Benchmarking in Your Organization
When it comes to implementing CIS benchmarks, there are two options:
- Download the benchmarking documents and implement the suggestions manually.
This approach has the advantage of being free to get started. However, it is often extremely labor-intensive, and it's difficult to ensure continual compliance, particularly as configurations are updated and new assets are added.
- Use an automated solution to identify and resolve areas of non-compliance.
While it is theoretically possible to implement CIS benchmarks manually, most organizations use an automated CIS benchmark tool. An automated solution makes it faster and easier to implement and maintain compliance with the CIS benchmarks.
Solutions typically include scanning functionality to quickly identify areas of non-compliance. By running scans regularly, an organization can prevent misconfigurations from creeping in.
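To make the scan-and-compare step concrete, here is an added example (not code from CIS or from any product mentioned in this post) that checks an OpenSSH server configuration against a small Level 1 / Level 2 rule set and reports drift between two scans. The rule IDs, the level assigned to each rule, the assumption that a Level 2 scan also runs the Level 1 rules, and the sample configurations are all constructed for illustration and are not quoted from any CIS benchmark document.

```python
import re

# Constructed rules: (rule id, profile level, sshd_config keyword, value check).
# The keywords are real sshd_config options; IDs and levels are illustrative only.
RULES = [
    ("ssh-root-login",   1, "permitrootlogin",      lambda v: v == "no"),
    ("ssh-empty-passwd", 1, "permitemptypasswords", lambda v: v == "no"),
    ("ssh-max-auth",     1, "maxauthtries",         lambda v: v.isdigit() and int(v) <= 4),
    ("ssh-x11",          2, "x11forwarding",        lambda v: v == "no"),
    ("ssh-tcp-forward",  2, "allowtcpforwarding",   lambda v: v == "no"),
]

def parse_sshd_config(text):
    """Global settings as {keyword: value}. Keywords are case-insensitive and
    sshd uses the FIRST value it reads for a keyword, so later duplicates lose."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":          # conditional blocks are out of scope here
            break
        if len(parts) == 2:
            settings.setdefault(key, parts[1].strip())
    return settings

def scan(text, level):
    """{rule_id: (passed, found)} for rules at or below `level`.
    A keyword that is not set explicitly is reported as a finding (found=None)."""
    settings = parse_sshd_config(text)
    return {rid: (key in settings and ok(settings[key]), settings.get(key))
            for rid, lvl, key, ok in RULES if lvl <= level}

def drift(previous, current):
    """Rules that passed in the previous scan but fail in the current one."""
    return sorted(r for r, (passed, _) in current.items()
                  if not passed and previous.get(r, (False, None))[0])

BASELINE = """# constructed sample sshd_config
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
X11Forwarding no
"""
# Constructed later state: a new line above the old one re-enables root login.
LATER = BASELINE.replace("PermitRootLogin no", "PermitRootLogin yes\nPermitRootLogin no")
```

Because the first value wins, a checker that only looked for the presence of `PermitRootLogin no` would miss the change in `LATER`; comparing successive scans surfaces it as drift, while the Level 2 rule that was never set stays a standing finding.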
Implementing and Maintaining CIS Benchmarks
As an IT integrity, security, and compliance tool, CimTrak makes it easy for any organization to quickly reach and maintain compliance with CIS benchmarks.
Using continuous scanning, CimTrak assesses the current state of configurations throughout your environment and compares it against all relevant CIS benchmarks. When CimTrak identifies a misconfiguration or non-conformance issue, it raises an alert and provides clear action steps to re-establish control.
If a benchmark result is not in the expected state, CimTrak makes it easy to remediate any identified issues.
This functionality makes it easy for organizations to:
- Achieve and maintain compliance with CIS benchmarks. CimTrak saves organizations countless hours compared to a manual implementation of benchmark PDFs.
- Ensure continuous compliance. Manual implementation of the benchmarks (and even most toolsets) only ensures ‘point-in-time’ compliance. CimTrak ensures continuous compliance by providing real-time monitoring and alerts across your entire environment.
- Reduce and eliminate entry points that an attacker could exploit, for example by removing files, closing ports, and disabling services that aren’t needed.
- Improve performance. Systems work more efficiently when unnecessary files and functions are removed.
December 22, 2022