CIS Benchmarks. PHOTO: Cybercrime Magazine.

Why Networks Aren’t Intrinsically Secure… And What To Do About It

The Critical Piece of Security and Compliance: CIS Benchmarks

Robert Johnson, III, President & CEO at Cimcor, Inc

Chicago, Ill. – Jun. 17, 2020

Though protective solutions such as firewalls and endpoint detection and response solutions (EDRs) are important for a powerful security program, many times the overfocus on these solutions can lead some to believe that cybersecurity, and security in general, is an action, or something that is done to a network. The reality of the situation is, if a network environment isn’t intrinsically secure, there wouldn’t be enough security solutions to keep it safe from cyberthreats.

For a network environment to be intrinsically secure, proper configuration and design must occur, and the Center for Internet Security (CIS) Benchmarks can aid with the configuration and design.

What are CIS Benchmarks?

As a new OS or application is installed, default settings many times include all ports being opened, or all applications services turned on. Essentially, these newly installed assets are extremely vulnerable, and as noted by Verizon, with 43 percent of breaches occurring as attacks on web applications, vulnerabilities are not decreasing anytime soon.

As a set of configuration standards and best practices designed to help organizations “harden” the security of its digital assets, CIS benchmarks are available in more than a dozen technology groups, including Cisco, AWS, IBM, and Microsoft. 

What separates CIS Benchmarks from other security standards are three separate factors:

CIS Benchmarks Factors

  • Developed by consensus between experts including security vendors, SMEs, the CIS benchmarking teams, and a global security community via CIS Workbench.
  • Multiple compliance frameworks point to CIS Benchmarks as an industry standard, allowing for them to become a means of achieving compliance and security objectives.
  • Related specifically to configurations of existing assets. Security defenses like firewalls and EDRs are not covered.

Levels

Two levels of benchmarks exist and dependent upon security and compliance needs for an organization may dictate the level needed.

Level 1 is designed to rapidly minimize the attack surface of an organization without hindering usability or business functionality. These standards can be considered the minimum level of security and compliance that all organizations should aim to meet or exceed.

Level 2 is a more stringent set of standards designed to maximize an organization’s security posture through “defense in depth.” These standards are intended for environments where security is essential and are more costly and labor intensive to implement.

All CIS benchmarks are freely available as PDF downloads from the CIS website. These guidance documents are extremely thorough, with some running to 800+ pages. Each recommendation maps to at least one of the CIS controls, a set of broader security requirements that look beyond asset configuration.

Who Uses CIS Benchmarks?

Organizations across all industries and geographies use CIS benchmarks to help them achieve security and compliance objectives.

The CIS benchmarks are the only best-practice security configuration guides that are both developed and accepted by government, business, industry, and academic institutions. Globally recognized, this also make them more wide-reaching than country-specific standards like HIPAA or FedRAMP.

With that said, the benchmarks are especially popular in heavily regulated industries, and industries governed by a regulatory framework. In particular, organizations in sectors such as healthcare, financial services, and government are likely to use them.

Why are CIS benchmarks so widely used? Aside from the security and compliance value they provide, the benchmark documentation is freely available to all industries and organizations.

Importance of CIS Benchmarks

Cybersecurity is a broad and complex field, and to make matters worse, operating systems and applications are often highly customizable, with thousands of ports, services, and settings to configure. If organizations were forced to decide on the ideal configuration of every asset, it would take years to build a secure business environment.

CIS benchmarks provide a clear set of standards for configuring common digital assets — everything from operating systems to cloud infrastructure. This set of standards removes the need for each organization to “reinvent the wheel” and provides organizations with a clear path to minimizing their attack surface.

SECURITY PERSPECTIVE

From a security perspective, the benchmarks help organizations:

  • Build and maintain a security profile in line with industry best practices.
  • Eliminate configuration settings that are known to be insecure.
  • Protect the organization from known threats.
  • Offload unnecessary cyber risk by narrowing the attack surface to only what is necessary.

COMPLIANCE PERSPECTIVE

From a compliance perspective, CIS benchmarks map directly to many major standards and regulatory frameworks, including NIST CSF, ISO 27000, PCI DSS, HIPAA, and more.

For organizations governed by a security framework, maintaining configuration in line with the CIS benchmarks is a huge step towards compliance. This also helps to protect organizations against financial hardship, as non-compliance can lead to costly fines — particularly in the event of a breach.

How to Implement Benchmarking in Your Organization

When it comes to implementing CIS benchmarks, there are two options for organizations:

  • Download the benchmarking documents and implement the suggestions manually.

This approach has the advantage of being free to get started. However, it is often extremely labor intensive, and it can be difficult to ensure continual compliance — particularly as configurations are updated and new assets added.

  • Use an automated solution to identify and resolve areas of non-compliance.

While it is theoretically possible to implement CIS benchmarks manually, most organizations use an automated CIS benchmark tool.  An automated solution makes it faster and easier to implement and maintain compliance with the CIS benchmarks.

Solutions typically include scanning functionality to quickly identify areas of non-compliance. By running scans regularly, an organization can prevent misconfigurations from creeping in.

Implementing and Maintaining CIS Benchmarks

As an IT integrity, security, and compliance tool, CimTrak makes it easy for any organization to quickly reach and maintain compliance with CIS benchmarks.

Using continuous scanning, CimTrak assesses the current state of configurations throughout your environment and compares it against all relevant CIS benchmarks. When CimTrak identifies a misconfiguration or non-conformance issue, it raises an alert and provides clear action steps to re-establish control.

If a benchmark result is not in the expected state, CimTrak makes it easy to remediate any identified issues.

This functionality makes it easy for organizations to:

  • Achieve and maintain compliance with CIS benchmarks.CimTrak saves organizations countless hours compared to a manual implementation of benchmark PDFs.
  • Ensure continuous compliance.Manual implementation of the benchmarks (and even most toolsets) only ensure “point-in-time” compliance. CimTrak ensures continuous compliance by providing real-time monitoring and alerts across your entire environment.
  • Reduce and eliminate entry points that an attacker could exploit.For example, by removing files, closing ports, and disabling services that aren’t needed.
  • Improve performance.Systems work more efficiently when unnecessary files and functions are removed.

To find out more about how CimTrak can help your organization achieve security and compliance objectives with CIS Benchmarks, download the solution brief today.

Robert Johnson, III, President & CEO at Cimcor, Inc

Data Security Archives


Sponsored by Cimcor

Founded in 1997, Cimcor is an industry leader in developing innovative security, integrity and compliance software solutions. The firm is on the front lines of global corporate, government and military initiatives to protect critical IT infrastructure and has consistently brought IT integrity innovations to market.

Cimcor’s flagship software product, CimTrak, helps organizations to monitor and protect a wide range of physical, network and virtual IT assets in real-time. Built around leading-edge file integrity monitoring capabilities, CimTrak gives organizations deep situational awareness including who is making changes, what is being changed, when changes are occurring, and how changes are being made. This, coupled with the ability to take instant action upon detection of change, gives organizations assurance that their IT assets are always in a secure and compliant state. 

Cimcor is headquartered right outside of the Chicago, IL market with business operations worldwide.