What are CIS Benchmarks and how to use them?

A list of 18 procedures (reduced from 20), or “controls,” recommended by the Center for Internet Security (CIS), must be followed to build an IT infrastructure resistant to cyberattacks. The CIS 4th Control advises to establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications) (4.1). These CIS baselines also advise implementing system configuration management technologies that automatically impose and reinstall network configuration to devices at predetermined periods. To stop the attacks that take advantage of weak services and configurations, the CIS advises organizations to implement strict configuration and modification control procedures.

In CIS 8 the number of controls is reduced to 18 from 20 in CIS 7. CIS 8 contains 153 Safeguards, which were called sub-controls in CS7 and they were 171 sub-controls

Source: https://www.cisecurity.org/controls/implementation-groups/

Along with this request, the CIS baselines are a collection of hardening guidelines known as the CIS Benchmarks for various hosts, platforms, and operating systems. Despite being the industry norm for system hardening, research demonstrates that almost all firms fall short on more than 50% of the CIS Benchmarks conformance assessments. High-severity concerns contributed to over half of these losses. Most restrictions make system hardening a must. The depth that these CIS baselines offer make following them a hardship.

WHAT ARE THE CIS BENCHMARKS?

The CIS (Center for Internet Security) benchmarks are a set of technical guidelines and best practices designed for securing computer systems and networks to help organizations harden the security of their digital assets. They provide specific configuration recommendations and security controls for various operating systems, software applications, and devices.

These CIS baselines are developed by a volunteering community of cybersecurity experts and are continuously updated to address emerging threats and vulnerabilities via the CIS Workbench. They outline specific security settings, parameters, and hardening measures to protect systems from common attack vectors and ensure compliance with industry standards.

CIS Hardening and Configuration Security Guide

The following sections are found in the identically constructed rules. Here is the breakdown for setting: Ensure ‘Access this computer from the network’ is set to ‘Administrators, Authenticated Users, ENTERPRISE DOMAIN CONTROLLERS’ (DC only) (Automated)

Headline: The advice is contained in the HEADLINE and the proposal’s significance level (L1). A proposal can be categorized as L1, which must be executed; L2, which can be executed at a later point of the hardening operation; or NA, which will be the least essential proposal.
Profile Applicability: Which system component will be impacted by this policy is indicated by “profile applicability.”
Description: A description of the rules of the setting.
Rationale: The justification for establishing the regulation in the suggested manner.
Impact: Any anticipated effect on your output.
Audit: Audit suggestions for this rule.
Remediation: Techniques you can use to make your machine comply with this guideline.
Default value: Refers to the setting’s default value as it is initially configured.
CIS Controls: With which this policy is associated.

According to newly identified intrusions, similar attacks, and system upgrades, the CIS Benchmarks are upgraded once or more per year.

How the CIS Baselines Are Developed

The CIS baselines are a unique consensus based process led by a group of IT Experts and Cybersecurity Professionals from around the world. There are more than 12,000 professionals in the CIS Benchmark Communities collaborating on one benchmark. Each benchmark undergoes two phases of consensus review.

THE FIRST PHASE:

How a CIS Benchmark is Developed:

Engage the Community: The process begins with the identification of a need for a new benchmark within the CIS community. This need serves as the catalyst for further exploration.
Define Scope: CIS then determine the scope of the Benchmark
Create a 1^st Draft: CIS then create a first draft of the benchmark
Consensus Begins: The draft is made available on the CIS Workbench for all to review and provide feedback
Discuss and Adjust: After feedback is provided, the CIS benchmark team discuss and adjust the recommendations
Feedback Process: This feedback process continues until all feedback is addressed
Consensus Met: The CIS benchmark team incorporates all the feedback to achieve a consensus, ensuring the benchmark attains its highest level of quality
Publish CIS Benchmark: After a consensus is met, the CIS Benchmark is then published

THE SECOND PHASE

In the second phase after the benchmark has been published, the consensus team reviews the feedback from the internet community for incorporation into the benchmark.

CIS Benchmark Levels

CIS benchmarks provide levels of security settings known as configuration profiles. These Levels are:

Level 1 This level offers basic security recommendations and requirements that can be configured on any system and should cause little or no interruption of service or reduced functionality.

Level 2 This level recommends a more stringent security setting that includes additional security settings and configurations that provide increased security measures and reduce the potential attack surface.

STIG (replaces what was Level 3) profile includes additional requirements from the STIG that were not covered in the Level 1 and Level 2 profiles.

Users who apply CIS baseline recommendations and require STIG compliance can easily bridge the gaps between the original CIS Benchmark profiles and STIGs by utilizing the three available profiles. All CIS benchmarks are freely available as PDF downloads from the CIS website.

WHY YOU SHOULD USE THE CIS BENCHMARKS?

The standard setup of the operating systems, as they are shipped from the vendor, prioritizes usability over security. Operating systems are thus highly susceptible to cyberattacks if security precautions aren’t taken. Attackers frequently penetrate an organization’s IT network, distribute malware, and do significant harm by making use of the threat landscape. For instance, the Server Message Block (SMB) worm WannaCry, which initially surfaced in May 2017, makes use of such a compromise to get access to the network and spread itself. Additionally, despite the fact that Microsoft delivered the appropriate security upgrades in 2016 and 2017, the WannaCry malware and other SMB worms like Brambul malware still inflict daily losses of thousands of dollars. Another popular target is the RDP protocol that can be significantly more secure once proper hardening actions are implemented.

Restrictions must also be taken into account to limit organizational connect surface when determining whether or not to use CIS baselines. It is accurate to claim that practically all significant regulations directly or indirectly call for CIS basline adherence. Indirect means that specific laws demand adherence to other frameworks, such as the NIST Cybersecurity Framework, but these frameworks make reference to the CIS Baselines.

These regulations and frameworks each have their specific objectives and requirements, however, they often overlap or can be used in conjunction with each other to achieve comprehensive cybersecurity and compliance. Organizations often review multiple frameworks to ensure they fulfill the requisite requirements and adhere to established best practices and compliance.

HOW TO USE CIS BENCHMARKS:

The baseline of a CIS Benchmark is to assist businesses in “hardening” existing systems, which means safeguarding their configurations. One of the most challenging steps toward establishing a hardened infrastructure is putting the CIS baselines into practice.

There are two options for implementing CIS baselines:

Manual Implementation: This option involves downloading the CIS Benchmark PDF and manually implementing the suggested configurations. This approach is labor-intensive and challenging to ensure ongoing compliance, especially as configurations change and new assets are added.

Automated Solution: Most organizations opt for an automated CIS benchmark tool to simplify the implementation process. Using an automated solution makes it faster and easier to achieve and maintain compliance with the CIS benchmarks.

TOOLS TO IMPLEMENT CIS BENCHMARKS?

Scanners and Assessment Tools

Scanners and Assessment tools will indicate your CIS Benchmark compliance posture. When they are used they indicate the gap between your current policy and the CIS Benchmarks but do not provide any solution for overcoming this gap. You will have to test and enforce the changes to improve your compliance posture. CIS offers its own developed scanner - the CIS CAT.

Hardening Automation Tools

Hardening automation tools streamline the process of hardening systems by automating repetitive and time-consuming tasks. They can quickly apply security configurations, saving significant manual effort and reducing the chances of human error. When hardening, the most time consuming and inefficient use of resources is monitoring potential drifts. The largest advantage of hardening automation tools is that they eliminate the need to check what will be the impact of each configuration change on your network.

Hardening automation tools should offer the following solution:

- Scan to discover the gap between your current policy and your desired policy.
- Learn the network and indicate what will be the impact of each configuration change.
- Implement the new policy directly on production without testing or breaking anything.
- Monitor, control and prevent configuration changes, all from a single point of control.

CHS by CalCom is a server hardening automation tool. CHS learns the production environment and analyzes the impact of every configuration change. Thereby eliminating the need for lab testing and allowing the CIS baselines to be implemented directly on the environment without the risk of production outages. Learn more about CHS benefits.

Configuration Management Tools

Configuration management tools are not necessarily specific for security purposes, but they allow implementation of configuration changes on an infrastructure. These tools are relevant only after you scanned and found the gap between the policy and the baseline of the CIS Benchmark and test the predicted impact of each configuration change.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.