CIS Baseline Hardening and Security Configuration Guide

By John Gates

December 28th, 2022

The Center for Internet Security (CIS) provides benchmarks for securely configuring a system. Each of the guidance recommendations references one or more CIS Controls that were developed to help organizations improve their cyber defense capabilities. The CIS Baseline Hardening and Security Configuration Guide is a document that provides prescriptive guidance for establishing a secure baseline configuration for systems. We will discuss the CIS solutions and provide an overall description about their importance and impact on security configuration. In this article we'll be providing an overview of the following CIS Resources:

CIS Benchmarks
CIS Controls
CIS Build kits
CIS SCAT
CIS-CAT Pro
CIS RAM
CIS Hardened Images
Cybersecurity Best Practices
CIS Information Sharing and Collaboration
CIS SecureSuite Membership
Automating System Hardening

What are CIS Benchmarks?

CIS Benchmarks provide recommended security configurations for various software applications, operating systems, and network devices. They offer detailed and prescriptive guidelines to help organizations harden their systems and protect against known vulnerabilities. CIS Benchmarks are prescriptive configuration recommendations for more than 25+ vendor product families and are categorized into seven groups, including Operating System Benchmarks which cover security configurations of core operating systems such as Microsoft Windows, Linux, and Apple OSX.

Learn more about CIS Benchmarks: HERE

What are CIS Controls?

CIS Controls provide a structured framework of security best practices that guide organizations in effectively configuring their systems and enhancing overall security. CIS Controls provide a prioritized set of security best practices for system hardening broken into 18 Controls with each having their own safeguard for cyber hygiene and Implementation Groups (IGs) and prioritization.

Learn more about CIS Controls: HERE

What are CIS Build Kits?

The CIS Build Kits are resources that help organizations implement secure configurations more quickly. They are automated, efficient, repeatable, and scalable. They can be applied via the group policy management console in Windows or through a shell script in Linux (Unix,*nix) environments. They can be customized to an organization's particular use case. CIS Build Kits offer pre-configured templates and guidelines for system hardening to streamline the process and improve security.

What is CIS SCAT?

CIS SCAT stands for CIS Controls Self Assessment Tool. It is a web application that enables security leaders to track and prioritize their implementation of the CIS Controls. There are two versions of CIS CSAT: Pro and Hosted.

CIS CSAT Pro is the on-premises version of the tool and is available exclusively to CIS SecureSuite Members.

CIS-hosted CSAT is a web-based portal version of CSAT hosted by CIS. It is free to every organization for use in a non-commercial capacity to conduct an assessment of their organization’s own implementation of the CIS Controls

CIS also released a CIS CSAT Ransomware Business Impact Analysis tool. This allows organizations to evaluate their likelihood of experiencing a ransomware attack and its potential impacts by using the CIS CSAT Ransomware Business Impact Analysis (BIA) tool.

What is CIS-CAT Pro?

CIS-CAT Pro is a configuration assessment tool that supports host-based (local) assessments and remote-based assessments. In order to perform assessments of remote endpoints, the target system must be configured to accept a remote connection. CIS-CAT Pro Assessor is a Java-based tool that scans against your target system's configuration settings and shows you the system's compliance to the corresponding CIS Benchmark.

What is CIS RAM?

The Center for Internet Security Risk Assessment Method (CIS RAM) is a methodology designed to assist organizations in implementing and evaluating their information security risk posture in relation to the CIS Critical Security Controls (CIS Controls). The CIS RAM Family of Documents offers a comprehensive set of resources, including instructions, examples, templates, and exercises, to facilitate the process of conducting a thorough cyber risk assessment.

CIS RAM offers three distinct security approaches tailored to accommodate varying levels of organizational capability. The three approaches are tailored for Novice, Experienced or Expert cybersecurity personnel. CIS RAM assists in identifying and addressing vulnerabilities through its risk assessment methodology, contributing to effective system hardening.

What are CIS Hardened Images?

CIS Hardened Images are virtual machine (VM) images that are pre-configured to meet the robust security recommendations of the associated CIS Benchmark for that operating system. These VMs built to CIS Benchmarks standards can help organizations meet compliance with common frameworks like NIST, HIPAA, PCI DSS, DISA STIGs, and more. CIS Hardened Images provide pre-hardened and securely configured operating system and software images to aid in system hardening and enhance security.

Does CIS have Cybersecurity Best Practices?

CIS publishes a wide range of resources, including whitepapers, case studies, and guides, to help organizations improve their cybersecurity practices. They focus on emerging threats, trends, and solutions to provide valuable insights to the cybersecurity community.

What is ISAC?

The Information Sharing and Analysis Center (ISAC) is an organization that collects, analyzes, and shares actionable threat information with its members. It also provides them with tools to mitigate risks and improve resiliency. CIS facilitates information sharing and collaboration among its members and partners. They host conferences, workshops, and webinars to foster communication and knowledge exchange within the cybersecurity industry.

The Multi-State Information Sharing and Analysis Center (MS-ISAC) and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) are both part of the Center for Internet Security (CIS). They provide a variety of services that augment and enhance members' cybersecurity teams.

isac

Resource: CIS ISAC

What are the CIS SecureSuite Membership benefits?

CIS SecureSuite: CIS offers a subscription-based service called CIS SecureSuite, which provides access to various cybersecurity tools and resources. Members can quickly and effectively assess endpoint configurations, measure compliance to the CIS Benchmarks, and conduct, track, and assess their implementation of the CIS Critical Security Controls (CIS Controls). Additionally, members have access to CIS-CAT Pro which is a configuration assessment tool that scans systems and reports on their levels of compliance with the best practices of the CIS Benchmarks and CIS Controls.

Learn More HERE

Why automation is important when system hardening?

Some of the CIS benchmarks are over a 1,000 pages in length and offer hundreds of recommendations. When applying the benchmarks going through the CIS Benchmarks for each server environment, each role and version is time consuming. A lab environment then needs to be created to simulate the impact of security policies on the servers which is labor intensive and costly.

CalCom Hardening Suite (CHS) is an automated solution for server hardening, with the goal of enhancing server security and compliance while reducing operational expenses. By assessing the effects of security hardening modifications on production services, CHS establishes a robust, continuously fortified, and actively monitored server environment. CHS enforces server security policies in real time, thus, ensuring that the servers are proactively protected.

CalCom is also a CIS SecureSuite Member which means that your entire enterprise IT estate can be audited against the range of CIS Benchmarks. Ask for a FREE DEMO to learn more.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.