In April 2019 the Center for Internet Security published version 7.1 of the 20 CIS Controls. Like in the previous versions, the controls are divided into basic controls, foundational and organizational. The first 6 basic controls should be a top priority in the organizational cybersecurity plan, as most of the breaches will be prevented by implementing only the first basic controls.


There were changes in the controls themselves from previous versions. What used to be the 3rd Control is now the 5th Control. In addition, the new 5th Control has some structural and conceptual changes.


CIS 5th Control is all about securing configuration for any configurable component in your system, hardware, and software. Deploying secured configuration settings is extremely complex. It requires multi-discipliner staff that will analyze potentially hundreds or thousands of possibilities in order to make the right decision. Furthermore, after configurations settings are deployed, it must be continually managed as the system constantly changes and new vulnerabilities emerge.


CalCom offers the solution that will make your system hardened without the need for extended manpower and working hours, eliminating the need for any lab testing impact analysis. CalCom CHS will also keep your system hardened, updated to your IT network natural development and to the recent vulnerabilities and recommendations.


The 5th Control contains 5 requirements:


5.1. Establish Secure Configurations-

Maintain documented security configuration standards for all authorized operating systems and software.


Practically speaking: deploy known hardening benchmarks, such as the CIS Benchmarks or DISA STIGs, and follow known frameworks, such as NIST 800-53 to secure your environment. CalCom CHS will save you the need for lab testing and will automatically deploy your desired policy on your production.

CIS Benchmarks -What are They and How to Use Them

5.2 Maintain Secure Images-

Maintain secure images or templates for all systems in the enterprise based on the organization's approved configuration standards. Any new system deployment or an existing system that becomes compromised should be imaged using one of those images or templates.


Practically speaking: the main challenge here is to keep up with the frequent OS and application updates. As the master image should be stored offline, it might be difficult to update it immediately after every change in production.


5.3 Securely Store the Master Images-

Store the master images and templates on securely configured servers validated with integrity monitoring tools to ensure that only authorized changes to the images are possible.


Practically speaking:  an unsecured image could lead to extensive damage to the entire network. The master image should be treated as a top security concern. It should be encrypted, stored offline, monitored for changes and restricted to minimal access possible.


5.4 Deploy System Configuration Management Tools-

Deploy system configuration management tools that will automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals.


Practically speaking: hardening your system should be a continuous process, as already proven in the previous requirement. In order to prevent any configuration drifts resulted from intended or unintended changes, configuration settings should be redeployed automatically at scheduled intervals. This process should be automated. CalCom CHS will inform you about any configuration drifts and will automatically redeploy your policy on your production.


5.5 Implement Automated Configuration Monitoring Systems-

Utilize a Security Content Automation Protocol (SCAP) compliant configuration monitoring system to verify all security configuration elements, catalog approved exceptions, and alert when unauthorized changes occur.


Practically speaking: keeping awareness of what's going on in your system is hard if there's no automation involved. This is the key component for any remediation process as mentioned in 5.4. CHS Policy Analysis Center will provide you all the information you need regarding your compliance level to your policy.

The Complete Guide for Server Hardening

You might be interested