CIS Benchmarks - What Are They and How to Use Them

By Keren Pollack, on January 28th, 2019

The Center for Internet Security (CIS) published a set of 20 actions, or “controls”, that should be performed in order to achieve a cyber-attack-resilient IT infrastructure. In CIS Control 5, the CIS recommends maintaining documented security configuration standards for all authorized operating systems and software (5.1). It also recommends deploying system configuration management tools that automatically enforce and redeploy configuration settings to systems at regularly scheduled intervals (5.4). According to CIS, organizations must implement rigorous configuration and change control processes to prevent attacks that exploit vulnerable services and settings.

Accompanying this demand, the CIS also published a set of hardening recommendations for different hosts, platforms, and operating systems: the CIS Benchmarks. Although the CIS Benchmarks are considered the gold standard in system hardening, studies show that most organizations fail over 50% of the CIS Benchmark compliance checks, and more than half of these failures are high-severity issues. System hardening is a mandatory requirement of most regulations. The CIS Benchmarks provide incredible depth, so following them can be considered a burden.

In this post we’ll try to answer these questions about the CIS Benchmarks:

  1. What are the CIS Benchmarks?
  2. Why should you use the CIS Benchmarks?
  3. How do you use the CIS Benchmarks?
  4. Which tool should you use to implement the CIS Benchmarks?

What are the CIS Benchmarks?

The CIS Benchmarks are a collection of recommended hardening policies for different hosts, applications, and operating systems. Each platform has specific rules for each version, which makes the CIS Benchmarks the most low-level and detailed framework out there. All in all, the CIS Benchmarks sum up to dozens of different files, each containing hundreds of pages of rules. The rules are divided into categories and subcategories according to the rule’s type. For example, account policy rules will contain sections such as password policy and account lockout policy.

The rules are all built the same way and contain the following sections:

  1. The headline – contains the actual recommendation and the level that classifies its importance. A recommendation is classified as L1 (a mandatory recommendation), L2 (a recommendation that can be implemented at a later stage of the hardening project), or NA (the lowest importance).
  2. Profile Applicability – which system component will be affected by this policy.
  3. Description – a description of the setting the rule governs.
  4. Rationale – the reasoning behind setting the rule the way it is recommended.
  5. Audit – how to check whether this rule is currently satisfied.
  6. Remediation – how you can enforce this rule on your machine.
  7. Impact – any expected impact on your production environment.
  8. Default value – the value of the setting as it is set ‘out of the box’.
  9. References – a reference to the relevant CCE (Common Configuration Enumeration) identifier.
  10. CIS Controls – the CIS Controls that this policy relates to.

The CIS Benchmarks are updated at least once a year, according to newly discovered vulnerabilities, recent attacks, and platform updates.

Why Should You Use the CIS Benchmarks?

As delivered by the manufacturer, an operating system’s default configuration is aimed at usability rather than security. Therefore, without measures to secure them, operating systems are highly vulnerable to cyber-attacks. It is not a rare sight to see attackers take advantage of an organization’s attack surface, penetrating the enterprise’s IT network, spreading malware, and causing extensive damage. For example, the WannaCry malware, which first appeared in May 2017, is a Server Message Block (SMB) worm that uses such a weakness to access the network and distribute itself within it. Although Microsoft released the relevant security updates during 2016 and 2017, WannaCry, as well as other SMB worms such as Brambul, continue to cause thousands of dollars’ worth of damage every day. Another popular target is the RDP protocol, which can be made significantly more secure once proper hardening actions are implemented.

Besides the obvious need to reduce the organization’s attack surface, regulations should also be taken into consideration when deciding whether or not to use the CIS Benchmarks. It is fair to say that almost all the major regulations require CIS Benchmarks compliance, directly or indirectly. By indirectly we mean that some regulations require compliance with other frameworks, such as the NIST Cybersecurity Framework, and these frameworks in turn refer to the CIS Benchmarks.

Regulation           Referenced hardening framework
PCI-DSS              CIS Benchmarks
HIPAA                CIS Benchmarks
CMMC                 CIS Benchmarks
ISO 27001            NIST
23 NYCRR Part 500    NIST

How to Use the CIS Benchmarks

As explained earlier, the CIS Benchmarks’ goal is to help organizations harden their machines, and by hardening we mean securing the machines’ configurations. Implementing the CIS Benchmarks is a big step towards achieving a hardened infrastructure, but also one of the most complicated ones.

There are a number of actions you need to perform in order to make sure that your machines are hardened:

  1. Establish standard secure configurations of the operating systems and software. Configurations should be updated and validated in light of the latest vulnerabilities and attack vectors. It is recommended to base your policy on the CIS Benchmarks. 

  2. Apply strict configuration management to all new systems deployed in the enterprise. For an existing system that has been compromised, update the security image that will address its vulnerabilities. Different types of systems (servers, workstations, etc.) should have their own security images.

  3. Store the master security image on securely configured servers that have been validated with integrity testing tools. Make sure that only authorized changes to the image are possible. Another option is to store the master image in offline machines, air-gapped from the production network. Use secure media to move the image from its storage to the production network.

  4. Use only secured channels to perform all remote administration activities. Protocols that do not actively support strong encryption (telnet, VNC, RDP, etc.) should only be used if they are activated over a secondary encryption channel, such as SSL, TLS or IPSEC.

  5. Use file integrity checking tools to ensure that critical files have not been changed. The checking tool should have the ability to accept routine and expected changes and to alert regarding unusual or unexpected changes. The tool should show the history of configuration changes over time and identify who made them (including the user’s original login account in the event of a user ID switch, as can be performed using the su or sudo command). The integrity checking tools should identify suspicious system changes such as: owner and permissions changes to files or directories; usage of alternate data streams that could be used to hide malicious activities; and the introduction of new files into key system areas (which could also indicate malicious activities).

  6. Use automated configuration monitoring that can check all remotely-testable secure configuration elements and raise alerts if unauthorized changes occur (new listening ports, new admin users, changes in the group and local policy objects, and new services running on the system). Tools that integrate with the Security Content Automation Protocol (SCAP) are recommended.

  7. Deploy system configuration management tools that will automatically enforce system configuration settings – periodically, or preferably, in real time. Using them, you should be able to redeploy or have real-time control over the configuration settings on a scheduled, manual, or event-driven basis.

It is likely that you will need to support a variety of standardized security images, due to the organization’s complexity and its range of supported functionalities.  The number of image variations should be kept to a minimum in order to better understand and manage the security properties of each, but the organization must be able to manage multiple baselines.
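Steps 5 and 6 above ask for a tool that baselines critical files and flags content, owner and permission changes, new files in key system areas, and the removal of files, while accepting routine, expected changes. The script below is an added example of that logic, not code from the original post or from any product it names. The watched directory, the file names and their contents in demo() are constructed so it runs offline; on a real host the watched list would be /etc and similar and the JSON baseline would be stored off the machine.

```python
"""File-integrity checking in the spirit of steps 5 and 6 above.

Added example; it is not code from the original post or from any product
the post names. It records owner, permission bits and a SHA-256 digest for
every file under a set of watched directories, then compares a later
snapshot against that baseline and reports content changes, owner or
permission changes, removed files, and new files appearing in a watched
area, while skipping paths listed as routine, expected changes. The
directory layout and file contents in demo() are constructed here so the
script runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    """Capture the attributes the post says an integrity tool should track."""
    st = path.lstat()
    rec = {"uid": st.st_uid, "gid": st.st_gid, "mode": stat.S_IMODE(st.st_mode)}
    if stat.S_ISREG(st.st_mode):
        rec["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return rec


def snapshot(watched_dirs) -> dict:
    """Walk each watched directory and record every regular file found."""
    snap = {}
    for d in watched_dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file():
                snap[str(p)] = file_record(p)
    return snap


def compare(baseline: dict, current: dict, expected_changes=()) -> list:
    """Return (path, reason) alerts; paths in expected_changes are accepted silently."""
    alerts = []
    for path, rec in current.items():
        if path in expected_changes:
            continue
        old = baseline.get(path)
        if old is None:
            alerts.append((path, "new file in watched area"))
            continue
        if old.get("sha256") != rec.get("sha256"):
            alerts.append((path, "content changed"))
        if (old["uid"], old["gid"]) != (rec["uid"], rec["gid"]):
            alerts.append((path, "owner changed"))
        if old["mode"] != rec["mode"]:
            alerts.append((path, f"permissions changed {old['mode']:o} -> {rec['mode']:o}"))
    for path in baseline:
        if path not in current and path not in expected_changes:
            alerts.append((path, "file removed"))
    return sorted(alerts)


def demo() -> list:
    """Constructed scenario: baseline a fake /etc, alter it, compare. Returns (filename, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(etc / "passwd", 0o644)
        # Round-trip through JSON, as a real tool would when storing the baseline off-host.
        baseline = json.loads(json.dumps(snapshot([etc])))

        # Simulated unauthorized changes made after the baseline was taken.
        (etc / "sshd_config").write_text("PermitRootLogin yes\n")  # content change
        os.chmod(etc / "passwd", 0o666)                            # permission change
        (etc / "newfile.conf").write_text("unexpected\n")          # new file in key area
        return [(Path(p).name, reason) for p, reason in compare(baseline, snapshot([etc]))]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"ALERT {name}: {reason}")
```

The expected_changes parameter is the hook for the "routine and expected changes" the post mentions: a change-management process would populate it from approved tickets so that a planned package update does not raise an alert while an unplanned edit to the same file does. Attribution of who made a change (the su/sudo case in step 5) is not something a filesystem snapshot can answer; that needs audit logging alongside the integrity check.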

 

As with any complex task, difficulties often arise and production systems are often harmed. Before a new configuration is established in production, it should be tested in a lab. These tests require long hours for every change to be made in the system. Since the enterprise’s network changes constantly, keeping track of hardening status and implementing the benchmarks is almost impossible to do without hitches.

Which Tool Should You Use for Implementing the CIS Benchmarks?

Scanners and Assessment Tools 

This group of tools will indicate your CIS Benchmark compliance posture. Using them will indicate the gap between your current policy and the CIS Benchmarks. They will not provide any solution for overcoming this gap, and you will have to test and enforce the changes to improve your compliance posture. The CIS offers its own developed scanner – the CIS CAT.
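To make the rule structure listed earlier (headline, level, profile applicability, description, rationale, audit, remediation, impact, default value) and the "gap" a scanner reports concrete, here is an added example in Python. It is not code from the original post, from CIS-CAT or from any other scanner; the rule ids, thresholds, the illustrative default values and the sample host state are all constructed for the example rather than quoted from a CIS Benchmark document. Only the audit part of each rule is executed; the other sections are carried along so the report can print the remediation for every failed rule.

```python
"""A CIS-style gap assessment in miniature (added example, not a product's code).

Each Rule carries the sections the post lists; only `audit` is executable.
The rule ids, thresholds, defaults and SAMPLE_HOST are constructed here.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    rule_id: str
    headline: str
    level: str                               # "L1", "L2" or "NA", as the post classifies them
    profile: str                             # which component the rule applies to
    description: str
    rationale: str
    audit: Callable[[Dict[str, Any]], bool]  # True when the host satisfies the rule
    remediation: str
    impact: str
    default: str                             # illustrative out-of-the-box value


# Constructed host state; a real scanner collects this from the OS or registry.
SAMPLE_HOST: Dict[str, Any] = {
    "password.min_length": 8,
    "password.history": 24,
    "lockout.threshold": 0,        # 0 means accounts are never locked out
    "sshd.PermitRootLogin": "yes",
    "sshd.MaxAuthTries": 6,
}

RULES: List[Rule] = [
    Rule("PW-1", "Minimum password length is 14 or more characters", "L1",
         "Member Server", "Fewest characters a password may contain.",
         "Short passwords are quicker to guess.",
         lambda h: h.get("password.min_length", 0) >= 14,
         "Set the minimum password length policy to 14 or more.",
         "Users must pick longer passwords.", "illustrative: 7"),
    Rule("PW-2", "Password history remembers 24 or more passwords", "L1",
         "Member Server", "Number of previous passwords that may not be reused.",
         "Prevents cycling back to a known-compromised password.",
         lambda h: h.get("password.history", 0) >= 24,
         "Set the password history policy to 24 or more.",
         "None expected.", "illustrative: 0"),
    Rule("LO-1", "Account lockout threshold is 10 or fewer attempts, but not 0", "L1",
         "Member Server", "Failed logons before the account locks.",
         "Limits online password guessing.",
         lambda h: 1 <= h.get("lockout.threshold", 0) <= 10,
         "Set the lockout threshold policy to a value between 1 and 10.",
         "Users who mistype repeatedly may be locked out briefly.", "illustrative: 0"),
    Rule("SSH-1", "SSH root login is disabled", "L1",
         "Linux server running sshd", "Whether root may authenticate over SSH.",
         "Forces use of an individual account first, giving an audit trail.",
         lambda h: str(h.get("sshd.PermitRootLogin", "")).lower() == "no",
         "Set PermitRootLogin no in sshd_config and reload sshd.",
         "Admins must log in as themselves and escalate.", "illustrative: prohibit-password"),
    Rule("SSH-2", "SSH MaxAuthTries is 4 or fewer", "L2",
         "Linux server running sshd", "Authentication attempts permitted per connection.",
         "Slows online guessing per connection.",
         lambda h: h.get("sshd.MaxAuthTries", 99) <= 4,
         "Set MaxAuthTries 4 in sshd_config and reload sshd.",
         "None for users with correct credentials.", "illustrative: 6"),
]


def assess(host: Dict[str, Any], rules: List[Rule]) -> List[Dict[str, Any]]:
    """Run every rule's audit and record pass/fail with the remediation text."""
    return [{"rule_id": r.rule_id, "level": r.level, "headline": r.headline,
             "compliant": bool(r.audit(host)), "remediation": r.remediation}
            for r in rules]


def gap_report(results: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Summarise the gap the way a scanner does: what failed, at which level."""
    failed = [r for r in results if not r["compliant"]]
    return {
        "checked": len(results),
        "failed": len(failed),
        "failed_l1": sorted(r["rule_id"] for r in failed if r["level"] == "L1"),
        "failed_l2": sorted(r["rule_id"] for r in failed if r["level"] == "L2"),
        "remediations": {r["rule_id"]: r["remediation"] for r in failed},
    }


if __name__ == "__main__":
    report = gap_report(assess(SAMPLE_HOST, RULES))
    print(f"{report['failed']}/{report['checked']} rules failed; "
          f"L1 failures: {report['failed_l1']}")
    for rule_id, fix in report["remediations"].items():
        print(f"  {rule_id}: {fix}")
```

Note what the report does and does not give you: it names the failed rules and their remediation text, which is exactly the gap a scanner reports, but nothing here predicts the impact of applying a remediation on a given host. That is the part the post says you must still test before enforcing, and why the L1/L2 split matters for ordering the work.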

 

Configuration Management Tools

Configuration management tools are not necessarily specific to security purposes, but they allow you to implement configuration changes on your infrastructure. These tools are relevant only after you have scanned and found the gap between your policy and the CIS Benchmark and tested the predicted impact of each configuration change. Examples of this kind of tool are Chef, Ansible, and Tripwire Configuration Manager.

Hardening Automation Tools

Hardening automation tools basically provide a comprehensive solution for hardening. They do everything from scanning, through implementation, to monitoring and maintaining the compliance posture. Their biggest advantage is that they eliminate the need to check what the impact of each configuration change will be on your network. This is by far the most painful, time- and resource-consuming part of hardening. Hardening automation tools offer the following solution:

  1. Scanning and discovering the gap between your current policy and your desired policy.
  2. Learning your network and indicating what the impact of each configuration change will be.
  3. Implementing the new policy directly on production without testing or breaking anything.
  4. Monitoring, controlling, and preventing configuration changes, all from a single point of control.

CHS by CalCom is a server hardening automation tool. CHS has the ability to learn your production environment and analyze the impact of every configuration change, thereby eliminating the need for lab testing, and allowing you to implement CIS benchmarks directly on the environment without the risk of production outages. Learn more about CHS benefits and features by downloading our datasheet.