![]() CIS provides a scanning tool called CIS CAT, available in two levels. Once you apply the benchmarks, you need to make sure they stick. Once you have that experience under your belt, think about strategically retrofitting some existing systems. If you are not facing an immediate requirement to retrofit, I recommend incorporating them into a new technology rollout first. Retrofitting onto an existing system is possible, and sometimes necessary, but tends to be more challenging. ![]() Applying the CIS benchmark at that time allows you to assess the impact of any changes before they hit production. When deploying a new operating system, you already expect some compatibility issues, so testing your build with your existing software is probably already part of your process. The ideal time to deploy the CIS benchmarks is when rolling out a new operating system, such as when you build a corporate standard image running Windows 11 to replace Windows 10. The cost of a CIS membership isn’t prohibitive, so it is worthwhile to weigh the cost and benefits of membership versus the amount of time and labor it takes to implement each control on a one-by-one basis. It generally makes more sense to script out the changes, buy the build kit from CIS, or buy one of their hardened images. For Windows 11, for example, is 1239 pages long. It is possible to download the CIS benchmarks, log into a system, and make the changes by mousing around and/or running commands. Level 2 may have some impact, and the STIGs can have a greater degree of impact. Implementing level 1 is intended to have minimal impact to system functionality or compatibility. Organizations frequently choose to start with CIS level 1, then move up to stricter standards selectively when they need to meet stricter regulatory or contractual requirements. The STIGs are a government standard, but some organizations outside the government use them. The CIS STIGs are CIS’s own reimplementation of the originals. The STIGs are a security standard originally created by the United States military, based on the requirements in the US Government publication NIST 800-53. CIS level 2 provides enhanced security over level 1. Most organizations start with CIS level 1, then progress to higher levels when needed for stricter security. The higher levels sacrifice a degree of compatibility for enhanced security. The lower the number, the less impact you can expect to compatibility. The CIS benchmarks come in three different levels. They also exist for many popular applications, including the four major web browsers, Microsoft Office, and Zoom. The CIS benchmarks are available for popular desktop and server operating systems, including Microsoft Windows, Mac OS, and the most popular Linux distributions. Applying the benchmarks to any system that is in scope for Sarbanes-Oxley is a good way to demonstrate to regulators that you are configuring and protecting your computer systems in a prudent and responsible manner. The requirements for Sarbanes-Oxley regarding computer systems tend to be rather vague. If your remediation teams wish they didn’t have to patch as frequently, applying the appropriate benchmarks across your enterprise may be part of the cure they are looking for.Īnother use I have seen in my role at Nucleus is Sarbanes-Oxley compliance. This system change makes it much more difficult for an attacker to be in the position to do that. The thing an attacker wants to target isn’t running, so the attacker first has to enable the vulnerable component and then attack it. The number of participants have grown over the years, and now include some vulnerability scanner vendors, as well as operating system vendors.īy using these benchmarks to disable components of a system that you are not using, you make the system much more difficult to exploit. CIS is an acronym for Center for Internet Security, which is a vendor neutral consortium who collect best practices for system hardening and configuration to improve security. Think policy as in ‘Group Policy’ in Microsoft Windows, not security policy or remediation policy. The CIS benchmarks are a common standard used for system hardening, which is sometimes also called policy compliance. The CIS benchmarks, however, are proactive. ![]() And while vulnerability management prevents breaches, it is still a reactive process. It’s a never ending cycle of vulnerabilities being discovered, vendors releasing patches, and remediation teams applying patches to remediate those vulnerabilities. While vulnerability management is one of the few preventative practices in security, vulnerability patching is still reactive. Using CIS Benchmarks in your Vulnerability Management Strategy ![]()
0 Comments
Leave a Reply. |