Minimize threats to your business with advanced security services.
CIS Benchmark – (Center for Internet Security)
Hardening Checklist and Guidelines to Implement Secure Baseline Configurations
Hardening IT Infrastructure with CIS Standards, Best Practices and Guidelines
CIS Controls and CIS Benchmarks are global standards and recognized best practices for securing IT systems and data against the most pervasive attacks.
CIS develops its standards and best practices, including the CIS Benchmarks, Controls, and Hardened Images, through a consensus decision-making model.
Safeguarding the cyber community against severe threats
CIS (Center for Internet Security, Inc.) is a forward-thinking, non-profit entity that harnesses the power of a global IT community to safeguard private and public organizations against cyber threats.
By using its benchmarks, scoring methods and guidelines for your own business, you are also helping to safeguard the wider community against cyber threats.
Baseline configuration standards and scoring
Under CIS Control 5, CIS recommends maintaining documented security configuration standards for all authorized operating systems and software.
The Security Configuration Benchmarks are globally used and accepted as the de facto user-originated standard for IT security technical controls.
Configuring IT systems in compliance with these Benchmarks has been shown to eliminate 80–95% of known security vulnerabilities.
The CIS Benchmarks, considered the gold standard, contain over 100 configuration guidelines for various systems, safeguarding them against attacks that target configuration vulnerabilities.
A Security Technical Implementation Guide (STIG) is used as the configuration standard for Department of Defense Information Assurance (IA) and IA-enabled devices/systems.
Community-developed consensus benchmarks
Security Configuration Benchmarks – 94 Benchmarks which describe best practices for the secure configuration of target systems and are developed via extensive collaboration with the CIS volunteer consensus community.
The CIS Benchmark is a great baseline standard for AWS and continuously evolves with the help of the CIS SecureSuite members and Consensus Community.
CIS benchmarks are created and continually improved by groups known as CIS communities, which are made up of volunteers and IT professionals.
The release schedule for revised CIS Benchmarks (such as the 2020 revisions) depends on the community of IT professionals that developed each benchmark and on the release schedule of the technology the benchmark supports.
Industry-wide benchmark standards for organizations and compliance
Azure customers seeking to implement compliance with CIS Benchmarks should note that although this Azure Blueprint may help customers assess compliance with configuration recommendations, it does not ensure full compliance with all requirements of the CIS Benchmark and CIS Controls.
A recent study and analysis indicate that organizations fail over 50% of the compliance checks established by CIS in its benchmarks.
The CIS Benchmarks from The Center for Internet Security (CIS) are consensus-based secure configuration guidelines that help organizations around the globe meet common compliance framework requirements.
Organizations in regulated industries can rely on the industry-recognized, community-developed CIS Benchmarks to help them meet their various cybersecurity compliance requirements.
Although the DoD references CIS Benchmarks specifically, CIS recognizes that many organizations are still required to align with STIGs as the configuration standards for DoD IA and IA-enabled devices/systems.
# Systems Image Hardening
- CIS Hardened Images are securely configured virtual machine images based on CIS Benchmarks hardened to either a Level 1 or Level 2 CIS benchmark profile.
- CIS Hardened Images are pre-configured virtual machine (VM) images based on the security recommendations of the CIS Benchmarks.
- There are more than 10 CIS Hardened Images available on AWS Marketplace, Azure Marketplace, Google Cloud Platform, and Oracle Cloud Marketplace.
- In addition to the benchmarks for Microsoft products and services, CIS has also published CIS Hardened Images for use on Azure virtual machines configured to meet CIS benchmarks.
- Also, a new CIS Hardened Image that maps to this CIS RHEL 7 STIG Benchmark is available in AWS Marketplace, Google Cloud Marketplace, and soon to be released on Microsoft Azure.
Compliance requirements: meeting PCI and other industry standards
Customers are ultimately responsible for meeting the compliance requirements applicable to their environments and must determine for themselves whether the relevant information helps meet their compliance needs.
Because of this reputation, these benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting various compliance requirements such as PCI and HIPAA.
CIS Benchmarks are recommended as industry-accepted system hardening standards and are used by organizations in meeting compliance requirements for the Federal Information Security Management Act, PCI, the Health Insurance Portability and Accountability Act and other security requirements.
CIS Benchmarks are often a system hardening choice recommended by auditors for industries requiring PCI DSS and HIPAA compliance, such as banking, telecommunications and healthcare.
CIS benchmarks have a solid reputation and are recommended as system hardening procedures; they’re also used to meet various compliance requirements, including PCI and HIPAA.
- Most organizations have a centralized authentication system (often based on Active Directory) that should be used for all production Unix and Windows systems.
- Additional organization-specific security infrastructure such as Active Directory Federation Services and system-to-system virtual private networks (including Microsoft’s DirectAccess) should be part of hardening guidelines where settings are common to many systems.
Similarly, there are organization-specific guidelines that help system administrators understand the common weaknesses in the operating systems and environments they want to integrate.
Common hardening guidelines focus on systems as stand-alone elements, but the network environment must also be considered when building a secure system.
While hardening guidelines are top of mind for new Unix and Windows deployments, they can apply to any common environment, including network devices, application stacks and database systems.
What is the CIS Security Benchmarks Division and why are information security policies so critical in today’s I.T. world, and do you offer comprehensive I.T. security documentation?
Cyber Security Implementation Best Practices aligned with ISO 27001 (Information Security Management System, ISMS)
List of mandatory and standard operating policies, procedures and guideline requirements
- Information Security Framework or InfoSec Mother Policy
- Network Security Policy
- Information Classification Policy
- Security Operations governance
- Cyber Security policy
- Cloud Computing Security Policy
- Mobile Computing Security Policy (BYOD)
- IT Assets management policy
- Risk Management Policy
- Internet Usage Policy
- IT Assets Acceptable Use Policy (Including Email)
- Incident management and response Policy
- Change Management Policy
- Access Control Policy
- Administrative Privilege Access policy and framework (Application/Systems/Network/Endpoints)
- Clear Desk & Clear Screen Policy
- Data Protection, Privacy and disposal Policy
- Data Sharing & Transfer Policy
- Password Policy
- Project Management Framework
- Vendor Management and Supplier Relations Policy
- Systems Security Policy
- Human Resource Security Policy
- Physical & Environmental Security Policy
- Backup and retention policy
- IT Business Continuity and Disaster Recovery plan
- Anti-Malware Policy
- Cryptography Policy
- Ecommerce Security Policy
- Information Systems Acquisition, Development & Maintenance Policy
The Ubuntu CIS hardening tool allows customers to select the desired level of hardening against a profile (Level 1 or Level 2) and the work environment (server or workstation) for a system. The Ubuntu CIS benchmarks are organized into different profiles, namely ‘Level 1’ and ‘Level 2’, intended for server and workstation environments.
A Level 1 profile is intended to be a practical and prudent way to secure a system without too much performance impact.
The first, a Level 1 profile, is considered to be a “base security configuration” which has recommendations that are considered easier to set up and overall lower the potential attack surface of a system.
CIS Level 2 is equivalent to VMware Risk Profile 1 and/or 2 (but not 3).
A Level 2 profile is used where security is considered very important, and it may have a negative impact on the performance of the system.
A new Level 3 profile includes additional requirements from the STIG that aren’t covered in the Level 1 and Level 2 profiles.
How the guide for Ubuntu 18.04 Server is used to increase the security posture of, or harden, a clean Ubuntu 18.04 server installation depends on which security requirements apply to the environment.
A mix of settings and options, hardening guidelines cover the space between a newly installed operating system and the minimum security level an organization considers acceptable.
The High Security, or Specialized Security-Limited Functionality, level is designed specifically for very hostile environments under significant risk of attack.
How to protect applications and services against intrusion
In reality system hardening is all about locking, protecting, and strengthening components of the actual system, not protecting it by adding new security software and hardware.
Many falsely believe firewalls and data security software layers are enough to protect systems and to comply with system hardening requirements.
Third-party security and management applications such as anti-malware tools, host intrusion prevention products and file system integrity checkers also require organization-specific settings.
Hardening is a process that helps protect against unauthorized access, denial of service, and other cyberthreats by limiting potential weaknesses that make systems vulnerable to cyberattacks.
By ensuring only necessary services, protocols, and applications are enabled, a business reduces the risk of an attacker exploiting a vulnerability to get into a system.
1. Patching
2. Administration
3. Vulnerabilities
4. Information tool
In addition to detailing missing patches, this tool also performs checks on basic security settings and provides information on remediating any issues found.
The STIGs contain technical guidance to “lock down” information systems / software that might otherwise be vulnerable to a malicious computer attack.
Once a system is hardened and deployed into an environment, it’s critical to maintain its level of security through proactively updating or patching it to mitigate new vulnerabilities and weaknesses that are discovered.
With the recent news coming out of the Equifax breach, which disclosed that admin:admin was used to protect the portal used to manage credit disputes, the importance of hardening standards is becoming more apparent.
Purpose of Docker, its containers and Kubernetes
Docker has its own document repo as well including Introduction to Container Security and the CIS Benchmark for the Docker Community Edition.
That initial exploration was covered in Part 1 of this series on container security, “Quick Dive into Containers, Kubernetes and Security “.
And an additional note that although this article focuses heavily on CIS, there are other places to find good benchmarks for securing Docker and Kubernetes.
As with any benchmark, there is an audit section covering all Docker daemon activities (essentially detailed logs of what is going on in the containers).
There are also recommendations on the way Docker is installed and configured on the host, such as preventing the docker user from altering the host system.
How the Azure Policy definitions assigned by the blueprint help monitor and enforce configuration
- Assigns Azure Policy definitions that help you monitor when multi-factor authentication isn’t enabled on privileged Azure Active Directory accounts.
- Assigns an Azure Policy definition that helps you monitor when multi-factor authentication isn’t enabled on non-privileged Azure Active Directory accounts.
- Assigns an Azure Policy definition that helps you ensure that key vault objects are recoverable in the case of accidental deletion.
- Assigns Azure Policy definitions that help you monitor for guest accounts and custom subscription roles that may need to be removed.
- Assigns Azure Policy definitions that help you ensure that system updates are installed and endpoint protection is enabled on virtual machines.
- Assigns Azure Policy definitions that help you ensure a log profile exists and is properly configured for all Azure subscriptions, and that activity logs are retained for at least one year.
Highly privileged accounts, generic vs. individual user accounts, configuration changes, sudo and root
Disabling unneeded filesystems, restricting user permissions to files and directories, disabling unneeded services, configuring network firewalls are some examples of configuration changes recommended in a Level 1 profile.
The tool should show the history of configuration changes over time and identify who made them (including the user’s original login account in the event of a user ID switch, as can be performed using the su or sudo command).
Use automated configuration monitoring that can check all remotely-testable secure configuration elements and raise alerts if unauthorized changes occur (new listening ports, new admin users, changes in group and local policy objects, and new services running on the system).
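A small drift checker in the spirit of the monitoring just described, added here as an illustration rather than taken from CIS or the page: it records a hardened baseline, re-collects the same elements later, and alerts on new listening ports, admin users and running services. The snapshot inputs are constructed inline in the shape of `ss -ltn`, `/etc/group` and `systemctl` output, and the admin group names are an assumption.

```python
"""Configuration drift check in the spirit of the monitoring described above:
record a secure baseline, re-collect later, and alert on new listening ports,
admin users and running services. Added example; inputs are constructed inline."""
from typing import Dict, Iterable, List, Set

ADMIN_GROUPS = {"sudo", "wheel"}  # assumption: groups that confer admin rights


def parse_listening_ports(ss_lines: Iterable[str]) -> Set[str]:
    """Ports from `ss -ltn`-style lines; header/non-LISTEN rows are skipped."""
    ports = set()
    for line in ss_lines:
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            ports.add(cols[3].rsplit(":", 1)[1])  # 'addr:port', also [::]:22
    return ports


def parse_admin_users(group_lines: Iterable[str]) -> Set[str]:
    """Members of admin groups from /etc/group-style 'name:x:gid:members'."""
    users = set()
    for line in group_lines:
        name, _, _, members = line.strip().split(":", 3)
        if name in ADMIN_GROUPS and members:
            users.update(members.split(","))
    return users


def parse_running_services(unit_lines: Iterable[str]) -> Set[str]:
    """Unit names from `systemctl --type=service --state=running` rows."""
    return {cols[0] for cols in (ln.split() for ln in unit_lines)
            if cols and cols[0].endswith(".service")}


def snapshot(ss_lines, group_lines, unit_lines) -> Dict[str, Set[str]]:
    return {"listening_ports": parse_listening_ports(ss_lines),
            "admin_users": parse_admin_users(group_lines),
            "services": parse_running_services(unit_lines)}


def drift_alerts(baseline: Dict[str, Set[str]],
                 current: Dict[str, Set[str]]) -> List[str]:
    """One alert per element present now but absent from the hardened baseline."""
    return [f"ALERT new {cat}: {item}" for cat in sorted(baseline)
            for item in sorted(current[cat] - baseline[cat])]


# Constructed samples: baseline taken right after hardening, current taken later.
BASELINE = snapshot(["LISTEN 0 128 0.0.0.0:22 0.0.0.0:*"],
                    ["root:x:0:", "sudo:x:27:alice"],
                    ["ssh.service loaded active running OpenBSD Secure Shell server"])
CURRENT = snapshot(["LISTEN 0 128 0.0.0.0:22 0.0.0.0:*", "LISTEN 0 128 [::]:8080 [::]:*"],
                   ["root:x:0:", "sudo:x:27:alice,mallory"],
                   ["ssh.service loaded active running OpenBSD Secure Shell server",
                    "telnet.service loaded active running Telnet server"])

if __name__ == "__main__":
    print("\n".join(drift_alerts(BASELINE, CURRENT)))
```

Run on real hosts, the three parsers would be fed the output of the corresponding commands and the baseline stored alongside the hardening record so that each alert can be tied to a change ticket.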
How to implement systems hardening
- Change implementation in test environment
To be sure that your system hardening is viable, extensive testing of your system hardening changes should be performed in a test environment.
In the test environment, apply each change methodically, one at a time, and test the system frequently to ensure that the system functions as desired.
Once all desired changes have been verified and the test environment has been exercised with an exhaustive set of use cases, it is time to apply the changes to your production systems.
Once you have selected the benchmark and the specific changes you want to apply, changes should be made in a test environment.
The test environment is useful for exploring how the desired changes will affect the production systems, without the risk of disrupting normal business operations, and helps determine which changes will be rolled out in the production environment.
Registry access, user credentials and scheduled tasks
If remote registry access is required, the remotely accessible registry paths should still be configured to be as restrictive as possible.
SpyBot Search and Destroy – Automatic update tasks can be created inside the program itself and are scheduled using the Windows Task Scheduler.
No privileged containers should be able to run by default, and user access to the ones that are running in privileged mode should not be allowed.
Therefore, it is recommended that this value be reduced so that fewer credentials will be placed at risk, and credentials will be cached for shorter periods of time in the case of devices that are logged into frequently by multiple users.
It’s unlikely that non-administrative users require this level of access and, in cases where the server is not physically secured, granting this right may facilitate a compromise of the device.
Kubernetes configuration: cluster certificates, components and audit
An Audit Policy and backends that record audit events must be configured for each Kubernetes cluster at the API Server level.
All communications to/from a cluster and between internal components must be encrypted and authenticated, always verifying the component’s certificate.
All Kubernetes certificates must be signed by a Certificate Authority (CA); however, the CA itself can be self-signed.
For an enterprise deployment, it is important to have a certificate management policy in place which ensures that Kubernetes certificates can be easily managed across clusters.
However, what should be fairly obvious is that enterprise – wide Kubernetes security requires a management plane that is constantly validating, auditing, and ensuring configurations and compliance across clusters to ensure that Kubernetes is correctly configured and secured.
High-precision cloud container platform
Cyber Security IT services and freelance consultants work to secure their container and cloud-native applications from development to production, accelerating application deployment and bridging the gap between DevOps and IT security.
The platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks in real time.
Source: CIS Introduces V7.1 of CIS Controls, www.cisecurity.org