Systems Hardening with CIS Standards.md - Juan-bit94/Ops401D10 GitHub Wiki

Systems Hardening with CIS Standards

Why does this topic matter?

  • This topic matters because the CIS Benchmarks are a collection of best practices for securely configuring IT systems, software, networks, and cloud infrastructure.
  • CIS involves communities of cybersecurity professionals and subject matter experts who continuously identify, refine, and validate security best practices within their areas of focus. In the end, it is a good fountain of resources and best practices to be aware of.

What are three benefits of following CIS Benchmarks?

  • The Center for Internet Security (CIS) has benchmarks that provide the following benefits.
    • CIS publishes documentation about its benchmarks that has been developed through a community of cybersecurity professionals and subject matter experts who identify, refine, and validate security best practices within their areas of focus.
    • CIS Benchmarks organize recommended configurations into profile levels based on user needs.
    • CIS Benchmarks align closely with security and data privacy regulatory frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework, the Payment Card Industry Data Security Standard (PCI DSS), and many others.

What are the seven core categories of CIS Benchmarks?

  • Here are the seven core categories of the CIS Benchmarks.
  1. Operating system benchmarks: These cover security configurations and best practices for operating systems such as Windows, Linux, and Apple OSX.
  2. Server software benchmarks: These cover security configurations for server software such as Windows Server, SQL Server, and others. This category also covers recommended configurations for Kubernetes, PKI certifications, and other controls and policies.
  3. Cloud provider benchmarks: These address security configurations for popular cloud providers such as AWS, Azure, and Google Cloud. This category includes guidelines for configuring identity and access management (IAM), system logging protocols, network configurations, and regulatory compliance safeguards.
  4. Mobile device benchmarks: These address mobile operating systems such as iOS and Android. This category focuses on areas such as developer options and settings, OS privacy configurations, browser settings, and app permissions.
  5. Network device benchmarks: These offer general and vendor-specific security configuration guidelines for network devices and applicable hardware from Cisco, Palo Alto Networks, Juniper, and others.
  6. Desktop software benchmarks: These cover security configurations for some of the most commonly used desktop software applications, such as Microsoft Office, Exchange Server, and others. These benchmarks focus on email privacy and server settings, mobile device management, default browser settings, and third-party software blocking.
  7. Multi-function print device benchmarks: These outline security best practices for configuring multi-function printers in office settings and cover topics such as firmware updating, TCP/IP configurations, wireless access configuration, user management, and file sharing.
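To make the operating system category concrete, here is an added example (not part of the original wiki page and not CIS's own audit tooling) of what a benchmark-style check looks like in practice: a small Python auditor that reads an OpenSSH server configuration and evaluates a handful of recommendations grouped into the Level 1 / Level 2 profiles the benchmarks use. The check titles are paraphrased from the kind of SSH hardening items found in CIS Linux benchmarks, but their wording, thresholds, assumed defaults and the sample `sshd_config` are illustrative assumptions, not text copied from any benchmark. The parser also honours two details a real audit has to get right: sshd uses the first value it sees for a keyword, and directives under a `Match` block apply only conditionally.

```python
"""CIS-style audit of an OpenSSH server configuration (illustrative, not CIS tooling)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample config, not taken from a real host. Note the duplicate
# PermitRootLogin: sshd honours the FIRST value, so the audit must as well.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PermitRootLogin no
MaxAuthTries 6
PermitEmptyPasswords no
X11Forwarding yes

Match User deploy
    PermitRootLogin no
    X11Forwarding no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective top-level value for each keyword (keywords lower-cased).

    OpenSSH semantics: the first value given for a keyword wins, and anything
    after a 'Match' line only applies to matching connections, so it is skipped.
    """
    effective: Dict[str, str] = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = True
            continue
        if in_match:
            continue
        effective.setdefault(keyword, value)             # first occurrence wins
    return effective


@dataclass
class Check:
    level: int                       # CIS profile level: 1 = baseline, 2 = defence in depth
    title: str                       # paraphrased recommendation (assumed wording)
    keyword: str                     # sshd_config keyword, lower-cased
    default: str                     # value sshd assumes when the keyword is absent (assumed)
    passes: Callable[[str], bool]    # predicate over the observed value


# Illustrative recommendation set; thresholds and defaults are assumptions.
CHECKS: List[Check] = [
    Check(1, "SSH root login is disabled", "permitrootlogin", "prohibit-password",
          lambda v: v.lower() == "no"),
    Check(1, "SSH MaxAuthTries is 4 or less", "maxauthtries", "6",
          lambda v: v.isdigit() and int(v) <= 4),
    Check(1, "SSH empty passwords are not permitted", "permitemptypasswords", "no",
          lambda v: v.lower() == "no"),
    Check(2, "SSH X11 forwarding is disabled", "x11forwarding", "no",
          lambda v: v.lower() == "no"),
]


@dataclass
class Finding:
    level: int
    title: str
    observed: str
    passed: bool


def audit(config_text: str, profile_level: int = 1) -> List[Finding]:
    """Run every check at or below profile_level (Level 2 includes all of Level 1).

    An absent keyword is judged against the assumed sshd default, so a setting
    that is insecure by default fails even when the admin never wrote it down.
    """
    effective = parse_sshd_config(config_text)
    findings: List[Finding] = []
    for check in CHECKS:
        if check.level > profile_level:
            continue
        observed = effective.get(check.keyword, check.default)
        findings.append(Finding(check.level, check.title, observed, check.passes(observed)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count passed and failed checks for a quick compliance score."""
    passed = sum(1 for f in findings if f.passed)
    return {"passed": passed, "failed": len(findings) - passed}


if __name__ == "__main__":
    results = audit(SAMPLE_SSHD_CONFIG, profile_level=2)
    for f in results:
        print(f"[L{f.level}] {'PASS' if f.passed else 'FAIL'}  {f.title} (observed: {f.observed})")
    print(summarize(results))
```

Running it against the constructed sample reports root login and MaxAuthTries as failures at Level 1, with X11 forwarding added as a failure at Level 2, even though a `Match` block later in the file sets safer values for one user. That is the point of tying an audit to profile levels: Level 1 is the baseline with minimal impact on business functionality, and Level 2 adds defence-in-depth items a team can adopt once the baseline is in place.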

How would you convince your manager that applying CIS Benchmarks could fast-track your organization's compliance?

  • I would convince my manager of the benefits of applying CIS Benchmarks to the organization. Not only will we have a better security posture by covering baseline configurations that are easy to implement and have minimal impact on business functionality, but we will also be in good standing with security and data privacy regulatory frameworks.
  • I would explain to management that the CIS Benchmarks closely align with the NIST Cybersecurity Framework and other types of government regulations.

Things I would like to know more about.

  • I would like to know who verifies the auditing done for companies that want to show that they are compliant with regulations. Is it the government that sends someone to check? Is it a self-report type of thing? Or is it based on a third party's audit report?