There are numerous CIS Benchmarks that provide system administrators and other IT staff with configuration baselines and best practices, organised by profile level, so that they can harden the configuration of the systems and devices used within their organisation.
Here we will provide you with a detailed overview of what CIS benchmarks and controls should mean to you, along with useful references for further reading where needed, as part of this guide.
What are CIS Benchmarks?
The Center for Internet Security (CIS) Benchmarks are a group of globally accepted, consensus-driven methods for securing and managing cyber defences. They are created to assist with constructing and controlling cyber-security measures. As a result of collaboration with a broad group of global security experts, the guidelines are designed to help organizations proactively safeguard against new and emerging risks. To ensure that their digital assets are protected from configuration-based security vulnerabilities, many companies utilize CIS Benchmark recommendations.
Why are CIS Benchmarks so important?
The CIS Benchmarks are a vital tool as they outline security best practices for deploying over 25 different vendor products (including AWS, Alibaba Cloud, Cisco, and IBM Cloud Foundations). When creating a newly developed product or service deployment plan, or when verifying that existing deployments are secure, it is a wise idea to start with these best practices as a reliable reference point.
The adoption of CIS Benchmarks can offer your organization several advantages in terms of cybersecurity, including the following:
Cybersecurity guidelines provided by experts
The CIS Benchmarks provide organisations with the foundation for evaluating security configurations that have been vetted and proven by highly qualified security experts. In this way, companies can avoid trial-and-error methods which may compromise security as they can instead benefit from the expertise of a diverse group of IT and cybersecurity experts.
Standards of security that are globally recognized
The CIS Benchmarks are the only recognized best-practice guides that are accepted worldwide by numerous governments, companies, academic institutions, and research institutes alike. Because they are produced by an international and diverse community, CIS Benchmarks are often more broadly applicable than regional laws and security standards.
Threat prevention that is cost-effective
The CIS Benchmark documentation is freely available for any individual to download and implement at their discretion. With free step-by-step instructions for all kinds of IT systems (including operating systems and network devices), your company will be able to get up-to-date information at no cost. As a result, you can avoid financial and reputational damage caused by preventable cyber threats and achieve IT governance.
A number of major security and privacy frameworks are aligned with CIS Benchmarks, including the following:
- PCI DSS
It is important to remember that while the above privacy frameworks are aligned with CIS, they are by no means interchangeable and should be compared on a case-by-case basis.
What types of IT systems are covered by the CIS Benchmarks?
As of December 2022, CIS has published over 100 benchmarks across more than 25 product lines from a variety of vendors, from Google Chrome and Safari to Palo Alto Networks and Oracle Cloud Infrastructure. As a general guideline, the technologies covered by CIS Benchmarks can broadly be classified into the following seven categories:
- Operating systems: the CIS Benchmarks for Operating Systems provide security configurations for popular operating systems, including Linux.
- Cloud infrastructure and services: companies can use these benchmarks to configure cloud environments securely. They include best-practice recommendations for virtual network settings, Identity and Access Management (IAM) configurations, and various other compliance and security controls.
- Server software: a number of benchmarks provide configuration baselines and recommendations for server settings, server admin controls, storage settings, and vendor-specific guidance.
- Desktop software: these benchmarks cover the most common desktop software that businesses run on their desktop computers, with best practices for managing software features such as browser settings, access privileges, and user account settings.
- Mobile devices: these benchmarks include security configurations for the operating systems that run on cell phones, tablets, and other portable touch-screen devices, along with recommendations for mobile browser settings, application permissions, privacy settings, and more.
- Network devices: these benchmarks provide security configurations for firewalls, routers, switches, and virtual private networks, giving a comprehensive picture of how such devices should be configured. They contain both vendor-neutral and vendor-specific advice so that network devices are configured and managed securely and efficiently.
- Multi-function printing devices: securely configuring printers, scanners, and photocopiers according to the CIS Benchmarks includes restricting access, setting user permissions, and regularly installing any available firmware updates.
What are the levels of CIS Benchmarks?
To ensure that each CIS Benchmark is tailored to meet the individual needs of the organization, the CIS assigns a profile level to each guideline. It is important to note that each CIS profile includes recommendations that provide a different level of security. In order to meet their requirements for security and compliance, organizations can choose a profile that best suits their needs.
The Level 1 profile contains the CIS recommendations that are easiest to follow and least likely to impair business functionality or availability. Applying them reduces the number of entry points into your IT systems and thereby the risk of cyberattacks.
Where highly sensitive data is handled and security is a high priority, the Level 2 profile may be the better fit. Implementing these recommendations requires professional expertise and meticulous planning in order to achieve comprehensive security with the least disruption to day-to-day business operations. Level 2 recommendations can also make regulatory compliance easier to demonstrate.
The Defense Information Systems Agency (DISA) has created a set of configuration baselines known as the Security Technical Implementation Guide (STIG). It is the duty of the US Department of Defense to publish and maintain these benchmarks. It is pertinent to note that STIGs are specially designed to meet US government requirements.
The CIS Benchmarks also include a Level 3 STIG profile, designed to help organizations comply with the STIG. This profile is made up of the Level 1 and Level 2 recommendations that are STIG-specific, plus further recommendations that appear in neither of the other two profiles but are required by DISA's STIGs.
By configuring your systems in accordance with the CIS STIG Benchmarks, you will ensure your IT environment meets both the CIS and STIG compliance requirements when it comes to security.
How can you implement CIS Benchmarks?
As part of the CIS Benchmarks, each recommendation is accompanied by a description, an explanation of why the recommendation is being made, and instructions on how to implement that recommendation in the correct way. Additionally, the CIS offers other resources that can be used to help improve the safety and security of an organization's internet-connected devices and services, including CIS Controls.
Prior versions of the CIS Benchmarks recommended deploying a SIEM tool to make it easier to manage all audit logs centrally. That advice has since been withdrawn, because organisations can meet the CIS Benchmarks using just a centralised log management service or a similar CIS compliance solution.
As a result, the latest published guidelines take care not to be overly prescriptive about which tools can be used to comply with them. As long as you are committed to regularly reviewing your logs (Safeguard 8.11: Conduct audit log reviews), you do not need a SIEM solution; a full SIEM service may be more complex than what compliance with the CIS Benchmarks actually requires.
There are many cases where you will want to keep some audit logs for as long as possible, especially with regard to Safeguard 8.10: Retain audit logs. In large organizations, particularly those where compromises have been discovered months or even years after they happened, having those logs is vital for establishing when the compromise took place.
The CIS Controls are another CIS resource that serves as a comprehensive guide to system and network security best practices. The CIS Controls are a checklist of 20 safeguards and actions that are of the highest priority and have proven reliable against the most common and destructive cybersecurity risks to IT networks.
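As an added illustration (not CIS content or a CIS tool), the following Python models how a benchmark recommendation carries a title, rationale, audit check and remediation, how profile membership (Level 1, Level 2, STIG) selects which items apply, and audits a constructed host snapshot for the audit-log safeguards discussed above. The recommendation ids, settings and thresholds are constructed; only max_log_file_action = keep_logs is modelled on the real audit daemon option.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Recommendation:
    """One benchmark item: what, why, how to check, how to fix, and which profiles include it."""
    ident: str                                  # constructed id, not real CIS numbering
    title: str
    profiles: frozenset                          # every profile that includes this item
    rationale: str
    audit: Callable[[Dict[str, str]], bool]     # True when the observed setting is compliant
    remediation: str


def evaluate(config: Dict[str, str], recs: List[Recommendation], profile: str) -> Dict[str, str]:
    """Run the audit of every recommendation in the chosen profile; returns {ident: PASS|FAIL}."""
    return {r.ident: "PASS" if r.audit(config) else "FAIL" for r in recs if profile in r.profiles}


def remediations(config: Dict[str, str], recs: List[Recommendation], profile: str) -> List[str]:
    """Remediation text for each failing recommendation, in benchmark order."""
    results = evaluate(config, recs, profile)
    return [f"{r.ident} {r.title}: {r.remediation}" for r in recs if results.get(r.ident) == "FAIL"]


# Constructed recommendations for the audit-log safeguards (8.10 retention, 8.11 review).
RECS = [
    Recommendation("C-1", "Ensure audit logs are not automatically deleted",
                   frozenset({"Level 1", "Level 2", "STIG"}),   # Level 1 item also STIG-specific
                   "Deleted logs cannot show when a compromise began.",
                   lambda c: c.get("max_log_file_action") == "keep_logs",
                   "Set max_log_file_action = keep_logs in the audit daemon configuration."),
    Recommendation("C-2", "Ensure audit logs are reviewed at least every 14 days",
                   frozenset({"Level 2"}),                        # Level 2 only, not STIG-specific
                   "Unreviewed logs do not surface intrusions (Safeguard 8.11).",
                   lambda c: int(c.get("last_review_age_days", "9999")) <= 14,
                   "Schedule and record a recurring audit log review."),
    Recommendation("C-3", "Ensure audit logs are retained for at least one year",
                   frozenset({"STIG"}),                           # required by the STIG alone
                   "Long retention supports investigating compromises found months later (8.10).",
                   lambda c: int(c.get("retention_days", "0")) >= 365,
                   "Raise the central log store retention to 365 days or more."),
]

# Constructed snapshot of one host: C-1 and C-3 fail, C-2 passes.
SAMPLE_CONFIG = {"max_log_file_action": "rotate", "last_review_age_days": "7", "retention_days": "90"}

if __name__ == "__main__":
    for profile in ("Level 1", "Level 2", "STIG"):
        print(profile, evaluate(SAMPLE_CONFIG, RECS, profile))
```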
CIS Benchmarks vs CIS Controls
CIS Controls are more general guidelines for ensuring the security of entire systems and networks. In contrast, the CIS Benchmarks are a very specific set of recommendations for secure system configurations.