CIS Benchmark Hardening/Vulnerability Checklists
The Center for Internet Security is the primary recognized industry-standard for secure configuration guidance, developing comprehensive, consensus-derived checklists to help identify and mitigate known security vulnerabilities across a wide range of platforms.
Each CIS Benchmark provides prescriptive guidance for establishing a secure configuration posture for your IT Infrastructure, including a detailed description and rationale of potential vulnerabilities together with clear auditing and remediation steps. As such, the CIS Benchmarks are the overwhelming option of choice for auditors worldwide when advising organizations on the adoption of a secure build standard for any governance and security initiative, including PCI DSS, HIPAA, NIST 800-53, SOX, FISMA, ISO/IEC 27002, Graham Leech Bliley and ITIL.
As part of the CIS community, NNT has access to consensus security configuration benchmarks, software, metrics, and discussion forums where NNT is an integral stakeholder in collaborating on security best practices. NNT has leveraged these resources and best practices in our products to measure and improve the security posture of our customers. As of May 2014, NNT Change Tracker has been awarded CIS Security Software Certification for CIS Security Benchmarks across all Linux and Windows platforms, Unix and Database Systems, Applications and Web Servers - see section below for CIS Benchmark Downloads
Note: NNT is also an Official OVAL Adopter and can equally utilize any 3rd party source of SCAP, OVAL or XCCDF content, for example DISA STIG checklists.
CIS Benchmark documents available for download below, but why not sign up for a Change Tracker trial and get all the auditing and reporting done automatically in just a few minutes!
PCI DSS Requirements
Sample PCI DSS reports
PCI DSS Requirement 2.2 Develop configuration standards for all systems components. Assure that the standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to
Center for Internet Security (CIS)
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards Technology (NIST).
Testing Procedures
2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.
2.2.b Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.
2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.
2.2.d Verify that system configuration standards include the following procedures for all types of system components:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system
- Implementing additional security features for any required services, protocols or daemons that are considered to be insecure
- Configuring system security parameters to prevent misuse
- Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Guidance
There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses.
Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors.
System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.
Find out more about NNT's PCI DSS compliance solutions »
For a free automated system compliance audit:
NIST 800-53
Sample NIST 800-53 reports
Much emphasis is placed on the need to use an SCAP scanning solution powered by content from the National Checklist Repository https://web.nvd.nist.gov/view/ncp/repository
However, many auditors now direct organizations to use CIS Benchmark Checklists directly, because the NCP is either
- Incomplete/Out of date (for example, the latest VMWare ESX content is for 5.1, with no content for later versions)
- Refers to the CIS Benchmark anyway (for example, see RHEL 7 – the prose version (ie manual, non-automated content) of the CIS Benchmark is referenced)
NNT Change Tracker Gen 7 is one of a few CIS Certified Vendor solutions, but any other SCAP, xccdf, OVAL or STIG content can be used too.
Find out more about NNT's NIST 800-53 SP compliance solutions »
For a free automated system compliance audit:
NIST 800-171
Sample NIST 800-171 reports
Windows Server
DISA STIGs
DISA STIG Reports
In addition to support for CIS Benchmarks, NNT Change Tracker Gen 7 can utilize STIG SCAP content to validate compliance with STIG hardened configuration requirements.
STIG configuration guidance is intended to provide DoD systems with a level of confidentiality, integrity, authentication, non-repudiation, and availability in line with the relative risk of cyber attack to the system balanced against the sensitivity and importance of the information asset.
The NNT STIG solution is superior to any provided by a standard SCAP scanner in that, in addition to delivering a snapshot STIG scan, a non-stop monitoring template can be created from the STIG compliance report checklist. This approach provides continuous, real-time monitoring of STIG compliance, reporting any drift within seconds of changes occurring. System-wide file integrity monitoring can also be operated continuously with changes reported in real-time to maximize breach detection awareness.
Example NNT Change Tracker Gen 7 report for NNT DISA STIG Compliance
Find out more about NNT's DISA STIG compliance solutions »
For a free automated system compliance audit:
SOX Sarbanes Oxley 404
In common with many Security Controls Frameworks and Corporate Governance mandates, SOX is non-prescriptive when it comes to defining exactly what is needed to prove 'SOX Compliance'.
Your auditor will want to see evidence that sound security controls are in place, for example, to head-off fraud. However, the risk and opportunity for fraud depends on your organizations individual circumstances, systems and processes – its never a 'one size fits all' assessment.
In the absence of any prescriptive guidance you should therefore be going for the most comprehensive and up to date security vulnerability assessment and secure configuration guidance, which is where the CIS Benchmark assessments come to the fore.
NNT Change Tracker Gen 7 is one of a few CIS Certified Vendor solutions that has been used successfully on a global basis for Sarbanes-Oxley 404 audits
Find out more about NNT's Sarbanes-Oxley (SOX) compliance solutions »
For a free automated system compliance audit:
NERC CIP
When reviewing NERC CIP-005 R4 and CIP-007 R8, your auditor will want to see evidence of controls relating to secure configuration practices. How do you ensure Default accounts have been changed/removed for all systems? Have you disabled any ports and services or daemons that are not necessary for regular operation of systems? Do you have a Gold Standard build for all systems and a Baseline report for each device?
Crucially, how do you initially assess whether systems are vulnerable to begin with, and how do you then continue to prove that the latest advice on vulnerabilities is being assimilated into your build standard?
The CIS Benchmarks are the primary reference for any NERC CIP Auditor – by showing that this is your source for secure configuration guidance, presentation of evidence becomes much straightforward. Change Tracker Gen 7 combines real-time system integrity monitoring with automated open port scanning and the baselining/tracking of all firmware/software versions and patches.
Example NNT Change Tracker Gen 7 reports for NERC CIP Compliance
Find out more about NNT's NERC CIP compliance solutions »
For a free automated system compliance audit:
ISO 27K
Report Downloads
As with other GRC mandates discussed here, the value of ISO 27K is often seen by its practitioners as being undermined for its non-prescriptive guidance. High-level objectives for security best practice adoption are comprehensively covered by the standard but for detailed guidance for sections such as
A-10-4 Controls against malicious code
A-11-1 Business requirement for access control
A-12-6-1 Control of technical vulnerabilities
it is necessary to seek advice beyond the standard itself. ISO 27K auditors will typically recommend basing any Corporate Hardened Build-Standard on CIS Benchmark secure configuration guidance, and NNT Change Tracker Gen 7 provides a range of ISO 27K reports alongside the wide-range of CIS Benchmark reports.
Sample ISO 27 K report from NNT Change Tracker Gen 7
Find out more about NNT's ISO 27001/27K compliance solutions »
For a free automated system compliance audit:
State of California Data Security Breach Reporting
California Attorney General Kamala D. Harris recently released a Data Breach Report, delving into the 657 data breaches that have been reported to her office since 2012- the same year that the state of California began requiring businesses and government agencies alike to notify the office of breaches affecting more than 500 California residents.
Find out how NNT can help with State of California Data Security Breach Reporting »
For a free automated system compliance audit:
Windows Server
2016:
CIS Microsoft Windows Server 2016 RTM (Release 1607) Benchmark v1.0.0
2012R2:
CIS Microsoft Windows Server 2012 R2 Benchmark v2.3.0
2012:
CIS Microsoft Windows Server 2012 (non-R2) Benchmark v2.1.0
2008R2:
CIS Microsoft Windows Server 2008 R2 Benchmark v3.1.0
2008:
CIS Microsoft Windows Server 2008 (non-R2) Benchmark v3.1.0
2003:
CIS Microsoft Windows Server 2003 Benchmark v3.1.0
For a free automated system compliance audit:
Windows Desktop
Windows 10:
CIS Microsoft Windows 10 Enterprise Release 1703 Benchmark v1.3.0
CIS Microsoft Windows 10 Enterprise Release 1607 Benchmark v1.2.0
CIS Microsoft Windows 10 Enterprise Release 1511 Benchmark v1.1.0
Windows 8 & 8.1:
CIS Microsoft Windows 8.1 Workstation Benchmark v2.3.0
CIS Microsoft Windows 8.1 Benchmark v2.2.0
Windows 7:
CIS Microsoft Windows 7 Workstation Benchmark v3.1.0
Windows XP:
CIS Microsoft Windows XP Benchmark v3.1.0
For a free automated system compliance audit:
Apple OSX
CIS Apple OSX 10.12 Benchmark v1.0.0
CIS Apple OSX 10.11 Benchmark v1.1.0
CIS Apple OSX 10.10 Benchmark v1.2.0
CIS Apple OSX 10.9 Benchmark v1.3.0
CIS Apple OSX 10.8 Benchmark v1.3.0
For a free automated system compliance audit:
Cisco
CIS Cisco IOS 15 Benchmark v4.0.0
CIS Cisco IOS 12 Benchmark v4.0.0
CIS Cisco Firewall Benchmark v4.0.0
For a free automated system compliance audit:
Email Servers
CIS Microsoft Exchange Server 2016 Benchmark v1.0.0
CIS Microsoft Exchange Server 2013 Benchmark v1.1.0
For a free automated system compliance audit:
Office Applications
Office 2016
CIS Microsoft Office 2016 Benchmark v1.1.0
CIS Microsoft Office Excel 2016 Benchmark v1.0.1
CIS Microsoft Office Outlook 2016 Benchmark v1.1.0
CIS Microsoft Office PowerPoint 2016 Benchmark v1.0.1
CIS Microsoft Office Word 2016 Benchmark v1.1.0
CIS Microsoft Office Access 2016 Benchmark v1.0.1
For a free automated system compliance audit:
Virtualization - VMWare ESX
CIS VMware ESXi 5.5 Benchmark v1.2.0
CIS VMware ESXi 5.1 Benchmark v1.0.1
For a free automated system compliance audit:
Web Browsers
CIS Google Chrome Benchmark v1.2.0
CIS Microsoft Internet Explorer 11 Benchmark v1.0.0
CIS Microsoft Internet Explorer 10 Benchmark v1.1.0
CIS Mozilla Firefox 38 ESR Benchmark v1.0.0
CIS Mozilla Firefox 24 ESR Benchmark v1.0.0
CIS macOS Safari Benchmark v2.0.0
For a free automated system compliance audit:
Web Servers
Microsoft IIS Web Server
CIS Microsoft IIS 8 Benchmark v1.4.0
CIS Microsoft IIS 7 Benchmark v1.7.1
Apache Tomcat Web Server
CIS Apache Tomcat 8 Benchmark v1.0.1 CIS Apache Tomcat 7 Benchmark v1.1.0
Apache HTTP Server Web Server
CIS Apache HTTP Server 2.4 Benchmark v1.3.0
For a free automated system compliance audit:
CIS Releases New Resources to Further Reduce Cyber Security Risk to Healthcare Systems
Click to download new resources for healthcare systems
These consensus-based security recommendations may help medical device manufacturers and healthcare providers assess and mitigate cyber vulnerabilities. These mappings provide a detailed matrix aligning security configuration recommendations provided in the CIS Microsoft Windows 7 Benchmark v2.1.0 and Windows XP Benchmark v3.1.0 to the Security Capabilities included in a Technical Report (IEC/TR 80001-2-2) within International Electrotechnical Commission (IEC) 80001-1, a global standard for performing risk management of IT networks that include medical devices. NNT Change Tracker now delivers a fully automated assessment against these checklists and performs continuous compliance monitoring with real-time breach detection to maintain 24/7 security.
|
CIS Microsoft Windows 7 Benchmark v2.1.0 Mapped to IEC 80001-1 15-Oct-2014 |
|
CIS Microsoft Windows XP Benchmark v3.1.0 Mapped to IEC 80001-1 15-Oct-2014 |
For a free automated system compliance audit:
Critical Security Controls
Want clarity on what you really need to be doing by way of security best practice in your organization? Left scratching your head for clearer guidance after reading the PCI DSS, NERC CIP, GDPR or any other Governance, Risk and Compliance (GRC) standard? Still confused about what you must do and should do in terms of data protection for your business, and why? NNT recommend the CIS Critical Security Controls as an essential ‘go to’ resource for any data security and compliance professional. Our thanks to the Center for Internet Security for continuing to expand the world’s understanding of cyber security best practices.
