The Center for Internet Security is the primary recognized industry-standard for secure configuration guidance, developing comprehensive, consensus-derived checklists to help identify and mitigate known security vulnerabilities across a wide range of platforms.
Each CIS Benchmark provides prescriptive guidance for establishing a secure configuration posture for your IT Infrastructure, including a detailed description and rationale of potential vulnerabilities together with clear auditing and remediation steps. As such, the CIS Benchmarks are the overwhelming option of choice for auditors worldwide when advising organizations on the adoption of a secure build standard for any governance and security initiative, including PCI DSS, HIPAA, NIST 800-53, SOX, FISMA, ISO/IEC 27002, Graham Leech Bliley and ITIL.
As part of the CIS community, NNT has access to consensus security configuration benchmarks, software, metrics, and discussion forums where NNT is an integral stakeholder in collaborating on security best practices. NNT has leveraged these resources and best practices in our products to measure and improve the security posture of our customers. As of May 2014, NNT Change Tracker has been awarded CIS Security Software Certification for CIS Security Benchmarks across all Linux and Windows platforms, Unix and Database Systems, Applications and Web Servers - see section below for CIS Benchmark Downloads
Note: NNT is also an Official OVAL Adopter and can equally utilize any 3rd party source of SCAP, OVAL or XCCDF content, for example DISA STIG checklists.
CIS Benchmark documents available for download below, but why not sign up for a Change Tracker trial and get all the auditing and reporting done automatically in just a few minutes!
PCI DSS Requirements
Sample PCI DSS report
NNT PCI DSS Compliance Report 2012R2 Member Server
PCI DSS Requirement 2.2 Develop configuration standards for all systems components. Assure that the standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards. Sources of industry-accepted system hardening standards may include, but are not limited to
Center for Internet Security (CIS)
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
Sources of industry-accepted system hardening standards may include, but are not limited to:
- Center for Internet Security (CIS)
- International Organization for Standardization (ISO)
- SysAdmin Audit Network Security (SANS) Institute
- National Institute of Standards Technology (NIST).
Testing Procedures
2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.
2.2.b Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.
2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.
2.2.d Verify that system configuration standards include the following procedures for all types of system components:
- Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
- Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
- Enabling only necessary services, protocols, daemons, etc., as required for the function of the system
- Implementing additional security features for any required services, protocols or daemons that are considered to be insecure
- Configuring system security parameters to prevent misuse
- Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
Guidance
There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses.
Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, and www.cisecurity.org, www.iso.org, and product vendors.
System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.
Find out more about NNT's PCI DSS compliance solutions »
For a free automated system compliance audit:
DISA STIGs
In addition to support for CIS Benchmarks, NNT Change Tracker Gen 7 can utilize STIG SCAP content to validate compliance with STIG hardened configuration requirements.
STIG configuration guidance is intended to provide DoD systems with a level of confidentiality, integrity, authentication, non-repudiation, and availability in line with the relative risk of cyber attack to the system balanced against the sensitivity and importance of the information asset.
The NNT STIG solution is superior to any provided by a standard SCAP scanner in that, in addition to delivering a snapshot STIG scan, a non-stop monitoring template can be created from the STIG compliance report checklist. This approach provides continuous, real-time monitoring of STIG compliance, reporting any drift within seconds of changes occurring. System-wide file integrity monitoring can also be operated continuously with changes reported in real-time to maximize breach detection awareness.
Example NNT Change Tracker Gen 7 report for NNT DISA STIG Compliance
Find out more about NNT's DISA STIG compliance solutions »
For a free automated system compliance audit:
NERC CIP
When reviewing NERC CIP-005 R4 and CIP-007 R8, your auditor will want to see evidence of controls relating to secure configuration practices. How do you ensure Default accounts have been changed/removed for all systems? Have you disabled any ports and services or daemons that are not necessary for regular operation of systems? Do you have a Gold Standard build for all systems and a Baseline report for each device?
Crucially, how do you initially assess whether systems are vulnerable to begin with, and how do you then continue to prove that the latest advice on vulnerabilities is being assimilated into your build standard?
The CIS Benchmarks are the primary reference for any NERC CIP Auditor – by showing that this is your source for secure configuration guidance, presentation of evidence becomes much straightforward. Change Tracker Gen 7 combines real-time system integrity monitoring with automated open port scanning and the baselining/tracking of all firmware/software versions and patches.
Example NNT Change Tracker Gen 7 reports for NERC CIP Compliance
Find out more about NNT's NERC CIP compliance solutions »
For a free automated system compliance audit:
ISO 27K
As with other GRC mandates discussed here, the value of ISO 27K is often seen by its practitioners as being undermined for its non-prescriptive guidance. High-level objectives for security best practice adoption are comprehensively covered by the standard but for detailed guidance for sections such as
A-10-4 Controls against malicious code
A-11-1 Business requirement for access control
A-12-6-1 Control of technical vulnerabilities
it is necessary to seek advice beyond the standard itself. ISO 27K auditors will typically recommend basing any Corporate Hardened Build-Standard on CIS Benchmark secure configuration guidance, and NNT Change Tracker Gen 7 provides a range of ISO 27K reports alongside the wide-range of CIS Benchmark reports.
Sample ISO 27 K report from NNT Change Tracker Gen 7
Find out more about NNT's ISO 27001/27K compliance solutions »
For a free automated system compliance audit:
State of California Data Security Breach Reporting
California Attorney General Kamala D. Harris recently released a Data Breach Report, delving into the 657 data breaches that have been reported to her office since 2012- the same year that the state of California began requiring businesses and government agencies alike to notify the office of breaches affecting more than 500 California residents.
Find out how NNT can help with State of California Data Security Breach Reporting »
For a free automated system compliance audit:
