
CIS Benchmark

The Center for Internet Security is the primary recognized industry-standard for secure configuration guidance, developing comprehensive, consensus-derived checklists to help identify and mitigate known security vulnerabilities across a wide range of platforms.

Each CIS Benchmark provides prescriptive guidance for establishing a secure configuration posture for your IT infrastructure, including a detailed description and rationale for each potential vulnerability together with clear auditing and remediation steps. As a result, the CIS Benchmarks are the most widely chosen reference for auditors worldwide when advising organizations on the adoption of a secure build standard for any governance and security initiative, including PCI DSS, HIPAA, NIST 800-53, SOX, FISMA, ISO/IEC 27002, Gramm-Leach-Bliley and ITIL.

As part of the CIS community, NNT has access to consensus security configuration benchmarks, software, metrics, and discussion forums in which NNT is an integral stakeholder in collaborating on security best practices. NNT has leveraged these resources and best practices in its products to measure and improve the security posture of its customers. As of May 2014, NNT Change Tracker has been awarded CIS Security Software Certification for CIS Security Benchmarks across all Linux and Windows platforms, Unix and database systems, applications and web servers; see the section below for CIS Benchmark downloads.

Note: NNT is also an Official OVAL Adopter and can equally utilize any third-party source of SCAP, OVAL or XCCDF content, for example DISA STIG checklists.

CIS Benchmark documents are available for download below, but you can also sign up for a Change Tracker trial and have all the auditing and reporting done automatically in just a few minutes.

PCI DSS Requirements

Sample PCI DSS report: NNT PCI DSS Compliance Report 2012R2 Member Server (PDF)

From the PCI Security Standards Council:

2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.

Sources of industry-accepted system hardening standards may include, but are not limited to:

  • Center for Internet Security (CIS)
  • International Organization for Standardization (ISO)
  • SysAdmin Audit Network Security (SANS) Institute
  • National Institute of Standards Technology (NIST).

Testing Procedures

2.2.a Examine the organization's system configuration standards for all types of system components and verify the system configuration standards are consistent with industry-accepted hardening standards.

2.2.b Examine policies and interview personnel to verify that system configuration standards are updated as new vulnerability issues are identified, as defined in Requirement 6.1.

2.2.c Examine policies and interview personnel to verify that system configuration standards are applied when new systems are configured and verified as being in place before a system is installed on the network.

2.2.d Verify that system configuration standards include the following procedures for all types of system components:

  • Changing of all vendor-supplied defaults and elimination of unnecessary default accounts
  • Implementing only one primary function per server to prevent functions that require different security levels from co-existing on the same server
  • Enabling only necessary services, protocols, daemons, etc., as required for the function of the system
  • Implementing additional security features for any required services, protocols or daemons that are considered to be insecure
  • Configuring system security parameters to prevent misuse
  • Removing all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.

Guidance

There are known weaknesses with many operating systems, databases, and enterprise applications, and there are also known ways to configure these systems to fix security vulnerabilities. To help those that are not security experts, a number of security organizations have established system-hardening guidelines and recommendations, which advise how to correct these weaknesses.

Examples of sources for guidance on configuration standards include, but are not limited to: www.nist.gov, www.sans.org, www.cisecurity.org, www.iso.org, and product vendors.

System configuration standards must be kept up to date to ensure that newly identified weaknesses are corrected prior to a system being installed on the network.

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out more about NNT's PCI DSS compliance solutions »

NIST 800-53 SP

Much emphasis is placed on the need to use an SCAP scanning solution powered by content from the National Checklist Program (NCP) repository: https://web.nvd.nist.gov/view/ncp/repository

However, many auditors now direct organizations to use the CIS Benchmark checklists directly, because the NCP content is either:

  • Incomplete or out of date (for example, the latest VMware ESX content is for 5.1, with no content for later versions)
  • A reference to the CIS Benchmark anyway (for example, for RHEL 7 the NCP references the prose version, i.e. the manual, non-automated content, of the CIS Benchmark)

NNT Change Tracker Gen 7 is one of a few CIS Certified Vendor solutions, but any other SCAP, XCCDF, OVAL or STIG content can be used too.

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out more about NNT's NIST 800-53 SP compliance solutions »

DISA STIGs

In addition to support for CIS Benchmarks, NNT Change Tracker Gen 7 can utilize STIG SCAP content to validate compliance with STIG hardened configuration requirements.

STIG configuration guidance is intended to provide DoD systems with a level of confidentiality, integrity, authentication, non-repudiation, and availability in line with the relative risk of cyber attack to the system, balanced against the sensitivity and importance of the information asset.

The NNT STIG solution goes beyond a standard SCAP scanner in that, in addition to delivering a snapshot STIG scan, a non-stop monitoring template can be created from the STIG compliance report checklist. This approach provides continuous, real-time monitoring of STIG compliance, reporting any drift within seconds of a change occurring. System-wide file integrity monitoring can also be operated continuously, with changes reported in real time to maximize breach detection awareness.

Example NNT Change Tracker Gen 7 report for DISA STIG compliance: NNT DISA STIG Windows 2012R2 Report

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out more about NNT's DISA STIG compliance solutions »

SOX Sarbanes Oxley 404

In common with many security controls frameworks and corporate governance mandates, SOX is non-prescriptive when it comes to defining exactly what is needed to prove 'SOX compliance'.

Your auditor will want to see evidence that sound security controls are in place, for example, to head off fraud. However, the risk and opportunity for fraud depend on your organization's individual circumstances, systems and processes; it is never a 'one size fits all' assessment.

In the absence of any prescriptive guidance, you should therefore adopt the most comprehensive and up-to-date security vulnerability assessment and secure configuration guidance available, which is where the CIS Benchmark assessments come to the fore.

NNT Change Tracker Gen 7 is one of a few CIS Certified Vendor solutions and has been used successfully on a global basis for Sarbanes-Oxley 404 audits.

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out more about NNT's Sarbanes-Oxley (SOX) compliance solutions »

NERC CIP

When reviewing NERC CIP-005 R4 and CIP-007 R8, your auditor will want to see evidence of controls relating to secure configuration practices. How do you ensure that default accounts have been changed or removed on all systems? Have you disabled any ports, services or daemons that are not necessary for the regular operation of the systems? Do you have a gold standard build for all systems and a baseline report for each device?

Crucially, how do you initially assess whether systems are vulnerable to begin with, and how do you then continue to prove that the latest advice on vulnerabilities is being assimilated into your build standard?

The CIS Benchmarks are the primary reference for any NERC CIP auditor; by showing that this is your source for secure configuration guidance, presenting evidence becomes much more straightforward. Change Tracker Gen 7 combines real-time system integrity monitoring with automated open port scanning and the baselining and tracking of all firmware and software versions and patches.
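The two checks the page keeps coming back to are the same under PCI DSS 2.2.d and NERC CIP-007: compare a host against a gold build standard (no vendor default accounts, only the services and listening ports the system's function requires) and then keep comparing successive snapshots so that drift is reported as it happens. The example below is added here to show that logic in working code; it is not NNT's, CIS's or the PCI Council's code. The gold baseline, the two host snapshots and the control labels are constructed for the example; on a real host the snapshot would be populated from your service manager, socket listing and local account database, and the baseline from your own hardened build standard.

```python
"""Gold-baseline audit and drift detection (added example with constructed data)."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    """What one host looks like at one point in time.

    Constructed here for the example; in practice these fields would be
    filled from the service manager, the listening-socket list and the
    local account database of the host being audited.
    """
    services: frozenset        # names of enabled services/daemons
    listen_ports: frozenset    # TCP/UDP ports with a listening socket
    accounts: dict             # account name -> True if locked/disabled


@dataclass(frozen=True)
class Finding:
    control: str   # which requirement the finding is evidence against
    item: str      # the service, port or account concerned
    detail: str


# Constructed hardened build standard for a single-function web server.
GOLD_BASELINE = {
    "allowed_services": frozenset({"sshd", "nginx", "chronyd", "rsyslog", "auditd"}),
    "allowed_listen_ports": frozenset({22, 443}),
    # Vendor default accounts that the build standard requires to be removed.
    "removed_default_accounts": frozenset({"guest", "admin", "test"}),
    # Accounts that may exist but must be locked (no interactive login).
    "locked_accounts": frozenset({"root"}),
}

SERVICES_CONTROL = "PCI DSS 2.2.d (necessary services only) / NERC CIP-007 ports and services"
ACCOUNTS_CONTROL = "PCI DSS 2.2.d (vendor defaults and default accounts)"


def audit_against_baseline(baseline, snap):
    """Return every way `snap` departs from the gold build standard."""
    findings = []
    for svc in sorted(snap.services - baseline["allowed_services"]):
        findings.append(Finding(SERVICES_CONTROL, svc,
                                "service enabled but not part of the gold build"))
    for port in sorted(snap.listen_ports - baseline["allowed_listen_ports"]):
        findings.append(Finding(SERVICES_CONTROL, str(port),
                                "listening port not required for the system's function"))
    for acct in sorted(baseline["removed_default_accounts"] & frozenset(snap.accounts)):
        findings.append(Finding(ACCOUNTS_CONTROL, acct,
                                "vendor default account still present"))
    for acct in sorted(baseline["locked_accounts"]):
        if acct in snap.accounts and not snap.accounts[acct]:
            findings.append(Finding(ACCOUNTS_CONTROL, acct,
                                    "account must be locked but is enabled"))
    return findings


def drift(previous, current):
    """Differences between two snapshots of the same host.

    This is what continuous monitoring reports: not the absolute state, but
    what changed since the last known-good (baseline) snapshot.
    """
    return {
        "services_added": sorted(current.services - previous.services),
        "services_removed": sorted(previous.services - current.services),
        "ports_opened": sorted(current.listen_ports - previous.listen_ports),
        "ports_closed": sorted(previous.listen_ports - current.listen_ports),
        "accounts_added": sorted(set(current.accounts) - set(previous.accounts)),
        "accounts_removed": sorted(set(previous.accounts) - set(current.accounts)),
    }


# Constructed snapshots: the host as built, and the same host some time later.
BASELINE_SNAPSHOT = Snapshot(
    services=frozenset({"sshd", "nginx", "chronyd", "rsyslog", "auditd"}),
    listen_ports=frozenset({22, 443}),
    accounts={"root": True, "webadmin": False},
)
CURRENT_SNAPSHOT = Snapshot(
    services=frozenset({"sshd", "nginx", "chronyd", "rsyslog", "auditd", "telnet", "vsftpd"}),
    listen_ports=frozenset({22, 443, 23, 21}),
    accounts={"root": False, "webadmin": False, "guest": False},
)


if __name__ == "__main__":
    for f in audit_against_baseline(GOLD_BASELINE, CURRENT_SNAPSHOT):
        print(f"[{f.control}] {f.item}: {f.detail}")
    for key, value in drift(BASELINE_SNAPSHOT, CURRENT_SNAPSHOT).items():
        if value:
            print(f"drift {key}: {value}")
```

The audit answers the auditor's first question (is the host built to the standard?) and the drift report answers the second (has it stayed that way?); keeping the two separate matters because a host that was never compliant produces findings but no drift, while a host that was compliant and then changed produces both. Each finding carries the control it maps to, which is the form of evidence the page says auditors expect to see.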

Example NNT Change Tracker Gen 7 reports for NERC CIP compliance:

  • NNT NERC CIP 007-03 Ports and Services Report
  • NNT NERC CIP 007-03 Required Services Report
  • NNT NERC CIP Planned Change Report

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out more about NNT's NERC CIP compliance solutions »

ISO 27K

As with other GRC mandates discussed here, the value of ISO 27K is often seen by its practitioners as being undermined by its non-prescriptive guidance. High-level objectives for security best practice adoption are comprehensively covered by the standard, but for detailed guidance on sections such as:

  • A.10.4 Controls against malicious code
  • A.11.1 Business requirement for access control
  • A.12.6.1 Control of technical vulnerabilities

it is necessary to seek advice beyond the standard itself. ISO 27K auditors will typically recommend basing any corporate hardened build standard on CIS Benchmark secure configuration guidance, and NNT Change Tracker Gen 7 provides a range of ISO 27K reports alongside its wide range of CIS Benchmark reports.

Sample report: Sample ISO 27K report from NNT Change Tracker Gen 7

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out more about NNT's ISO 27001/27K compliance solutions »

State of California Data Security Breach Reporting

California Attorney General Kamala D. Harris recently released a Data Breach Report, delving into the 657 data breaches that have been reported to her office since 2012, the year the state of California began requiring businesses and government agencies alike to notify the office of breaches affecting more than 500 California residents.

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Find out how NNT can help with State of California Data Security Breach Reporting »

CIS Benchmark Reports

CIS Releases New Resources to Further Reduce Cyber Security Risk to Healthcare Systems


These consensus-based security recommendations may help medical device manufacturers and healthcare providers assess and mitigate cyber vulnerabilities. The mappings provide a detailed matrix aligning the security configuration recommendations in the CIS Microsoft Windows 7 Benchmark v2.1.0 and Windows XP Benchmark v3.1.0 to the Security Capabilities defined in Technical Report IEC/TR 80001-2-2, part of IEC 80001-1, a global standard for performing risk management of IT networks that include medical devices. NNT Change Tracker now delivers a fully automated assessment against these checklists and performs continuous compliance monitoring with real-time breach detection to maintain 24/7 security.

  • CIS Microsoft Windows 7 Benchmark v2.1.0 Mapped to IEC 80001-1 (PDF, 15-Oct-2014)
  • CIS Microsoft Windows XP Benchmark v3.1.0 Mapped to IEC 80001-1 (PDF, 15-Oct-2014)

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker
