CIS controls and benchmarks provide IT staff and security analysts around the world with a set of tips and methodologies to ensure good cybersecurity practices and reduce risks on the Internet
The merging of the physical world with the digital world is a process that has no way back. Our lives take place simultaneously in both dimensions. In such a way that a problem in one of them has repercussions in the other. That is why security on the Internet, the great agora of our time, is just as important as on the street. CIS controls and benchmarks offer a set of cybersecurity best practices to help systems managers protect organizations.
Consensus standards for dealing with cyber risks
Let’s start at the beginning: What does CIS stand for? It stands for the Center for Internet Security, a non-profit organization whose mission is to help make the cyber world safer for everyone by reducing cyber risks.
To achieve this goal, the organization connects the best experts in the field globally, strengthening the exchange of experiences and fostering the creation of synergies between professionals and researchers and between companies, institutions, and universities.
All the work and wisdom of the collective mind, born out of these exchanges, is poured into the two major tools that make up the CIS guides: the controls and the benchmarks.
They form a node of information and technological knowledge that allows organizations to control the resilience of their systems and prioritize some areas over others. This results in an optimization of human and technical resources.
Furthermore, controls and benchmarks facilitate the implementation of actions that have already proven to be successful in other cases. Thus configuring the security of the systems according to the recommendations of the best experts.
For all these reasons, the CIS guides are used by system managers all over the world and are recognized by the main institutions. In the European Union, the European Telecommunications Standards Institute (ETSI) has adopted them, consolidating them as cybersecurity standards, as has the OWASP methodology.
The following is a brief description of what they consist of and how they work.
CIS Controls: key activities to prevent attacks
The CIS critical security controls are 18 (formerly 20) key actions that organizations must execute to strengthen their cyber defense and protect themselves from potential attacks. They form a set of defensive actions and countermeasures that help systems to be optimized in terms of security.
Version 8 of these CIS controls are currently in force, published in May 2021, and focused on Cloud solutions, mobile and remote work. Particularly sensitive issues in the pandemic era.
The complete list of the 18 CIS controls includes various activities ranging from inventory and control of company assets and software to malware defenses, through continuous management of vulnerabilities, development of penetration tests, or data protection.
A set of actions covering the main areas of cybersecurity, enabling organizations to prepare their systems for potential attacks.
As of version 7.1, the controls have been divided into three groups to facilitate their implementation by all types of organizations.
- Group 1: controls applicable to all companies, whether large or small.
- Group 2: additional CIS controls for the storage of sensitive information.
- Group 3: additional controls for the storage of very sensitive information.
In this way, the CIS guides become useful tools not only for large organizations but also for small companies that need to safeguard their business against cyber attacks.
Group 1 is made up of the most basic controls, which the CIS considers to be «basic cyber hygiene» and fundamental for the defense of any system.
Group 2, on the other hand, is made up of controls designed for organizations with more complex security needs and risks.
Group 3 consists of all the controls designed and developed.
The advantages of automation
It’s clear to no one, in the midst of 2022, that process automation is a key issue for any company. When it comes to CIS controls, automation brings with it multiple advantages, both in terms of productivity and cybersecurity.
Critical security controls provide any entity with an excellent foundation on which to proceed to protect its systems. Hence, repeatability is a feature that facilitates automation.
This facilitates continuous maintenance of the systems and continuous monitoring of the controls. At the same time, productivity is improved and the human and time resources spent on cybersecurity are reduced. This is because the controls make it possible to quickly define the starting point of each organization’s defenses.
In addition, through automation, accurate change management can be carried out. All companies make changes to their systems to keep them fully optimized and protected. Mistakes can happen, so it is essential to be prepared for them. Hence, managing deconfigurations is key.
Through automation, you can plan and schedule the changes to be implemented, as well as carry out an exhaustive control of their implementation and results. This safeguards compliance with CIS controls and, ultimately, the system’s cyber defense.
Precisely, the keystone of the CIS guidelines is the improvement of cybersecurity. Automating the testing of controls contributes to this. Hardening and automatic vulnerability detection and analysis contribute to the reduction of areas that can be attacked.
Benchmarks, software, and hardware configuration guides
Benchmarks are guides to facilitate the security configuration of IT systems, software, and networks. They are a set of best practices resulting from the experience of the best professionals in the world. Their preparation is the result of a consensus reached by experts in each area.
Thus, more than 140 guides stipulate numerous recommendations in different technologies, which enables administrators to configure systems with maximum guarantees of cybersecurity. Each of these recommendations also refers to one of the CIS Controls.
Therefore, in contrast to the general actions stipulated by the critical security controls, the benchmarks are a set of precise guidelines for the implementation of a security system on specific hardware and software, in line with the former.
Main levels and categories
All currently existing guidelines provide two levels of security configuration and are divided into seven main categories, which form a broad overview of existing software and hardware.
In terms of levels we have:
- Level 1: minimum recommended security settings. It should be configured on any system, regardless of its size. It causes little or no impact on service or reduced functionality.
- Level 2: recommended security configuration for high-security environments. May result in some reduction in functionality.
In terms of categories we can find benchmarks of:
- Operating systems. These cover the security configurations of the main systems: Windows, Linux, OSX…
- Server software. They are used to implement security configurations in the most used server software: Microsoft SQL Server, Nginx, MySQL…
- Cloud providers. They focus on the security configurations of the most important clouds: Amazon Web Services, Microsoft Azure, Google Cloud…
- Mobile devices. Focused on mobile operating systems, including, of course, Android and iOS.
- Network devices. Gather a set of general and specific recommendations for network devices and applicable hardware such as Cisco, F5, or Palo Alto Networks.
- Desktop software. They deal with the security configuration of the most commonly used desktop programs such as Microsoft Office, Google Chrome, or Safari Browser.
- Multifunction printing devices. They include recommendations for configuring multifunction printers in office environments.
By categorizing the benchmarks, access to them is facilitated, systematizing them in a highly intuitive way.
The Tarlogic Security team uses the CIS controls and benchmarks to verify the two levels of security configuration in specific technologies such as Windows 10, Microsoft 365, Linux servers, databases…
The bulk of the benchmarks, which are lengthy documents given their level of detail, are the recommendations. These, in addition to being organized by areas of action, have a precise and functional structure.
Firstly, there is the profile to which the recommendation can be applied, i.e. whether it is a level 1 or level 2 recommendation, followed by a brief description and justification.
The next one, the security audit, is fundamental. It establishes how the checks should be carried out to determine whether there is a problem. For this purpose, a script is presented, which usually includes the exact command with which to perform the check. This makes the task much easier.
If any problems are detected after the audit, the benchmark proposes possible solutions to be evaluated and implemented by those responsible for the systems.
Finally, a notes section is included, specifying the critical security controls related to this recommendation in its latest versions.
CIS Hardened Images
If the 18 critical security controls need to be automated to facilitate testing and compliance, automation is even more important for the benchmarks. Since each of these guides includes, as we have just pointed out, hundreds of recommendations and best practices.
Automated assessment is therefore key to a successful and faster implementation of secure configuration.
It is already possible to deploy security systems that comply with the CIS guidelines. We are talking about CIS Hardened Images. These virtual images have been configured according to benchmark stipulations to guarantee a secure deployment.
According to CIS, these images provide users with a secure, on-demand, and scalable computing environment. Hardened images are available on the main cloud platforms: AWS, Azure, Google Cloud, etc…
Although these security systems comply with CIS controls and recommendations, this type of solution doesn’t ensure that CIS best practices will continue to be met over time, since it is possible to change its configuration.
In short, CIS guides are particularly useful tools in the world of cybersecurity. They combine general controls with specifications for the world’s leading software and hardware, all based on best practices.
As a result, their level of usability by any company or institution, regardless of size, is immense. And their standardization all over the world makes their knowledge, management, and automation essential for dealing with cyber risks.