A guide to CIS Benchmarks

CIS benchmarks are followed specifically to secure applications at the configuration level. These activities include server hardening, cloud configuration reviews, browser or database hardening, and so on. While OWASP provides insight into application security and common vulnerabilities from an external point of view, CIS benchmarks offer a set of checklists that focus on hardening the system internally, from the software point of view, through configuration reviews. NIST standards complement configuration reviews by working exclusively on encryption and decryption.

CIS is the Center for Internet Security, a non-profit organization that works with a global IT community to safeguard organizations against cyber threats. CIS benchmarks comprise over 100 configuration guidelines across more than 25 vendor product families, helping to safeguard IT systems. For example, for cloud-based applications a set of configuration guidelines exists for each popular cloud service provider, such as AWS or Alibaba.

Let’s say you’ve opted for cloud services from AWS: CIS provides checklists that you can use to verify and secure your app in that AWS cloud infrastructure. Likewise, you can obtain a list of recommendations to harden application servers, web servers, database servers, and operating systems. You can also harden browsers such as Chrome, Mozilla Firefox and Safari.

A thorough configuration audit is critical, because once the application is deployed, the teams that manage it may not be aware of the security best practices that should be followed. The CIS benchmarks define the set of standards and security best practices needed to address these security gaps and vulnerabilities.


What makes CIS Benchmarks the industry standard?

CIS benchmarks are the only globally acknowledged industry best-practice security configuration guides that are both developed and accepted by government, business, industry and academia. They are developed from the input of a global community of cyber security professionals, technology vendors, subject matter experts, public and private community members, and the CIS Benchmark Development Team. The community actively contributes research to establish new, comprehensive benchmarks and to keep them up to date with an ever-evolving industry.

CIS benchmarks offer both manual and automated remediation for misconfigurations. Although it is ideal to address misconfigurations programmatically, certain limitations may prevent interacting with a system through a programmatic approach. Rather than leaving such misconfigurations unaddressed, CIS benchmarks provide manual remediation actions so that the security of the system is still configured thoroughly.

CIS benchmarks are publicly available for anyone to access, download and implement on their own systems. They are crucial for auditors and internal security teams to comprehensively test cloud infrastructure from a configuration perspective. The checklists provided by the CIS benchmarks ensure that your company is not relying solely on a home-grown checklist limited to the particular strengths of its internal staff.

How are CIS Benchmarks used for cybersecurity configuration audits?

  • Firstly, go to the CIS portal and provide company details such as the name and size of your organization.
  • Then identify the component involved (cloud provider, browser, etc.) and download the relevant CIS benchmarks.
  • An audit team will then go through the benchmarks and verify your company’s configuration against the CIS standard checklists.

These configuration audits using CIS benchmarks are carried out with automated tooling as well as through manual intervention. A combination of both is ideal: automated solutions test the programmable aspects, while cyber security experts approach the audit from a business context and a human angle.

The experts will then provide a comprehensive report describing the misconfigurations identified in the application, together with the rationale and the impact these vulnerabilities may have. The report will also state the best practices for addressing these issues, whether through manual or automated solutions, or through remediation steps to secure the cloud infrastructure, along with references for each solution.


How do CIS Benchmarks secure configuration and address vulnerabilities?

Below are some typical vulnerabilities that CIS benchmarks are able to identify, along with the best practices to address them.

  1. For a configuration audit, take Azure Kubernetes Service (AKS), one of the service offerings from the cloud service provider Azure. Suppose you have built an app based on the current version, which is 1.1, using microservices architectures, container technologies, and orchestration solutions such as Kubernetes. There is a chance that your development or configuration teams are not following the security best practices when configuring AKS. In that case, you should download the respective CIS benchmarks, which also contain recommendations. The document is organised into recommendations for master components, logging, worker nodes, policies, and managed services, with further categories and subcategories of recommendations. These are the aspects of configuration that IT ops teams can then examine, with details on each and every component. The document also specifies whether each audit or check is manual or automated. For example, 4.2.6, "Minimize the admission of root containers", is an automated check, meaning there are solutions on the market that can perform this check automatically. This is the checklist to follow in order to verify the Azure Kubernetes Service in your infrastructure and your cloud environment.
  2. To limit unauthorized access, the CIS benchmark recommendations for role-based access control (RBAC) can be downloaded. They provide the description, the rationale and the impact that could occur, how to audit, the remediation steps, and references. All you have to do is identify the component and read the description in the CIS benchmark to see whether your configuration is aligned with the CIS standard. In this case, it reads: "The RBAC role cluster-admin provides wide-ranging powers over the environment and should be used only where and when needed." This clearly states that the RBAC cluster-admin role is not to be granted to a normal user or to any anonymous user; you should ensure that it is granted only to the intended person. Sometimes administrators assign this role to everyone, which is a misconfiguration and a vulnerability that could be exploited.
  3. When dealing with a web browser, the CIS benchmark checklists tell you what is required to protect the browser from rogue attacks. The CIS benchmark might say to disable JavaScript: when JavaScript is disabled in a browser, no cross-site scripting attack can take place, because cross-site scripting attacks only work when JavaScript is enabled in your browser.
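The two Kubernetes recommendations discussed in items 1 and 2 are exactly the kind of check that can be automated. The script below is an added example written for this article; it is not code from CIS or from Entersoft, and the pod and ClusterRoleBinding objects in it are constructed sample data rather than output from a real cluster. The rules it applies are my own simplification of the benchmark text: a container is treated as "admitted as root" unless its own or the pod-level securityContext sets runAsNonRoot or a non-zero runAsUser, and a ClusterRoleBinding is flagged when it hands cluster-admin to one of the built-in catch-all groups (system:anonymous, system:unauthenticated, system:authenticated). The identifier "4.2.6" is taken from the article; the RBAC finding is labelled by name because no benchmark number for it is given above.

```python
"""Automated checks approximating two CIS Kubernetes recommendations (added example).

These rules are a simplification of the benchmark wording, not CIS's own audit
procedure. The objects in SAMPLE_OBJECTS are constructed for the demonstration.
"""

# Built-in Kubernetes subjects that stand for "everyone"; binding cluster-admin
# to any of them grants full control to anonymous or every authenticated principal.
OVERBROAD_SUBJECTS = {"system:anonymous", "system:unauthenticated", "system:authenticated"}


def _runs_as_non_root(ctx):
    """True when a securityContext forbids root (runAsNonRoot) or pins a non-zero UID."""
    if not ctx:
        return False
    if ctx.get("runAsNonRoot") is True:
        return True
    uid = ctx.get("runAsUser")
    return uid is not None and uid != 0


def root_container_findings(pod):
    """Names of containers and initContainers that the pod spec would still admit as root.

    A container inherits the pod-level securityContext unless it sets its own;
    an explicit runAsUser: 0 at container level overrides a safe pod-level setting.
    """
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ctx = c.get("securityContext", {})
        if ctx.get("runAsUser") == 0:  # explicit root wins over pod-level defaults
            findings.append(c["name"])
        elif not (_runs_as_non_root(ctx) or _runs_as_non_root(pod_ctx)):
            findings.append(c["name"])
    return findings


def cluster_admin_exposure(binding):
    """Subjects of a ClusterRoleBinding that hand cluster-admin to a catch-all group."""
    role = binding.get("roleRef", {})
    if role.get("kind") != "ClusterRole" or role.get("name") != "cluster-admin":
        return []
    return [s["name"] for s in binding.get("subjects", []) if s.get("name") in OVERBROAD_SUBJECTS]


def audit(objects):
    """Run both checks over a list of Kubernetes objects; return (check, object, detail) tuples."""
    report = []
    for obj in objects:
        name = obj.get("metadata", {}).get("name", "?")
        if obj.get("kind") == "Pod":
            for container in root_container_findings(obj):
                report.append(("4.2.6 root container", f"pod/{name}", container))
        elif obj.get("kind") == "ClusterRoleBinding":
            for subject in cluster_admin_exposure(obj):
                report.append(("cluster-admin overbroad", f"clusterrolebinding/{name}", subject))
    return report


# Constructed sample objects (not from any real cluster).
SAMPLE_OBJECTS = [
    {"kind": "Pod", "metadata": {"name": "web"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "nginx", "image": "nginx"},
                             # pod says non-root, but this container forces UID 0
                             {"name": "debug", "image": "busybox", "securityContext": {"runAsUser": 0}}]}},
    {"kind": "Pod", "metadata": {"name": "batch"},
     "spec": {"containers": [{"name": "worker", "image": "worker", "securityContext": {"runAsUser": 1000}},
                             # no securityContext anywhere: admitted as root by default
                             {"name": "sidecar", "image": "sidecar"}]}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "User", "name": "alice"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "viewers"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]

if __name__ == "__main__":
    for check, obj, detail in audit(SAMPLE_OBJECTS):
        print(f"[{check}] {obj}: {detail}")
```

Against the sample data the audit flags the "debug" container in pod/web, the "sidecar" container in pod/batch, and the system:authenticated subject of the everyone-admin binding; the named user "alice" is not flagged, because deciding whether a specific person should hold cluster-admin is the manual, business-context part of the audit described above. The same functions can be fed the `items` list from `kubectl get pods,clusterrolebindings -A -o json` to run the check against a live cluster.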

CIS benchmark-based configuration audits with Entersoft

Entersoft’s team of cyber security experts and white-hat hackers carries out configuration-level audits for enterprises, startups and small businesses, among a host of other premium cybersecurity services. We rely on CIS benchmarks and other industry standards, as well as our business and domain knowledge, to ensure that any vulnerabilities are identified and addressed. The set of components covered by the CIS benchmarks enables Entersoft to verify web servers, database servers, application servers, and the other software components required for a server to remain fully functional.

The scope of CIS benchmarks allows Entersoft to offer the following services:

  • Cloud configuration review
  • Server hardening
  • Software component hardening

Entersoft is now also able to offer hardening on your operating systems including:

  • Red Hat OS
  • Linux OS
  • Microsoft OS
  • Mac OS
  • Azure

Although these audits can be done internally, our security specialists draw on extensive expertise to prioritize configuration recommendations accurately, providing best-in-class guidance on solutions that are often cumbersome to implement.