CIS Benchmarks: best practices, guidelines and recommendations for information security
The Center for Internet Security (CIS) is a non-profit organization that develops benchmarks and recommendations that help organizations improve their security and compliance programs. The initiative aims to define baseline secure configurations for the kinds of systems found in almost every organization.
Several dozen guides for securely configuring various systems (Windows, Linux, OS X, MySQL, Cisco and many others) are available for download: learn.cisecurity.org/benchmarks
In this article I will go through the “Critical Security Controls Version 6.1”, a checklist of system security controls.
Critical Security Controls
Inventory of authorized and unauthorized devices
Deploy automatic device discovery systems and use them to create a preliminary inventory of systems connected to your organization’s public and private networks. Use both active tools that scan IPv4 or IPv6 network address ranges and passive tools that identify hosts based on an analysis of their traffic. Use a combination of active and passive tools and use them as part of a continuous monitoring program.
If your organization dynamically assigns addresses using DHCP, use this information to improve device inventory and detect unknown systems.
Make sure that all purchased equipment is added to the inventory.
Maintain an inventory of all systems connected to the network and of the network devices themselves, recording at least the network address, the machine name, the purpose of each system, the owner responsible for each device, and the department associated with it.
The inventory should include every system with an IP address on the network, including, but not limited to, workstations, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, network storage, IP phones, etc.
Deploy 802.1X network-level authentication to restrict and control which devices may connect to the network. Devices authenticating via 802.1X must be tied to the inventory data so that authorized and unauthorized systems can be told apart.
Use certificates to authenticate systems before connecting to a private network.
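As an added example (not from the article or from CIS), the following script shows the DHCP-based part of the control: it parses an ISC dhcpd-style lease file and reconciles every active lease against an asset inventory keyed by MAC address, flagging devices that are not inventoried at all and inventoried devices whose DHCP hostname no longer matches the record. The lease text and the inventory are constructed sample data; a real deployment would read /var/lib/dhcp/dhcpd.leases (or the equivalent export from the DHCP server) and the organization's CMDB.

```python
"""Reconcile DHCP lease data against an asset inventory to surface unknown devices.
Added example; the lease text and inventory below are constructed sample data."""
import re

# Constructed excerpt in ISC dhcpd lease-file syntax (not from a real server)
SAMPLE_LEASES = """\
lease 10.0.5.21 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "ws-finance-07";
}
lease 10.0.5.44 {
  binding state active;
  hardware ethernet 08:00:27:AA:BB:CC;
  client-hostname "android-3f9";
}
lease 10.0.5.9 {
  binding state free;
  hardware ethernet 00:50:56:11:22:33;
}
lease 10.0.5.30 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5f;
  client-hostname "laptop-unknown";
}
"""

# Constructed inventory keyed by MAC address, carrying the fields the control asks for
INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"hostname": "ws-finance-07", "purpose": "workstation",
                          "owner": "j.doe", "department": "Finance"},
    "00:50:56:11:22:33": {"hostname": "srv-files-01", "purpose": "file server",
                          "owner": "it-ops", "department": "IT"},
    "00:1a:2b:3c:4d:5f": {"hostname": "lt-sales-12", "purpose": "laptop",
                          "owner": "a.smith", "department": "Sales"},
}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_leases(text):
    """Return a list of {ip, mac, state, hostname} dicts, one per lease block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        state = re.search(r"binding state (\w+);", body)
        mac = re.search(r"hardware ethernet ([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname "([^"]*)";', body)
        leases.append({
            "ip": ip,
            "state": state.group(1) if state else "unknown",
            "mac": mac.group(1).lower() if mac else None,   # normalise case for lookups
            "hostname": host.group(1) if host else None,
        })
    return leases


def reconcile(leases, inventory):
    """Split active leases into unknown devices and inventoried devices whose
    DHCP hostname no longer matches the inventory record."""
    unknown, mismatched = [], []
    for lease in leases:
        if lease["state"] != "active":
            continue   # free/expired leases say nothing about current presence
        record = inventory.get(lease["mac"])
        if record is None:
            unknown.append(lease)
        elif lease["hostname"] and lease["hostname"] != record["hostname"]:
            mismatched.append((lease, record))
    return unknown, mismatched


if __name__ == "__main__":
    unknown, mismatched = reconcile(parse_leases(SAMPLE_LEASES), INVENTORY)
    for lease in unknown:
        print(f"UNKNOWN DEVICE {lease['ip']} mac={lease['mac']} host={lease['hostname']}")
    for lease, record in mismatched:
        print(f"HOSTNAME MISMATCH {lease['ip']}: dhcp={lease['hostname']} "
              f"inventory={record['hostname']}")
```

Run on a schedule, the unknown-device list is what the continuous-monitoring program acts on; the hostname mismatch is a weaker signal (a reimaged laptop, or a MAC that has been reused) but still worth a ticket.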
Inventory of authorized and unauthorized software
Create a list of authorized software and versions that are required by the enterprise for each type of system, including servers, workstations and laptops for various purposes and uses. This list should be monitored by file integrity checkers to confirm that authorized software has not been modified. File integrity is checked as part of a continuous monitoring program.
Use application whitelisting technology, which allows a system to run software only if it is on the whitelist and blocks execution of everything else. The whitelist can be very broad, so that users experience no inconvenience with common software, or, for special-purpose systems (which need only a small number of programs to fulfil their business function), quite narrow.
The software inventory system should track the version of the underlying operating system, as well as the applications installed on it. Software inventory systems should be tied to hardware inventories, so all devices and related software are tracked from a single source.
Secure hardware and software configurations
Install standard secure configurations for your operating systems and software applications (they can be downloaded from the link at the beginning of the article).
Track configurations by creating secure installation images that are used to create all new systems deployed in the enterprise. Regular updates or exceptions for this image should be integrated into organizational change management processes. Images must be created for workstations, servers, and other systems used by the organization.
Store master images on securely configured servers that have been verified with integrity checking tools. Alternatively, these images can be saved on standalone machines.
Image file integrity is verified as part of a continuous monitoring program.
Perform all remote administration of servers, workstations, network devices and similar equipment over secure channels. Protocols such as telnet, VNC, RDP or others that do not support encryption should be used only when tunnelled over an encrypted channel such as SSL/TLS or IPsec.
Use file integrity verification tools to ensure that critical system files (including sensitive system and application executables, libraries, and configurations) are not modified. Integrity checks should identify suspicious system changes, such as: owner rights and permissions to modify files or directories; use of alternative data streams that can be used to hide malicious actions; and the introduction of additional files in key system areas (which may indicate malicious payload left by cybercriminals or additional files inadvertently added during batch distribution). File integrity of important system files is checked as part of a continuous monitoring program.
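The file-integrity checking called for here and in the software-inventory control above, as an added example (not code from the article or from CIS): it records a SHA-256 hash, the permission bits and the owner of every regular file under a directory, then compares a later snapshot against that baseline and reports modified content, changed permissions or ownership, added files and removed files. The demo builds its own sample tree in a temporary directory and then tampers with it; POSIX permission bits are assumed. Windows alternate data streams, which the control also mentions, are not covered by this snippet.

```python
"""File-integrity baseline and drift detection for a directory tree.
Added example; the demo builds its own sample tree in a temporary directory."""
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record hash, permission bits and owner uid for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue   # symlinks and special files need separate handling
            rel = os.path.relpath(path, root)
            baseline[rel] = {"sha256": sha256_of(path),
                             "mode": stat.S_IMODE(st.st_mode),
                             "uid": st.st_uid}
    return baseline


def compare(baseline, current):
    """Classify differences into the categories the control calls out."""
    report = {"modified": [], "perm_or_owner_changed": [], "added": [], "removed": []}
    for rel, old in baseline.items():
        new = current.get(rel)
        if new is None:
            report["removed"].append(rel)
            continue
        if new["sha256"] != old["sha256"]:
            report["modified"].append(rel)
        if new["mode"] != old["mode"] or new["uid"] != old["uid"]:
            report["perm_or_owner_changed"].append(rel)
    report["added"] = sorted(set(current) - set(baseline))
    return report


def demo():
    """Build a small tree, baseline it, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "svc"), "wb") as f:
            f.write(b"original binary")
        with open(os.path.join(root, "etc", "svc.conf"), "w") as f:
            f.write("listen = 127.0.0.1\n")
        os.chmod(os.path.join(root, "etc", "svc.conf"), 0o640)
        baseline = build_baseline(root)

        # Simulated tampering: binary replaced, config made world-writable, extra file dropped
        with open(os.path.join(root, "bin", "svc"), "wb") as f:
            f.write(b"replaced binary")
        os.chmod(os.path.join(root, "etc", "svc.conf"), 0o666)
        with open(os.path.join(root, "bin", ".hidden"), "wb") as f:
            f.write(b"unexpected file")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

The baseline itself must be stored where an attacker who has modified the monitored files cannot also rewrite it (the control's point about keeping master images on separately secured servers applies to the baseline too).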
Run automatic vulnerability detection tools for all systems on the network on a weekly or more frequent basis and send priority lists of the most critical vulnerabilities to each responsible person.
Subscribe to vulnerability mailing lists (security lists, bugtraq) in order to be aware of emerging risks and respond quickly. In addition, ensure that your vulnerability detection tools are updated regularly.
Deploy automated patch management tools to update software for your operating system and software / applications on all systems. Patches should apply to all systems, even standalone ones.
Using Administrative Privileges
Minimize administrative privileges, use administrative accounts only when they are needed. Implement a focused audit of administrative privileged accounts and monitor abnormal behavior.
Use automated tools to inventory all administrative accounts and confirm that each employee with administrator rights genuinely needs those rights for their work.
Before deploying any new devices in a networked environment, change all the default passwords for applications, operating systems, routers, firewalls, wireless access points, and other systems.
Set up logging and warning systems when an account is added or removed from the domain administrators group or when a new local administrator account is added to the system.
Set up logging and warning systems for any unsuccessful logon to the administrative account.
Use multi-factor authentication for all administrative access, including access to the domain administrator. Multi-factor authentication may include many methods, including the use of smart cards, certificates, tokens, biometric data, or other similar authentication methods.
Administrators must use a dedicated computer for all administrative tasks or tasks requiring increased access. This machine must be isolated from the organization’s main network and not have access to the Internet. This machine should not be used to read e-mail, compose documents or surf the Internet.
Maintenance, monitoring, and analysis of audit logs
Use at least two synchronized time sources from which all servers and network equipment regularly receive time, so that the timestamps in the logs are consistent.
Confirm the audit log settings for each hardware device and the software installed on it, so that the logs include date, timestamp, source addresses, destination addresses, and any other relevant system information. Systems should record logs in a standardized format, such as syslog entries or those described by the Common Event Expression initiative (on the CIS website). If systems cannot generate logs in a standardized format, use tools to normalize and convert the logs to that format.
Ensure that all systems that store logs have enough space for them. Logs should be archived and digitally signed on a periodic basis.
Configure network edge devices, including firewalls, network IPS, and inbound and outbound proxies, to log all traffic (both allowed and blocked) in sufficient detail.
Deploy SIEM (Security Information and Event Management) for both aggregating and consolidating logs from multiple computers and for correlating and analyzing logs. Using the SIEM tool, system administrators and security personnel must develop common event profiles from specified systems to configure anomaly detection.
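As an added example (not from the article or from CIS) tying together the normalization requirement above and the two alerting rules from the administrative-privileges section: the script parses two constructed log formats, BSD syslog lines from a Linux host and a CSV export of Windows security events, into one common event shape, then raises an alert whenever an account is added to an administrative group or a logon to an administrative account fails. The log lines, the host names, the admin group list and the CSV column order (timestamp, host, event id, group, account) are all constructed for the example; syslog lines carry no year, so one is assumed.

```python
"""Normalise heterogeneous log lines into one event shape and raise the alerts the
controls ask for: admin-group membership changes and failed admin logons.
Added example; all log lines are constructed samples."""
import re
from datetime import datetime, timezone

ADMIN_GROUPS = {"sudo", "wheel", "Domain Admins", "Administrators"}
ADMIN_ACCOUNTS = {"root", "Administrator"}
SYSLOG_YEAR = 2023   # BSD syslog lines carry no year; assumed for the constructed sample

# Constructed samples: Linux syslog lines and a CSV export of Windows security events
# (CSV columns assumed as: timestamp, host, event id, group, account)
SAMPLE_LINES = [
    "Nov  2 10:15:01 ws-finance-07 sshd[4121]: Failed password for root from 10.0.5.44 port 50122 ssh2",
    "Nov  2 10:15:30 ws-finance-07 usermod[4210]: add 'bob' to group 'sudo'",
    "Nov  2 10:16:02 ws-finance-07 sshd[4130]: Failed password for alice from 10.0.5.21 port 50130 ssh2",
    "2023-11-02T10:16:40+00:00,srv-dc01,4728,Domain Admins,bob",
    "2023-11-02T10:17:05+00:00,srv-dc01,4625,,Administrator",
]

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) (\S+) ([\w.-]+)(?:\[\d+\])?: (.*)$")


def normalize(line):
    """Return {ts, host, source, event, account, group} in one shape regardless of
    origin, or None for lines neither parser understands."""
    m = SYSLOG_RE.match(line)
    if m:
        mon, day, hms, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        ev = {"ts": ts.replace(tzinfo=timezone.utc).isoformat(), "host": host,
              "source": prog, "event": "other", "account": None, "group": None}
        g = re.match(r"add '([^']+)' to group '([^']+)'", msg)
        f = re.match(r"Failed password for (?:invalid user )?(\S+) from (\S+)", msg)
        if g:
            ev.update(event="group_add", account=g.group(1), group=g.group(2))
        elif f:
            ev.update(event="logon_failed", account=f.group(1), src_ip=f.group(2))
        return ev
    parts = line.split(",")
    if len(parts) == 5 and parts[2].isdigit():
        ts, host, event_id, group, account = parts
        # 4728/4732: member added to a security-enabled group; 4625: failed logon
        event = {"4728": "group_add", "4732": "group_add", "4625": "logon_failed"}.get(event_id, "other")
        return {"ts": ts, "host": host, "source": f"win:{event_id}", "event": event,
                "account": account, "group": group or None}
    return None


def alerts_for(lines):
    """Apply the two alerting rules to every parsable line and return the alerts raised."""
    alerts = []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        if ev["event"] == "group_add" and ev["group"] in ADMIN_GROUPS:
            alerts.append(("ADMIN_GROUP_CHANGE", ev["host"], f"{ev['account']} -> {ev['group']}"))
        elif ev["event"] == "logon_failed" and ev["account"] in ADMIN_ACCOUNTS:
            alerts.append(("ADMIN_LOGON_FAILED", ev["host"], ev["account"]))
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LINES):
        print(*alert)
```

Every normalized event carries an ISO 8601 timestamp with an explicit UTC offset, which is what makes correlation across hosts in a SIEM meaningful; the time-synchronization requirement above is what guarantees those timestamps actually agree.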
Email and web browser protection
Make sure that only fully supported web browsers and email clients are allowed in your organization, ideally only the latest versions, so that the latest security features and fixes are in use.
Remove or disable any unnecessary or unauthorized browsers or email client plug-ins / applications.
The organization must support and apply URL network filters that restrict the system’s ability to connect to websites not approved by the organization. An organization must subscribe to the categorization services (black listing) of URLs to ensure they are up to date using the latest website category definitions. Uncategorized sites are blocked by default. This filtering should be applied to each of the organization’s systems.
To reduce the likelihood of email spoofing, implement SPF.
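What SPF actually checks, as an added example that is not from the article or from CIS: a receiving mail server evaluates the sending domain's SPF record against the IP address of the connecting host. The evaluator below implements the ip4, ip6, include and all mechanisms with their qualifiers as described in RFC 7208; the TXT records are a constructed stand-in for DNS lookups, and the a, mx, exists and redirect mechanisms are deliberately left out.

```python
"""Minimal SPF (RFC 7208) check: evaluate a domain's SPF record against the
connecting IP of a message. Added example; the DNS TXT data below is a constructed
stand-in for real lookups, and only ip4, ip6, include and all are handled."""
import ipaddress

# Constructed TXT records (a real implementation queries DNS instead)
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms at 10 per check


def check_spf(domain, sender_ip, txt=DNS_TXT, depth=0):
    """Return the SPF result for sender_ip claiming to send mail for domain:
    pass, fail, softfail, neutral, none (no record) or permerror."""
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only when the referenced record itself yields "pass"
            if check_spf(argument, sender_ip, txt, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"   # a, mx, exists, redirect= are outside this example
    return "neutral"             # record exhausted without an "all" term


def should_reject(domain, sender_ip):
    """Policy a receiving MTA might apply: reject hard fails only; softfail and
    neutral are normally fed into DMARC evaluation or spam scoring instead."""
    return check_spf(domain, sender_ip) == "fail"
```

SPF validates the envelope sender's domain against the connecting IP; it says nothing about the From: header the user sees, which is why it is normally deployed together with DKIM and DMARC.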
Turn on email content filtering and web content filtering.
Use automated tools to continuously monitor workstations, servers, and mobile devices with antivirus software, firewalls, and IPS. All malware detection events should be sent to server-side anti-virus protection administration tools and event log servers.
Use malware protection software that offers a centralized infrastructure collecting file reputation information. After a signature update is pushed, automated checks should verify that every system has received it.
Configure laptops, workstations, and servers so that they cannot automatically run content from removable media such as USB sticks, USB hard drives, CD / DVDs, FireWire devices, and mounted network resources. Configure systems to automatically scan removable media.
Use inline, network-based anti-malware tools to identify executable files in all network traffic, and use methods other than signature-based detection to identify and filter out malicious content before it reaches the endpoint: favour preventive protection measures.
Network Port Restriction and Control
Make sure that only ports, protocols, and services with a justified business need are active on each system.
Perform automated port scans of all key servers on a regular basis. If a change is found that is not listed in the organization's approved server profile, an alert must be generated and reviewed.
Place application firewalls in front of any critical servers to inspect traffic destined for the server. Any unauthorized access attempts or traffic should be blocked and an alert generated.
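The port-baseline check described above, as an added example that is not from the article or from CIS: it parses lines in nmap's grepable (-oG) output format, keeps the ports reported as open per host, and compares them with an approved per-server profile, alerting on unapproved open ports, approved ports that are no longer seen, and hosts that have no profile at all. The scan lines, the host addresses and the approved profile are constructed sample data.

```python
"""Compare observed open ports (nmap -oG style lines) against an approved server
profile and raise alerts on drift. Added example; the scan lines and the profile
are constructed samples."""
import re

# Constructed: approved ports per key server (the organization's server profile)
APPROVED = {
    "10.0.1.5": {("tcp", 22), ("tcp", 443)},     # web server
    "10.0.1.10": {("tcp", 22), ("tcp", 5432)},   # database server
}

# Constructed lines in nmap's grepable (-oG) output format
SCAN_OUTPUT = """\
Host: 10.0.1.5 (srv-web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)
Host: 10.0.1.10 (srv-db01)\tPorts: 22/open/tcp//ssh///, 5432/filtered/tcp//postgresql///\tIgnored State: closed (998)
Host: 10.0.1.99 ()\tPorts: 8080/open/tcp//http-proxy///\tIgnored State: closed (999)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: set((proto, port))} of ports reported OPEN for each host."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _name, ports = m.groups()
        open_ports = set()
        for entry in ports.split(", "):
            # field layout: port/state/proto/owner/service/rpc/version/
            fields = entry.split("/")
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                open_ports.add((proto, int(port)))
        result[ip] = open_ports
    return result


def check_drift(observed, approved):
    """Compare observed open ports with the approved profile; return alert tuples."""
    alerts = []
    for ip, ports in observed.items():
        if ip not in approved:
            alerts.append((ip, "UNPROFILED_HOST", sorted(ports)))
            continue
        extra = ports - approved[ip]
        missing = approved[ip] - ports
        if extra:
            alerts.append((ip, "UNAPPROVED_PORT_OPEN", sorted(extra)))
        if missing:
            alerts.append((ip, "APPROVED_PORT_NOT_SEEN", sorted(missing)))
    return alerts


if __name__ == "__main__":
    for ip, kind, ports in check_drift(parse_grepable(SCAN_OUTPUT), APPROVED):
        print(ip, kind, ports)
```

An approved port that stops answering is reported as well: it may mean a service has failed, or that the scanner's view of the host has changed (a firewall rule, a moved host), and either way the profile or the system needs attention.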
Data Recovery Ability
Make sure that a regular backup is automatically created for each system, and for systems that store sensitive information, this is done even more often.
To ensure the possibility of quick recovery of the system from backup, the operating system, application software and data on the workstation should be included in the general backup procedure. These three system components do not have to be included in the same backup file or use the same backup software. Over time, there should be several backups, so that in case of malware infection, recovery can be carried out from the version that precedes the initial infection. All backup policies must comply with regulatory or official requirements.
Make sure that backups are reliably protected by physical security or encryption when they are saved, as well as when moving across the network. This includes remote backups and cloud services.
Secure configurations for network devices
Compare the configuration of the firewall, router, or switch with the standard secure configurations defined for each type of network device used in your organization. The security configuration of such devices must be documented, verified and approved by the IT / IS service. Any deviations from the standard configuration or updates to the standard configuration must be documented and approved by the change management system.
All new configuration rules beyond the baseline configuration that allow traffic to pass through network security devices such as firewalls and network IPS should be documented and recorded in the configuration management system, with a specific business reason for each change and the person responsible for that business need.
Use automated tools to check standard device configurations and detect changes. All changes to such files should be logged and automatically reported to security personnel.
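The configuration-drift check from the three points above, as an added example that is not from the article or from CIS: it diffs a device's running configuration against its approved baseline, looks each added line up in the change-management register (which records the ticket, business reason and owner the control requires), and marks additions that are undocumented or that match a short list of directives that weaken the baseline. The IOS-like configurations, the register entry and the risky-directive list are all constructed for the example.

```python
"""Detect drift between a network device's approved baseline configuration and its
running configuration, and reconcile each change against the change-management register.
Added example; the configurations (IOS-like syntax) and the register are constructed."""
import difflib
import re

# Constructed approved baseline for an edge firewall
BASELINE = """\
hostname edge-fw-01
aaa new-model
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
line vty 0 4
 transport input ssh
"""

# Constructed running configuration as pulled from the device during a check
RUNNING = """\
hostname edge-fw-01
aaa new-model
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 8443
 permit ip any any
 deny ip any any log
line vty 0 4
 transport input ssh telnet
"""

# Constructed change register: each approved change carries a business reason and an owner
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "line": " permit tcp any host 203.0.113.10 eq 8443",
     "reason": "customer portal published on 8443", "owner": "n.ivanova"},
]

# Directives that weaken the baseline and deserve immediate review (illustrative list)
RISKY_PATTERNS = [re.compile(p) for p in (r"^\s*permit ip any any\s*$", r"\btelnet\b", r"^no aaa\b")]


def config_lines(text):
    """Keep meaningful lines only: drop blanks and '!' comment lines, strip trailing space."""
    return [ln.rstrip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def diff_config(baseline, running):
    """Return (added, removed) lines of the running config relative to the baseline."""
    added, removed = [], []
    for entry in difflib.ndiff(config_lines(baseline), config_lines(running)):
        if entry.startswith("+ "):
            added.append(entry[2:])
        elif entry.startswith("- "):
            removed.append(entry[2:])
    return added, removed


def audit(baseline, running, register):
    """Classify every drifted line: documented in the register or not, risky or not."""
    approved = {change["line"]: change for change in register}
    added, removed = diff_config(baseline, running)
    findings = []
    for line in added:
        change = approved.get(line)
        findings.append({
            "change": "added", "line": line,
            "status": f"approved ({change['ticket']}, {change['owner']})" if change else "UNDOCUMENTED",
            "risk": "HIGH" if any(p.search(line) for p in RISKY_PATTERNS) else "normal",
        })
    for line in removed:
        findings.append({"change": "removed", "line": line, "status": "UNDOCUMENTED", "risk": "review"})
    return findings


if __name__ == "__main__":
    for f in audit(BASELINE, RUNNING, APPROVED_CHANGES):
        print(f"{f['change']:7} {f['status']:32} {f['risk']:7} {f['line']}")
```

A line-level diff is deliberately simple; it cannot tell that "permit ip any any" placed above an explicit deny makes that deny dead, so the risky-directive list is what turns a textual change into a security finding for the reviewer.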
Install the latest stable version of any security-related updates on all network devices.
Network engineers must use a dedicated computer for all administrative tasks or tasks requiring increased access. This machine must be isolated from the organization’s main network and not have access to the Internet. This machine should not be used to read e-mail, compose documents or surf the Internet.
Deploy network-based IDS sensors on DMZ systems and networks to detect anomalies and compromise of those systems. They can detect attacks using signatures, behaviour analysis, or other traffic-analysis mechanisms.
Perform a data assessment to identify sensitive information that requires encryption and integrity.
Deploy approved hard drive encryption software for devices and systems containing sensitive data.
Use DLP network solutions to monitor and control the flow of data within the network. Any anomalies that exceed normal traffic patterns should be noted and appropriate measures taken to address them.
The above material can be adapted to one degree or another for use in your organization. In the next article of this series, I will supplement this list with control systems, penetration testing, wireless network analysis, and incident handling systems.
The next part of the series: https://habr.com/post/339206/
Poll: Your organization uses a security control system (vote counts in parentheses):
- Yes, we have our own IS policies: 22.2% (6)
- Yes, we use best practices from established methodologies: 14.8% (4)
- Partially: 25.9% (7)
- No, we do not use one: 25.9% (7)
- We have nothing to fear; who would need us anyway: 11.1% (3)