
CIS Benchmarks: best practices, guidelines and recommendations for information security


The Center for Internet Security (CIS) is a non-profit organization that develops benchmarks and recommendations that help organizations improve their security and compliance programs. The aim is to define baseline secure configurations for the kinds of systems found in practically every organization.

Several dozen guides on the secure configuration of various systems (Windows, Linux, macOS, MySQL, Cisco and many others) are available for download at learn.cisecurity.org/benchmarks

In this article I review the CIS "Critical Security Controls Version 6.1", a prioritized checklist of security controls.

Critical Security Controls


Inventory of authorized and unauthorized devices


Deploy automated asset discovery tools and use them to build a preliminary inventory of the systems connected to the organization's public and private networks. Use both active tools that scan IPv4 and IPv6 address ranges and passive tools that identify hosts by analysing their traffic, and run the combination as part of a continuous monitoring program.

If the organization assigns addresses dynamically with DHCP, use the DHCP server's lease information to enrich the inventory and detect unknown systems.

Make sure that all newly purchased equipment is added to the inventory.

Maintain an inventory of every system connected to the network and of the network devices themselves, recording at least the network address, machine name, purpose of the system, the owner responsible for it and the department it belongs to. The inventory should include every system with an IP address on the network, including but not limited to workstations, laptops, servers, network equipment (routers, switches, firewalls and so on), printers, network storage and IP phones.

Deploy 802.1X network-level authentication to limit and control which devices can connect to the network. 802.1X should be tied to the inventory data so that authorized and unauthorized systems can be told apart.

Use client certificates to authenticate systems before they are allowed onto the private network.
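As an added example (this code is not part of the original article), the following script reconciles active DHCP leases against the device inventory, which is the DHCP-based detection described above. The inventory dictionary and the lease excerpt are constructed sample data; the lease syntax imitates ISC dhcpd's dhcpd.leases file, which is an assumption about the DHCP server in use.

```python
"""Reconcile active DHCP leases against the authorized-device inventory.

Added example, not from the original article. The inventory and the lease
excerpt below are constructed sample data; the lease syntax imitates ISC
dhcpd's dhcpd.leases file (assumption: other DHCP servers log differently).
"""
import re
from dataclasses import dataclass

# Constructed inventory: MAC address -> (hostname, owner, department).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("ws-fin-01", "A. Ivanov", "Finance"),
    "aa:bb:cc:00:00:02": ("prn-floor2", "Facilities", "Facilities"),
    "aa:bb:cc:00:00:03": ("srv-db-01", "DBA team", "IT"),
}

# Constructed excerpt in dhcpd.leases style (one block per lease).
LEASES = """\
lease 10.0.1.21 {
  starts 4 2023/10/05 08:01:12;
  ends 4 2023/10/05 20:01:12;
  binding state active;
  hardware ethernet AA:BB:CC:00:00:01;
  client-hostname "ws-fin-01";
}
lease 10.0.1.57 {
  binding state active;
  hardware ethernet de:ad:be:ef:00:99;
  client-hostname "android-3f2a";
}
lease 10.0.1.58 {
  binding state free;
  hardware ethernet aa:bb:cc:00:00:02;
}
lease 10.0.1.60 {
  binding state active;
  hardware ethernet aa:bb:cc:00:00:03;
  client-hostname "kali";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)


@dataclass
class Lease:
    ip: str
    mac: str
    hostname: str
    active: bool


def parse_leases(text):
    """Return one Lease per 'lease <ip> { ... }' block."""
    leases = []
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        state = re.search(r"binding state\s+(\w+);", body)
        leases.append(Lease(
            ip=ip,
            mac=mac.group(1).lower() if mac else "",   # normalize case for lookup
            hostname=host.group(1) if host else "",
            active=bool(state and state.group(1) == "active"),
        ))
    return leases


def reconcile(leases, inventory):
    """Split active leases into devices unknown to the inventory and devices
    whose hostname differs from the inventory (a re-used or spoofed MAC)."""
    unknown, mismatched = [], []
    for lease in leases:
        if not lease.active:
            continue                      # free/expired leases carry no live device
        entry = inventory.get(lease.mac)
        if entry is None:
            unknown.append(lease)
        elif lease.hostname and lease.hostname != entry[0]:
            mismatched.append((lease, entry[0]))
    return unknown, mismatched


if __name__ == "__main__":
    unknown, mismatched = reconcile(parse_leases(LEASES), INVENTORY)
    for lease in unknown:
        print(f"UNKNOWN   {lease.ip:<12} {lease.mac} {lease.hostname!r}")
    for lease, expected in mismatched:
        print(f"MISMATCH  {lease.ip:<12} {lease.mac} got {lease.hostname!r}, inventory says {expected!r}")
```

Only active leases are considered, and MAC addresses are lower-cased before lookup so that a server that logs them in upper case does not produce false "unknown device" alerts. The hostname mismatch check is a cheap extra signal: a known MAC that suddenly announces a different hostname deserves the same attention as an unknown one.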

Inventory of authorized and unauthorized software


Create a list of the authorized software and versions required in the enterprise for each type of system, including servers, workstations and laptops of various purposes. Monitor this list with file integrity checks to confirm that the authorized software has not been modified, and run those integrity checks as part of the continuous monitoring program.

Use application whitelisting, which lets a system run only software that is on the whitelist and blocks everything else. The whitelist can be very broad so that users are not inconvenienced when using common software, or, for special-purpose systems that need only a small number of programs to fulfil their business function, it can be quite narrow.

The software inventory system should track the version of the base operating system as well as the applications installed on it. It should be tied to the hardware inventory so that all devices and their software are tracked from a single source.

Secure configurations for hardware and software


Establish standard secure configurations for your operating systems and applications (they can be downloaded from the link at the beginning of the article).

Standardize configurations by building hardened master images from which all new systems in the enterprise are deployed. Regular updates to, or exceptions from, these images must go through the organization's change management process. Images should be built for workstations, servers and every other type of system the organization uses.

Store master images on securely configured servers that are verified with integrity checking tools, or on offline machines.

Verify the integrity of the image files as part of the continuous monitoring program.

Perform all remote administration of servers, workstations, network devices and similar equipment over secure channels. Protocols such as telnet, VNC, RDP or others that do not natively provide strong encryption should be used only over a secondary encrypted channel such as TLS or IPsec.

Use file integrity checking tools to ensure that critical system files (including sensitive system and application executables, libraries and configuration files) are not modified. The integrity checks should report suspicious changes such as: changes to the owner or permissions of files or directories; use of alternate data streams, which can be used to hide malicious activity; and the appearance of extra files in key system areas (which may indicate malicious payloads left by attackers, or files added unintentionally by the software distribution process). Verify the integrity of important system files as part of the continuous monitoring program.
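The following baseline-and-compare script is an added example (not code from the original article) of the file integrity check described here; the same mechanism serves the authorized-software check in the previous section. It runs entirely inside a temporary directory with constructed files, so it can be executed anywhere. In production the baseline would be kept where the monitored host cannot modify it (an assumption of this example is that it would be a signed JSON file on the monitoring server).

```python
"""Baseline-and-compare file integrity check.

Added example, not from the original article. Everything runs in a temporary
directory with constructed files, so it is safe to execute anywhere.
"""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record SHA-256 (regular files only), permission bits, owner and size
    for every file under root, keyed by path relative to root."""
    snap = {}
    for p in sorted(Path(root).rglob("*")):
        st = p.lstat()
        entry = {
            "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid/sticky
            "uid": st.st_uid,
            "gid": st.st_gid,
            "size": st.st_size,
            "type": "file" if stat.S_ISREG(st.st_mode) else "other",
        }
        if entry["type"] == "file":
            entry["sha256"] = hashlib.sha256(p.read_bytes()).hexdigest()
        snap[p.relative_to(root).as_posix()] = entry
    return snap


def compare(baseline, current):
    """Return (path, change, before, after) for added/removed files and for
    every attribute that differs between the two snapshots."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            findings.append((path, "added", None, current[path].get("sha256")))
        elif path not in current:
            findings.append((path, "removed", baseline[path].get("sha256"), None))
        else:
            for key in ("sha256", "mode", "uid", "gid", "size"):
                b, c = baseline[path].get(key), current[path].get(key)
                if b != c:
                    findings.append((path, key, b, c))
    return findings


def demo():
    """Build a baseline, simulate three kinds of tampering, and report them."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "helper").write_bytes(b"\x7fELF placeholder")  # constructed, not a real binary
        os.chmod(root / "helper", 0o755)
        baseline = snapshot(root)

        # 1. configuration weakened, 2. setuid bit added to an executable,
        # 3. an extra file dropped into the monitored directory
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        os.chmod(root / "helper", 0o4755)
        (root / ".cache").write_bytes(b"dropper")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, change, before, after in demo():
        if change == "mode":
            before, after = oct(before), oct(after)
        print(f"{change:<8} {path:<14} {before} -> {after}")
```

The comparison deliberately tracks mode, owner and group separately from the content hash: a setuid bit added to an unchanged binary, or a configuration file made world-writable, is exactly the kind of change a hash-only checker misses. Alternate data streams are an NTFS feature and are not covered by this POSIX-oriented snapshot.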

Run automated vulnerability scanning tools against all systems on the network weekly or more often, and send each responsible person a prioritized list of the most critical vulnerabilities found.

Subscribe to vulnerability information mailing lists (for example security-list, bugtraq) to stay aware of emerging risks and respond promptly. Also make sure that your vulnerability scanners are updated regularly.

Deploy automated patch management tools to keep operating systems and applications on all systems up to date. Patches must be applied to all systems, including standalone ones.

Use of administrative privileges


Minimize administrative privileges and use administrative accounts only when they are needed. Implement focused auditing of privileged administrative accounts and monitor them for abnormal behaviour.

Use automated tools to inventory all administrative accounts and confirm that every employee with administrative rights actually needs them for his or her duties.

Before deploying any new device on the network, change all default passwords on applications, operating systems, routers, firewalls, wireless access points and other systems.

Configure logging and alerting for any account added to or removed from the domain administrators group and for any new local administrator account created on a system.

Configure logging and alerting for every unsuccessful login attempt to an administrative account.

Use multi-factor authentication for all administrative access, including domain administrator access. Multi-factor authentication can take many forms, including smart cards, certificates, hardware tokens, biometrics or similar methods.

Administrators should use a dedicated machine for all administrative tasks and tasks requiring elevated access. This machine must be isolated from the organization's main network and have no Internet access, and it must not be used for reading e-mail, writing documents or browsing the web.
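As an added example (not from the original article), the detection logic below implements the two alerting rules above over constructed records that resemble Windows Security log events. The event IDs are the standard ones (4728 member added to a security-enabled global group, 4756 universal group, 4732 member added to a security-enabled local group, 4625 failed logon); the field names, group list and account list are assumptions for this example.

```python
"""Alert on privileged-group changes and failed administrator logons.

Added example, not from the original article. The events are constructed to
resemble Windows Security log records; field names are this example's own.
"""
from collections import defaultdict

PRIVILEGED_DOMAIN_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
ADMIN_ACCOUNTS = {"administrator", "da-ivanov"}   # failed logons to these always alert

# Constructed sample events, already sorted by time.
EVENTS = [
    {"time": "2023-10-05T09:00:01", "id": 4728, "host": "DC01",
     "subject": "svc-deploy", "group": "Domain Admins", "member": "jdoe"},
    {"time": "2023-10-05T09:02:10", "id": 4728, "host": "DC01",
     "subject": "da-ivanov", "group": "Marketing", "member": "jdoe"},
    {"time": "2023-10-05T09:05:44", "id": 4732, "host": "WS-FIN-01",
     "subject": "jdoe", "group": "Administrators", "member": "backupadm"},
] + [
    # six failed logons to the built-in administrator from one source in 30 s
    {"time": f"2023-10-05T09:10:{s:02d}", "id": 4625, "host": "DC01",
     "user": "administrator", "src_ip": "10.0.5.9", "status": "0xC000006D"}
    for s in range(0, 30, 5)
] + [
    {"time": "2023-10-05T09:11:02", "id": 4625, "host": "WS-FIN-01",
     "user": "jdoe", "src_ip": "10.0.1.21", "status": "0xC000006D"},
]


def detect(events):
    """Return alerts for domain privileged-group additions, local
    Administrators additions, and failed logons to administrative accounts.
    Failed logons are grouped by (host, account, source) so that a
    password-guessing burst becomes one alert with a count."""
    alerts = []
    failed = defaultdict(list)
    for e in events:
        if e["id"] in (4728, 4756) and e["group"] in PRIVILEGED_DOMAIN_GROUPS:
            alerts.append({"rule": "domain-priv-group-add", "host": e["host"],
                           "group": e["group"], "member": e["member"],
                           "by": e["subject"], "time": e["time"]})
        elif e["id"] == 4732 and e["group"] == "Administrators":
            alerts.append({"rule": "local-admin-add", "host": e["host"],
                           "member": e["member"], "by": e["subject"],
                           "time": e["time"]})
        elif e["id"] == 4625 and e["user"].lower() in ADMIN_ACCOUNTS:
            failed[(e["host"], e["user"].lower(), e["src_ip"])].append(e["time"])
    for (host, user, src), times in failed.items():
        alerts.append({"rule": "admin-logon-failure", "host": host, "user": user,
                       "src_ip": src, "count": len(times),
                       "first": times[0], "last": times[-1]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The group additions alert individually, since each one is a deliberate, rare action. The failed logons are aggregated per host, account and source address: the control asks for every failure to be logged, and they all are, but a practitioner wants one alert saying "six failures from 10.0.5.9 in 30 seconds" rather than six identical ones. Removals from the privileged groups (event ID 4729 for global groups) would be handled in the same branch.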

Maintenance, monitoring and analysis of audit logs


Use at least two synchronized time sources from which all servers and network equipment regularly obtain time, so that the timestamps in the logs are consistent.

Verify the audit log settings of every hardware device and of the software installed on it, so that the logs include the date, timestamp, source address, destination address and other relevant system information. Systems should write logs in a standardized format such as syslog or the one described by the Common Event Expression initiative (referenced on the CIS site). If a system cannot produce logs in a standardized format, use tools to normalize and convert its logs into one.

Ensure that all systems that store logs have sufficient storage space for them. Logs should be archived and digitally signed on a periodic basis.

Configure network perimeter devices, including firewalls, network IPS, and inbound and outbound proxies, to log all traffic (both allowed and blocked) in sufficient detail.

Deploy a Security Information and Event Management (SIEM) system both to aggregate and consolidate logs from multiple machines and to correlate and analyse them. Using the SIEM, system administrators and security staff should build profiles of the normal events of the monitored systems so that anomalies can be detected.
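As an added example (not from the original article) of the normalization step above, the following code maps two differently formatted log lines onto one common event schema. Both lines are constructed: an RFC 3164-style syslog line from an SSH server and a key=value line of the kind many firewalls emit. The field names of the common schema are this example's own choice, not a standard.

```python
"""Normalize heterogeneous log lines into one event schema.

Added example, not from the original article. Input lines are constructed;
the common schema (FIELDS) is this example's own choice.
"""
import re
from datetime import datetime

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

FIELDS = ("ts", "host", "app", "src_ip", "dst_ip", "dst_port", "user", "action")


def empty_event(raw):
    ev = dict.fromkeys(FIELDS)
    ev["raw"] = raw          # always keep the original line for investigation
    return ev


def normalize(line, year=2023):
    """Return a dict with the FIELDS keys (None where the source has no value),
    or None if the line matches no known format. RFC 3164 lines carry no
    year, so the caller supplies it (assumption for this example)."""
    m = SYSLOG_RE.match(line)
    if m:
        ev = empty_event(line)
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        ev.update(ts=ts.isoformat(), host=m["host"], app=m["app"])
        f = SSH_FAIL_RE.search(m["msg"])
        if f:
            ev.update(src_ip=f["src"], user=f["user"], action="deny")
        return ev

    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if {"date", "time", "src", "dst", "action"}.issubset(kv):
        ev = empty_event(line)
        ts = datetime.strptime(f"{kv['date']} {kv['time']}", "%Y-%m-%d %H:%M:%S")
        ev.update(ts=ts.isoformat(), host=kv.get("devname"), app="firewall",
                  src_ip=kv["src"], dst_ip=kv["dst"],
                  dst_port=int(kv["dstport"]) if "dstport" in kv else None,
                  action=kv["action"])
        return ev
    return None


# Constructed sample lines (not from any real system).
SAMPLE_LINES = [
    "Oct  5 08:14:59 srv-db-01 sshd[2114]: Failed password for invalid user oracle "
    "from 203.0.113.9 port 51522 ssh2",
    "date=2023-10-05 time=08:15:02 devname=fw-edge src=203.0.113.9 dst=10.0.1.21 "
    "dstport=445 proto=6 action=deny",
    "this line is in no known format",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize(line))
```

Once both lines share the schema, a correlation such as "source address seen in an SSH failure and in a firewall deny within one minute" is a simple join on src_ip and ts, which is exactly what the SIEM step that follows relies on. Lines that match no parser return None rather than being silently dropped, so they can be counted and used to find formats the normalizer does not yet handle.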

Email and Web Browser Protection


Ensure that only fully supported web browsers and e-mail clients are allowed in the organization, ideally only the latest versions, so that the latest security features and fixes are in use.

Remove or disable any unnecessary or unauthorized browser or e-mail client plugins and add-ons.

Limit the use of unnecessary active content technologies in all web browsers and e-mail clients. This includes technologies such as ActiveX and JavaScript on systems where there is no need to support them.

The organization must maintain and enforce network-based URL filters that limit a system's ability to connect to websites not approved by the organization. Subscribe to URL categorization (blacklisting) services so that the filter is kept up to date with the latest website category definitions, and block uncategorized sites by default. This filtering should apply to every system in the organization.

To reduce the likelihood of e-mail spoofing, implement SPF (Sender Policy Framework).

Enable e-mail content filtering and web content filtering.
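To show what implementing SPF actually buys, here is an added example (not from the original article) of how a receiving mail server evaluates a published SPF record against the connecting sender's IP address, following RFC 7208. It handles the ip4, ip6 and all mechanisms offline; mechanisms that need DNS lookups (a, mx, include, exists, redirect=) are reported as unsupported. The records and addresses are constructed.

```python
"""Minimal SPF evaluator for the ip4/ip6/all mechanisms (RFC 7208).

Added example, not from the original article. Records and addresses below
are constructed; DNS-dependent mechanisms are not implemented.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'permerror' or 'unsupported'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"                     # not an SPF record at all
    try:
        ip = ipaddress.ip_address(sender_ip)
    except ValueError:
        return "permerror"
    for term in terms[1:]:
        qualifier = "+"                        # default qualifier is '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]       # 'all' always matches and ends evaluation
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)   # "ip4:a.b.c.d" means /32
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]   # first matching mechanism wins
            continue
        return "unsupported"                   # a, mx, include, exists, redirect= need DNS
    return "neutral"                           # nothing matched and no 'all' term


# Constructed records for an example domain.
STRICT_RECORD = "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 ip6:2001:db8:1::/48 -all"
SOFT_RECORD = "v=spf1 ip4:203.0.113.0/24 ~all"

if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7", "2001:db8:1::25", "192.0.2.1"):
        print(f"{ip:<16} strict={evaluate_spf(STRICT_RECORD, ip):<8} "
              f"soft={evaluate_spf(SOFT_RECORD, ip)}")
```

Two practical points follow from the evaluation order. First, a record ending in "~all" only produces softfail for forged mail, and many receivers merely tag softfail rather than rejecting it, so publish "-all" once every legitimate sender is listed. Second, SPF checks the envelope sender (MAIL FROM) and HELO identity, not the From: header the user sees; pairing SPF with DKIM and a DMARC policy is what makes the visible From: address hard to spoof.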

Malware Protection


Use automated tools to continuously monitor workstations, servers and mobile devices with antivirus, host firewall and IPS functionality. All malware detection events should be sent to the central anti-malware management console and to the event log servers.

Use anti-malware software that offers a centralized infrastructure for collecting file reputation information. After an update is pushed, automated systems should verify that every endpoint has received it.

Configure laptops, workstations and servers so that they do not automatically run content from removable media such as USB flash drives, USB hard drives, CDs/DVDs, FireWire devices and mounted network shares. Configure systems to automatically scan removable media when it is inserted.

Use network-based anti-malware tools to identify executables in all network traffic, and use techniques other than signature-based detection to identify and filter malicious content before it reaches the endpoint, blocking proactively rather than only after infection.

Limit and control network ports


Ensure that only ports, protocols and services with a validated business need are running on each system.

Perform automated port scans of all key servers on a regular basis and compare the results with the organization's approved server profile. If a change that is not in the approved profile is detected, generate an alert and investigate the port.

Place application firewalls in front of any critical servers to inspect the traffic going to them. Any unauthorized access attempts or traffic must be blocked and an alert raised.
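The comparison against the approved profile can be automated directly from the scanner's output. The following is an added example (not from the original article) that parses a constructed excerpt of nmap's grepable output (nmap -oG) and reports any open port that is not in the approved profile, as well as approved ports that are unexpectedly missing. The per-host approved profile is an assumption for this example.

```python
"""Compare an nmap grepable scan against the approved server profile.

Added example, not from the original article. The scan text is a constructed
excerpt in nmap -oG format; the approved profile is an assumption.
"""
import re

# Constructed approved profile: host -> set of (port, proto) expected to be open.
APPROVED = {
    "10.0.1.10": {(22, "tcp"), (80, "tcp"), (443, "tcp")},
    "10.0.1.20": {(22, "tcp"), (5432, "tcp")},
}

# Constructed excerpt of nmap -oG output (fields are tab-separated).
SCAN = """\
# Nmap 7.94 scan initiated Thu Oct  5 02:00:01 2023 as: nmap -sS -p- -oG - 10.0.1.10 10.0.1.20
Host: 10.0.1.10 (web01)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (65531)
Host: 10.0.1.20 (db01)\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, 6379/open/tcp//redis///\tIgnored State: filtered (65532)
# Nmap done at Thu Oct  5 02:03:41 2023 -- 2 IP addresses (2 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\tPorts: (.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {(port, proto), ...}} for ports reported as open."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and hosts without a Ports field
        ip, ports_field = m.group(1), m.group(3)
        open_ports = set()
        for entry in ports_field.split(", "):
            port, state, proto = entry.split("/")[:3]   # port/state/proto/owner/service/rpc/version
            if state == "open":
                open_ports.add((int(port), proto))
        result[ip] = open_ports
    return result


def diff_against_profile(scan, approved):
    """Return {ip: (unexpected_open, expected_but_closed)}. Hosts absent from
    the profile are reported with every open port as unexpected."""
    report = {}
    for ip, open_ports in scan.items():
        expected = approved.get(ip, set())
        unexpected = open_ports - expected
        missing = expected - open_ports
        if unexpected or missing:
            report[ip] = (unexpected, missing)
    return report


if __name__ == "__main__":
    report = diff_against_profile(parse_grepable(SCAN), APPROVED)
    for ip, (unexpected, missing) in report.items():
        for port, proto in sorted(unexpected):
            print(f"ALERT {ip}: {port}/{proto} open but not in approved profile")
        for port, proto in sorted(missing):
            print(f"WARN  {ip}: {port}/{proto} expected open but not seen")
```

Reporting the missing ports as well as the unexpected ones is deliberate: a service that has disappeared may mean the host was rebuilt outside change management, or that the scanner was blocked, and either way the approved profile and the scan no longer agree.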

Ability to recover data


Ensure that every system is automatically backed up on a regular basis, and more frequently for systems that store sensitive information.

To allow a system to be restored quickly from backup, the operating system, application software and data on each workstation should all be covered by the backup procedure. These three components need not be in the same backup file or be backed up with the same software. Keep several generations of backups over time so that, in the event of a malware infection, the system can be restored from a version that predates the initial infection. All backup policies must comply with regulatory and official requirements.

Ensure that backups are protected by physical security or encryption both when stored and while being transferred over the network. This includes remote backups and cloud services.

Secure configurations for network devices


Compare the configuration of every firewall, router and switch with the standard secure configuration defined for each type of network device used in the organization. The secure configuration of such devices must be documented, reviewed and approved by the IT / information security team. Any deviation from the standard configuration, or any update to it, must be documented and approved in the change management system.

All new configuration rules beyond the baseline that allow traffic through network security devices such as firewalls and network IPS must be documented and recorded in the configuration management system, with a specific business reason for each change and the person responsible for that business need.

Use automated tools to verify the standard device configurations and detect changes. All changes to these configuration files should be logged and automatically reported to security personnel.

Install the latest stable version of all security-related updates on all network devices.

Network engineers should use a dedicated machine for all administrative tasks and tasks requiring elevated access. This machine must be isolated from the organization's main network and have no Internet access, and it must not be used for reading e-mail, writing documents or browsing the web.

Deploy network IDS sensors on DMZ systems and networks to detect anomalies and the compromise of these systems. They can detect attacks using signatures, behaviour analysis or other traffic analysis mechanisms.
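As an added example (not from the original article) of the automated configuration check above, the script below compares a device's running configuration with its approved golden configuration and reports drift, while ignoring lines that change on their own between pulls. Both configurations are constructed IOS-style text, and the list of volatile line patterns is an assumption that would need tuning for the platform in use.

```python
"""Detect drift between a network device's running config and its approved
golden config, ignoring lines that legitimately change on their own.

Added example, not from the original article. Both configs are constructed
IOS-style text; VOLATILE is an assumption to be tuned per platform.
"""
import difflib
import re

GOLDEN = """\
! Last configuration change at 08:00:00 UTC Mon Sep 4 2023
hostname edge-fw-01
no ip http server
no ip http secure-server
ntp clock-period 17179939
line vty 0 4
 transport input ssh
 access-class 10 in
ip access-list standard 10
 permit 10.0.99.0 0.0.0.255
 deny any log
"""

RUNNING = """\
! Last configuration change at 23:41:07 UTC Thu Oct 5 2023
hostname edge-fw-01
ip http server
no ip http secure-server
ntp clock-period 17179941
line vty 0 4
 transport input ssh telnet
 access-class 10 in
ip access-list standard 10
 permit 10.0.99.0 0.0.0.255
 permit 203.0.113.0 0.0.0.255
 deny any log
"""

# Lines that differ between pulls without anyone changing anything.
VOLATILE = [
    re.compile(r"^! Last configuration change"),
    re.compile(r"^ntp clock-period"),
]


def significant_lines(config):
    """Drop blank and volatile lines; keep leading indentation, which carries
    the section structure in IOS-style configs."""
    return [line.rstrip() for line in config.splitlines()
            if line.strip() and not any(p.match(line) for p in VOLATILE)]


def config_drift(golden, running):
    """Return (added, removed): lines present only in running / only in golden."""
    g, r = significant_lines(golden), significant_lines(running)
    added, removed = [], []
    for tag, i1, i2, j1, j2 in difflib.SequenceMatcher(None, g, r).get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(g[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(r[j1:j2])
    return added, removed


if __name__ == "__main__":
    added, removed = config_drift(GOLDEN, RUNNING)
    for line in removed:
        print("- " + line)
    for line in added:
        print("+ " + line)
```

Filtering volatile lines is what keeps this usable: without it every pull would raise an alert on the timestamp and the NTP drift counter, and real changes such as the HTTP server being enabled, telnet being allowed on the VTY lines and an extra network being admitted by the management ACL would be lost in the noise.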

Data protection


Assess the data to identify sensitive information that requires encryption and integrity protection.

Deploy approved full-disk encryption software on devices and systems that hold sensitive data.

Use network DLP solutions to monitor and control the flow of data within the network. Any anomalies that deviate from normal traffic patterns should be noted and appropriate measures taken to address them.

Conclusion


The material above can be adapted to varying degrees for use in your organization. In the next article in this series I will extend this list with control systems, penetration testing, wireless network analysis and incident handling.


Continued in: https://habr.com/post/339206/

Source: https://habr.com/ru/post/338532/
