CIS Benchmarks: best practices and recommendations for information security

The Center for Internet Security (CIS) is a non-profit organization that develops benchmarks and recommendations to help organizations improve their security and compliance programs. The initiative aims to define baseline secure-configuration levels for the kinds of systems found in every organization. In this article I continue publishing best practices and tips for organizing information security.

The first part: https://habr.com/post/338532/

Critical Security Controls


Access control


Segment networks based on user roles, level of access, or the classification of the information stored on servers. Keep sensitive information on separate VLANs behind a configured firewall, and verify that only authorized persons have access to the information needed to perform their specific duties.

All communication of confidential information should be encrypted.

All information stored in systems must be protected at the file-system level, by network access controls, by the application, or by access control lists. Only authorized persons may access information, and only on a need-to-know basis within their responsibilities.

Sensitive information stored in systems must be encrypted and protected by a secondary authentication mechanism that is not integrated into the operating system.

Keep a detailed audit log of access to non-public information and require separate authentication for confidential data.

Backup storage should be isolated as stand-alone systems.

Wireless Access Control


Ensure that each wireless device connected to the network matches an authorized configuration and security profile. Deny network access to wireless devices that do not match.

Configure network vulnerability scanning tools to detect wireless access points connected to the wired network. Compare the identified devices against the list of authorized wireless access points.

Use wireless intrusion detection systems (WIDS) to identify unauthorized wireless devices and detect attack attempts.

Make sure that wireless networks use at least Advanced Encryption Standard (AES) encryption and at least the Wi-Fi Protected Access 2 (WPA2) protection level.

Make sure that wireless networks use authentication protocols that protect credentials, such as Extensible Authentication Protocol-Transport Layer Security (EAP-TLS).

Create separate virtual local area networks (VLANs) for BYOD systems and other untrusted devices. Traffic from such a VLAN should be treated as untrusted.

User Account Control


Review all system accounts and disable those not tied to a business process.

Make sure all accounts have an expiration date that is monitored and enforced.

Immediately disable the accounts of departed employees. Disabling rather than deleting accounts preserves the audit data.

Regularly monitor the use of all accounts and enforce automatic logout after a standard period of inactivity.

Configure screen locks to block access to unattended workstations.

Monitor account usage to identify inactive accounts. Disable accounts that are not assigned to a current employee.

Configure account lockout so that the account is blocked after a set number of failed login attempts.

Monitor attempts to access deactivated accounts.
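The three account checks above (failed-login lockout, use of deactivated accounts, and inactive accounts) as an added Python example; it is not part of the original article, and the log format, account names and thresholds are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "<ISO timestamp> <event> <account>" per line.
SAMPLE_LOG = """\
2024-03-01T08:00:00 LOGIN_OK alice
2024-03-01T08:01:00 LOGIN_FAIL bob
2024-03-01T08:01:10 LOGIN_FAIL bob
2024-03-01T08:01:20 LOGIN_FAIL bob
2024-03-01T08:01:30 LOGIN_FAIL bob
2024-03-01T08:01:40 LOGIN_FAIL bob
2024-03-01T08:01:50 LOGIN_FAIL bob
2024-03-01T09:00:00 LOGIN_FAIL carol
2024-01-15T12:00:00 LOGIN_OK dave
"""
# Constructed account inventory: account -> is the account already disabled?
ACCOUNTS = {"alice": False, "bob": False, "carol": True, "dave": False, "erin": False}
LOCKOUT_THRESHOLD = 5                  # assumed: failures inside LOCKOUT_WINDOW trigger lockout
LOCKOUT_WINDOW = timedelta(minutes=10)
INACTIVITY_LIMIT = timedelta(days=30)  # assumed: no activity for this long means inactive

def parse_log(text):
    # Parses only the constructed format above; a real log needs a real parser.
    return [(datetime.fromisoformat(ts), ev, acct)
            for ts, ev, acct in (line.split() for line in text.splitlines())]

def review_accounts(events, accounts, now):
    """Return (lockout candidates, activity on disabled accounts, inactive accounts)."""
    fails, last_seen, disabled_hits = defaultdict(list), {}, set()
    for ts, event, account in events:
        last_seen[account] = max(ts, last_seen.get(account, ts))
        if event == "LOGIN_FAIL":
            fails[account].append(ts)
        if accounts.get(account):      # any activity on a disabled account is suspicious
            disabled_hits.add(account)
    lockouts = set()
    for account, times in fails.items():
        times.sort()
        # Sliding window: THRESHOLD consecutive failures within WINDOW.
        for i in range(len(times) - LOCKOUT_THRESHOLD + 1):
            if times[i + LOCKOUT_THRESHOLD - 1] - times[i] <= LOCKOUT_WINDOW:
                lockouts.add(account)
                break
    inactive = {a for a, disabled in accounts.items()
                if not disabled and now - last_seen.get(a, datetime.min) > INACTIVITY_LIMIT}
    return lockouts, disabled_hits, inactive

def findings(now_iso="2024-03-02T00:00:00"):
    """Run the review over the constructed sample as of the given time."""
    return review_accounts(parse_log(SAMPLE_LOG), ACCOUNTS, datetime.fromisoformat(now_iso))
```

Accounts that never appear in the log (here `erin`) are reported as inactive, which is the case the inventory review in the text is meant to catch.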

Authenticate all accounts through a centralized authentication point, such as Active Directory or LDAP.

Use multifactor authentication for all user accounts that have access to sensitive data or systems.

Where multifactor authentication is not supported, accounts must use strong passwords (longer than 14 characters).

Ensure that all account names and authentication credentials are transmitted over the network only through encrypted channels.

Make sure that all authentication files are encrypted or hashed and are accessible to no one but administrators.

Staff Security Awareness


Assess employees' practical information security skills.

Provide appropriate training to close the identified skill gaps.

Implement a security awareness program and conduct regular trainings.

Test and raise awareness through periodic exercises, including social-engineering attack vectors and phishing mailings.

Use competitive events to achieve better results in practical information security.

Application Software Control


For all purchased application software, make sure that the version in use is still supported by the vendor. If not, upgrade to the latest version and install all required patches and security recommendations.

Protect web applications with web application firewalls.

Do not display system error messages to end users; they should be visible only to the system administrator.

Maintain separate environments for production and non-production systems. Developers should not have uncontrolled access to the production environment.

Make sure that all software development personnel know and apply secure coding practices for their specific development environment.

Use testing tools (including automated ones) for the applications you develop; document and keep a history of releases and bug fixes.

Incident Response


Ensure that written incident response procedures exist that define personnel roles and the steps involved in handling an incident.

Define the duties and the circle of persons responsible for handling incidents and for making decisions on them.

Develop organizational standards for reporting anomalous events, the mechanisms for such reporting, and the information to be included in an incident notification. This reporting should also include notifications to the responsible persons.

Publish information about identified incidents within the organization.

Conduct periodic incident response exercises to test detection speed and the handling of incidents.

Penetration Testing


Regularly conduct external and internal penetration tests to identify vulnerabilities and attack vectors that could be exploited against corporate systems. Penetration testing should be performed from outside the network perimeter as well as from within it (i.e., on the internal network) in order to simulate insider attacks.

Perform periodic Red Team exercises as part of penetration testing to test the organization's readiness for a quick and effective response.

Use automated vulnerability scanning and penetration testing tools. The results of vulnerability assessment scans should serve as the starting point for penetration testing.

Introduce a scoring system for assessing the security of systems and carefully document the results of each test.

Create test benches (lab environments) for testing the most critical infrastructure elements.

Conclusion


The material above can be adapted, to a greater or lesser degree, for use in your organization.

Source: https://habr.com/ru/post/339206/