The Center for Internet Security, or CIS, is a not-for-profit body based in the US that was established in 2000. It provides benchmarks: consensus-based configuration guides created by experts on different technologies. These are configuration settings that anyone can use to assist with hardening their systems.
CIS has global contributors. Richard Comeau, from CIS, told us members of Australia’s DSD have been involved, having contributed to several guides. A number of Australian banks, universities and telcos are members of CIS.
The guides are provided for free in PDF format to the public. However, paid up members of CIS can access security automation content. As well as covering traditional on-premises deployments, they also produce guides for major virtualisation platforms as well as cloud services.
One of the newer standards they are working on is for Hadoop – this is a direct reaction to a lack of hardening information in the market, according to Comeau.
“So, they can access those benchmarks but in machine-readable format,” says Comeau. These are in SCAP format – an open source format that was originally developed by the NSA and NIST. The benchmarks, when ingested by a device or system, are then checked against the existing configuration and provide a report of what changes should be made to harden the system.
In addition to the benchmarks, CIS also operates a Security Operations Centre, working with the Department of Homeland Security. This involves monitoring firewalls, IPS and other devices for a number of state and local governments in the US as well as some utilities and other critical infrastructure. CIS also works with a number of other government and statutory authorities on threat monitoring and assessment.
“We really do have the threat and information sharing tools and we use a lot of that information for what we prescribe in the benchmarks. We see certain vulnerabilities and configuration issues that are being exploited. That helps inform how we’re putting together [our tools],” says Comeau.
Incredibly, CIS manages all of this with a team of fewer than 100 people.
A recently launched CIS service has been the deployment of pre-hardened virtual machines on Amazon’s EC2 platform. Comeau told us CIS is selling these services to non-members but, in keeping with their not-for-profit status, they are doing this cost effectively at $0.02 per additional compute hour.
Through his observations, Comeau says picking off the low-hanging fruit can mitigate many significant risks. Regular patching and giving users only the system privileges they need are often either overlooked or their importance is understated. One of the statistics bandied about at the RSA Conference this year was that Microsoft had patched the most exploited vulnerability of 2014 back in 2010.
Another challenge, says Comeau, is where business process often wins out over cyber-hygiene. For example, links between systems might be desirable for business reasons but can introduce risks that allow bad actors with a compromised account to move laterally between seemingly unrelated systems.
Given the complexity and scale of systems today, even those used by SMEs, Comeau says it’s imperative to look at using automation in order to properly secure systems.
“Every OS has so many prescribed configuration settings to make it a baseline hardening level. You can’t do that all by hand. We put the standards out as guidance documents but we make our memberships cost effective and put the automation tools out there.”
Anthony Caruana attended RSA Conference as a guest of Symantec.