The CIS Benchmarks are useful, free tools for jumpstarting your cybersecurity. They pave the way for deeper security through the CIS Controls, which in turn map onto other regulatory needs. To get the most out of them, you need to know which ones to use—and why.
Are the CIS Benchmarks right for your organization? Schedule a consultation to find out!
How CIS Benchmarks Impact Your Security
The Center for Internet Security (CIS) is an institution dedicated to optimizing cybersecurity for organizations of every kind and size, globally. It develops frameworks, educational resources, and tools to help organizations recognize and minimize threats. The CIS Benchmarks are recommended settings and configurations, applicable to common software and hardware.
Putting the CIS Benchmark tools to use requires:
- Understanding the different levels of implementation
- Selecting the appropriate categories of Benchmarks
- Using the Benchmarks to streamline your compliance
Working with a security program advisor will help you select and implement the right Benchmarks for your organization, streamlining and strengthening your security.
Understanding the CIS Benchmark Levels
Like many other cybersecurity frameworks and governing bodies, CIS envisions its benchmarks as a maturity model. This means organizations may implement them to different extents of depth and breadth, for relatively greater security, rather than a binary of secure/unsecured.
The two primary levels of CIS Benchmark implementation are:
- Level 1 – Recommendations form foundational protections, reducing your attack surface and giving cybercriminals fewer ways to compromise your data. They’re easy to install, but they do not offer robust protections from the most advanced persistent threats (APT).
- Level 2 – Recommendations are much more advanced, utilizing threat intelligence to prevent attacks proactively. Controls are more difficult to install and manage, but they offer much greater security assurance—and mappings to regulatory requirements.
Beyond these, there is also a separate designation for Security Technical Implementation Guide (STIG) baselines developed in accordance with the Department of Defense (DoD). The Defense Information Systems Agency (DISA) has worked with CIS to create a profile commensurate to certain Military needs. However, many organizations seeking DoD contracts will also have to pursue other implementations, such as Cybersecurity Maturity Model Certification (CMMC).
CIS Hardening and Pre-Configured Security
The process of improving your organization’s security maturity, adding more and better controls to cover for a greater variety and severity of risks, is often referred to as “hardening.” One way to achieve a hardened posture is to manually install the controls from the CIS Benchmarks or other cybersecurity resources—or work with a service provider who will install them for you.
But CIS makes another, far simpler approach possible: pre-configured Hardened Images.
Organizations can install “images” of fully-functional configurations, generated by virtual machines (VM), to meet all the recommendations of Level 1 or 2 (or STIG) by default. Some CIS Hardened Images are also pre-configured to meet compliance requirements of various regulations. And even if they don’t meet them by default, they facilitate mapping (see below).
Utilizing Specific CIS Benchmark Categories
At present, CIS hosts over 100 individual Benchmarks, all available for free download in PDF form. The individual Benchmarks account for over 25 vendor-specific ecosystems, categorized by software type (Operating Systems, etc.). Getting the most out of them comes down to selecting the right ones, based on the software you use, and meeting their recommendations.
The following is a breakdown of what to expect from each category of Benchmark.
CIS Benchmarks for Operating Systems
The first category of Benchmarks concerns operating systems, and it prescribes specific controls for segmentation, browser configuration, access control, and more. CIS covers a wide range of systems, including Microsoft Windows (all the way back to XP), Apple’s macOS (built on UNIX), and several Linux-based OS (Debian, Ubuntu, Amazon, Oracle, Red Hat, etc.).
There are subtle differences in the recommendations made for each system. For example, CIS’s recommendations for Windows 11 Enterprise begin with account and password management, whereas the MacOS 13 Benchmark starts with patch management. The CIS Benchmarks for OS make strong distinctions between standalone and enterprise software—more so than any other Benchmark category. For these reasons, it’s critical to consult the appropriate set.
CIS Benchmarks for Server Software
CIS also provides Benchmarks for prominent server software, or technology used to constitute, support, or secure servers. Platforms and solutions covered include but are not limited to:
- Database servers, like MongoDB, IBM Db2, and Microsoft SQL
- Web servers, like NGINX, Apache HTTP, and IBM Websphere
- Virtualization tools, like VMware and Kubernetes
- Collaboration, DNS, and Authentication servers
The controls recommended in these Benchmarks focus on interactions between software and hardware connected via the servers. For example, they govern application programming interface (API) and public key infrastructure (PKI) settings, along with storage and access.
CIS Benchmarks for Cloud Providers
CIS’s set of Cloud Provider Benchmarks is intended to bolster security for all stakeholders that use cloud solutions in an organization. Platforms covered include the most popular platforms, like Amazon Web Services (AWS), Microsoft Azure, and Google. CIS provides guidance for cloud administrators and other technical staff who build and maintain cloud resources. But there are also end-user-focused Benchmarks that facilitate secure use of Google Workspace, Microsoft 365, and other infrastructure. Consider utilizing the latter for staff training.
A major point of emphasis across the cloud Benchmarks is Identity and Access Management (IAM). CIS provides several options for securely configuring user accounts and authentication methods, like multi-factor authentication (MFA), to monitor and restrict access to the cloud.
CIS Benchmarks for Mobile Devices
There are also Benchmarks for secure use of cell phones, tablets, and other smart devices. CIS specifically provides Benchmarks for Apple iOS (dating back to iOS 10) and Google Android (going back to Android 2.3). The Android recommendations are less broad and deep than those for iOS, emphasizing specific security, privacy, and browser settings. Meanwhile, on the Apple side, entire sections are devoted to sub-categories like Restrictions, Apps, and Domains.
Another distinctive factor about CIS’ iOS Benchmarks is that they distinguish between policies for institutionally-owned devices and user-owned devices. If your organization is choosing between a bring-your-own-device (BYOD) or corporate-owned, personally-enabled (COPE) strategy, the added flexibility for iPhone and iPad security in both use cases is beneficial.
CIS Benchmarks for Network Devices
CIS provides Benchmarks for secure configurations on network devices, or software that helps network hardware operate. Their guidance concerns several proprietary network devices:
- Cisco IOS, ASA Firewall, NX-OS, and more
- Palo Alto Firewalls 6, 7, 8, 9, and 10
- Check Point Firewall
- Juniper OS
- Fortinet’s Fortigate
- F5 Networks
- Sophos XG Firewall
- pfSense Firewall
These recommendations vary widely, depending on the specific kind of software (i.e., OS vs. firewall) and the specific security vulnerabilities germane to the hardware in question. For example, several begin with checks that the hardware in question is running a current version of the software (Juniper OS) or system logging to a remote host (Palo Alto Firewall 10). Others begin from a governance perspective, establishing local Authentication, Authorization, and Accounting (AAA) rules. Be sure to select Benchmarks that align with the software you use.
CIS Benchmarks for Desktop Software
These Benchmarks provide security best practices and recommendations for some of the most commonly used software in every industry. Currently, they are organized into two subcategories:
- Web Browsers – CIS recommends baseline configurations for network connectivity, servers, filtering, and communications, in the following supported web browsers:
- Microsoft’s Edge Internet Explorer
- Google Chrome
- Mozilla Firefox
- macOS Safari
- Productivity Software – CIS recommends a host of third-party restrictions, mobile device management, and other controls applicable in the following supported software:
- Microsoft Office Suite
- Microsoft Exchange Server
Chances are, your organization uses a combination of these and other tools, and devices owned or operated by your employees are likely to have some or all of them installed. Given this ubiquity, you might consider CIS hardening through pre-configured images, as described above.
CIS Benchmarks for Multi-Function Print Devices
The last category of Benchmarks applies to printers. Specifically, it targets common security vulnerabilities and other threats facing large, multifunctional printers found in traditional office settings. Given the (literally) central and inter-connected position they occupy, printers are riddled with inputs from devices they communicate with—and human operators using them.
There are many ways an unsecured printer station could compromise sensitive information, and CIS provides several ways to minimize the likelihood of an attack or leak. This begins and ends with access monitoring and restriction, including detailed logs of user behavior and functions.
If your organization uses one or more office printers, consider implementing this Benchmark.
Streamlining Compliance with CIS Benchmarks
The CIS Benchmarks draw heavily from principles outlined across the CIS controls, which are the institution’s primary framework for cybersecurity. It’s adaptable to practically any use case, with robust and comprehensive protections addressable to various assets and components.
Namely, the CIS Controls comprise 153 individual practices split across these categories:
- CIS Control 1: Inventory and Control of Enterprise Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Data Protection
- CIS Control 4: Secure Configuration of Enterprise Assets and Software
- CIS Control 5: Account Management
- CIS Control 6: Access Control Management
- CIS Control 7: Continuous Vulnerability Management
- CIS Control 8: Audit Log Management
- CIS Control 9: Email and Browser Protections
- CIS Control 10: Malware Defenses
- CIS Control 11: Data Recovery
- CIS Control 12: Network Infrastructure Management
- CIS Control 13: Network Monitoring and Defense
- CIS Control 14: Security Awareness and Skills Training
- CIS Control 15: Service Provider Management
- CIS Control 16: Application Software Security
- CIS Control 17: Incident Response Management
- CIS Control 18: Penetration Testing
These areas of focus mirror the scope of several prominent cybersecurity regulations, and CIS publishes resources geared toward mapping CIS Controls onto other framework requirements.
Industry-Specific Data Protection Regulations
Some of the more widely applicable regulatory compliance frameworks are tied to specific industries. Organizations that work within or adjacent to them often come into contact with sensitive kinds of data that, if leaked, could cause harm to their clients or other stakeholders.
For example, consider these two industries and their frameworks, which CIS streamlines:
- Healthcare – Covered Entities in and adjacent to healthcare that come into contact with protected health information (PHI) are subject to the Health Insurance Portability and Availability Act (HIPAA). CIS provides CIS Controls to HIPAA mapping guidance.
- Government – Organizations that work with government agencies are often required to implement one or more National Institute of Standards and Technology (NIST) guides. CIS provides CIS to NIST CSF mapping and CIS to SP 800-53 mapping guidance.
- Military contractors should consult the CIS to SP 800-171 mapping guide.
Note that organizations do not have to be within the industry in question to be subject to its rules. HIPAA in particular has contractual obligations for Covered Entities’ Business Associates.
Industry-Agnostic Regulatory Compliance
Other regulations many organizations are subject to are those that apply to specific business models or functions, irrespective of industry or niche. Common examples include:
- Payment Processing – If you process credit card payments and come into contact with cardholder data (CHD), you likely need to comply with the Payment Card Industry (PCI) Data Security Standard (DSS). CIS provides CIS to PCI mapping guidance.
- Service Organizations – Service providers often have to certify their security assurance through a SOC 2 audit using the American Institute of Certified Public Accountants’ (AICPA) Trust Service Criteria (TSC). CIS provides CIS to SOC 2 mapping guidance.
In many cases, these and other regulations will all apply simultaneously. Mapping individual controls to the requirements from one framework to another can be challenging. But having a baseline in place from which to map (like the CIS Benchmarks or Controls) makes it easier.
Optimize Your Security Configurations Today
If your organization is aiming for a CIS baseline or other security maturity threshold, the Benchmarks are a great place to start. Choosing and implementing the right ones for your software, up to your desired level of maturity, will help optimize your defenses long-term.
RSI Security has helped organizations of all sizes in all industries rethink their security. We’re committed to serving you above all else, instilling discipline to create freedom. We’ll aid in the strategy and implementation of security controls you need for compliance or other purposes.
For further guidance on implementing the CIS benchmarks, contact RSI Security today!