Out of the box, most operating systems are configured insecurely. OS hardening minimizes an operating system's exposure to threats by properly configuring security settings and removing unnecessary applications and services. The Center for Internet Security (CIS) Benchmarks provides globally recognized configuration guidelines for OS image hardening. CIS hardened images help avoid specific threats and vulnerabilities and offer protection from malware, insufficient authorization, and intrusion.
What is System Hardening?
Out of the box, most operating systems are configured insecurely. OS hardening minimizes an operating system's exposure to threats by configuring security controls and removing unnecessary applications and services.
The hardening process ensures that the latest patches to operating systems, browsers, and other vulnerable applications are applied. It may also include disabling file sharing, establishing login passwords, and turning off unused ports and services. It often requires numerous actions such as correctly configuring system and network components, deleting unused files, and applying the latest patches.
System hardening is a dynamic and variable process. Therefore, one of the best ways to begin or expand upon the system hardening process is to follow a system hardening standard, such as the CIS Benchmarks.
Hardened Images and the CIS Benchmarks
The CIS Benchmarks are a collection of more than 100 system hardening configuration guidelines addressing vendor-specific server operating systems, web browsers, mobile devices, network devices, virtualization platforms, the cloud, and commonly used applications.
The CIS Center's system hardening standards are accepted by government, business, industry, and academia. Relevant CIS benchmarks are available for download on the organization's website.
CIS Hardened Images are configured according to CIS Benchmark recommendations, developed through consensus by a global community of cybersecurity experts. The CIS benchmarks are step-by-step guides to hardening operating systems.
Three Ways to Use CIS Benchmarks for OS Image Hardening
ONE – Use CIS Benchmarks to Harden an Out-of-box Operating System
Start with an out-of-box operating system and then apply the applicable hardening standards. For example, the CIS Microsoft Windows Server 2019 RTM (Release 1809) Benchmark provides guidance for establishing a secure configuration posture for Microsoft Windows Server 2019 based on the server use case and intended security level. The benchmark was created using a review process comprised of experts from diverse backgrounds, including government, software development, audit, and compliance, consulting, security research, operations, and legal.
TWO - Start with a Fully Hardened Image, then Relax the Controls if Necessary
Manual OS hardening is a rigorous process outside the capability and mission of many organizations. Fortunately, there are pre-hardened images available to deploy. For example, CIS offers virtual images hardened following the CIS Benchmarks. CIS Hardened Images provide a secure, on-demand, and scalable computing environment. Pre-hardened images are available from major cloud computing platforms, including AWS, Azure, Google Cloud Platform, and Oracle Cloud.
CIS Hardened Images are recognized by the Department of Defense, Payment Card Industry Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Risk and Authorization Management Program (FedRAMP), and the National Institute of Standards and Technology (NIST) as secure configurations.
THREE - Use the CIS-CAT hardening assessment tool
Hardening assessment tools are designed to provide a gap analysis of hardening standards against your configuration. For example, the CIS Configuration Assessment Tool (CIS-CAT) compares the actual configuration settings of target systems to the security configuration settings recommended in the CIS Benchmarks.
CIS-CAT uses automation to compare a target system's configuration settings to the recommended settings in more than 80 CIS Benchmarks. CIS-CAT outputs a dashboard and conformance report and offers remediation guidance for each supported CIS Benchmark within the report.
As part of security maintenance, you can use other Pen Testing techniques to find weaknesses, but pen testing is generally an opportunistic approach that may not discover everything. It is better to start with the hardening standards and then use pen testing to measure effectiveness and inform the risk management process.
The Center for Internet Security (CIS) Critical Controls are distinct security controls that CIOs, IGs, systems administrators, CISOs, and information security personnel can use to manage and measure the effectiveness of their cybersecurity defenses. They complement existing frameworks, standards, and compliance schemes by prioritizing the most critical threats and highest payoff defenses while providing a baseline for action against risks we all face.
Cybersecurity attacks are evolving so rapidly that it is more complicated than ever to prevent and defend against them. In addition to protecting their information systems, many organizations must comply with multiple cybersecurity and privacy standards and requirements as a prerequisite for doing business. Dozens of cybersecurity standards exist worldwide, and most organizations must comply with more than one such standard.
In February 2016, the California Attorney General stated that "the 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."
Designed by private and public sector experts worldwide, implementing the CIS Critical Controls is a proven method to thwart known attacks and lint the damage from successful attacks. They have been adopted by private firms, the U.S. Department of Homeland Security, international governments, state governments, and universities.
As proud members of CIS and front-line cybersecurity veterans, Truvantis can help you to create a robust security foundation that complies with the CIS Controls standard.
Our CIS Controls Gap Analysis comprehensively assesses your system against this standard. In addition, we offer a vast array of security products and services to help you achieve the CIS Controls standard with custom recommendations that are right for your business.
Contact Truvantis today to learn more about the CIS Controls and CIS Benchmarks for your business.
Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. Contact us to get started today.