The Center for Internet Security (CIS) is best known for its Security Benchmarks. These are security standards for hardening various products and services: making them more resistant to attack, setting them up to log and alert better, and so on. There are a few attractions to using benchmarks from an organization like CIS:
- The benchmarks are written by volunteers, most of whom do not work for the vendor in question. This means that each security setting will have seen scrutiny from many people who are NOT the vendor. Recommended security settings will often match the vendor's recommendations, but you'd be surprised how much further a group of dedicated volunteers will take things!
- The benchmarks are written collaboratively by consensus. There may be a project lead (or leads), but most points see spirited debate before they reach their final form. A change doesn't get committed to the final document until everyone is convinced that it is "the right thing to do", presented the right way.
- The benchmarks will usually discuss specific situations where any change is appropriate (or, just as important, not appropriate).
- As each recommended change is considered in the document, there's a discussion about how making that change might affect the service delivered.
- Recommended settings or changes will usually have references for additional background and reading.
Discussion of the CIS Benchmarks is particularly timely, as they released updates to several benchmarks earlier this week, for:
- CIS Apache HTTP Server 2.2.x
- Google Android 4.0
- IBM AIX 5.3-6.1
- Microsoft IIS 7.5
- Oracle Solaris 10
The focus today will be on the Cisco Device benchmarks, which I use almost daily. These include standards for both IOS-based Routers/Switches and for Firewalls from Cisco.
The benchmark is divided into two sections (these are pasted right from the benchmark document):
The Level-1 Benchmark for Cisco IOS represents a prudent level of minimum due care.
• Can be easily understood and performed by system administrators with any level of security knowledge and experience
• Are unlikely to cause an interruption of service to the operating system or the applications that run on it
The Level-2 Benchmark for Cisco IOS represents an enhanced level of due care for system security.
• Enhance security beyond the minimum due care level, based on specific network architectures and server function
• Contain some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments
Each section is in turn divided up in hierarchical fashion, breaking each area of configuration into logical groups. Each specific setting has a description of the change, the rationale for the change (usually describing any attack vector), as well as the configuration command to make the change. An audit command is also included, to verify if the setting in question has been made successfully or not. Finally, references are included for each change - these give you additional reading on other sites and documents such as the NSA's Security Configuration guide, the Cisco documentation site (of course, for the complete documentation of the commands being discussed), or the Cisco Guide for Hardening IOS Devices.
A final win is the Router Assessment Tool (RAT), which is an audit tool that accompanies the benchmark. RAT will take a saved configuration and assess it against each of the Benchmark settings, either at Level 1 or Level 2. RAT can also be configured to collect configurations from live devices prior to the audit. The completed audit ends up being a colour-coded HTML doc, which can be used to help in remediation of the platform (Red for non-compliance really gets the attention of the non-technical folks).
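To make the benchmark layout and the RAT-style audit concrete, here is a small added example (my own illustrative code, not RAT and not text from the CIS benchmark): each rule carries a description, a Level, an audit check and the remediation command, and the audit runs over a constructed sample of a saved IOS config. The rule contents and the sample config are assumptions for illustration only.

```python
import re

# Constructed sample of a saved IOS config (not from any real device).
SAMPLE_CONFIG = """\
version 12.4
service tcp-small-servers
no service password-encryption
hostname edge-rtr
enable secret 5 $1$placeholder$hash
ip http server
line vty 0 4
 transport input telnet ssh
"""

# Each rule mirrors the benchmark layout: a description, a Level (1 or 2),
# an audit check (regex that should or should not match a config line)
# and the command that remediates it. Contents are illustrative only.
RULES = [
    {"name": "enable secret configured", "level": 1,
     "pattern": r"^enable secret ", "expect": True,
     "fix": "enable secret <password>"},
    {"name": "service password-encryption", "level": 1,
     "pattern": r"^service password-encryption$", "expect": True,
     "fix": "service password-encryption"},
    {"name": "tcp small servers disabled", "level": 1,
     "pattern": r"^service tcp-small-servers$", "expect": False,
     "fix": "no service tcp-small-servers"},
    {"name": "HTTP server disabled", "level": 2,
     "pattern": r"^ip http server$", "expect": False,
     "fix": "no ip http server"},
]

def audit(config, level=1):
    """Assess a saved config against every rule at or below `level`.
    Returns {rule name: (passed, remediation command)}."""
    lines = [l.strip() for l in config.splitlines()]  # nested lines too
    results = {}
    for rule in RULES:
        if rule["level"] > level:
            continue
        rx = re.compile(rule["pattern"])
        present = any(rx.match(l) for l in lines)
        results[rule["name"]] = (present == rule["expect"], rule["fix"])
    return results

def report(results):
    """Plain-text stand-in for RAT's colour-coded HTML report."""
    return "\n".join(f"{'PASS' if ok else 'FAIL'}  {name}"
                     + ("" if ok else f"  -> {fix}")
                     for name, (ok, fix) in results.items())

if __name__ == "__main__":
    print(report(audit(SAMPLE_CONFIG, level=2)))
```

Running it at Level 2 flags three of the four rules against the sample config; a Level 1 run leaves the HTTP server rule out entirely, mirroring how the two benchmark levels are scoped.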
As with most standards of this type, the recommendation is to either:
- Audit your environment against the benchmark documents
- Make changes to your environment as suggested in the document, considering each change individually on its own merits with an eye towards how it will affect both security and service delivery (i.e., a risk assessment).
What you DON'T want to do is implement changes from any security benchmark without this risk assessment - as discussed, going this route can have some dire consequences!
Often organizations will take several security documents like this, and distill them down to a single Corporate Standard for Internal Compliance and Auditing. This is a great approach, but it also means that the internal standard will need to be re-addressed as the source document
Happy auditing, everyone!
The CIS home page ==> http://www.cisecurity.org/
Security Benchmarks available for Download ==> https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform
Benchmark Assessment Tools (includes RAT) ==> https://benchmarks.cisecurity.org/en-us/?route=downloads.audittools
NSA Router Security Configuration Guide ==> http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
Cisco Guide to Harden Cisco IOS Devices ==> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml