Measurably Reducing Risk Through Collaboration, Consensus & Practical Security Management


“Measurably reducing risk through collaboration, consensus & practical security management”
2013 CIS Security Benchmarks

Agenda
- Background
- City University of New York's rights and benefits as a CIS Security Benchmarks Member
- Consensus Benchmarks: their value for system and network security
- Assessment tools, primarily CIS-CAT: use cases & features, specs & system requirements
- Security Software Certification
- Consensus Security Metrics
- Member support & contact information
- Q&A


Background
- Formed in October 2000
- A not-for-profit consortium of users, security consultants, and vendors of security software (Members)
- Convenes and facilitates teams developing consensus CIS Benchmarks for system & network security configuration and definitions for information security metrics
- Developed, maintains and distributes the Configuration Assessment Tool (CIS-CAT) to its members


Member rights and benefits
- The right to distribute and use the CIS resources throughout City University of New York
- Access to Member Only Resources via the CIS Community Site, including but not limited to:
  - Configuration Assessment Tool (CIS-CAT) Bundle: CIS-CAT application, XML/XCCDF Benchmark versions, User's Guide and XML/XCCDF Policy Customization Guide
  - Remediation Kits (IBM AIX 5.3-6.1, RHEL Puppet Modules, MS Windows 7 & 8, MS Windows Server 2008 & 2012, MS Internet Explorer 9 & 10, MS Outlook 2010)
  - Tutorials/Webcasts
- Participation on the Member only discussion areas
- Register for access: http://benchmarks.cisecurity.org/register

- Member Updates: timely notification of new releases & updates
- CIS Member Logo: use of the CIS Member Logo to show your membership support. Learn more here: http://benchmarks.cisecurity.org/trademarks
- Support: as Members, City University of New York employees receive free Benchmark/CIS-CAT implementation support. Submit requests at support@cisecurity.org
- To view the complete list of benefits, please visit: http://benchmarks.cisecurity.org/membership

Educational use
- Use of CIS resources in the classroom environment for educational purposes.
- Redistribution of CIS resources to enrolled students for use on students' laptops and desktops. A university may not redistribute CIS resources on its public-facing web site, but may redistribute CIS resources to enrolled students by means which require students to receive and accept the CIS Terms of Use as defined at http://benchmarks.cisecurity.org/downloads.


What's in your environment?
- Databases, Mail, WWW
- Server OSs
- Network Gear
- Endpoint Software
Which Benchmarks have you looked at? Any feedback?
Which Benchmarks do you plan to leverage next?

What is a CIS Benchmark?
Consensus configuration recommendations for securing IT resources. Examples:
- Ensure Firewall is Enabled
- Disallow SSH Protocol 1
- Ensure echo Service is Disabled
Specifically called out by FISMA and PCI for securing systems.


Each Benchmark tells you:
- What it applies to
- Who helped make it
- How to interpret it
- What to do
- Why to do it
- How to do it
- How you know you did it

Benchmark coverage
- Authentication Servers: FreeRADIUS 1.1.3; MIT Kerberos 1.0
- Directory Servers: Novell eDirectory 8.7; OpenLDAP Server 2.3.39/2.4.6
- DNS Servers: BIND DNS Server 9.0-9.5
- Mail Servers: Microsoft Exchange 2003/2007
- Collaboration Servers: Microsoft SharePoint Server 2007
- Database Platforms: IBM DB2 Server 8/9/9.5; Microsoft SQL Server 2000/2005/2008 R2; MySQL Database Server 4.1/5.0/5.1; Oracle Database Server 8i/9i/10g/11g R2; Sybase Database Server 15
- Operating Systems - Servers: Debian Linux Server; FreeBSD Server 4.1.0; HP-UX Server 11iv2/3 Update 4; IBM AIX Server 4.3.2/4.3.3/5L/5.1/5.3/6.1/7.1; Microsoft Windows Server 2000 Pro/2003 DC & MS/2008 DC & MS/2012 DC & MS; Novell Netware; Oracle Solaris Server 2.5.1-11/10 updates 3-8; Red Hat Linux Server 4/5/6; Slackware Linux Server 10.2; SUSE Linux Enterprise Server 9/10
- Operating Systems - Desktop: Apple Desktop OSX 10.4/10.5; Microsoft Windows Desktop XP/NT/7/8
- Mobile Platforms: Apple Mobile Platform iOS 5.0.x; Google Mobile Platform
- Network Devices: Checkpoint Firewall; Cisco Firewall Devices; Cisco Routers/Switches IOS 12.x; Cisco Wireless LAN Controller 7; Juniper Routers/Switches JunOS 8/9/10
- Print Devices: Agnostic
- Productivity Software: Microsoft Office 2007; Microsoft Outlook 2010
- Virtualization Platforms: VMware Server 3.5/4.1; Xen Server 3.2; Agnostic VM Server
- Web Browsers: Apple Safari Browser 4.x; Microsoft Internet Explorer 9/10; Mozilla Firefox Browser 3.6; Opera Browser 10
- Web Servers: Apache HTTP Server 2.2/2.4; Apache Tomcat Server 5.5/6.0; Microsoft IIS Server 5/6/7/7.5

Benchmarks in progress
- Database Platforms: Microsoft SQL Server 2012
- Mail Servers: Microsoft Exchange 2010
- Productivity Software: Microsoft Outlook 2010 - RELEASED
- Operating Systems - Desktop: Apple Desktop OSX 10.7 & 10.8; Microsoft Windows Desktop 8 - RELEASED
- Operating Systems - Servers: Linux Agnostic; IBM AIX Server 7.1 - RELEASED; Microsoft Windows Server 2012 - RELEASED; SUSE Linux Enterprise Server 11
- Virtualization Platforms: VMware Server vSphere 5
- Web Browsers: Microsoft Internet Explorer 10 - RELEASED
- Wireless Devices: Agnostic
- Network Devices

How a Benchmark is made
- Decide what to make: ask CIS members; survey the community
- Build a consensus team: CIS Members; Subject Matter Experts; Public security community; Technology vendors (.com, .edu, .gov, .org, .tld)

- Define scope
- Contractors and volunteers write recommendations
- Recommendations are reviewed by the consensus team
- Tickets are created for issues, and discussion continues until none remain open (the slide's own pseudocode, with the comparison operator restored):
  while (tickets.Count > 0) { discussTickets(); }

Benchmark maintenance
- After a Benchmark release, a new milestone is created 3 months out
- Benchmark adopters filter feedback to CIS via: support@cisecurity.org (members); feedback@cisecurity.org (non-members); the web site bug report form; an open ticket in the consensus platform
- Tickets are assigned to a release milestone
- Technology point releases are accounted for
- Maintainer teams work/close tickets with the consensus group
- Where no maintainer team exists, staff and/or contractors work tickets

Who participates, and why (technology vendors, individuals, members)
- Earn CPE credits for ISC2/ISACA certs
- Learn from other SMEs/skill building
- Many don't have their own security guides
- They want to ensure guidance does not introduce an unsupported state
- They've bought in to the model
- It's in their best interest
- RFP bid fodder for security consultancies
- Attribution
- Some just want to help

Join a Consensus Team
1. Log in to the member community site: https://community.cisecurity.org
2. Click Profile
3. Click Manage Projects
4. Add yourself to the project(s)
Begin participation: review drafts; answer questions; test configurations; report bugs/suggestions

All downloads can be found under the Downloads Tab

When and how to get updates
- The roadmap is updated automatically from project milestones
- Subscribe to our Download RSS Feed: http://benchmarks.cisecurity.org/rss
- Member Updates via email: update your 'receive newsletter' setting on the community site (Profile - Update Profile)

Benchmark formats
- All Benchmarks: Portable Document Format (PDF)
- Select Benchmarks: Microsoft Word; Microsoft Excel; eXtensible Configuration Checklist Description Format (XCCDF); OVAL and ECL
- Automated Remediation Formats:
  - Group Policy Objects (GPO): MS Windows 7 & 8, MS Windows Server 2008 & 2012, MS Internet Explorer 9 & 10, MS Outlook 2010
  - AIXPert XML: IBM AIX 5.3 - AIX 6.1
  - Puppet Modules: Red Hat Enterprise Linux (RHEL) 6
  - Bastille Configuration: HP-UX 11i


CIS-CAT
- Host-based configuration assessment tool
- Assesses a target system against recommendations made in CIS Benchmarks
- Requires Java Runtime Environment (JRE) v1.5 or later
- Has graphical (GUI) and command line (CLI) user interfaces
- Reads XML policy that can be customized
- NIST FDCC Validated Scanner
- Available to CIS members only

CIS-CAT use cases
- Server admins/operations teams use CIS-CAT to perform self-assessments.
- Build teams use CIS-CAT to validate a system before production rollout.
- Security teams use CIS-CAT as part of their assessment process.
- Auditors use CIS-CAT as part of compliance and governance processes.
- Run CIS-CAT via Group Policy to assess a Microsoft Windows environment on a recurring basis.

Benchmarks supported by CIS-CAT
- Authentication Servers: MIT Kerberos 1.10 Benchmark v1.0.0
- Database Platforms: Oracle Database 11g Benchmark v1.0.1; Oracle Database 9i-10g Benchmark v2.0.1
- Virtualization Platforms: VMware ESX 3.5 Benchmark v1.2.0; VMware ESX 4.1 Benchmark v1.0.0
- Web Browsers: Mozilla Firefox Benchmark v1.0.0; Microsoft Internet Explorer 10 Benchmark v1.0.0
- Web Servers: Apache Tomcat Benchmark v1.0.0
- Operating Systems - Desktop: Apple OSX 10.5 Benchmark v1.1.0; Apple OSX 10.6 Benchmark v1.0.0; Microsoft Windows 7 Benchmark v1.2.0 (domain joined/oval); Microsoft XP Benchmark v2.0.1
- Operating Systems - Servers: Debian Linux Benchmark v1.0.0; FreeBSD Server 4.1.0; HP-UX 11i Benchmark v1.4.2; IBM AIX 4.3-5.1 Benchmark v1.0.1; IBM AIX 5.3-6.1 Benchmark v1.1.0; IBM AIX 7.1 Benchmark v1.0.0; Microsoft Windows 2003 MS DC Benchmark v2.0.0; Microsoft Windows 2008 Server Benchmark v1.2.0 (domain joined/oval); Oracle Solaris Server 2.5.1-11/10 updates 3-8; Red Hat Enterprise Linux Server 4 Benchmark v1.0.5; Red Hat Enterprise Linux Server 5 Benchmark v2.0.0; Red Hat Enterprise Linux Server 6 Benchmark v1.2.0; Slackware Linux 10.2 Benchmark v1.1.0; Solaris 10 Benchmark v5.1.0; Solaris 11 Benchmark v1.0.0; SUSE Linux Enterprise Server 10 Benchmark v2.0.0; SUSE Linux Enterprise Server 9 Benchmark v1.0.0

CIS-CAT roadmap
- Databases: Microsoft SQL 2008; Oracle Database 11gR2
- Operating Systems - Desktop: Apple Desktop OSX 10.8; Microsoft Windows Desktop 8
- Operating Systems - Servers: Microsoft Windows Server 2012; SUSE Linux Enterprise Server 11
- Productivity Software: Microsoft Outlook 2010
- Network Devices: Cisco coverage
- Virtualization Platforms: VMware Server vSphere 5
- Web Browsers: Microsoft Internet Explorer 10 - RELEASED

CIS-CAT documentation
- CIS-CAT Users Guide: executing CIS-CAT via GUI and CLI; understanding CIS-CAT reports & customization of reports; using the CIS-CAT Dashboard
- CIS-CAT XML Adaptation Guide: how to add/remove/modify checks


Using CIS-CAT in ten steps
1. Download
2. Unzip*
3. Double click
4. Select a Benchmark
5. Select a Profile
6. Scan (WEEEEEE!!!)
7. "Find The Fail"
8. "Fix The Fail"
9. Monitor Progress
10. Measure Configuration Change Management using the CIS Security Metrics

*P.S.: Unzip CIS-CAT on a network drive and invoke it via Group Policy for 10 scalability points.
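Steps 7 through 10 above all work from the XCCDF result document that a scan produces. The following added example (not part of the original presentation or of CIS-CAT itself) reads XCCDF 1.2 TestResult XML, lists the failing rules, computes a pass rate, and diffs two scans of the same host so that fixes and regressions between runs are visible. The two result documents are constructed samples embedded inline; the rule identifiers are hypothetical and follow the three example recommendations given earlier in the deck.

```python
"""Summarize XCCDF 1.2 TestResult output: failing rules, pass rate, scan-to-scan diff.

Added example; not CIS-CAT code. Element names (TestResult, rule-result, result)
and the namespace come from the XCCDF 1.2 specification.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Constructed sample: first scan of a host. Rule ids are hypothetical.
BASELINE_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_testresult_baseline" end-time="2013-03-01T09:00:00">
  <rule-result idref="xccdf_org.example_rule_firewall_enabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_disallow_ssh_protocol_1"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_echo_service_disabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_manual_review"><result>notchecked</result></rule-result>
</TestResult>"""

# Constructed sample: follow-up scan after remediation. The SSH and echo findings
# were fixed, but the firewall rule regressed, so the net pass rate hides a new failure.
FOLLOWUP_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_testresult_followup" end-time="2013-03-08T09:00:00">
  <rule-result idref="xccdf_org.example_rule_firewall_enabled"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_disallow_ssh_protocol_1"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_echo_service_disabled"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.example_rule_manual_review"><result>notchecked</result></rule-result>
</TestResult>"""


def parse_results(xml_text):
    """Return {rule_id: result} for every rule-result in an XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    results = {}
    for rule_result in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result = rule_result.find(f"{{{XCCDF_NS}}}result")
        if result is None or result.text is None:
            continue  # malformed entry: skip rather than guess
        results[rule_result.get("idref")] = result.text.strip()
    return results


def failing_rules(results):
    """Step 7, 'find the fail': the rule ids whose result is fail, sorted."""
    return sorted(rule for rule, outcome in results.items() if outcome == "fail")


def pass_rate(results):
    """Percentage of scored rules that passed. Only pass and fail are scored;
    notchecked, notapplicable and similar outcomes are left out, as in XCCDF scoring."""
    scored = [outcome for outcome in results.values() if outcome in ("pass", "fail")]
    if not scored:
        return 0.0
    return round(100.0 * scored.count("pass") / len(scored), 1)


def compare_scans(before, after):
    """Steps 9 and 10: classify each rule's change between two scans of one host."""
    fixed = sorted(r for r in after if before.get(r) == "fail" and after[r] == "pass")
    regressed = sorted(r for r in after if before.get(r) == "pass" and after[r] == "fail")
    still_failing = sorted(r for r in after if before.get(r) == "fail" and after[r] == "fail")
    return {"fixed": fixed, "regressed": regressed, "still_failing": still_failing}


if __name__ == "__main__":
    baseline = parse_results(BASELINE_XML)
    followup = parse_results(FOLLOWUP_XML)
    print("baseline failures:", failing_rules(baseline))
    print("baseline pass rate:", pass_rate(baseline))
    print("follow-up pass rate:", pass_rate(followup))
    print("change between scans:", compare_scans(baseline, followup))
```

The diff is the part worth keeping: a pass rate that rose from 33.3% to 66.7% looks like progress, but `compare_scans` shows one rule regressed, which is exactly the kind of configuration drift the change-management metrics in step 10 are meant to surface.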


Other assessment tools
- Router Audit Tool (RAT): Perl-based tool; assesses Cisco ASA, FWSM, PIX and IOS devices against the CIS Cisco Benchmarks.
- Apache Benchmark Tool: Perl-based tool; assesses Apache HTTP Server instances against the CIS Apache HTTP Server Benchmark.


CIS Certified Security Software
- Tested to accurately measure and report system status against recommendations in CIS Benchmarks: http://benchmarks.cisecurity.org/certified
Why use Certified Security Software?
- Independently validated to accurately audit systems
- CIS Benchmark content integrated into the software
- Enterprise-scale security auditing
- Leverages already deployed management tools


CIS Security Metrics: background
- Organizations struggle to make cost-effective security investment decisions; Information Security Professionals lack widely accepted and unambiguous metrics for decision support.
- To address this need, CIS established a consensus team of over 120 industry experts from leading commercial, government and academic organizations of varying sizes.
- The result was a set of unambiguous, user-originated, consensus-based standard metrics and data definitions that can be used across organizations to define, collect and analyze data on security process benefits and outcomes.

CIS Security Metrics
- A set of 28 metric definitions designed to help security professionals analyze security process performance and outcome data.
- Metrics cover 7 important business functions: Incident Management; Vulnerability Management; Patch Management; Application Security; Configuration Management; Change Management; Financial Metrics
- CIS Security Metrics Quick Start Guide v1.0.0. Download: http://community.cisecurity.org (Downloads Tab - Security Metrics Category)


Member support
As a benefit of membership, City University of New York employees are eligible to receive support service, at no charge, from CIS staff:
- Email: support@cisecurity.org
- Telephone, after initial email contact
- Discussion areas on the Community Member site
Primary Membership Contact: Michelle Vogeler, Member Representative, mvogeler@cisecurity.org
