SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Month - Day 11 - Vendor Agnostic Standards (Center for Internet Security)

Published: 2012-10-11
Last Updated: 2012-10-11 19:09:44 UTC
by Rob VandenBrink (Version: 1)

The Center for Internet Security (CIS) is best known for its Security Benchmarks. These are security standards for hardening various products and services: making them more resistant to attack, setting them to log and alert better, and so on. There are a few attractions to using benchmarks from an organization like CIS:

  • The benchmarks are written by volunteers, most of whom do not work for the vendor in question.  This means that each security setting will have seen scrutiny from many people who are NOT the vendor.  Recommended security settings will often match the vendor's recommendations, but you'd be surprised how much further a group of dedicated volunteers will take things! 
  • The benchmarks are written collaboratively by consensus.  There may be a project lead (or leads), but most points see spirited debate before they reach their final form.  A change doesn't get committed to the final document until everyone is convinced that it is "the right thing to do", presented the right way.
  • The benchmarks will usually discuss specific situations where any change is appropriate (or, just as important, not appropriate).
  • As each recommended change is considered in the document, there's a discussion about how making that change might affect the service delivered.
  • Recommended settings or changes will usually have references for additional background and reading.

Discussion of the CIS Benchmarks is particularly timely, as they released updates to several benchmarks earlier this week, for:

  • CIS Apache HTTP Server 2.2.x
  • Google Android 4.0
  • IBM AIX 5.3-6.1
  • Microsoft IIS 7.5
  • Oracle Solaris 10

The focus today will be on the Cisco Device benchmarks, which I use almost daily.  These include standards for both IOS based Routers/Switches and for Firewalls from Cisco.

The benchmark is divided into 2 sections (these are pasted right from the benchmark document):

Level-1 Benchmark
The Level-1 Benchmark for Cisco IOS represents a prudent level of minimum due care.
These settings:
  • Can be easily understood and performed by system administrators with any level of security knowledge and experience
  • Are unlikely to cause an interruption of service to the operating system or the applications that run on it

Level-2 Benchmark
The Level-2 Benchmark for Cisco IOS represents an enhanced level of due care for system security.
  • Enhance security beyond the minimum due care level, based on specific network architectures and server function
  • Contain some security configuration recommendations that affect functionality, and are therefore of greatest value to system administrators who have sufficient security knowledge to apply them with consideration to the functions and applications running in their particular environments

Each section is in turn divided up in hierarchical fashion, breaking each area of configuration into logical groups.  Each specific setting has a description of the change, the rationale for the change (usually describing any attack vector), as well as the configuration command to make the change.  An audit command is also included, to verify if the setting in question has been made successfully or not.  Finally, references are included for each change - these give you additional reading on other sites and documents such as the NSA's Security Configuration guide, the Cisco documentation site (of course, for the complete documentation of the commands being discussed), or the Cisco Guide for Hardening IOS Devices.

A final win is the Router Assessment Tool (RAT), which is an audit tool that accompanies the benchmark.  RAT will take a saved configuration and assess it against each of the Benchmark settings, either at Level 1 or Level 2.  RAT can also be configured to collect configurations from live devices prior to the audit.  The completed audit ends up being a colour-coded HTML doc, which can be used to help in remediation of the platform (Red for non-compliance really gets the attention of the non-technical folks).
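To make the per-setting structure and the RAT-style audit concrete, here is an added example in Python. It is not CIS benchmark text and it is not the RAT tool: the three checks are illustrative, laid out the way the benchmark presents a setting (description, rationale, audit, remediation, and a Level 1 or Level 2 tag), and their content is not quoted from any CIS document. The two configuration samples are constructed, and the IOS commands in them (`service password-encryption`, `ip http server`, `line vty` / `transport input`) are used only to show how a saved config is parsed block by block and turned into a colour-coded report.

```python
"""Benchmark-style audit of a saved Cisco IOS config (added example, not CIS text
or the RAT tool).  The three checks are illustrative, laid out the way the
benchmark presents a setting (description, rationale, audit, remediation), and
are not quoted from any CIS document.  Both config samples are constructed.
"""
import html
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed saved config with several weak settings (not from a real device).
SAMPLE_CONFIG = """\
no service password-encryption
hostname lab-rtr-01
!
ip http server
no ip http secure-server
line vty 0 4
 transport input telnet ssh
!
end
"""

# Constructed config for the same device after remediation.
COMPLIANT_CONFIG = """\
service password-encryption
hostname lab-rtr-01
no ip http server
line vty 0 4
 transport input ssh
end
"""

Audit = Callable[[List[str]], bool]  # config lines -> True when compliant

@dataclass
class Check:
    id: str
    level: int          # 1 = minimum due care, 2 = enhanced, as in the benchmark
    description: str
    rationale: str
    audit: Audit
    remediation: str    # IOS command(s) that bring the device into compliance

def has_line(pattern: str) -> Audit:
    """Compliant when some line matches the pattern exactly."""
    rx = re.compile(pattern)
    return lambda lines: any(rx.fullmatch(l.strip()) for l in lines)

def lacks_line(pattern: str) -> Audit:
    """Compliant when no line matches the pattern exactly."""
    rx = re.compile(pattern)
    return lambda lines: not any(rx.fullmatch(l.strip()) for l in lines)

def vty_ssh_only(lines: List[str]) -> bool:
    """Compliant when every 'line vty' block allows only ssh as transport input.
    IOS indents a block's sub-commands by one space, so a non-indented line ends
    the block.  A vty block with no 'transport input' at all is non-compliant.
    """
    in_vty = seen = False
    for raw in lines:
        if raw.startswith("line vty"):
            in_vty = True
            continue
        if in_vty and not raw.startswith(" "):
            in_vty = False
        if in_vty and raw.strip().startswith("transport input"):
            seen = True
            if raw.split()[2:] != ["ssh"]:
                return False
    return seen

CHECKS = [
    Check("1.1", 1, "Encrypt passwords stored in the configuration",
          "Plaintext passwords in a saved or backed-up config are readable by anyone with the file.",
          has_line(r"service password-encryption"), "service password-encryption"),
    Check("1.2", 1, "Disable the HTTP management server",
          "The HTTP server is an unencrypted management interface; disable it unless required.",
          lacks_line(r"ip http server"), "no ip http server"),
    Check("2.1", 2, "Restrict VTY access to SSH",
          "Telnet sends credentials in clear text; SSH encrypts and authenticates the session.",
          vty_ssh_only, "line vty 0 4\n transport input ssh"),
]

def audit(config_text: str, level: int = 1) -> Dict[str, bool]:
    """Run every check at or below `level`; returns {check id: compliant?}."""
    lines = [l.rstrip() for l in config_text.splitlines()
             if l.strip() and not l.startswith("!")]
    return {c.id: c.audit(lines) for c in CHECKS if c.level <= level}

def html_report(results: Dict[str, bool]) -> str:
    """RAT-style colour-coded table: green rows pass, red rows fail."""
    rows = []
    for c in CHECKS:
        if c.id in results:
            colour, status = ("#c8e6c9", "PASS") if results[c.id] else ("#ffcdd2", "FAIL")
            rows.append(f'<tr style="background:{colour}"><td>{c.id}</td>'
                        f'<td>{html.escape(c.description)}</td><td>{status}</td>'
                        f'<td><pre>{html.escape(c.remediation)}</pre></td></tr>')
    return "<table>\n" + "\n".join(rows) + "\n</table>"
```

Running `audit(SAMPLE_CONFIG, level=2)` flags all three settings and `audit(COMPLIANT_CONFIG, level=2)` passes them all; `html_report()` renders the result as the kind of red/green table the diary describes. The `level` argument mirrors the Level 1 / Level 2 split: a Level 1 run skips the VTY check, which is the sort of change that should go through the per-setting risk assessment before it is applied.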

As with most standards of this type, the recommendation is to either:

  • Audit your environment against the benchmark documents
  • Make changes to your environment as suggested in the document, considering each change individually on its own merits with an eye towards how it will affect both security and service delivery (i.e., a risk assessment).

What you DON'T want to do is implement changes from any security benchmark without this risk assessment; as discussed, going this route can have some dire consequences!

Often organizations will take several security documents like this, and distill them down to a single Corporate Standard for Internal Compliance and Auditing.  This is a great approach, but it also means that the internal standard will need to be re-addressed as the source document

Happy auditing, everyone!

Related Links:
The CIS home page ==> http://www.cisecurity.org/
Security Benchmarks available for Download ==> https://benchmarks.cisecurity.org/en-us/?route=downloads.multiform
Benchmark Assessment Tools (includes RAT) ==> https://benchmarks.cisecurity.org/en-us/?route=downloads.audittools
NSA Router Security Configuration Guide ==> http://www.nsa.gov/ia/_files/routers/C4-040R-02.pdf
Cisco Guide to Harden Cisco IOS Devices ==> http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml

===============
Rob VandenBrink
Metafore