Summary

This document explores CIS Benchmarks and their role in auditing. It covers how to use CIS Benchmarks for secure configuration and interpreting/applying the guidelines. The document also examines operating systems, cloud platforms, and network devices in relation to audits.

Full Transcript

CIS BENCHMARKS AND THEIR ROLE IN AUDITING
Leolourraine M. Mistula

INTRODUCTION TO CIS BENCHMARKS

ABOUT CIS BENCHMARKS
The Center for Internet Security (CIS) is a nonprofit organization that helps protect computers, networks, and data from cyber threats. It works with experts from government, businesses, and universities to create security best practices that anyone can follow.

WHAT ARE CIS BENCHMARKS
CIS Benchmarks are security checklists that provide step-by-step guidance on how to set up computers, servers, and software securely. These guidelines are based on CIS Controls, which are security rules that help organizations defend against cyberattacks.

CIS Benchmarks follow well-known security standards, such as:
- NIST Cybersecurity Framework (CSF) – Used by governments and businesses.
- ISO 27000 – A global security standard.
- PCI DSS – Protects credit card data.
- HIPAA – Protects healthcare data.

HOW ARE CIS BENCHMARKS CREATED?
CIS uses a team of security experts who:
1. Discuss and test different security settings.
2. Agree on the best security practices and create the benchmarks.
3. Listen to feedback from the public and update the benchmarks when needed.

LEVELS OF SECURITY
CIS provides two levels of security recommendations:
- Level 1 – Basic security settings that can be applied with little to no impact on how the system works.
- Level 2 – Stronger security settings for high-risk environments, but they may limit some system functions.

ABOUT CIS BENCHMARKS
CIS Benchmarks are like a rulebook for keeping computers, servers, and software safe from hackers. They are created by a group called the Center for Internet Security (CIS) and provide step-by-step guidelines on how to secure operating systems, cloud services, applications, and networks.

OPERATING SYSTEMS

An operating system (OS) is the main software that manages a computer's hardware and software. It acts as a bridge between the user and the computer, making it possible to run applications and perform tasks.

Examples of Operating Systems:
- Windows (used in most personal computers)
- macOS (used in Apple computers)
- Linux (used in servers and some personal computers)
- Android (used in smartphones and tablets)
- iOS (used in iPhones and iPads)

OPERATING SYSTEMS BENCHMARKS AND ITS ROLE IN AUDITING

Three main tasks of an operating system:
1. Translate high-level languages into the machine-level language that the computer can execute.
2. Allocate computer resources to users, workgroups, and applications.
3. Manage the tasks of job scheduling and multiprogramming.

Five fundamental operating system objectives:
1. The operating system must protect itself from users.
2. The operating system must protect users from each other.
3. The operating system must protect users from themselves.
4. The operating system must be protected from itself.
5. The operating system must be protected from its environment.

Operating System Control and Audit Tests:
1. Access Privileges
2. Password Control
3. Virus Control
4. Audit Trail Control

1. Controlling Access Privileges
User access privileges are assigned to individuals and to entire workgroups authorized to use the system. For example, a cash receipts clerk may be granted the right to access and make changes to the accounts receivable file.

Audit Objectives Relating to Access Privileges
The auditor's objective is to verify that access privileges are granted in a manner that is consistent with the need to separate incompatible functions and is in accordance with the organization's policy.

2. Password Control
A password is a secret code the user enters to gain access to systems, applications, data files, or a network server.

Types of passwords:
1. Reusable Passwords
2. One-Time Passwords

Audit Objectives Relating to Passwords
The auditor's objective here is to ensure that the organization has an adequate and effective password policy for controlling access to the operating system.

3. Malicious and Destructive Programs
Malicious and destructive programs are responsible for millions of dollars of corporate losses annually. This class of programs includes viruses, worms, logic bombs, back doors, and Trojan horses.

Audit Objectives Relating to Viruses and Other Destructive Programs
The key to computer virus control is prevention through strict adherence to organizational policies and procedures that guard against virus infection. The auditor's objective is to verify that effective management policies and procedures are in place to prevent the introduction and spread of destructive programs, including viruses, worms, back doors, logic bombs, and Trojan horses.

4. System Audit Trail Controls
System audit trails are logs that record activity at the system, application, and user level. Audit trails typically consist of two types of audit logs:
- Keystroke monitoring – detailed logs of individual keystrokes. Keystroke monitoring involves recording both the user's keystrokes and the system's responses.
- Event monitoring – event-oriented logs. Event monitoring summarizes key activities related to system resources.

Setting Audit Trail Objectives
Audit trails can be used to support security objectives in three ways:
1. Detecting unauthorized access to the system.
2. Facilitating the reconstruction of events.
3. Promoting personal accountability.

Implementing a System Audit Trail
The information contained in audit logs is useful to accountants in measuring the potential damage and financial loss associated with application errors, abuse of authority, or unauthorized access by outside intruders.

Audit Objectives Relating to System Audit Trails
The auditor's objective is to ensure that the established system audit trail is adequate for preventing and detecting abuses, reconstructing key events that precede system failures, and planning resource allocation.

CLOUD PLATFORMS

In CIS Benchmarks, cloud platforms refer to public cloud services like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). These platforms provide virtual computing resources, such as servers, databases, and storage, over the internet. Since cloud environments are shared, scalable, and accessible from anywhere, they require strong security settings to prevent cyber threats. The CIS Cloud Benchmarks help organizations secure their cloud accounts, services, and data by providing step-by-step security recommendations.

Examples of Cloud Platforms:
- AWS (Amazon Web Services)
- Microsoft Azure
- Google Cloud Platform (GCP)

CLOUD PLATFORMS AND ITS ROLE IN AUDITING
1. Tracking Everything That Happens. Ex. AWS has a tool called CloudTrail that tracks all actions taken in your AWS account and creates logs that auditors can review.
2. Helping You Stay Compliant. Ex. Azure has Security Center, which checks if your cloud setup meets industry standards and regulatory requirements like GDPR or ISO 27001.
3. Identifying and Fixing Issues. Ex. Google Cloud's Security Command Center helps detect misconfigurations in your cloud services and suggests fixes.
4. Managing Who Can Access Data. Ex. AWS and Azure allow you to manage user permissions through tools like IAM (Identity and Access Management). Auditors can check if only the right people have access to sensitive resources.
5. Automating Security Checks. Ex. Azure has a feature called Azure Policy that automatically checks if your resources comply with set security rules, like ensuring data is encrypted.
6. Investigating Security Breaches. Ex. AWS's CloudTrail can help auditors trace all activities leading up to a security incident, making it easier to understand and respond to the breach.

NETWORK DEVICES

In CIS Benchmarks, network devices refer to hardware and software that help connect and secure computer networks. Since network devices are essential for connecting businesses and users to the internet, they need strong security settings to prevent cyber threats. The CIS Network Device Benchmarks provide best practices to help organizations harden these devices against attacks.

Examples of Network Devices:
- Firewalls – Control incoming and outgoing internet traffic.
- Routers – Direct network traffic between different systems.
- Switches – Connect multiple devices within a network.
- VPNs (Virtual Private Networks) – Encrypt internet connections for security.
- Wireless Access Points (WAPs) – Provide Wi-Fi connectivity.

NETWORK DEVICES AND ITS ROLE IN AUDITING
1. Monitoring Network Traffic. Ex. Firewalls log all internet activity. If a hacker tries to break in, auditors can check firewall logs to find out how they got in.
2. Controlling Who Can Access the Network. Ex. Routers and firewalls can be set to allow only authorized employees to access company systems, blocking outsiders.
3. Checking for Security Weaknesses. Ex. If a Wi-Fi network is open without a password, auditors will flag it as a security risk and fix it.
4. Ensuring Compliance with Security Standards. Ex. A bank must secure customer data. Auditors check if firewalls are properly configured to block unauthorized access.
5. Preventing Downtime and Failures. Ex. A network switch that is overloaded can slow down an entire office. Auditing helps find these issues before they cause problems.
6. Investigating Cyber Attacks. Ex. If hackers break into a company, firewall logs might show which IP address they used and what data they accessed.

HOW TO USE CIS BENCHMARKS FOR SECURE CONFIGURATION
1. When beginning your server hardening project, the first thing you should do is define a structured baseline based on industry best practices such as the CIS Benchmarks or DISA STIGs.
2. Applying security patches: Regularly update your servers with the latest security patches to address vulnerabilities and protect against known exploits.
3. Implementing strong access controls: Enforce strong authentication mechanisms, such as complex passwords or multifactor authentication, to prevent unauthorized access to your servers.
4. Regular reviews of User Rights Assignment settings are essential to ensure that access privileges are current and aligned with organizational requirements and security best practices.
5. Disabling unnecessary services: Disable any unnecessary services or protocols on your servers to minimize potential attack vectors.
6. Use automated configuration monitoring that can check all remotely testable secure configuration elements, and raise alerts if unauthorized changes occur (new listening ports, new admin users, changes in the group and local policy objects, and new services running on the system). Tools that integrate with the Security Content Automation Protocol (SCAP) are recommended.
7. Deploy system configuration management tools that will automatically enforce system configuration settings, periodically or, preferably, in real time. Using them, you should be able to redeploy or have real-time control over the configuration settings on a scheduled, manual, or event-driven basis.

INTERPRETING AND APPLYING CIS BENCHMARK GUIDELINES
1. Understanding the CIS Benchmarks
CIS Benchmarks are security checklists created by cybersecurity experts. They provide step-by-step guides on how to set up computers, networks, and software securely to prevent hacking and data breaches. By following these guidelines, organizations can strengthen their security and reduce the risk of cyber threats.

2. Assessing Your Current Security Posture and Prioritizing Benchmarks
Before applying CIS Benchmarks, it's important to check how secure your systems are right now. You can use tools like CIS-CAT to see where your current security stands compared to the benchmarks. Once you know your weaknesses, you can make a plan to fix the most important issues first. Focus on the areas that matter most to your organization's needs and security goals, so you use your resources wisely.

3. Developing an Implementation Plan
After deciding which security areas to focus on, create a plan to make changes. Work together with teams like IT, Security, and Compliance to build a strategy. Break the plan into steps, starting with the most important systems. Set clear goals and deadlines, and assign people to be in charge. Use tools like CIS-CAT to help apply the changes and track progress. Make sure to document all the changes you make, so it's easier for future checks and ongoing improvements.

4. Testing, Validation, and Continuous Monitoring
Before making changes to your live systems, test them in a safe environment to make sure they work without causing problems. Use automated tools to check your security settings regularly and ensure they're effective. Cybersecurity is an ongoing process, so keep monitoring your systems in real time to make sure they stay secure. Set up regular reviews and updates to keep your security measures up to date with new threats.

5. Leveraging Your Team and Community
Your cybersecurity team is key to keeping your systems secure. Use CIS training to teach them the importance of safe settings and how benchmarks help protect the organization. Creating a security-aware culture will encourage your team to stay proactive. Regular audits, using tools like CIS-CAT, help ensure your systems stay up to date. Share audit results with the team to keep everyone accountable. Also, connect with others in the cybersecurity community to share tips and improve your approach. This teamwork helps make security even stronger for everyone.

For auditors, CIS Benchmarks serve as an invaluable tool to assess system configurations, identify vulnerabilities, and provide actionable recommendations to strengthen an organization's security posture.
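The "System Audit Trail Controls" slides describe event-oriented logs and the three objectives they support (detecting unauthorized access, reconstructing events, promoting accountability). The following script is an added example, not part of the presentation or of any CIS tool: it parses constructed event-oriented log entries in an assumed format (`<ISO time> <host> <event> user=<u> src=<ip> ...`), flags a burst of failed logins followed by a successful login from the same source, and reconstructs one account's activity timeline. The threshold and window values are assumptions chosen for the example.

```python
"""Event-log review for audit-trail objectives (added example).

Format of each line is an assumption for this example:
    <ISO timestamp> <host> <event> user=<name> src=<ip> [extra fields]
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample entries, not captured from a real system.
SAMPLE_LOG = """\
2024-03-01T08:00:05 srv1 LOGIN_OK user=alice src=10.0.0.5
2024-03-01T08:01:10 srv1 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T08:01:12 srv1 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T08:01:15 srv1 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-01T08:01:20 srv1 LOGIN_OK user=admin src=203.0.113.7
2024-03-01T08:02:00 srv1 FILE_WRITE user=admin src=203.0.113.7 path=/data/ar.db
2024-03-01T08:05:00 srv1 LOGIN_FAIL user=bob src=10.0.0.9
2024-03-01T08:05:30 srv1 LOGIN_OK user=bob src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?P<rest>.*)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def suspicious_logins(events, threshold=3, window=timedelta(minutes=5)):
    """Objective 1 (detect unauthorized access): report (user, src) pairs where
    at least `threshold` failures inside `window` preceded a successful login."""
    failures = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["user"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            failures[key].append(e["ts"])
        elif e["event"] == "LOGIN_OK":
            recent = [t for t in failures[key] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": e["user"], "src": e["src"],
                             "failures": len(recent), "success_at": e["ts"]})
            failures[key] = []  # a success closes the failure run
    return hits


def timeline(events, user):
    """Objectives 2 and 3 (reconstruct events, accountability): everything one
    account did, in chronological order."""
    return [f"{e['ts'].isoformat()} {e['event']}{e['rest']}"
            for e in sorted(events, key=lambda e: e["ts"]) if e["user"] == user]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for hit in suspicious_logins(evs):
        print("ALERT possible brute-force then success:", hit)
    print("\n".join(timeline(evs, "admin")))
```

On the constructed input the `admin` account is flagged (three failures in ten seconds, then a success from the same address) while `bob`, with a single typo-like failure, is not; the timeline then shows the file write that followed the suspicious login, which is the kind of reconstruction the slides describe.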
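Step 6 of "How to use CIS Benchmarks for secure configuration" calls for automated configuration monitoring that alerts on new listening ports, new admin users, and new services. The script below is an added example written for this page, not code from the presentation, from CIS, or from any SCAP tool: it builds a snapshot from constructed `ss -ltn` output and an `/etc/group`-style line, compares it with an approved baseline, and emits one alert per unauthorized addition (and a lower-severity note when an approved item such as `auditd` disappears). The severity mapping and the name of the admin group are assumptions.

```python
"""Configuration drift check against a hardening baseline (added example)."""

# Constructed baseline: what was approved when the server was hardened.
BASELINE = {
    "listening_ports": {22, 443},
    "admin_users": {"opsadmin"},
    "services": {"sshd", "nginx", "auditd"},
}

# Constructed `ss -ltn` output for the current state (not from a real host).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      511    *:443             *:*
LISTEN 0      128    0.0.0.0:4444      0.0.0.0:*
"""

# Constructed /etc/group line for the admin group (group name is an assumption).
GROUP_LINE = "sudo:x:27:opsadmin,tempuser"

# Constructed list of running services; auditd has stopped, telnet has appeared.
RUNNING_SERVICES = ["sshd", "nginx", "telnet"]

# Assumed severity per monitored element.
SEVERITY = {"listening_ports": "high", "admin_users": "critical", "services": "high"}


def parse_listening_ports(ss_text):
    """Extract TCP listening ports from `ss -ltn`-style output."""
    ports = set()
    for line in ss_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def parse_group_members(group_line):
    """Members of one /etc/group entry (name:password:gid:member,member)."""
    members = group_line.split(":", 3)[3]
    return {m for m in members.split(",") if m}


def take_snapshot(ss_text, group_line, services):
    return {
        "listening_ports": parse_listening_ports(ss_text),
        "admin_users": parse_group_members(group_line),
        "services": set(services),
    }


def detect_drift(baseline, current):
    """Alert on anything present now but not approved, and note approved
    items that have gone missing (a stopped audit daemon matters too)."""
    alerts = []
    for element, approved in baseline.items():
        observed = current.get(element, set())
        for item in sorted(observed - approved, key=str):
            alerts.append({"element": element, "change": "added",
                           "item": item, "severity": SEVERITY.get(element, "medium")})
        for item in sorted(approved - observed, key=str):
            alerts.append({"element": element, "change": "removed",
                           "item": item, "severity": "medium"})
    return alerts


def format_alert(alert):
    return f"[{alert['severity'].upper()}] {alert['element']}: {alert['change']} {alert['item']}"


if __name__ == "__main__":
    snapshot = take_snapshot(SS_OUTPUT, GROUP_LINE, RUNNING_SERVICES)
    for alert in detect_drift(BASELINE, snapshot):
        print(format_alert(alert))
```

In production the three constructed inputs would be replaced by the agent's own collection (the `ss` command output, the real group file, the service manager's running list), and the baseline would be the approved post-hardening snapshot stored outside the monitored host so that a compromised machine cannot rewrite its own reference.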
