Get enthusiastic about CIS Benchmarks


When I learned about CIS Benchmarks several years ago, I was delighted.

CIS Benchmarks are sets of recommended configurations for a variety of software that’s used in the enterprise. The idea is that by configuring your software applications according to CIS Benchmarks, you’re greatly improving the security posture of your applications and networks.

Yes, I was excited to learn about that. Call me a dork, but you try carefully configuring dozens of applications in a Microsoft Azure instance without guidance! It’s tedious work! I want to personally thank the Center for Internet Security (CIS) for the public service that they offer to the cybersecurity community.

“The CIS Benchmarks are community-developed secure configuration recommendations for hardening organizations' technologies against cyber attacks. Mapped to the CIS Critical Security Controls (CIS Controls), the CIS Benchmarks elevate the security defenses for cloud provider platforms and cloud services, containers, databases, desktop software, server software, mobile devices, network devices, and operating systems. They also help organizations demonstrate compliance with components of various industry regulations and frameworks.

Currently, there are more than 100 CIS Benchmarks across 25+ vendor product families that are available through free PDF download for non-commercial use.”

The full list of CIS Benchmarks that you may freely use is here. They cover all the major cloud platforms, the most frequently used operating systems, commonly used containerization technologies, networking software, database platforms, and you-name-it.

And later on, when I learned what the CIS-CAT Pro Assessor tool is, I giggled with delight:

“The CIS-CAT Pro Assessor tool scans against a target system’s configuration settings and reports the system’s compliance to the corresponding CIS Benchmark. While it’s great to know where your systems stand, manually implementing the recommendations can be a daunting task.”

I got to use it several times in networks that I’ve administrated, and it can be set up to automate configuration scans really easily. It’s one of my favorite vulnerability scanners, and CIS offers it to the community.
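To show the shape of what an assessor like CIS-CAT Pro does (read a system's settings, compare each one to a benchmark item, report pass/fail), here is a small added illustration. It is not CIS code and the check items, IDs and configuration fragment are all constructed for the example; they are modeled on the style of a hardening benchmark, not copied from one.

```python
"""Benchmark-style configuration assessor: a constructed illustration of what
a tool like CIS-CAT does (read settings, compare to a benchmark, report).
Not CIS code; the checks below are illustrative, not real CIS recommendations."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Check:
    check_id: str     # benchmark item number (constructed)
    title: str        # human-readable recommendation
    key: str          # configuration keyword to inspect
    expected: object  # required value (str) or numeric bound (int)
    compare: str      # "eq" = must equal, "max" = must be <= expected


# Constructed mini-benchmark for an sshd_config-style file. The shape mirrors
# a hardening benchmark (ID, title, keyword, expected value); the items are illustrative.
CHECKS = [
    Check("X.1", "Ensure SSH root login is disabled", "PermitRootLogin", "no", "eq"),
    Check("X.2", "Ensure SSH MaxAuthTries is set to 4 or less", "MaxAuthTries", 4, "max"),
    Check("X.3", "Ensure SSH X11 forwarding is disabled", "X11Forwarding", "no", "eq"),
    Check("X.4", "Ensure SSH LoginGraceTime is set to 60 or less", "LoginGraceTime", 60, "max"),
]

# Constructed configuration fragment; not captured from any real host.
SAMPLE_CONFIG = """
# constructed sshd_config fragment
Port 22
PermitRootLogin no
MaxAuthTries 6          # too permissive for the constructed check X.2
X11Forwarding no
LoginGraceTime 60
"""


def parse_config(text):
    """Return {keyword(lowercased): value} from a 'Keyword value' style file.
    Comments and blank lines are skipped; the first occurrence of a keyword wins,
    which is how sshd itself resolves duplicate keywords."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts
        settings.setdefault(key.lower(), value.strip())
    return settings


def evaluate(check, settings):
    """Evaluate one check against parsed settings. A keyword that is not set
    explicitly is reported as FAIL (a conservative choice); a production assessor
    would usually query the effective value (for sshd, 'sshd -T') instead."""
    actual = settings.get(check.key.lower())
    if actual is None:
        return {"id": check.check_id, "title": check.title, "status": "FAIL",
                "actual": None, "reason": "keyword not set"}
    if check.compare == "eq":
        ok = actual.lower() == str(check.expected).lower()
    elif check.compare == "max":
        try:
            ok = int(actual) <= check.expected
        except ValueError:  # non-numeric value where a number is required
            ok = False
    else:
        raise ValueError(f"unknown comparison {check.compare!r}")
    return {"id": check.check_id, "title": check.title,
            "status": "PASS" if ok else "FAIL", "actual": actual,
            "reason": "" if ok else f"expected {check.compare} {check.expected}"}


def assess(text, checks=CHECKS):
    """Run every check against the configuration text and return the results."""
    settings = parse_config(text)
    return [evaluate(c, settings) for c in checks]


def score(results):
    """Return (passed, total) for a results list."""
    return sum(r["status"] == "PASS" for r in results), len(results)


if __name__ == "__main__":
    results = assess(SAMPLE_CONFIG)
    for r in results:
        print(f"{r['status']}  {r['id']}  {r['title']}  (actual={r['actual']}) {r['reason']}")
    passed, total = score(results)
    print(f"{passed}/{total} checks passed")
```

Running it on the constructed fragment reports 3 of 4 checks passing, with X.2 failing because MaxAuthTries is 6. The point of the structure is that the benchmark items are data, not code: adding a recommendation means adding a row, which is what lets a real assessor keep up with a benchmark of hundreds of items.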

Lots of security vendors these days are also building CIS Benchmarks into their tools, so that security practitioners have multiple useful ways to find configurations that are non-compliant with CIS Benchmarks.

As I said, try deploying a DevOps application in a multi-cloud network and making all configurations as secure as possible without help from CIS Benchmarks, and you’ll deal with a ton of tedious and frustrating work.

Tools like CIS Benchmarks are genuinely exciting once you learn how tough security hardening of cloud networks can be.

Less time scouring application configurations with a fine-toothed comb is more time that can be spent watching funny YouTube videos. Or, more realistically, sorting through the hundreds of emails that I haven’t read. CIS should make a tool for that.
