Category Archives: News

News

Join the Center for Internet Security at AWS re:Invent 2021

Read Time:4 Minute, 13 Second

This year, Amazon Web Services (AWS) returns to hosting its cloud computing conference, AWS re:Invent 2021, in person. Cloud professionals from around the globe will gather in Las Vegas to learn the latest news in AWS cloud computing. The five-day conference is packed with sessions on containers, DevOps, end user computing, IoT, and much more.

The Center for Internet Security (CIS) is a proud sponsor of AWS re:Invent, which will be held November 29 – December 3. Find us at Booth #732 on the Expo Floor at The Venetian. Not only is CIS sponsoring the event, but we’ve also highlighted several must-see sessions that leverage our best practices.

AWS re:Invent 2021 Essential Sessions

Workshop | WPS203 – Simplifying compliance with AWS GovCloud (US)

Tuesday, November 30 | 5:00 – 7:15 P.M.

AWS GovCloud (US) gives customers the flexibility to architect secure cloud workloads that comply with some of the strictest U.S. compliance regulations. From Controlled Unclassified Information (CUI), personally identifiable information (PII), sensitive patient medical records, and financial data to law enforcement data and export-controlled data, AWS GovCloud (US) can help address some of the most stringent security and compliance requirements. Join this workshop to dive into the basics of how AWS and AWS GovCloud (US) Regions can help address these stringent security, compliance, and governance requirements.

Furthermore, CIS offers CIS Hardened Images, pre-hardened virtual machine (VM) images, a trusted resource to help secure cloud workloads on AWS Cloud in the AWS GovCloud (US) Region. They’re available for Windows and Linux operating systems.

See full list of CIS Hardened Images on AWS Cloud – Free trials available

Chalk Talk | SEC312 – Develop a strategy for automated remediation and response

Wednesday, December 1 | 12:15 – 1:15 P.M.

In this chalk talk, you’ll consider a framework to use with AWS Security Hub to determine which findings should be auto-remediated. For example, the CIS AWS Foundations Benchmark is available within AWS Security Hub. This framework provides recommendations to securely configure your AWS account. It covers actions like identity and access management, networking, and more.

This session will explore whether a remediation is a destructive action and how to tag findings to automate these decisions. When auto-remediation isn’t appropriate or should include approvals, learn how to auto-respond to findings. You’ll learn how to enrich these findings with assignee information based on resource tags; you can then use that assignee information in email, Slack, or ticket notifications.

Chalk Talk | SEC305 – Automate vulnerability management with Amazon Inspector

Thursday, December 2 | 11:30 A.M. – 12:30 P.M.

Amazon Inspector is a vulnerability management service that scans AWS workloads for software vulnerabilities and unintended network exposure. In this chalk talk, learn how to get the most out of Amazon Inspector. This includes how to prioritize the most critical vulnerabilities to help increase remediation response efficiency.

Windows and Linux users can apply the knowledge from this session and run assessments to check the configurations of their Amazon EC2 instances against CIS Benchmarks. The findings within the Amazon Inspector assessment will detail the steps needed to remediate vulnerabilities.

From the CIS Booth: New CIS AWS Resources to Secure Cloud Workloads

Foundational Security for AWS

CIS Benchmarks are a set of prescriptive guides to help organizations securely configure a variety of technologies. They cover more than 25 vendor product families, helping to safeguard systems against today’s evolving cyber threats. Because of CIS’s deep partnership with AWS, CIS Benchmarks are integrated with several AWS services:

AWS Audit Manager
AWS Config
AWS Inspector
AWS Security Hub

These integrations allow AWS customers to audit and test the security of their AWS environments against CIS Benchmarks. Within these four AWS services, cloud consumers will find the CIS AWS Foundations Benchmark and CIS Benchmarks for various operating systems.

AWS Graviton2

At AWS re:Invent 2021, stop by our booth to learn how to implement the latest cloud security resources and provide feedback to the CIS team. First, CIS built two CIS Hardened Images on AWS Graviton2 processors. In addition to the compliance they offer to CIS Benchmarks standards, they also deliver 40% better price performance compared to current generation x86-based instances.

DISA STIG Compliance

For organizations and industries that require compliance to DISA Security Technical Implementation Guides (STIGs), CIS has created four Benchmarks. These are also available as pre-configured CIS Hardened Images in AWS Marketplace. Notably, CIS recently released a new hardened VM secured to STIG standards for Microsoft Windows Server 2019. STIG Benchmarks and CIS Hardened Images are also available for:

Amazon Linux 2
Microsoft Windows Server 2016
Red Hat Enterprise Linux 7
Ubuntu Linux 20.04

The team plans to release additional STIG Benchmarks and VMs for Apple macOS 11 and Red Hat Enterprise Linux 8 in the coming months.

These are just a few of the many cloud security resources that CIS provides. Stop by Booth #732 at AWS re:Invent 2021 to learn how you can incorporate CIS cloud security resources into your cybersecurity program.

Read More

News

CIS Benchmarks November 2021 Update

Read Time:2 Minute, 13 Second

The following CIS Benchmark updates have been released.  We’ve highlighted the major updates below. Each Benchmark includes a full changelog that can be referenced to see all changes made.

CIS AlmaLinux OS 8 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for AlmaLinux OS 8 Linux distribution systems running on x86_64 platforms.

Special thanks to Jack Aboutboul and Simon John for their contributions to the initial development of the benchmark and thanks to the CIS AlmaLinux Community for their time and expertise toward this release. Your contributions are invaluable to our consensus process.

Download the AlmaLinux OS 8 Benchmark PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS PostgreSQL 14 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for PostgreSQL 14. This guide was tested against PostgreSQL 14 running on RHEL 8, but applies to other Linux distributions as well.

Special thanks to Doug Hunley and Crunchy Data for their significant contributions, and thanks to the CIS PostgreSQL Community who participated in general and ticket-specific discussions.

Download the PostgreSQL 14 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS MongoDB 5 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for MongoDB version(s) 5.x. This guide was tested against MongoDB 5.0.2 running on Ubuntu Linux, Linux Red Hat, and Windows, but applies to other distributions as well.

Download the MongoDB 5 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS MongoDB 3.6 Benchmark v1.1.0

Prescriptive guidance for establishing a secure configuration posture for MongoDB version 3.6. This guide was tested against MongoDB 3.6 running on Ubuntu Linux and Windows, but applies to other distributions as well.

Thanks to the CIS Mongo DB community for their support, and special thanks to Vinesh Redkar, Pralhad Chaskar, Emad Al-Mousa, and Matthew Reagan

Download the MongoDB 3.6 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

Volunteers Needed for CIS Benchmarks

Get involved by helping us develop content, review recommendations, and test CIS Benchmarks. Join a community today! We’re looking for contributors for the following technologies:

Google Kubernetes Engine
Google Cloud Computing – Container-Optimized OS Benchmark
IBM AIX
Microsoft Windows

EMS Gateway
Windows Server 2022
Windows 11
Windows 10 21H

Interested in learning more about the CIS Benchmarks development process or how you can get involved? Reach out to us at benchmarkinfo@cisecurity.org. You can also learn more on the CIS Benchmarks Community page.

Read More

News

CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8

Read Time:5 Minute, 30 Second

Risk assessments are valuable tools for understanding the threats enterprises face, allowing them to organize a strategy and build better resiliency and business continuity, all before a disaster occurs. Preparation is key – after all, the worst time to plan for a disaster is during a disaster.

The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources.

When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM lets enterprises of varying security capabilities navigate the balance between implementing security controls, risks, and enterprise needs.

CIS RAM Can Help Your Enterprise Demonstrate “Due Care”

If you experience a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. At the core of CIS RAM is the Duty of Care Risk (DoCRA) methodology, which allows enterprises to weigh the risks of not implementing the controls and its potential burden on the enterprise.

CIS RAM helps you answer questions like:

What are my enterprise’s risks?
What constitutes “due care” or “reasonableness?”
How much security is enough?

What’s New for CIS RAM v2.0

CIS RAM is made up of a family of documents, with CIS RAM Core at the foundation of it all. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt RAM’s principles and practices for their environment.

As previously mentioned, CIS RAM uses DoCRA, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise.

And now, CIS RAM v2.0 helps enterprises estimate the likelihood of security incidents by using data about real world cybersecurity incidents. We have evolved our thinking about threat likelihood so instead of asking, “how likely is it that this risk will occur” we now ask, “when a security incident occurs, what is the most likely way it will happen here?” CIS RAM now uses data from the Veris Community Database to help each enterprise automatically estimate that likelihood by comparing the real-world incident data to the resilience of their deployment of each CIS Safeguard.

CIS RAM v2.0 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups: IG1, IG2, and IG3. One document for each Implementation Group will be the anchors in the CIS RAM family and will be available for both v8 and v7.1 of the CIS Critical Security Controls. Each document will have a workbook with a corresponding guide. The first of many documents in the CIS RAM v2.0 family, CIS RAM v2.0 for Implementation Group 1 and CIS RAM v2.0 for Implementation Group 1 Workbook are now available for download and will help enterprises in IG1 to build their cybersecurity program. These IG1 documents automate much of the risk assessment process so that enterprises with little or no cybersecurity expertise can become aware of their risks, and know which to address first.

All CIS RAM documents have material to help readers accomplish their risk assessments, and include the following: examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.0 for IG2 and IG3.

The CIS RAM Core Process

CIS RAM Core risk assessments involve the following activities:

Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats.
Evaluating the Risks: Estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.
Evaluating Recommended CIS Safeguards: Risk-analyze the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden.

Enterprises that use CIS RAM and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Taking the Next Step

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.

 
CIS has recently released CIS RAM v2.1.Click here to see what’s new.
 
Join the CIS RAM Community on CIS WorkBench.
 
Questions about CIS RAM? Email controlsinfo@cisecurity.org.

Read More