Category Archives: News

Authentication and Authorization Using Single Sign-On

Read Time:5 Minute, 52 Second

By: Kathleen M. Moriarty, CIS Chief Technology Officer

In order to prevent credential theft from phishing attacks, there is a push for multi-factor authentication (MFA). This is a very important step and should be considered if your organization has not yet made the transition. While MFA adds important protections, how you implement single sign-on, authorization, and/or federation also requires consideration.

The SolarWinds attack bypassed MFA through the use of a vulnerability in a federation technology, Security Assertion Markup Language (SAML), that allowed attackers to bypass end-user credentials entirely. Vulnerabilities in authorization frameworks like OAuth have led to compromise in the past as well. In the first blog of this series, we explored multi-factor authentication and a move away from credentials that can be stolen, as motivated by recent attacks. This blog will dive into authorization and single sign-on to aid in technology selection and deployment considerations. It provides a foundation for the following blog post that introduces emerging standards that have taken into account learnings from the challenges of past protocols, reducing points of vulnerability where possible..

Using Single Sign-on for Simple Authentication

Users want authentication to be simple, requiring less for them to remember and manage. But they also want it to be more secure, in order to protect both their own and their organization’s assets, including data. Environments where users have individual logins to each application are not only more difficult for the end user, but also add complexity when it comes to onboarding new employees, moving employees into new roles, and terminations. A system that unifies logins to a single-sign on, or one that ties the various accounts into an overarching access control system, eases the employee workflow processing. If an employee leaves the organization, the process to remove all account access is greatly simplified with some single sign-on methods.

Single sign-on or reduced sign-on is possible through several models where the user perception is the use of a single or reduced set of authentication methods to access applications:

Stored credentials are accessed using authentication to a cryptographic key or password store (e.g. WebAuthn or password containers). The credentials are then used to authenticate to the appropriate application or service.
Credentials are synchronized across platforms using Lightweight Directory Access Protocol (LDAP) servers.
In the case of public key infrastructure (PKI), an authorized authentication key and certificate are associated to individual services, where the public key is published in a directory service to validate use of the associated private key. For each application, the user account is associated to the appropriate user key and associated certificate.
One-time passwords (OTP) may be used in conjunction with password storage applications that proxy authentication for the user, providing the perception of single or reduced sign-on capabilities.

There are multiple methods that can be used to achieve single or reduced sign-on, with some methods being easier for an environment due to the set of applications and authentication technologies currently in play.

Authorization and Authentication

Authorization is used to grant access to resources. It is often coupled with authentication: in many systems, you must first prove who you are (authenticate) to gain access to capabilities (authorization).  Authorization is the access a user or role is granted to, or within, an application tied to access control models. Stated simply, authorization is about what you can do.

How is authorization to resources accomplished?

In the case of OAuth, a user may authenticate to an application and a second application may accept an authorization credential or token for that user from the first application. You’ve used OAuth if you have granted permissions for one application to ‘authenticate’ using your authorized login to another application such as from Facebook, Gmail, or other services.

Guidance on Authentication and Authorization

Authorization may tie to a more complex access control model where users could be assigned to roles and specific permissions are granted to particular roles.

Federation

Federation grants access across administrative domains. In other words, organizations or separated groups within an organization. An example of this is the use of the federation technology, Shibboleth, across university networks. This Federation technology allows students to use resources, such as library access, at other universities using their credentials from their own school. Federation bridges access across domains, where authentication and authorization are based on the originating organization’s policies. The Shibboleth federation uses the SAML standard to accomplish this today.

Other federation technologies include OpenID Connect, which is built on top of the OAuth authorization framework. Directory Services such as the Lightweight Directory Access Protocol (LDAP) and X.500 are supporting technologies to authentication and authorization frameworks, but are not in themselves authentication, authorization, or federation technologies. They are directory services capable of managing password authentication stores for services as well as synchronization of passwords across services. They are also necessary to enable access to public certificates and certificate revocation lists used in public key infrastructure (PKI).

Directory services enable access to information associated to an index. In the PKI example, properties of the issued certificate, such as the “common name” for a user, enable access to a user’s public encryption key. The functionality of a directory service is to provide an index to information made available publically, or to an access controlled set of data. The access controls could be a combination of users, roles, as well as parts of the directory structure. This distinction is important for understanding the supporting infrastructure and components in an identity and access management framework.

NIST Special Publication 800-63C

NIST Special Publication 800-63C provides detailed and technical explanations on Federation and assurance. This blog is intended to introduce the topics and current considerations at a higher level. In teaching Security Architecture and Design at Georgetown University, it has become apparent that more accessible documentation would be helpful as an introduction to these complex topics.

 

About the Author

Kathleen Moriarty
Chief Technology Officer

Kathleen Moriarty, Chief Technology Officer, Center for Internet Security has over two decades of experience. Formerly as the Security Innovations Principal in Dell Technologies Office of the CTO, Kathleen worked on ecosystems, standards, and strategy. During her tenure in the Dell EMC Office of the CTO, Kathleen had the honor of being appointed and serving two terms as the Internet Engineering Task Force (IETF) Security Area Director and as a member of the Internet Engineering Steering Group from March 2014-2018. Named in CyberSecurity Ventures, Top 100 Women Fighting Cybercrime. She is a 2020 Tropaia Award Winner, Outstanding Faculty, Georgetown SCS.

Kathleen achieved over twenty years of experience driving positive outcomes across Information Technology Leadership, IT Strategy and Vision, Information Security, Risk Management, Incident Handling, Project Management, Large Teams, Process Improvement, and Operations Management in multiple roles with MIT Lincoln Laboratory, Hudson Williams, FactSet Research Systems, and PSINet. Kathleen holds a Master of Science Degree in Computer Science from Rensselaer Polytechnic Institute, as well as, a Bachelor of Science Degree in Mathematics from Siena College.

Read More

End of Life Update: CIS-CAT Pro Assessor v3

Read Time:3 Minute, 8 Second

CIS-CAT Pro is a tool used to evaluate the cybersecurity posture of a system against the recommended policy settings outlined in the CIS Benchmarks. Following the release of CIS-CAT Pro Assessor v4, the Center for Internet Security (CIS) will cease support for CIS-CAT Pro Assessor v3. Its final release will occur in November 2021.

What End of Life Means for Assessor v3

CIS will stop delivering and supporting CIS-CAT Pro Assessor v3. Version 3.0.76 will mark the final delivery of this tool. This release also contains updated third-party dependencies to resolve security vulnerabilities. See our knowledge base article for more information on security risk.

Changes in the Final Release

This final release of CIS-CAT Pro Assessor v3 requires a Java Runtime Environment (JRE), Java Development Kit (JDK), or open JDK versions of Java 8. We have updated third party libraries that support assessor activities in this release. These new updates require Java 8, at a minimum.

The Assessor v3 dissolvable version has been updated to operate with Java 8.

Still Need Assessor v3?

CIS-CAT Pro Assessor v3 will remain available until November 2022.

The CIS Support Team will assist CIS SecureSuite Members with questions regarding the availability of the tool, but will no longer offer support on the function of the tool.

Read about Assessor v3’s limited use guidelines in our knowledge article.

Assessor v3 and CIS Benchmarks

Assessor v3 will include CIS Benchmarks officially supported for use with this final version. Future and past CIS Benchmark versions for the technologies supported by Assessor v3 may work with the final tool version, but are not guaranteed and should be used at the Member’s discretion.

Members requiring the ability to assess against older Benchmarks that aren’t supported in Assessor v4 can continue to utilize v3 until the Benchmark is supported in v4 or reaches its end of life (HP UX, Cisco ASA Firewall, Oracle Solaris OS, IBM AIX). If Member demand supports the need for the tool to support these CIS Benchmarks after November 2022, CIS will evaluate extending the availability date.

Other Assessor v3 Functions

Members are advised to no longer utilize Assessor v3 for vulnerability assessments. Since Assessor v3 will not be updated monthly with new CVE information, the vulnerabilities will quickly go out-of-date. Members are encouraged to utilize Assessor v4 for vulnerability assessments going forward.

CIS-CAT Pro Assessor v3 is a Security Content Automation Protocol (SCAP) validated tool. Members requiring some use of a NIST validated tool can continue to use Assessor v3 when necessary. CIS-CAT Pro Assessor v4 is architected in compliance with SCAP, but has not yet been formally SCAP validated. CIS currently plans to pursue SCAP 1.3 validation for CIS-CAT Pro Assessor v4 in 2022.

The Assessor v3 dissolvable bundle includes Java version 8 in this final release. With CIS-CAT Pro Assessor v4, we plan to offer an embedded Java for command line activities in 2022.

Still have questions?

Join the CIS-CAT Discussion Community on CIS WorkBench and start a discussion! Reach out to CIS Support and ask for the feedback ticket to be directed to the CIS-CAT Product Owner.

Where to Get CIS-CAT Pro Assessor

CIS-CAT Pro Assessor and Dashboard save you hours of configuration review by scanning against a target system’s configuration settings and reporting the system’s compliance to the corresponding CIS Benchmark. These tools are available as part of a CIS SecureSuite Membership. Members can download these tools and other resources on CIS WorkBench.

Not a Member yet? Learn more about CIS-CAT Pro Assessor at one of our free webinars.

You can also try CIS-CAT Lite v4 at no cost.

Read More

How to Meet the Shared Responsibility Model with CIS

Read Time:3 Minute, 53 Second

In 2020, the shift to a global remote workforce demonstrated just how difficult securing a cloud environment can be. Now organizations face the challenge of securing hybrid environments. To address these challenges, many companies migrate to the cloud and leverage cloud service providers (CSPs) such as Amazon Web Services, Microsoft Azure, Google Cloud Platform, and Oracle Cloud. These public cloud providers offer cost-effective, scalable cloud computing solutions.

Among the many benefits of operating on the public cloud, users share the security responsibilities with the CSP. Typically, the CSP is responsible for the physical security of the cloud infrastructure, while the customer is responsible for securing the services and/or applications they use. The division of these responsibilities is known as the shared responsibility model for cloud security.

Shared Responsibility Model Characteristics

Based on the type of cloud environment required by an organization, the delineation of security responsibilities will differ. Responsibilities vary according to the four main types of cloud environments:

Infrastructure as a Service (IaaS)
Software as a Service (SaaS)
Platform as a Service (PaaS)
Function as a Service (FaaS)

Ultimately however, the protection of an organization’s data lies with the organization itself. That’s where the Center for Internet Security (CIS) can help. CIS strives to make the connected world a safer place by developing, validating, and promoting best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats. Thus, our vision is to lead the global community to secure our ever-changing connected world. A portion of that is providing organizations with resources that can help them meet their part of the shared responsibility model for cloud security.

Cloud Security Resources Available from CIS

CIS works with a global community to develop three main security best practices that can help cloud consumers meet the shared responsibility model:

CIS Controls

A prioritized set of 20 actions that collectively form a defense-in-depth set of best practices. The CIS Controls are practical and prescriptive actions that organizations should take to prevent common cyber-attacks.

The CIS Controls Cloud Companion Guide is a free resource that can help users apply the CIS Controls in the cloud. Notably, the guide maps the CIS Controls to the four main types of cloud environments.

CIS Benchmarks

The CIS Benchmarks are configuration guidelines for technologies, operating systems, containers, and more. There are more than 100 CIS Benchmarks covering 25+ vendor product families.

In particular, the CIS Foundations Benchmarks provide prescriptive guidance for configuring, deploying, and securing services in public cloud environments. This resource can assist cloud users with the shared responsibility model, notably identity and access management. A free CIS Foundations Benchmark is available for the following cloud environments:

Amazon Web Services (AWS)
Microsoft Azure
Google Cloud Platform (GCP)
Oracle Cloud Infrastructure
Alibaba Cloud
IBM Cloud

CIS Hardened Images

Lastly, CIS Hardened Images are virtual machine images for operating systems, containers, and applications. They’re pre-configured to CIS Benchmark recommendations. Backed by a global community of cybersecurity experts and built off of the base image provided by CSPs, CIS Hardened Images seamlessly integrate into an organization’s security procedures. Because they’re an IaaS environment, CIS Hardened Images can help with the host infrastructure part of the shared responsibility model.

What’s more, CIS updates and patches these Hardened Images on a monthly basis to ensure the latest security configurations are in place. Every CIS Hardened Image includes a CIS-CAT Pro report showing conformance to the CIS Benchmark. It also includes an exception report showing configurations that cannot be applied in the cloud.

CIS Hardened Images are available on four major CSP marketplaces:

AWS Marketplace including AWS GovCloud (US) region
Microsoft Azure Marketplace including Azure Government
Google Cloud Platform Marketplace
Oracle Cloud Marketplace

View all CIS Hardened Images

CIS Shared Responsibility Model Resource

The shared responsibility model for cloud security provides clarity on security expectations for public cloud users. However, an understanding of the expectation is just the first step. Users must act on these responsibilities by creating policies and procedures for their portion of cloud security. In order to do this, cloud consumers should use cloud security tools and resources that directly address the needs of their cloud environment.

In sum, whether they’re used together or individually, CIS Controls, CIS Benchmarks, and CIS Hardened Images provide organizations operating in the cloud prescriptive guidance to secure their environments. They also help organizations conform to the shared responsibility model with ease. In this guide, we provide a deep dive into the shared responsibility model for cloud security, the division of user and CSP responsibilities, and how CIS resources help meet those responsibilities.

Read More

For Data Compliance, Automation is Key

Read Time:2 Minute, 41 Second

In this edition of Cybersecurity Where You Are, CIS Senior VP and Chief Evangelist, Tony Sager welcomes Thordis Thorsteins, Senior Data Scientist at Panaseer. Panaseer provides a controls monitoring platform and has played a valuable role in the development of the CIS Critical Security Controls, as well as the implementation of the CIS Controls Assessment Specification. Together, Tony and Thordis discuss the role that data collection and automation play in cybersecurity.

When It Comes to Data, More Doesn’t Always Mean Better

When it comes to cybersecurity, an enterprise must start by listing the assets it needs to protect, select controls to protect those assets, and institute a system to monitor those controls. Simple steps in theory – but complex and time consuming to implement in reality.

Examples of some types of data sources and tools include:

In-house vulnerability management tools
Patching tools
Phishing tools for employee training

By using a wide variety of sources, an enterprise can create a more expansive picture of its cybersecurity posture. The challenge with using all these data sources is that it creates an immense amount of data that need to be analyzed. This leads to what Sager refers to as “The Fog of More”. The collected data set is inevitably messy and noisy, and that creates an overwhelming task for teams to pore through and uncover any discrepancies.

Cybersecurity Frameworks are Open to Interpretation

The difficulty with cybersecurity frameworks is that they provide the criteria for compliance, yet no advice to implement the framework itself. This places the burden of interpreting the framework on the enterprise, making it difficult to measure compliance effectively. While frameworks are valuable, they can be interpreted by different enterprises in different ways. Then an auditor or governing body comes in and applies their own interpretation. This multitude of opinions makes it difficult to know when something is truly being done right.

Working with the Controls Assessment Specification

Panaseer was an early adopter of the Controls Assessment Specification and played an integral role in developing its components. It was created to provide a comprehensive list of specifications available to work against, as well as assessments to suit companies at different maturities. This allows for a more uniform system for compliance, with the goal of having enterprises improve their assessment and monitoring activities.

Automate for Success

The Controls Assessment Specification enables any sized enterprise to develop guidelines for viewing how it is measuring and monitoring their cybersecurity posture. The next step would be to identify opportunities to automate these activities. While some frameworks require a degree of self-attestation performed by a cybersecurity expert, frequent and repetitive requirements can be labor-intensive and costly. In addition to saving time and money, automation creates consistency by:

Enabling data to be measured the same way every time
Enabling the process to be clear for the person responsible for interpreting the outcomes
Creating a roadmap for anyone performing the assessment in the future
Driving consistency in how data is collected, analyzed, and interpreted

By continuing to find new and better ways for companies to automate their cybersecurity posture, compliance will become more achievable and interpretations of these frameworks will become more uniform.

Resources:

CIS Critical Security Controls
About Panaseer

Read More

Top 10 Malware October 2021

Read Time:4 Minute, 19 Second

In October 2021, the Top 10 stayed consistent with the previous month with the exception of GravityRAT which made its first appearance in the Top 10. GravityRAT is a RAT that affects Windows, MacOS, and Android. GravityRAT’s abilities include file exfiltration, remote command execution, keystroke logging. screenshot capture, and anti-analysis techniques. The Top 10 Malware variants comprise 71% of the total malware activity in October 2021, decreasing 3% from September 2021. Shlayer and CoinMiner continue to lead the Top 10 Malware and are likely to continue their prevalence in the Top 10 Malware for the coming months.

 

In October 2021, malvertisement accounted for the greatest number of alerts. Malvertisement continues as the top initial infection vector due to Shlayer activity. Activity levels for all initial infection vectors decreased. Shlayer and CoinMiner continue to be in the top two spots. The activity from these malware is due to the education sector resuming all activity as summer vacation ended. Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater. CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

 

 

Dropped – Malware delivered by other malware already on the system, an exploit kit, infected third-party software, or manually by a cyber threat actor. Jupyter the only malware dropped.

Multiple – Malware that currently favors at least two vectors. Currently, CoinMiner, CryptoWall, GravityRAT, Hupigon, and ZeuS  are the malware utilizing multiple vectors.

Malspam – Unsolicited emails, which either direct users to malicious web sites or trick users into downloading or opening malware. Top 10 Malware using this technique Agent Tesla, Blaknight, and NanoCore.

Malvertisement – Malware introduced through malicious advertisements. Currently, Shlayer is the only Top 10 Malware using this technique.

Top 10 Malware and IOCs

Below are the Top 10 Malware ranked in order of prevalence. The respective indicators of compromise (IOCs) are provided to aid in detecting and preventing infections from these Top 10 Malware variants. Note: The associated URIs are aligned with malware’s respective domain(s) or IP(s) and increase the likelihood of maliciousness when found together. The URIs alone are not inherently malicious.

1. Shlayer

Shlayer is a downloader and dropper for MacOS malware. It is primarily distributed through malicious websites, hijacked domains, and malvertizing posing as a fake Adobe Flash updater.

All Shlayer domains follow the same pattern . Below area several examples of domains Shlayer uses.

Domains

api[.]interfacecache[.]com
api[.]scalableunit[.]com
api[.]typicalconfig[.]com
api[.]standartanalog[.]com
api[.]fieldenumerator[.]com
api[.]practicalsprint[.]com
api[.]searchwebsvc[.]com
api[.]connectedtask[.]com
api[.]navigationbuffer[.]com
api[.]windowtask[.]com

 

2. CoinMiner

CoinMiner is a cryptocurrency miner that uses Windows Management Instrumentation (WMI) and EternalBlue to spread across a network. CoinMiner uses the WMI Standard Event Consumer scripting to execute scripts for persistence. CoinMiner spreads through malspam or is dropped by other malware.

3.Agent Tesla

Agent Tesla is a RAT that exfiltrate credentials, log keystrokes, and capture screenshots from an infected computer.

4. NanoCore

NanoCore is a RAT spread via malspam as a malicious Excel XLS spreadsheet. As a RAT, NanoCore can accept commands to download and execute files, visit websites, and add registry keys for persistence.

5. Jupyter

Jupyter, aka SolarMarker, is an infostealer that is downloaded by masquerading as legitimate software. It primarily targets browser data in browsers such as Chrome, Chromium, and Firefox and has full backdoor functionality.

IPs

104[.]223.123[.]7
146[.]70.24[.]173
146[.]70.41[.]157
149[.]255.35[.]179
167[.]88.15[.]115
188[.]241.83[.]61
192[.]121.87[.]53
23[.]29.115[.]175
37[.]120.247[.]125
37[.]120.247[.]199
37[.]221.114[.]23
45[.]42.201[.]248
69[.]46.15[.]151

6. ZeuS

ZeuS is a modular banking trojan which uses keystroke logging to compromise victim credentials when the user visits a banking website. Since the release of the ZeuS source code in 2011, many other malware variants have adopted parts of its codebase, which means that events classified as ZeuS may actually be other malware using parts of the ZeuS code.

7. Blaknight

Blaknight, also known as HawkEye, is an Infostealer known for its keylogging capabilities for credential and banking theft.

8. CryptoWall

CryptoWall is a ransomware commonly distributed through malspam with malicious ZIP attachments, Java Vulnerabilities, and malicious advertisements. Upon successful infection, CryptoWall will scan the system for drive letters, network shares, and removable drives. CryptoWall runs on both 32-bit and 64-bit systems.

9. GravityRAT

GravityRAT is a RAT that affects Windows, MacOS, and Android. GravityRAT’s abilities include file exfiltration, remote command execution capabilities, record keystrokes. take screenshots, and anti-analysis techniques.

10. Hupigon

Hupigon is a backdoor trojan that is usually dropped by other malware or is unknowingly downloaded via a malicious website. Some of this malware’s abilities include: allowing remote users to connect to the affected system and execute commands on the system, logging keystrokes, and stealing information such as credentials.

 

Read More

Cyber-Attack Defense: CIS Benchmarks + CDM + MITRE ATT&CK

Read Time:4 Minute, 3 Second

By Jennifer Jarose, CIS Cybersecurity Engineer, CIS Benchmarks

Six trillion dollars…that’s the amount global cybercrime is expected to cost this year, according to Cyber Security Ventures. The Center for Internet Security (CIS) is committed to validating our standards against recognized cyber defense frameworks in the hopes to help reduce this amount in the future. Starting today, with the CIS Microsoft Windows 10 Benchmark, the CIS Benchmarks will map to the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework and CIS Community Defense Model (CDM) 2.0. These mappings will improve the use, understanding, and effectiveness of the CIS Benchmarks, in turn strengthening security posture and providing more support to prevent top cyber-attacks.

CIS Benchmarks and CIS Community Defense Model

CIS Benchmarks are consensus-developed, industry best practices for securely configuring operating systems, cloud services, applications, networks, and more. A global community of information technology (IT) security professionals that range from academia, government, industry, and individuals drive the development and maintenance of the CIS Benchmarks. CIS relies on the contributions of passionate industry experts to create and maintain the CIS Benchmarks. Interested in contributing? Sign up for CIS WorkBench and join a community.

The CIS CDM v2.0 can be used to design, prioritize, implement, and improve an enterprise’s cybersecurity program. Enterprises naturally want to know, “how effective are the CIS Critical Security Controls (CIS Controls) against the top cyber-attacks?” The CDM can help answer that. This model leverages industry threat data to determine the top five cyber-attack types and creates comprehensive attack patterns (the set of attacker (sub-)techniques that are required to execute an attack). CDM v2 builds on the original version, by mapping the Safeguards from the CIS Controls v8 to the MITRE Enterprise ATT&CK® v8.2 framework. This methodology measures which Safeguards are most effective overall for defense across attack types.

Unifying the CIS Benchmarks, CDM, and MITRE ATT&CK Against Cyber-Attacks

To start these new mappings, CIS focused on two of the most downloaded CIS Benchmarks – Microsoft Windows 10 and Red Hat Enterprise Linux 7 – and drilled in to MITRE ATT&CK (sub-)techniques. This level of granularity provides CIS Benchmarks users a more detailed look into the effectiveness of the CIS Benchmarks against the top five attack types found in the CIS CDM. Combining technology-specific, security focused configuration settings from the CIS Benchmarks, with the prioritized, enterprise cyber defense guidance from the CIS CDM allows users a more holistic view of their cybersecurity program.

With the addition of mapping the MITRE ATT&CK framework to the CIS Benchmarks, this highlights the effectiveness of the CIS Microsoft Windows 10 v1.11.0 Benchmark, not only as security focused configuration recommendations, but quantifies its ability to reduce the risk and impact of a range of cyber-attacks. Additionally, CIS SecureSuite Members can visit CIS WorkBench to view the MITRE ATT&CK framework mappings, which can be found in the Excel version of the Benchmarks. CIS will continue refining and expanding this methodology which will further support unification across other frameworks as CIS updates and expands the mappings offered.

CIS Benchmarks’ Effectiveness Against Common Cyber-Attacks

The following findings demonstrate the security value of the CIS Microsoft Windows 10 v1.11.0 Benchmark against the top five cyber-attack types found in the CIS CDM:

Malware: 67% of recommendations map to a parent or (sub-)technique
Ransomware: 74% of recommendations map to a parent or (sub-)technique
Web Application Hacking: 41% of recommendations map to a parent or (sub-)technique
Insider and Privilege Misuse: 64% of recommendations map to a parent or (sub-)technique
Targeted Intrusion: 59% of recommendations map to a parent or (sub-)technique
Combined Attack Types: 83% of recommendations map to a parent or (sub-)technique when the above attack types are combined

The CIS Microsoft Windows 10 v1.11.0 Benchmark incorporates all parents of (sub-)techniques mapped to a given recommendation. In addition, the Microsoft Windows 10 v1.11.0 Benchmark is mapped to a subset of techniques within the Community Defense Model as a number of them do not apply to the Windows operating system.

When a Benchmark recommendation maps to a given parent or (sub-)technique it means that the given recommendation potentially mitigates, or disrupts, that step in a cyber-attack.

This effort is ongoing to further support unity of CIS resources with industry frameworks. CIS is currently working to expand MITRE ATT&CK mappings to our catalog of technology specific CIS Benchmarks, starting with the most commonly used. Next up is Red Hat Enterprise Linux 7. Stay tuned for an even more detailed report on the effectiveness of the Microsoft Windows 10 and Red Hat Enterprise Linux mappings to the Community Defense Model’s top five cyber-attack types.

Read More

Join the Center for Internet Security at AWS re:Invent 2021

Read Time:4 Minute, 13 Second

This year, Amazon Web Services (AWS) returns to hosting its cloud computing conference, AWS re:Invent 2021, in person. Cloud professionals from around the globe will gather in Las Vegas to learn the latest news in AWS cloud computing. The five-day conference is packed with sessions on containers, DevOps, end user computing, IoT, and much more.

The Center for Internet Security (CIS) is a proud sponsor of AWS re:Invent, which will be held November 29 – December 3. Find us at Booth #732 on the Expo Floor at The Venetian. Not only is CIS sponsoring the event, but we’ve also highlighted several must-see sessions that leverage our best practices.

AWS re:Invent 2021 Essential Sessions

Workshop | WPS203 – Simplifying compliance with AWS GovCloud (US)

Tuesday, November 30 | 5:00 – 7:15 P.M.

AWS GovCloud (US) gives customers the flexibility to architect secure cloud workloads that comply with some of the strictest U.S. compliance regulations. From Controlled Unclassified Information (CUI), personally identifiable information (PII), sensitive patient medical records, and financial data to law enforcement data and export-controlled data, AWS GovCloud (US) can help address some of the most stringent security and compliance requirements. Join this workshop to dive into the basics of how AWS and AWS GovCloud (US) Regions can help address these stringent security, compliance, and governance requirements.

Furthermore, CIS offers CIS Hardened Images, pre-hardened virtual machine (VM) images, a trusted resource to help secure cloud workloads on AWS Cloud in the AWS GovCloud (US) Region. They’re available for Windows and Linux operating systems.

See full list of CIS Hardened Images on AWS Cloud – Free trials available

Chalk Talk | SEC312 – Develop a strategy for automated remediation and response

Wednesday, December 1 | 12:15 – 1:15 P.M.

In this chalk talk, you’ll consider a framework to use with AWS Security Hub to determine which findings should be auto-remediated. For example, the CIS AWS Foundations Benchmark is available within AWS Security Hub. This framework provides recommendations to securely configure your AWS account. It covers actions like identity and access management, networking, and more.

This session will explore whether a remediation is a destructive action and how to tag findings to automate these decisions. When auto-remediation isn’t appropriate or should include approvals, learn how to auto-respond to findings. You’ll learn how to enrich these findings with assignee information based on resource tags; you can then use that assignee information in email, Slack, or ticket notifications.

Chalk Talk | SEC305 – Automate vulnerability management with Amazon Inspector

Thursday, December 2 | 11:30 A.M. – 12:30 P.M.

Amazon Inspector is a vulnerability management service that scans AWS workloads for software vulnerabilities and unintended network exposure. In this chalk talk, learn how to get the most out of Amazon Inspector. This includes how to prioritize the most critical vulnerabilities to help increase remediation response efficiency.

Windows and Linux users can apply the knowledge from this session and run assessments to check the configurations of their Amazon EC2 instances against CIS Benchmarks. The findings within the Amazon Inspector assessment will detail the steps needed to remediate vulnerabilities.

From the CIS Booth: New CIS AWS Resources to Secure Cloud Workloads

Foundational Security for AWS

CIS Benchmarks are a set of prescriptive guides to help organizations securely configure a variety of technologies. They cover more than 25 vendor product families, helping to safeguard systems against today’s evolving cyber threats. Because of CIS’s deep partnership with AWS, CIS Benchmarks are integrated with several AWS services:

AWS Audit Manager
AWS Config
AWS Inspector
AWS Security Hub

These integrations allow AWS customers to audit and test the security of their AWS environments against CIS Benchmarks. Within these four AWS services, cloud consumers will find the CIS AWS Foundations Benchmark and CIS Benchmarks for various operating systems.

AWS Graviton2

At AWS re:Invent 2021, stop by our booth to learn how to implement the latest cloud security resources and provide feedback to the CIS team. First, CIS built two CIS Hardened Images on AWS Graviton2 processors. In addition to the compliance they offer to CIS Benchmarks standards, they also deliver 40% better price performance compared to current generation x86-based instances.

DISA STIG Compliance

For organizations and industries that require compliance to DISA Security Technical Implementation Guides (STIGs), CIS has created four Benchmarks. These are also available as pre-configured CIS Hardened Images in AWS Marketplace. Notably, CIS recently released a new hardened VM secured to STIG standards for Microsoft Windows Server 2019. STIG Benchmarks and CIS Hardened Images are also available for:

Amazon Linux 2
Microsoft Windows Server 2016
Red Hat Enterprise Linux 7
Ubuntu Linux 20.04

The team plans to release additional STIG Benchmarks and VMs for Apple macOS 11 and Red Hat Enterprise Linux 8 in the coming months.

These are just a few of the many cloud security resources that CIS provides. Stop by Booth #732 at AWS re:Invent 2021 to learn how you can incorporate CIS cloud security resources into your cybersecurity program.

Read More

CIS Benchmarks November 2021 Update

Read Time:2 Minute, 13 Second

The following CIS Benchmark updates have been released.  We’ve highlighted the major updates below. Each Benchmark includes a full changelog that can be referenced to see all changes made.

CIS AlmaLinux OS 8 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for AlmaLinux OS 8 Linux distribution systems running on x86_64 platforms.

Special thanks to Jack Aboutboul and Simon John for their contributions to the initial development of the benchmark and thanks to the CIS AlmaLinux Community for their time and expertise toward this release. Your contributions are invaluable to our consensus process.

Download the AlmaLinux OS 8 Benchmark PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS PostgreSQL 14 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for PostgreSQL 14. This guide was tested against PostgreSQL 14 running on RHEL 8, but applies to other Linux distributions as well.

Special thanks to Doug Hunley and Crunchy Data for their significant contributions, and thanks to the CIS PostgreSQL Community who participated in general and ticket-specific discussions.

Download the PostgreSQL 14 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS MongoDB 5 Benchmark v1.0.0

Prescriptive guidance for establishing a secure configuration posture for MongoDB version(s) 5.x. This guide was tested against MongoDB 5.0.2 running on Ubuntu Linux, Linux Red Hat, and Windows, but applies to other distributions as well.

Download the MongoDB 5 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

CIS MongoDB 3.6 Benchmark v1.1.0

Prescriptive guidance for establishing a secure configuration posture for MongoDB version 3.6. This guide was tested against MongoDB 3.6 running on Ubuntu Linux and Windows, but applies to other distributions as well.

Thanks to the CIS Mongo DB community for their support, and special thanks to Vinesh Redkar, Pralhad Chaskar, Emad Al-Mousa, and Matthew Reagan

Download the MongoDB 3.6 PDF

CIS SecureSuite Members can visit CIS WorkBench to download other formats and related resources.

Volunteers Needed for CIS Benchmarks

Get involved by helping us develop content, review recommendations, and test CIS Benchmarks. Join a community today! We’re looking for contributors for the following technologies:

Google Kubernetes Engine
Google Cloud Computing – Container-Optimized OS Benchmark
IBM AIX
Microsoft Windows

EMS Gateway
Windows Server 2022
Windows 11
Windows 10 21H

Interested in learning more about the CIS Benchmarks development process or how you can get involved? Reach out to us at benchmarkinfo@cisecurity.org. You can also learn more on the CIS Benchmarks Community page.

Read More

CIS Risk Assessment Method (RAM) v2.0 for CIS Controls v8

Read Time:5 Minute, 30 Second

Risk assessments are valuable tools for understanding the threats enterprises face, allowing them to organize a strategy and build better resiliency and business continuity, all before a disaster occurs. Preparation is key – after all, the worst time to plan for a disaster is during a disaster.

The Center for Internet Security (CIS) recently released the CIS Risk Assessment Method (RAM) v2.0, an information security risk assessment method to help enterprises justify investments for reasonable implementation of the CIS Critical Security Controls (CIS Controls). CIS RAM helps enterprises define their acceptable level of risk, and then manage that risk after implementation of the Controls. Few enterprises can apply all Controls to all environments and information assets. Some Controls offer effective security, but at the cost of necessary efficiency, collaboration, utility, productivity, or available funds and resources.

When enterprises conduct a cyber risk assessment for the first time, it can be challenging to know where to start. CIS RAM is a powerful, free tool to guide the prioritization and implementation of the CIS Controls, and to complement an enterprise’s technical ability with a sound business risk-decision process. It is also designed to be consistent with more formal security frameworks and their associated risk assessment methods. Most importantly, CIS RAM lets enterprises of varying security capabilities navigate the balance between implementing security controls, risks, and enterprise needs.

CIS RAM Can Help Your Enterprise Demonstrate “Due Care”

If you experience a breach and your case goes to litigation, you will be asked to demonstrate “due care.” This is the language judges use to describe “reasonableness.” Enterprises must use safeguards to ensure that risk is reasonable to the enterprise and appropriate to other interested parties at the time of the breach. CIS RAM provides a method to “draw a line” at an enterprise’s acceptable risk definition, with risks below the line adhering to “due care,” and risks above the line requiring risk treatment. At the core of CIS RAM is the Duty of Care Risk (DoCRA) methodology, which allows enterprises to weigh the risks of not implementing the controls and its potential burden on the enterprise.

CIS RAM helps you answer questions like:

What are my enterprise’s risks?
What constitutes “due care” or “reasonableness?”
How much security is enough?

What’s New for CIS RAM v2.0

CIS RAM is made up of a family of documents, with CIS RAM Core at the foundation of it all. CIS RAM Core is a “bare essentials” version of CIS RAM that provides the principles and practices of CIS RAM risk assessments to help users rapidly understand and implement CIS RAM. It is also useful for enterprises and cybersecurity practitioners who are experienced at assessing risk, and who are able to quickly adopt RAM’s principles and practices for their environment.

As previously mentioned, CIS RAM uses DoCRA, which presents risk evaluation methods that are familiar to legal authorities, regulators, and information security professionals to create a “universal translator” for these disciplines. The standard includes three principles and 10 practices that guide risk assessors in developing this universal translator for their enterprise.

And now, CIS RAM v2.0 helps enterprises estimate the likelihood of security incidents by using data about real world cybersecurity incidents. We have evolved our thinking about threat likelihood so instead of asking, “how likely is it that this risk will occur” we now ask, “when a security incident occurs, what is the most likely way it will happen here?” CIS RAM now uses data from the Veris Community Database to help each enterprise automatically estimate that likelihood by comparing the real-world incident data to the resilience of their deployment of each CIS Safeguard.

CIS RAM v2.0 provides three different approaches to support enterprises of three levels of capability, in alignment with the CIS Controls Implementation Groups: IG1, IG2, and IG3. One document for each Implementation Group will be the anchors in the CIS RAM family and will be available for both v8 and v7.1 of the CIS Critical Security Controls. Each document will have a workbook with a corresponding guide. The first of many documents in the CIS RAM v2.0 family, CIS RAM v2.0 for Implementation Group 1 and CIS RAM v2.0 for Implementation Group 1 Workbook are now available for download and will help enterprises in IG1 to build their cybersecurity program. These IG1 documents automate much of the risk assessment process so that enterprises with little or no cybersecurity expertise can become aware of their risks, and know which to address first.

All CIS RAM documents have material to help readers accomplish their risk assessments, and include the following: examples, templates, exercises, background material, and further guidance on risk analysis techniques. We are actively working on CIS RAM v2.0 for IG2 and IG3.

The CIS RAM Core Process

CIS RAM Core risk assessments involve the following activities:

Developing the Risk Assessment Criteria and Risk Acceptance Criteria: Establish and define the criteria for evaluating and accepting risk.
Modeling the Risks: Evaluate current implementations of the CIS Safeguards that would prevent or detect foreseeable threats.
Evaluating the Risks: Estimate the likelihood and impact of security breaches to arrive at the risk score, then determine whether identified risks are acceptable.
Recommending CIS Safeguards: Propose CIS Safeguards that would reduce unacceptable risks.
Evaluating Recommended CIS Safeguards: Risk-analyze the recommended CIS Safeguards to ensure that they pose acceptably low risks without creating an undue burden.

Enterprises that use CIS RAM and CIS RAM Core can then develop a plan, as well as expectations for securing an environment reasonably, even if the CIS Safeguards are not comprehensively implemented for all information assets.

CIS RAM was developed by HALOCK Security Labs in partnership with CIS. HALOCK has used CIS RAM’s methods for several years with positive response from legal authorities, regulators, attorneys, business executives, and technical leaders. HALOCK and CIS collaborated to bring the methods to the public as CIS RAM v1.0 in 2018, and now v2.0 in 2021. CIS is a founding member of the non-profit DoCRA Council that maintains the risk analysis standard that CIS RAM is built upon.

Taking the Next Step

Ready to conduct a cyber risk assessment? Download CIS RAM for step-by-step processes, example walk-throughs, and more. It’s free for any organization to use to conduct a cyber risk assessment.

 
CIS has recently released CIS RAM v2.1.Click here to see what’s new.
 
Join the CIS RAM Community on CIS WorkBench.
 
Questions about CIS RAM? Email controlsinfo@cisecurity.org.

Read More