The Center for Internet Security

Transcription

1 The Center for Internet Security Measurably reducing risk through collaboration, consensus, & practical security management

2 Content of this Presentation: I. Background II. Univ. of CA Schools Rights and Benefits as a Member III. Consensus Benchmarks - their value for system and network security IV. Assessment Tools Primarily CIS CAT - use cases & features - specs & system requirements V. Consensus Security Metrics VI. Security Software Certification VII. Member Support & Contact Information VIII. Q & A

3 Background

4 The Center for Internet Security (CIS) Formed in October 2000 A not-for-profit consortium of users, security consultants, and vendors of security software (Members) Convenes and facilitates teams developing consensus Benchmarks for system & network security configuration Developed and distributes the Configuration Assessment Tool (CIS-CAT) to its members Convenes and facilitates teams developing consensus definitions for information security metrics

5 Univ. of CA Schools' Rights & Benefits of Membership

6 Benefits of Membership: Unlimited Number of Univ. of CA Schools Users The right to distribute and use all of the resources throughout Univ. of CA Schools Access to Members-Only CIS-CAT Tool (Configuration Assessment Tool) Member Updates - timely notification of new releases & updates

7 Benefits of Membership: Additional Benefits Members Only Site Unlimited number of Univ. of CA Schools users have access to the Members website for: Configuration Assessment Tool (CIS-CAT) (including technical specifications and User s Guide); XML Benchmark versions (including XML Editing Guide); Participation on the Member discussion forums; and Register at Support As Members, Univ. of CA Schools users receive free Benchmark/CIS-CAT implementation support: support@cisecurity.org

8 Consensus Benchmarks

9 The Consensus Benchmarks Are: Recommended technical control rules/values for hardening OSs, applications, and network devices. Downloaded hundreds of thousands of times per year. Distributed in.pdf to the general public (to propagate their use/adoption worldwide) Distributed in XML (XCCDF) format to Members. Used by thousands of organizations worldwide as the basis for their security configuration policies and the standard against which to compare them.

10 The Security Value of Consensus Benchmarks The Problem: The vast majority of cyber attacks exploit known software flaws for which a patch or security configuration control is known. The Solution: Research and Case studies show that 80-95% of known vulnerabilities are blocked by the technical security controls and actions recommended in the consensus benchmarks. (research reports & case studies are on the web site)

11 The Compliance Value of Consensus Benchmarks The Problem: FISMA, PCI, and other regulations require adoption of configuration best practices. The Solution: The benchmarks distributed by are consensus best practice standards for security configuration developed and accepted by business/industry and government internationally.

12 How the Consensus Process works: Each Benchmark development project is part of the community projects. To view or join community projects please go here: Each project includes volunteer subject matter experts who discuss configuration recommendations for the Benchmark(s). The technical discussions on these projects define the content of the Benchmark(s). Univ. of CA Schools users and subject matter experts are invited to participate in the Consensus Process. To learn more about how to get involved or to volunteer, go here: or contact us at

13 Univ. of CA Schools users and subject matter experts can be involved in any of the following roles: Benchmark Leader creates draft content for a new or significantly updated Benchmark and presents the draft to the consensus team for discussion and review. (This is the only formally assigned role) Contributor takes an active role in defining and extending Benchmark content in the consensus process. Tester has the resources available to technically implement and test the recommendations in the Benchmark to ensure validity, and provides feedback to participants on the list. Reviewer reviews the Benchmark draft for syntactical, grammatical, aesthetic, and readability issues.

14 U.S. Federal Government Agencies and Commercial Vendors are Fully Engaged in the Consensus Process Government Agencies NSA DISA NIST Commercial Vendors Microsoft IBM HP Juniper Cisco Novell Oracle Checkpoint Apple Red Hat

15 54 Benchmarks are Now Available In.pdf Format on the Public Web Site: Twenty-two are for operating systems Twenty-five are for middleware and applications Six are for network devices One Mobile Device

16 Operating System Benchmarks WinXP Pro (SP1/SP2) Windows Server 2003 Windows Server 2008 Windows 2000 Pro Windows 2000 Server Windows 2000 Windows 7 Windows NT Mac OS X 10.5 (Leopard) Mac OS X 10.4 (Tiger) FreeBSD 4.1 Solaris 10 11/06 and 8/07 Solaris Sun Solaris 10 Benchmark v5.0.0 HP-UX 11i v2/v3 update 4 AIX Red Hat Linux 5 (RHEL 5) Red Hat Linux 4 (for RHEL 2.1, 3.0, 4.0 and Fedora Core 1,2,3,4, & 5) SUSE Linux 9/10 Slackware Linux 10.2 Debian Linux Novell OES: Netware

17 Application Benchmarks Apache Web Server 1.3/2.2 OpenLDAP 2.4 Apache Tomcat Opera Benchmark v1.0.0 Apache HTTP Server Oracle Database 8i Benchmark v3.0.0 Oracle Database 9i/10g BIND Oracle Database 11g Exchange Server 2003 Safari Benchmark v1.0.0 Exchange Server 2007 SQL Server 2005 FreeRADIUS SQL Server 2000 IIS 5/6IBM DB Sybase ASE 15.0 Microsoft Office 2007 Virtual Machine Mozilla Firefox 3.5 VMWare ESX Server 3.0 MySQL 4.1/5.0/5.1 VMWare ESX Server 3.5 Novell edirectory 6.5 Xen Server 3.2

18 Network Device Benchmarks Cisco IOS Router Cisco ASA, FWSM, and PIX Check Point Firewall Juniper OS Benchmark v1.0.0 Multi-Function Devices Wireless Networks Mobile Device Benchmarks Apple iphone OS

19 Benchmark Roadmap Apple OS Benchmark Blackberry Enterprise Server Benchmark Cisco Firewalls Benchmark Cisco IOS Benchmark IIS 7 Benchmark v1.0.0 IBM AIX Benchmark v1.0.0 Internet Explorer 8 Benchmark v1.0.0 Microsoft SQL Server 2005 v2.0.0 Microsoft Windows 2003 Benchmark v3.0.0 Microsoft Windows XP Benchmark v3.0.0 MySQL Benchmark v2.0.0 Red Hat Enterprise Linux Benchmark v3.0.0 SuSE Enterprise Linux Benchmark v3.0.0 VMWare ESX Server 4.1 Benchmark v1.0.0 Microsoft SQL Server 2008 Benchmark v1.0.0 Microsoft Office SharePoint Server Benchmark v1.0.0

20 21 of the 54 Benchmarks are Available To Members Only In Machine-Readable XML (XCCDF) Format For Use With CIS-CAT And Tools that Members Develop The XML Benchmarks are Available On the Members Web Site at:

21 Assessment Tools Primarily CIS-CAT (CIS-Configuration Assessment Tool)

22 CIS-CAT Tools Use Cases Improve security awareness by comparing security of out-ofthe-box vs. hardened systems. Create standard configuration images for hardening systems prior to deployment Periodically audit and/or routinely monitor the configuration of individual production systems compared to the Benchmark and/or enterprise policies. Audit/monitor multiple systems simultaneously using system management utilities (CIS provides supplemental scripts that support CIS-CAT in assessing multiple systems simultaneously.)

23 CIS-CAT (CIS-Configuration Assessment Tool) Host based, configuration assessment/audit software tool Available ONLY to Members distributed via the Members web site Distributed with GUI & CLI The ONLY tool CIS is currently developing & supporting Requires JRE v1.5 or later CIS-CAT and JRE can reside on target system, removable drive, or network drive, provided it is accessible from the target of evaluation.

24 CIS-CAT A Java tool that reads the Benchmark XML files (XML files specify the Benchmark rules and values, and the checks that the tool executes to assess & report configuration status) Also reads customized XML files - compare the configuration of systems with both the Benchmarks and customized configuration policies NIST validated FDCC Scanner ( cis.cfm)

25 CIS-CAT Supports These Benchmarks: Apache Tomcat Benchmark v1.0.0 Apple OSX 10.5 Benchmark v Debian Linux Benchmark v1.0.0 HP-UX 11i Benchmark v1.4.2 IBM AIX Benchmark v1.0.1 Microsoft Windows 2003 MS DC Benchmark v2.0.0 Microsoft Windows 2008 Server Benchmark v1.0.0 Microsoft Windows 7 Benchmark v1.0.0 Microsoft Windows XP Benchmark v2.0.1 Oracle Database 11g Benchmark v1.0.1 Oracle Database 9i-10g Benchmark v2.0.1 RedHat Enterprise Linux 4 Benchmark v1.0.5 RedHat Enterprise Linux Benchmark v1.1.2 Slackware Linux 10.2 Benchmark v1.1.0 Solaris Benchmark v4.0.0 Solaris 10 Benchmark v2.1.3 Solaris Benchmark v1.3.0 SUSE Linux Enterprise Server 10 Benchmark v2.0.0 SUSE Linux Enterprise Server 9 Benchmark v2.0.0 VMware ESX 3.5 Benchmark v1.2.0 Mozilla Firefox Benchmark v1.0.0

26 CIS-CAT Documentation README file in the download package Specification document distributed via the members site. CIS-CAT Users Manual distributed via the members site. A guide to assist users in modifying the Benchmark XML files for use with CIS-CAT Additional guidance is provided via the member discussion forum

27 CIS-CAT Roadmap XCCDF Target Completion Date VMware ESX 4.1 Benchmark v1.0.0 December 2010 Microsoft SQL Server 2008 Benchmark v1.0.0 December 2010 IBM AIX Benchmark v1.0.0 December 2010 Windows Server 2003 Benchmark v3.0.0 December 2010 Apple OS Benchmark v2.0.0 December 2010 Red Hat Enterprise Linux 5.4 Benchmark v3.0.0 December 2010 Sun Solaris 10 Benchmark v5.0.0 October 2010

28 Other Assessment Tools Currently Available Router Audit Tool (RAT Tool) Currently being updated. Help us test it. Apache Benchmark Tool Will be updated once Apache Benchmark is complete Use CIS-CAT instead of the following tools as they are unsupported and no longer maintained. Perl tools for Unix operating systems Oracle Database 8i tool

29 Security Software Certification

30 Certification Overview CIS Certified Security Software Tested to accurately measure and report system status against recommendation in CIS Benchmarks Why use Certified Security Software? Independently validated to accurately audit systems CIS Benchmark content integrated into software Enterprise scale security auditing

31 Consensus Security Metrics

32 Security Metrics Initiative Organizations struggle to make cost-effective security investment decisions; Information Security Professionals lack widely accepted and unambiguous metrics for decision support. To address this need, established a consensus team of over 100 industry experts from leading commercial, government and academic organizations of varying sizes. The result was a set of unambiguous, user originated, consensus-based standard metrics and data definitions that can be used across organizations to define, collect and analyze data on security process benefits and outcomes.

33 Example Data Set

34 Example Metric Definition

35 Security Metrics Definitions There are 20 Security Consensus Metrics Definitions covering 6 important business functions: Incident Management; Vulnerability Management; Patch Management; Application Security; Configuration Management; and Financial Metrics Download the Document here:

36 Four simple goals: Phase II Consensus Effort Enhance existing Consensus Security Metrics v1.0.0; Develop additional community metrics and taxonomies; Develop a prescriptive, quick-start implementation guide; Develop electronic schemes for sharing metric definitions, data sets and results. Accelerate vendor adoption and integration of standard metrics on behalf of end-organizations. For more information about the Security Metrics or to be involved in the metrics consensus process, contact Steven Piliero, Chief Security Officer, at spiliero@cisecurity.org

37 Member Support & Contact Information

38 Member Support for Univ. of CA Schools As a benefit of membership, Univ. of CA Schools users are eligible to receive support service, at no charge, from staff: support@cisecurity.org Telephone, after initial contact Discussion forums on Members web site Primary Membership Contact Michelle Vogeler, Representative, mvogeler@cisecurity.org

39 Q & A