The Center for Internet Security


The Center for Internet Security Measurably reducing risk through collaboration, consensus, & practical security management

Content of this Presentation:
I. Background
II. Univ. of CA Schools' Rights and Benefits as a Member
III. Consensus Benchmarks: their value for system and network security
IV. Assessment Tools, primarily CIS-CAT: use cases & features, specs & system requirements
V. Consensus Security Metrics
VI. Security Software Certification
VII. Member Support & Contact Information
VIII. Q & A

Background

The Center for Internet Security (CIS)
- Formed in October 2000
- A not-for-profit consortium of users, security consultants, and vendors of security software (Members)
- Convenes and facilitates teams developing consensus Benchmarks for system & network security configuration
- Developed and distributes the Configuration Assessment Tool (CIS-CAT) to its members
- Convenes and facilitates teams developing consensus definitions for information security metrics

Univ. of CA Schools' Rights & Benefits of Membership

Benefits of Membership: Unlimited Number of Univ. of CA Schools Users
- The right to distribute and use all of the resources throughout Univ. of CA Schools
- Access to the Members-Only CIS-CAT Tool (Configuration Assessment Tool)
- Member Updates: timely notification of new releases & updates

Benefits of Membership: Additional Benefits
Members-Only Site: an unlimited number of Univ. of CA Schools users have access to the Members website for:
- Configuration Assessment Tool (CIS-CAT), including technical specifications and User's Guide;
- XML Benchmark versions, including the XML Editing Guide;
- Participation in the Member discussion forums; register at https://members.cisecurity.org/forums/register.php
Support: as Members, Univ. of CA Schools users receive free Benchmark/CIS-CAT implementation support: support@cisecurity.org

Consensus Benchmarks

The Consensus Benchmarks Are:
- Recommended technical control rules/values for hardening OSs, applications, and network devices.
- Downloaded hundreds of thousands of times per year.
- Distributed in .pdf to the general public (to propagate their use/adoption worldwide).
- Distributed in XML (XCCDF) format to Members.
- Used by thousands of organizations worldwide as the basis for their security configuration policies and the standard against which to compare them.

The Security Value of Consensus Benchmarks
The Problem: The vast majority of cyber attacks exploit known software flaws for which a patch or security configuration control is known.
The Solution: Research and case studies show that 80-95% of known vulnerabilities are blocked by the technical security controls and actions recommended in the consensus benchmarks. (Research reports & case studies are on the web site.)

The Compliance Value of Consensus Benchmarks
The Problem: FISMA, PCI, and other regulations require adoption of configuration best practices.
The Solution: The benchmarks distributed by CIS are consensus best-practice standards for security configuration, developed and accepted by business/industry and government internationally.

How the Consensus Process Works:
- Each Benchmark development project is part of the community projects. To view or join community projects, go to: http://cisecurity.org/enus/?route=community.projects
- Each project includes volunteer subject matter experts who discuss configuration recommendations for the Benchmark(s). The technical discussions on these projects define the content of the Benchmark(s).
- Univ. of CA Schools users and subject matter experts are invited to participate in the Consensus Process. To learn more about how to get involved or to volunteer, go to http://cisecurity.org/en-us/?route=community or contact us at support@cisecurity.org.

Univ. of CA Schools users and subject matter experts can be involved in any of the following roles:
- Benchmark Leader: creates draft content for a new or significantly updated Benchmark and presents the draft to the consensus team for discussion and review. (This is the only formally assigned role.)
- Contributor: takes an active role in defining and extending Benchmark content in the consensus process.
- Tester: has the resources available to technically implement and test the recommendations in the Benchmark to ensure validity, and provides feedback to participants on the list.
- Reviewer: reviews the Benchmark draft for syntactical, grammatical, aesthetic, and readability issues.

U.S. Federal Government Agencies and Commercial Vendors are Fully Engaged in the Consensus Process
Government Agencies: NSA, DISA, NIST
Commercial Vendors: Microsoft, IBM, HP, Juniper, Cisco, Novell, Oracle, Checkpoint, Apple, Red Hat

54 Benchmarks are Now Available in .pdf Format on the Public Web Site: www.cisecurity.org
- Twenty-two are for operating systems
- Twenty-five are for middleware and applications
- Six are for network devices
- One is for a mobile device

Operating System Benchmarks
- WinXP Pro (SP1/SP2)
- Windows Server 2003
- Windows Server 2008
- Windows 2000 Pro
- Windows 2000 Server
- Windows 2000
- Windows 7
- Windows NT
- Mac OS X 10.5 (Leopard)
- Mac OS X 10.4 (Tiger)
- FreeBSD 4.1
- Solaris 10 11/06 and 8/07
- Solaris 2.5.1-9.0
- Sun Solaris 10 Benchmark v5.0.0
- HP-UX 11i v2/v3 update 4
- AIX 4.3-5.1
- Red Hat Linux 5 (RHEL 5)
- Red Hat Linux 4 (for RHEL 2.1, 3.0, 4.0 and Fedora Core 1, 2, 3, 4, & 5)
- SUSE Linux 9/10
- Slackware Linux 10.2
- Debian Linux
- Novell OES: Netware

Application Benchmarks
- Apache Web Server 1.3/2.2
- Apache Tomcat 5.5/6.0
- Apache HTTP Server
- BIND 9.0-9.5
- Exchange Server 2003
- Exchange Server 2007
- FreeRADIUS 1.1.3
- IIS 5/6
- IBM DB2 8-9.5
- Microsoft Office 2007
- Mozilla Firefox 3.5
- MySQL 4.1/5.0/5.1
- Novell eDirectory 6.5
- OpenLDAP 2.4
- Opera Benchmark v1.0.0
- Oracle Database 8i Benchmark v3.0.0
- Oracle Database 9i/10g
- Oracle Database 11g
- Safari Benchmark v1.0.0
- SQL Server 2005
- SQL Server 2000
- Sybase ASE 15.0
- Virtual Machine: VMware ESX Server 3.0, VMware ESX Server 3.5, Xen Server 3.2

Network Device Benchmarks
- Cisco IOS Router
- Cisco ASA, FWSM, and PIX
- Check Point Firewall
- Juniper OS Benchmark v1.0.0
- Multi-Function Devices
- Wireless Networks
Mobile Device Benchmarks
- Apple iPhone OS

Benchmark Roadmap
- Apple OS Benchmark 2.0.0
- Blackberry Enterprise Server Benchmark 1.0.0
- Cisco Firewalls Benchmark 3.0.0
- Cisco IOS Benchmark 3.0.0
- IIS 7 Benchmark v1.0.0
- IBM AIX 5.3-6.1 Benchmark v1.0.0
- Internet Explorer 8 Benchmark v1.0.0
- Microsoft SQL Server 2005 v2.0.0
- Microsoft Windows 2003 Benchmark v3.0.0
- Microsoft Windows XP Benchmark v3.0.0
- MySQL Benchmark v2.0.0
- Red Hat Enterprise Linux Benchmark v3.0.0
- SuSE Enterprise Linux Benchmark v3.0.0
- VMware ESX Server 4.1 Benchmark v1.0.0
- Microsoft SQL Server 2008 Benchmark v1.0.0
- Microsoft Office SharePoint Server Benchmark v1.0.0

21 of the 54 Benchmarks are Available to Members Only in Machine-Readable XML (XCCDF) Format, for Use with CIS-CAT and Tools that Members Develop.
The XML Benchmarks are available on the Members web site at: http://members.cisecurity.org

Assessment Tools Primarily CIS-CAT (CIS-Configuration Assessment Tool)

CIS-CAT Tools Use Cases
- Improve security awareness by comparing the security of out-of-the-box vs. hardened systems.
- Create standard configuration images for hardening systems prior to deployment.
- Periodically audit and/or routinely monitor the configuration of individual production systems compared to the Benchmark and/or enterprise policies.
- Audit/monitor multiple systems simultaneously using system management utilities. (CIS provides supplemental scripts that support CIS-CAT in assessing multiple systems simultaneously.)

CIS-CAT (CIS-Configuration Assessment Tool)
- Host-based configuration assessment/audit software tool
- Available ONLY to Members; distributed via the Members web site
- Distributed with GUI & CLI
- The ONLY tool CIS is currently developing & supporting
- Requires JRE v1.5 or later
- CIS-CAT and the JRE can reside on the target system, a removable drive, or a network drive, provided it is accessible from the target of evaluation.

CIS-CAT
- A Java tool that reads the Benchmark XML files (the XML files specify the Benchmark rules and values, and the checks that the tool executes to assess & report configuration status)
- Also reads customized XML files, so the configuration of systems can be compared with both the Benchmarks and customized configuration policies
- NIST-validated FDCC Scanner (http://nvd.nist.gov/validation cis.cfm)
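As an added illustration of the XCCDF format that CIS-CAT consumes (example code written for this page, not CIS-CAT's own code), the Python below parses a small, constructed XCCDF 1.1 benchmark carrying an embedded TestResult of the kind an assessment tool writes back, computes the XCCDF flat score (sum of the weights of passing rules over the sum of the weights of all scored rules), and lists the rules that did not pass. The element names and namespace are XCCDF 1.1's; the rule ids, titles, weights and results are made up.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.1"
NS = {"x": XCCDF_NS}

# Constructed sample: one group, four rules and one TestResult. Rule ids,
# titles, weights and results are invented for this example.
SAMPLE_XCCDF = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="example-os-benchmark">
  <title>Example OS Benchmark (constructed)</title>
  <Group id="grp-auth">
    <title>Authentication</title>
    <Rule id="rule-min-passwd-len" weight="10.0" selected="true"><title>Minimum password length is 14 or more</title></Rule>
    <Rule id="rule-lockout" weight="5.0" selected="true"><title>Account lockout threshold is 5 or fewer</title></Rule>
  </Group>
  <Rule id="rule-ssh-root-login" weight="10.0" selected="true"><title>SSH root login is disabled</title></Rule>
  <Rule id="rule-nfs-client" selected="false"><title>NFS client package is not installed</title></Rule>
  <TestResult id="result-2010-10-01" start-time="2010-10-01T10:00:00" end-time="2010-10-01T10:05:00">
    <rule-result idref="rule-min-passwd-len"><result>pass</result></rule-result>
    <rule-result idref="rule-lockout"><result>fail</result></rule-result>
    <rule-result idref="rule-ssh-root-login"><result>notapplicable</result></rule-result>
    <rule-result idref="rule-nfs-client"><result>notselected</result></rule-result>
  </TestResult>
</Benchmark>
"""

# Result values that the XCCDF flat scoring model leaves out of the score.
UNSCORED = {"notapplicable", "notchecked", "notselected", "informational"}


def load_rules(root):
    """Map rule id -> (title, weight); weight defaults to 1.0 as in XCCDF."""
    rules = {}
    for rule in root.iter("{%s}Rule" % XCCDF_NS):  # Rules may be nested in Groups
        title = rule.findtext("x:title", default="", namespaces=NS)
        rules[rule.get("id")] = (title, float(rule.get("weight", "1.0")))
    return rules


def load_results(root):
    """Map rule id -> result string from the benchmark's TestResult element(s)."""
    return {rr.get("idref"): rr.findtext("x:result", default="unknown", namespaces=NS)
            for rr in root.iterfind("x:TestResult/x:rule-result", NS)}


def flat_score(xccdf_text):
    """Flat model score plus the list of scored rules that did not pass."""
    root = ET.fromstring(xccdf_text)
    rules, results = load_rules(root), load_results(root)
    score, maximum, failing = 0.0, 0.0, []
    for rule_id, result in results.items():
        if result in UNSCORED or rule_id not in rules:
            continue  # unscored results and unknown idrefs do not affect the score
        title, weight = rules[rule_id]
        maximum += weight
        if result == "pass":
            score += weight
        else:
            failing.append((rule_id, title, result))
    percent = 100.0 * score / maximum if maximum else 0.0
    return {"score": score, "max": maximum, "percent": percent, "failing": failing}
```

With the sample, the notapplicable and notselected rules are excluded, so the score is 10 of a possible 15 (66.7%) and the lockout rule is reported as failing.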

CIS-CAT Supports These Benchmarks:
- Apache Tomcat Benchmark v1.0.0
- Apple OSX 10.5 Benchmark v1.0.0
- Debian Linux Benchmark v1.0.0
- HP-UX 11i Benchmark v1.4.2
- IBM AIX 4.3-5.1 Benchmark v1.0.1
- Microsoft Windows 2003 MS DC Benchmark v2.0.0
- Microsoft Windows 2008 Server Benchmark v1.0.0
- Microsoft Windows 7 Benchmark v1.0.0
- Microsoft Windows XP Benchmark v2.0.1
- Oracle Database 11g Benchmark v1.0.1
- Oracle Database 9i-10g Benchmark v2.0.1
- RedHat Enterprise Linux 4 Benchmark v1.0.5
- RedHat Enterprise Linux 5.0-5.1 Benchmark v1.1.2
- Slackware Linux 10.2 Benchmark v1.1.0
- Solaris 10 1106-10 0807 Benchmark v4.0.0
- Solaris 10 Benchmark v2.1.3
- Solaris 2.5.1-9 Benchmark v1.3.0
- SUSE Linux Enterprise Server 10 Benchmark v2.0.0
- SUSE Linux Enterprise Server 9 Benchmark v2.0.0
- VMware ESX 3.5 Benchmark v1.2.0
- Mozilla Firefox Benchmark v1.0.0

CIS-CAT Documentation
- README file in the download package
- Specification document, distributed via the members site
- CIS-CAT Users Manual, distributed via the members site
- A guide to assist users in modifying the Benchmark XML files for use with CIS-CAT
- Additional guidance is provided via the member discussion forum

CIS-CAT Roadmap (XCCDF benchmark: target completion date)
- VMware ESX 4.1 Benchmark v1.0.0: December 2010
- Microsoft SQL Server 2008 Benchmark v1.0.0: December 2010
- IBM AIX 5.3-6.1 Benchmark v1.0.0: December 2010
- Windows Server 2003 Benchmark v3.0.0: December 2010
- Apple OS Benchmark v2.0.0: December 2010
- Red Hat Enterprise Linux 5.4 Benchmark v3.0.0: December 2010
- Sun Solaris 10 Benchmark v5.0.0: October 2010

Other Assessment Tools
Currently available:
- Router Audit Tool (RAT Tool): currently being updated. Help us test it.
- Apache Benchmark Tool: will be updated once the Apache Benchmark is complete.
Use CIS-CAT instead of the following tools, as they are unsupported and no longer maintained:
- Perl tools for Unix operating systems
- Oracle Database 8i tool

Security Software Certification

Certification Overview
CIS Certified Security Software: tested to accurately measure and report system status against the recommendations in CIS Benchmarks. http://cisecurity.org/enus/?route=membership.certified.overview
Why use Certified Security Software?
- Independently validated to accurately audit systems
- CIS Benchmark content integrated into the software
- Enterprise-scale security auditing

Consensus Security Metrics

Security Metrics Initiative
Organizations struggle to make cost-effective security investment decisions; information security professionals lack widely accepted and unambiguous metrics for decision support. To address this need, CIS established a consensus team of over 100 industry experts from leading commercial, government and academic organizations of varying sizes. The result was a set of unambiguous, user-originated, consensus-based standard metrics and data definitions that can be used across organizations to define, collect and analyze data on security process benefits and outcomes.

Example Data Set

Example Metric Definition

Security Metrics Definitions
There are 20 Security Consensus Metrics Definitions covering 6 important business functions:
- Incident Management
- Vulnerability Management
- Patch Management
- Application Security
- Configuration Management
- Financial Metrics
Download the document here: http://cisecurity.org/enus/?route=downloads.metrics

Phase II Consensus Effort: Four Simple Goals
- Enhance the existing Consensus Security Metrics v1.0.0;
- Develop additional community metrics and taxonomies;
- Develop a prescriptive, quick-start implementation guide;
- Develop electronic schemes for sharing metric definitions, data sets and results.
- Accelerate vendor adoption and integration of standard metrics on behalf of end-organizations.
For more information about the Security Metrics, or to be involved in the metrics consensus process, contact Steven Piliero, Chief Security Officer, at spiliero@cisecurity.org

Member Support & Contact Information

Member Support for Univ. of CA Schools
As a benefit of membership, Univ. of CA Schools users are eligible to receive support service, at no charge, from CIS staff:
- Email: support@cisecurity.org
- Telephone, after initial email contact
- Discussion forums on the Members web site
Primary Membership Contact: Michelle Vogeler, Representative, mvogeler@cisecurity.org

Q & A