CIS Critical Security Control, known now as CIS Controls have recently been updated and revised in the CIS Controls v8 released by the Center for Internet Security (CIS). The CIS Controls are a collection of industry-recognized best practices for businesses dealing with data security risks.
Such measures were created to make things easier and keep the IT operations and security teams attention on crucial tasks. In v8, CIS changes a little the perspective around baseline security and system hardening. The following article provides an extensive description of CIS critical security control 4: Secure Configuration of Enterprise Assets and Software.
There are a total of 153 Safeguards in CIS Controls v8 which are prioritized into Implementation Groups (IGs). Every enterprise should start with IG1. Each IG then builds upon the previous one: IG2 includes IG1, and IG3 includes all CIS Safeguards in IG1 and IG2.
In CIS Control 4 the Implementation Guide score is:
- IGI 7/12
- IG2 11/12
- IG3 12/12
CIS Control 4 has 12 safeguards. This article breaks down these 12 safeguards and compares them to the previous CIS Controls v7.1.
CIS Control 04: SECURING CONFIGURATION OF ENTERPRISE ASSETS AND SOFTWARE
This Control is about protecting configuration for any configurable system, hardware, or software component. End-user devices including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications. To select the best choice, multi-disciplined employees must examine many prospective options. Once configuration settings are implemented, they must be maintained because the system is dynamic, and new threats are constantly being discovered.
Using a limited number of hardening tool alternatives achieves a hardened infrastructure. System hardening should be automated. Using unautomated tools will most likely result in one of two scenarios: 1. Critical machines not configured in the most secure fashion, increasing the organization's attack surface. 2. Critical machine downtime due to using manual tools for such complex tasks.
Let’s discuss CIS Control 4
According to the CIS Controls, the following 12 actions are required to achieve a secure baseline for CIS Control 4:
1) ESTABLISH AND MAINTAIN A SECURE CONFIGURATION PROCESS
All business resources (end-user hardware, non-computer/Internet of Things devices, and servers) and software are covered under this.
Configuration security goes through three levels:
- Creating configuration security policy – every system component type, role, version, and environment should have its own policies.Update the policies annually or in the event of a significant change within the organization, ensuring that they are based on configuration security best practices, such as the CIS Benchmarks.
- After authorizing the policy, apply it in the approved form, treating any deviations as exceptions.
- Monitoring the compliance posture – Putting effort into appropriately protecting servers is insufficient.
CIS Control V7.1 appearance:
5.1 Establish Secure Configurations.
5.4 Deploy System Configuration Management Tool.
14.3 Disable workstation-to-workstation communication.
2)ESTABLISH AND MAINTAIN A SECURE CONFIGURATION PROCESS FOR NETWORK INFRASTRUCTURE
Establish the same process mentioned previously on network devices.
CIS Control V7.1 appearance:
11.1 Maintain Standard Security Configurations for Network Devices,
11.3 Use Automated Tools to Verify Standard Device Configurations and Detect Changes
3) CONFIGURE AUTOMATIC SESSION LOCKING ON ENTERPRISE ASSETS
In most operating systems (OS), Automatic Session Locking possible values could be Disabled or Not Defined.
You should set the Locking time to a maximum of 15 minutes for general-purpose operating systems. However, for portable devices used by end-users, you should set the Locking time to a maximum of 2 minutes.
CIS Control V7.1 appearance:
16.11 Lock Workstation Sessions After Inactivity.
4) IMPLEMENT AND MANAGE A FIREWALL ON SERVERS
The cybersecurity underpinnings of the company include firewalls. But be careful that this tool has some security flaws of its own.
- Configuration errors: If your firewalls are misconfigured, an attacker will have no trouble using them to breach the network. It’s normal to notice mistakes like enabling dynamic routing.
- Missing patches: these are typically the result of poor firewall administration.
- Without the protection of an internal firewall, organizations remain vulnerable to internal threats. A perimeter firewall alone cannot effectively safeguard against malicious actions initiated from within the network.
CIS Controls V7.1 appearance:
9.2 Ensure Only Approved Ports, Protocols, and Services Are Running,
9.4 Apply Host-Based Firewalls or Port-Filtering,
12.4 Deny Communication Over Unauthorized Ports,
11.2 Document Traffic Configuration Rules
5) IMPLEMENT AND MANAGE A FIREWALL ON END-USER DEVICES
The initial line of protection against infiltration assaults is end-user device firewalls. The function of a personal firewall is to 1. filter incoming traffic and block suspicious code. 2. Check sent messages for threats to the recipient. 3. Prevent hackers from using logical ports.
CIS Controls V7.1 appearance:
9.2 Ensure Only Approved Ports, Protocols, and Services Are Running
9.4 Apply Host-Based Firewalls or Port-Filtering
12.4 Deny Communication Over Unauthorized Ports
11.2 Document Traffic Configuration Rules
6) SECURELY MANAGE ENTERPRISE ASSETS AND SOFTWARE
Some illustrations of best practices are as follows:
- Establish a hardening policy that is particular to the infrastructure’s type and version in addition to both. In other words, the hardening policy for Windows Server 2016 and 2019 should differ from one another.
- Implement only secure network protocols and try to avoid using HTTP wherever you can.
- Avoid utilizing insecure protocols whenever possible.
CIS Controls V7.1 appearance:
This section is new. Similar recommendations were not published in CIS Controls V7.
7) MANAGE DEFAULT ACCOUNTS ON ENTERPRISE ASSETS AND SOFTWARE
Standard accounts are automatically assigned unique passwords by built-in routines. This means that all devices using these accounts share the same password. This option is sometimes used to facilitate device setup or crisis recovery procedures.
When not in use for setup or recovery purposes, this shared password should be disabled to enhance security. However, if you need to use this account for troubleshooting, recovery, or booting into safe mode, it will be automatically re-enabled.
CIS Controls V7.1 appearance:
4.2 Change Default Passwords
8) UNINSTALL OR DISABLE UNNECESSARY SERVICES ON ENTERPRISE ASSETS AND SOFTWARE
Enabling all features on every system component may seem like a good idea for convenience, but it often compromises security. Implementing only the features that are essential for each component’s specific function enhances overall security posture.
The biggest problem in implementing this advice is producing an effect analysis report to determine which service is required where. You have two choices in this scenario:
- Utilize automation solutions that can understand your network and notify you automatically of the effects of any changes.
- Start manually assessing how each modification will affect your production. You will need to start testing each update while simulating various system components and situations. Extended hours will be required, and there will likely be human errors that cause disruption.
You can find here all the tools, paid and free, available for this task.
CIS Controls V7.1 appearance:
Some of the recommendations in this section are new. The rest appears here:
9.2 Ensure Only Approved Ports, Protocols, and Services Are Running.
15.6 Disable Peer-to-Peer Wireless Network Capabilities on Wireless Clients.
15.9 Disable Wireless Peripheral Access of Devices.
15.4 Disable Wireless Access on Devices if Not Required.
9) CONFIGURE TRUSTED DNS SERVERS ON ENTERPRISE ASSETS
An organization’s interface with the Internet and IP networks is mainly dependent on the Domain Name Server (DNS). Recommendations for DNS defense include:
- Stay up to date with the latest patches and builds being released.
- Separate between internal and external DNS servers.
- Disable recursion.
- Try to run DNS servers that are only dedicated to a single purpose.
- Diverse in the locations of your DNS servers to help to prevent DoS attacks.
- Restrict zone transfer.
- Authenticate zone transfer.
- Restrict dynamic updates.
- Hide the BIND version of the server.
- Restrict external access to the DNS servers by using queries for clients with public IP addresses.
CIS Controls V7.1 appearance:
This section is new. Similar recommendations were not published in CIS Controls V7.
10) ENFORCE AUTOMATIC DEVICE LOCKOUT ON PORTABLE END-USER DEVICES
Different devices have different recommended numbers of failed attempts. Limiting the number of unsuccessful tries for laptops shouldn’t go beyond 20. The maximum number of failed tries for tablets and smartphones is 10.
CIS Controls V7.1 appearance:
This section is new. Similar recommendations were not published in CIS Controls V7.
11) ENFORCE REMOTE WIPE CAPABILITY ON PORTABLE END-USER DEVICES
This is crucial in cases of lost or stolen equipment. It is also an intelligent practice when handling a former employee’s device who you wish to prevent from accessing the company’s data.
CIS Controls V7.1 appearance:
This section is new. Similar recommendations were not published in CIS Controls V7.
12) SEPARATE ENTERPRISE WORKSPACES ON MOBILE END-USER DEVICES
Try to keep work-related and personal usage separate for the employees’ mobile workspaces. There will be less chance that attackers will use employee activities to gain access to your network.
CIS Controls V7.1 appearance:
This section is new. Similar recommendations were not published in CIS Controls V7.
(BONUS) Tools for automating hardening as a game-changer for your project
Tools for hardening automation provide complete hardening solutions. They simplify this complicated procedure into a “click of a button” operation. You won’t need to write a single script or possess any specialized knowledge. They are equipped with impact analysis skills and all features of Security Configuration tools and Compliance Scanners.
CalCom Hardening Automation Suite (CHS) is a hardening automation platform designed to reduce operational costs and increase infrastructure security and compliance posture. CHS eliminates outages and reduces hardening costs by automating every stage in the hardening process:
- Automatic impact analysis: indicating the impact of a security hardening change on the production services.
- Automatic policy implementation: after setting a policy according to the impact analysis report, CHS will implement each policy on the right machine from a single point of control.
- Continuous compliance - CHS will monitor your compliance posture, alert, and remediate configuration drifts. CHS will ensure your compliance level remains high in the dynamic ever-changing infrastructure, so you won't need to perform hardening from scratch a few months post your initial hardening project.