Compliance through CIS CSAT

Irvin Velazquez
Published in Globant, Oct 6, 2022 (6 min read)

Executive Summary

Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. In addition to defending their information systems, many organizations have to comply with a number of cybersecurity standards and requirements as a prerequisite for doing business. Dozens of cybersecurity standards exist throughout the world, and most organizations must comply with more than one such standard.

Designed by private and public sector experts from around the world, the CIS Critical Controls are the best way to block known attacks and mitigate damage from successful attacks. They have been adopted by international governments, the U.S. Department of Homeland Security, state governments, universities, and numerous private firms. The Center for Internet Security is a 501(c)(3) nonprofit organization formed in October 2000. Its mission is to make the connected world a safer place by developing, validating, and promoting timely best practice solutions that help people, businesses, and governments protect themselves against pervasive cyber threats.

Although the impact of COVID-19 on many businesses and enterprises is negative, survey respondent data show that the global pandemic helps retention. However, hiring talent in compliance remains challenging. Also, optimism surrounding cybersecurity budgets continues to slide, despite a sizable number of respondents reporting pandemic-specific security spending.

ISACA and many others have been reporting cybersecurity workforce shortages that have not improved significantly in over five years. Adding the financial constraints, we have a case for a free application that enables a security hardening program implemented through the CIS Controls. It improves the security posture of every organization when the program is managed as a Deming Cycle: an iterative design and management method used in the organization for the control and continual improvement of the cybersecurity maturity level in every iteration.

Prerequisites

  • Download and execution of the CIS Control Self Assessment Tool
  • A person with Integrity

Introduction. Security for every organization

CIS CSAT is a free tool that can help organizations improve their security posture regardless of size or resources. With multiple reporting formats, collaboration functionality, and cross-mappings, it’s a powerful place to start understanding and implementing CIS Controls.

Assessing Implementation of CIS Critical Security Controls

The CIS Critical Security Controls is a community-built set of prioritized cybersecurity guidance. They have been growing in popularity over the past 10 years. CIS Controls are being used and developed by thousands of cybersecurity experts around the world. To help organizations adopt CIS Controls, CIS has developed a new web application. This tool makes the powerful security guidance of the CIS Controls easier for teams to implement, track, and document.

CIS CSAT

The CIS Controls Self-Assessment Tool, or CIS CSAT, is a free web application that enables security leaders to track and prioritize their implementation of the CIS Controls. CIS CSAT’s questions are based on the popular Critical Security Manual Assessment Tool Excel document, and the platform was developed by EthicalHat. For each CIS Control and sub-control, CSAT helps organizations track their documentation, implementation, automation, and reporting.

Hardening process

Define a policy and a process to implement the CIS Controls. In this example we will implement the Account Policies control, defining a password policy and an account lockout policy.

Step 1. Log into the server with your admin credentials

Step 2. Execute the cmd command with the option “Run as administrator”

Step 3. Type the command “gpedit”

Step 4. Navigate to “Computer Configuration>Windows Settings>Security Settings>Account Policies>Password Policy”

Step 5. Define a password policy with the following settings and values

  • Enforce password history = 24
  • Maximum password age = 90
  • Minimum password age = 3
  • Minimum password length = 14
  • Minimum password length audit = 10 characters
  • Password must meet complexity requirements = Enable
  • Relax minimum password length limits = Disabled
  • Store passwords using reversible encryption = Disable

Step 6. Navigate to “Computer Configuration>Windows Settings>Security Settings>Account Policies>Account Lockout Policy”

Step 7. Define an account lockout policy with the following settings and values

  • Account lockout duration = 180 minutes
  • Account lockout threshold = 6 invalid logon attempts
  • Allow Administrator account lockout = Enable
  • Reset account lockout counter after = 30 minutes

Step 8. Once the changes have been applied, you will see the assessment results on the CIS report as follows
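The following PowerShell script is an added example, not code from the original article or from CIS: it exports the effective local security policy with secedit and compares the [System Access] section against the password and lockout values defined in Step 5 and Step 7, so an administrator can verify the hardening before the CSAT assessment is updated. The secedit INF key names for the three newer settings (minimum password length audit, relax minimum password length limits, allow Administrator lockout) are assumptions; older Windows builds do not export them at all, and the script reports those as NOT PRESENT rather than failing.

```powershell
# Added example (not from the original article): audit the local Account Policies
# against the values defined in Step 5 and Step 7 by exporting the local security
# policy with secedit and parsing its [System Access] section.
# Run from an elevated PowerShell prompt on the server being hardened.

# Target values from the article, keyed by secedit INF name.
# Key names for MinimumPasswordLengthAudit, RelaxMinimumPasswordLengthLimits and
# AllowAdministratorLockout are assumed; older builds do not export them.
$Expected = [ordered]@{
    'PasswordHistorySize'              = 24    # Enforce password history
    'MaximumPasswordAge'               = 90    # Maximum password age (days)
    'MinimumPasswordAge'               = 3     # Minimum password age (days)
    'MinimumPasswordLength'            = 14    # Minimum password length
    'MinimumPasswordLengthAudit'       = 10    # Minimum password length audit
    'PasswordComplexity'               = 1     # Password must meet complexity = Enabled
    'RelaxMinimumPasswordLengthLimits' = 0     # Relax minimum length limits = Disabled
    'ClearTextPassword'                = 0     # Reversible encryption = Disabled
    'LockoutDuration'                  = 180   # Account lockout duration (minutes)
    'LockoutBadCount'                  = 6     # Account lockout threshold
    'AllowAdministratorLockout'        = 1     # Allow Administrator lockout = Enabled
    'ResetLockoutCount'                = 30    # Reset lockout counter after (minutes)
}

function Get-SystemAccessPolicy {
    # Export the effective local policy to a temporary INF and parse [System Access].
    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        & secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null
        if (-not (Test-Path $inf)) { throw "secedit export failed" }
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content $inf) {
            # Section headers switch parsing on only for [System Access].
            if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item $inf -ErrorAction SilentlyContinue
    }
}

function Test-AccountPolicy {
    param([hashtable]$Actual, $Expected)
    # One row per setting: PASS, FAIL, or NOT PRESENT when this build lacks the key.
    $results = foreach ($key in $Expected.Keys) {
        $want = $Expected[$key]
        if ($Actual.ContainsKey($key)) {
            $got = $Actual[$key]
            $status = if ($got -eq $want) { 'PASS' } else { 'FAIL' }
        } else {
            $got = $null
            $status = 'NOT PRESENT'
        }
        [pscustomobject]@{ Setting = $key; Expected = $want; Actual = $got; Status = $status }
    }
    return $results
}

$report = Test-AccountPolicy -Actual (Get-SystemAccessPolicy) -Expected $Expected
$report | Format-Table -AutoSize
$failed = @($report | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed setting(s) differ from the baseline defined in Steps 5 and 7."
```

The script only reads the policy; the values themselves are still set through gpedit as described above, so a FAIL row points at the exact setting to revisit before re-running the CSAT questions for this control.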

Basic Audit Interview Guidelines

  1. Be on time for your scheduled interview.
  2. Review your team’s documentation provided to the assessor.
  3. Answer questions with a simple Yes or No; additional information or comments are not needed unless the assessor asks for them.
  4. If the assessor needs additional information, he/she will ask (that is their job).
  5. If you are not 100% certain (would you bet a large sum of your own money on the certainty of your answer?), your answer is “I do not know, but I will find out”.
  6. The Project Manager will be taking interview notes and will work with you to follow up on items that could not be answered in the meeting.

Do not communicate directly with the Assessor outside the interview.

Do not lie or misrepresent the truth to the assessor.

Assessor: the person conducting the audit. He/she will sign a Report of Compliance or Attestation of Compliance; this documentation will help you prove you are compliant with PCI-DSS, SOX, ISO, GDPR, or NIST.

A last word of advice: if you have any doubts about your understanding of a question, ask the assessor to be more specific.

Conclusion

The CIS CAT tool generates a report, and you prioritize the implementation of the controls on the Linux or Windows servers. Research from the Center for Internet Security has shown that implementing the CIS Controls can stop a hacker inside your network by 85%.

Implement a hardening program through the CIS controls in critical infrastructures like legacy servers. The reports are evidence of compliance with ISO27001 and NIST Cybersecurity Frameworks.

For example, the legacy server has a Password Policy and an Account Lockout Policy; implementing these two controls prevents a hacker from using automated password brute force attacks.

You can increase compliance each time you implement a CIS control. It is suggested to raise compliance in phases, to 60%, 80%, and then 90%, to have less impact on production.

References

https://www.sans.org/

https://www.cisecurity.org

https://www.isaca.org/state-of-cybersecurity-2021
