How Configuration Assessments Help Improve Cyber Defenses
There's an old adage in business: If you're not measuring, you're not managing. These days, information technology (IT) and information security professionals know this all too well, especially when it comes to configuration assessments.
Network performance requires constant monitoring. Cyber threats demand identification and remediation. Systems need to be securely configured upon implementation and then assessed frequently to ensure they stay that way.
Hackers are constantly on the lookout for poorly configured or unsecured systems. The 2020 Verizon Data Breach Investigations Report (DBIR) notes that vulnerabilities accounted for nearly 20% of hacking breaches. And, while vulnerabilities are a distant second to credential theft, hackers will try to exploit these weaknesses when found. After all, when one system is left unsecured, it often means that others have been left unsecured as well.
Identifying configuration vulnerabilities is a key element of a strong cybersecurity program. If you're not conducting configuration assessments regularly, you're not keeping your enterprise safe from cyber threats.
The Need for Ongoing Configuration Assessments
Improper configurations can put your organization at risk. While configuration assessment is essential, it can also be difficult to execute. First off, systems very rarely come securely configured right out of the box. The sheer number of systems that need to be hardened is enormous, and the volume of settings that require configuration can be daunting. As teams try to meet deadlines or business needs, systems can be put into production without basic hardening. Upgrades and other changes can lead to configuration drift, creating new vulnerabilities over time.
For IT teams, system configuration can be a big focus at the time of implementation. However, effective protection against cyber threats requires more frequent attention. Secure configuration assessments should be performed regularly to reduce opportunities for hackers.
Establishing Secure Configurations
Assessment is an important step in system hardening. To understand how well your current environment matches up to industry best practices, compare your configurations to the recommendations in the CIS Benchmarks. The CIS Benchmarks are consensus-developed, best-practice secure configuration guidelines that are used to harden target systems. There are 100+ CIS Benchmarks covering more than 25 vendor product families. The PDF versions are available to download at no cost.
Each CIS Benchmark describes – in simple language – the security benefit of each recommendation and the steps for secure configuration. CIS Benchmarks map to the CIS Controls where applicable, making it possible to develop an actionable remediation plan with a high-level view.
Configuring systems to CIS Benchmark recommendations is a proven way to assess and remediate configuration vulnerabilities.
Scaling Configuration Assessments
Knowing what your desired end state for secure configuration should be is only part of the picture. Assessing system configuration at scale is also important.
To understand how your system configurations conform to the CIS Benchmarks, you can use the CIS Configuration Assessment Tool (CIS-CAT). CIS-CAT scans a target system's configuration settings and reports the system's conformance with the corresponding Benchmark. With hundreds of recommendations in each CIS Benchmark, automated assessment is the key to faster implementation of secure configuration at scale.
CIS-CAT Pro, available to CIS SecureSuite Members, has two components: the easy-to-use CIS-CAT Pro Assessor v4 GUI and the CIS-CAT Pro Dashboard. CIS-CAT Pro Assessor v4 supports automated configuration assessment against 80+ CIS Benchmarks, including assessment of remote endpoints. CIS-CAT Pro Dashboard is a companion application for CIS-CAT Pro Assessor and is a great way to visualize assessment results and track conformance over time.
Configuration Assessment Leads to Remediation
Analyzing security configuration assessment results is paramount to remediation planning efforts. The latest update to CIS-CAT Pro Assessor includes configuration assessment evidence in the HTML report. The evidence provides an "in-depth" view of an endpoint's state and assists in remediation planning.
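The sections above describe the same workflow three times over: compare an endpoint's settings to a baseline of recommendations, report pass/fail with evidence for each one, and track conformance over time so drift shows up. The following Python script is an added illustration of that workflow in miniature; it is not CIS-CAT, and its baseline is a constructed set of sshd_config-style expectations, not a CIS Benchmark. The configuration samples are also constructed, with the "day 30" capture deliberately drifted from the "day 1" one.

```python
"""Minimal configuration-assessment illustration (added example, not CIS-CAT)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed baseline: setting name -> expected value. These are illustrative
# hardening expectations chosen for this example, not CIS Benchmark recommendations.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
}

# Constructed sshd_config-style captures from one endpoint at two points in time.
SAMPLE_CONFIG_DAY1 = """\
# sshd_config (constructed sample, day 1)
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding yes
MaxAuthTries 4
"""

SAMPLE_CONFIG_DAY30 = """\
# sshd_config (constructed sample, day 30: root login re-enabled, MaxAuthTries dropped)
Port 22
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding yes
"""


def parse_config(text: str) -> dict:
    """Parse 'Keyword value' lines; skip blanks and comments.
    The first occurrence of a keyword wins, which matches how sshd reads its config."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


@dataclass
class Finding:
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting is absent from the capture
    status: str            # "pass" or "fail"


def assess(config_text: str, baseline: dict = BASELINE) -> List[Finding]:
    """Compare each baseline setting to the captured value and record the evidence.
    An absent setting is reported as a fail: this example does not model the
    daemon's built-in defaults, whereas a real assessor evaluates the effective value."""
    settings = parse_config(config_text)
    findings = []
    for setting, expected in baseline.items():
        actual = settings.get(setting)
        passed = actual is not None and actual.lower() == expected.lower()
        findings.append(Finding(setting, expected, actual, "pass" if passed else "fail"))
    return findings


def score(findings: List[Finding]) -> float:
    """Percentage of baseline settings that pass, rounded to one decimal."""
    if not findings:
        return 0.0
    passed = sum(1 for f in findings if f.status == "pass")
    return round(100 * passed / len(findings), 1)


def drift(previous: List[Finding], current: List[Finding]) -> List[Tuple[str, Optional[str], str]]:
    """Settings whose pass/fail status changed between two assessments."""
    prev = {f.setting: f.status for f in previous}
    return [(f.setting, prev.get(f.setting), f.status)
            for f in current if prev.get(f.setting) != f.status]


def report(findings: List[Finding]) -> str:
    """Human-readable report: one evidence line per setting plus the overall score."""
    lines = []
    for f in findings:
        evidence = "not set" if f.actual is None else f"actual={f.actual!r}"
        lines.append(f"[{f.status.upper()}] {f.setting}: expected={f.expected!r}, {evidence}")
    lines.append(f"score: {score(findings)}%")
    return "\n".join(lines)


if __name__ == "__main__":
    day1 = assess(SAMPLE_CONFIG_DAY1)
    day30 = assess(SAMPLE_CONFIG_DAY30)
    print("--- day 1 ---\n" + report(day1))
    print("--- day 30 ---\n" + report(day30))
    for setting, before, after in drift(day1, day30):
        print(f"drift: {setting} {before} -> {after}")
```

Run as-is, the day 1 capture scores 75% (only X11Forwarding fails) and the day 30 capture scores 25%; the drift list names PermitRootLogin and MaxAuthTries as the settings that went from pass to fail, which is exactly the kind of change a periodic assessment is meant to surface. The per-setting evidence line (expected value next to the actual or absent value) is what turns a score into a remediation plan.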
Assess at Scale with CIS SecureSuite
CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard are both included in CIS SecureSuite Membership. To get a feel for how CIS-CAT works, try CIS-CAT Lite, our free configuration assessment tool. The free version produces only HTML reports and supports a subset of CIS Benchmark assessments. To access CIS-CAT Lite, download it here.
Register for one of our upcoming CIS Benchmarks webinars, which include a demo of CIS-CAT Pro.