The Evolution of CIS-CAT and a New GUI in CIS-CAT v4.1.0
This year, the Center for Internet Security (CIS) is celebrating its 20th anniversary. It’s been 20 years of making the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation.
The History of CIS Security Best Practices Tooling
In early 2000, a global community of cybersecurity experts began to participate in the development of the consensus-based CIS Benchmarks. Automation in security quickly became a motivating factor for the development of machine-readable CIS Benchmark content in XCCDF and OVAL schemas. We then developed a tool that could read this content in standard XML formats and score actual configuration of systems against each control in a CIS Benchmark, producing actionable results and a numeric score.
From the first tool, called NG Tool, released for Microsoft Windows operating systems in September 2005, to the current day CIS-CAT Pro, we’ve expanded automated assessment capabilities from just four operating systems to more than 80 operating system, device, and application CIS Benchmarks!
Those who have been using CIS tools over the past 20 years will recognize some of the old logos:
Our product teams continue to add features and functions to tools to help organizations support the execution of their security policies. In November 2020, CIS is releasing CIS-CAT Pro Assessor v4.1.0 with a graphical user interface (GUI).
Basic Configuration Assessment Tool Use
There are many reasons why a configuration assessment tool such as CIS-CAT Pro can help IT professionals meet their security policy goals. We’ve captured just a few below:
1. Develop Hardened Baseline Configurations
One of the initial steps of the execution of an organization’s security policy is developing hardened baseline configuration states for organizational operating systems, devices, and applications within the environment. To support this activity, it’s important to run initial scans with a configuration assessment tool like CIS-CAT Pro Assessor v4. CIS-CAT Pro reports help system engineers identify areas of potential vulnerability.
2. Analyze Configuration and Reporting
Security managers and technicians occasionally do not have access to make changes to GPO policies or baseline images, but want to review configuration states for select systems. With the help of CIS-CAT Pro, assessment reports can be produced on demand for desired systems. These detailed reports help support more informed organizational discussions on CIS Benchmark recommendation failures and how state changes fit with organizational policies.
3. Audit Conformance
Many internal and external security auditors want to make sure hardened systems are in conformance with CIS Benchmark recommendations. Having the ability to run a configuration assessment against selected systems will allow auditors to feel comfortable that configuration policies are met. Reports can be produced in various easy-to-read reports in formats such as TXT, CSV, or HTML.
New CIS-CAT Pro Assessor v4 GUI
For the example use cases above, the assessment process would be most efficient if it can be easy, quick, and completed without a complicated setup process.
Accordingly, the CIS-CAT team is introducing a new graphical user interface (GUI) to help IT engineers, security technicians, internal auditors, and system engineers produce configuration reports quickly and easily with little training or setup. This new feature will be introduced in Lite and Pro versions of CIS-CAT v4.1.0. This feature offers a simple workflow for the basic, local system configuration scan as well as advanced workflows where multiple combinations of remote and local scanning combinations can be performed.
When using the GUI, there’s no need to set up additional software components (no Java Runtime Environment (JRE) needed) or configurations to utilize the basic workflow. In order to successfully execute assessor commands, admin or elevated access is still required.
The size of the downloaded application will increase from approximately 100MB to 150MB. If an organization’s assessment workflows do not require use of a GUI and the additional space is a concern, it is safe to delete the executable file after downloading.
All other command line or centralized scanning activities continue to require the assessor’s access to a suitable JRE.
Summary of GUI Features
Below is a summary of the key features:
- Basic (local system only) or advanced (any combination of local/remote) configuration scanning workflows
- Multiple result output options including reports in formats of HTML, csv, text, ARF XML, JSON or upload to CIS-CAT Pro Dashboard (via API)
- Define the location of the reporting output
- Ability to save created configuration XML file for repeat scanning needs
- Secured credentials by default in created configuration file with options to encrypt with user-provided passwords
- In-applications links to log files, support, and user guides
- Scan one or more CIS Benchmarks per target system
- Input interactive properties for controls, VMWare, and database scans
- Load and use an existing configuration or sessions file
- View the status of in-progress assessments on screen
- Test connections before assessing
- Add or edit target system connection information and CIS Benchmark selections in the advanced workflow
- Link to generated HTML results from within the application
Note: When utilizing the advanced workflow and selecting to remotely scan a target for Microsoft Windows, Unix/Linux, or Cisco IOS connection types, remember to properly configure the endpoint to allow a successful communication between the CIS-CAT Pro host and the target.
License Key Adoption
To better serve the broadening CIS SecureSuite Member base, CIS-CAT Pro Assessor v4.1.0+ and Assessor V4 Service v1.1.0+ have adopted the use of license keys. As a Member, learn how to unlock access to all the features and content from the Assessor v4 and v4 Service documentation. Versions of Assessor v4 and v4 Service prior to the November release will be archived from the CIS WorkBench by the end of the year. Should users need an older version to run an end of life CIS Benchmark, please open a technical support ticket.