What are CIS (Center for Internet Security) benchmarks?

CIS benchmarks are consensus-developed, industry-standard configuration guidelines published by the Center for Internet Security (CIS) to help organizations harden their systems against cyber threats. Each benchmark recommends specific, checkable security settings and best practices for one product or platform (operating systems, cloud services, container runtimes and orchestrators, databases, web servers, network devices), and every recommendation comes with an audit procedure and a remediation step. Recommendations are grouped into profiles: Level 1 for baseline settings with little usability impact, Level 2 for stricter defence-in-depth settings.

Examples of CIS benchmark recommendations:

  1. CIS Microsoft Windows 10 Benchmark:

    • Account Policies:

      • Minimum password length: 14 or more characters

      • Password complexity: Enabled (requires a combination of uppercase, lowercase, numeric, and special characters)

      • Account lockout threshold: 5 or fewer invalid logon attempts, but not 0 (0 disables lockout)

    • Windows Firewall, inbound connections: Block (default); add explicit allow rules only for services the host must expose, for example RDP on machines that are remotely administered

    • Windows Firewall, outbound connections: Allow (default), so that essential outgoing traffic such as HTTP, HTTPS, and DNS keeps working

    • Audit Policies & Secure Configurations:

      • Guest account status: Disabled

      • SMBv1 client and server: Disabled (remove the SMB1Protocol optional feature)

      • Windows Update: Configure Automatic Updates: Enabled, with installation scheduled every day

  2. CIS Amazon Web Services Foundations Benchmark:

    • Identity and Access Management (IAM): Attach permissions to groups or roles rather than directly to IAM users, use IAM instance roles for EC2 instances instead of long-lived access keys, and grant each principal only the permissions it needs (least privilege)

    • Logging and Monitoring: Enable a CloudTrail trail for all AWS regions, with log file validation turned on and the log bucket not publicly accessible

    • Configure CloudWatch Logs metric filters and alarms on the CloudTrail logs for security-relevant events such as unauthorized API calls, console sign-in without MFA, use of the root account, and changes to IAM policies or the CloudTrail configuration

    • Encryption: Use AWS KMS customer-managed keys for data at rest and rotate them. Enable server-side encryption (SSE-S3 or SSE-KMS) for all S3 buckets

    • Network Configuration: Ensure no security group allows ingress from 0.0.0.0/0 or ::/0 to remote administration ports (TCP 22 for SSH, TCP 3389 for RDP); restrict the default security group of every VPC so that it allows no traffic; use network ACLs as an additional layer of restriction at the subnet level
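The security group recommendation above is usually checked by listing every rule and testing each one for a world-reachable source combined with an administration port. The following added example shows that logic; it is not CIS's or AWS's own tooling. The group IDs and rules are constructed sample data, and the aws CLI command is only indicated in a comment, so the script runs offline:

```shell
#!/bin/sh
# Added example (not CIS's or AWS's own tooling): the logic behind the
# "no security group allows ingress from 0.0.0.0/0 to remote administration
# ports" recommendation, run over constructed sample rules so it works offline.
# On a real account the rows would come from
#   aws ec2 describe-security-groups
# flattened to: group_id protocol from_port to_port cidr

# Constructed sample data; -1 is the EC2 value for "all protocols".
SAMPLE_RULES='sg-0a1b2c3d  tcp  22    22     0.0.0.0/0
sg-0a1b2c3d  tcp  443   443    0.0.0.0/0
sg-1f2e3d4c  tcp  3389  3389   10.0.0.0/8
sg-1f2e3d4c  tcp  1024  65535  ::/0
sg-5e6f7a8b  -1   0     65535  0.0.0.0/0
sg-9c8d7e6f  tcp  22    22     203.0.113.4/32'

# rule_exposes_admin_port PROTO FROM_PORT TO_PORT CIDR
# Succeeds (exit 0) when the rule lets the whole IPv4 or IPv6 internet reach
# SSH (22) or RDP (3389). Port ranges and "all protocols" rules are tested
# for containing an admin port, not only for an exact match.
rule_exposes_admin_port() {
  proto=$1; from=$2; to=$3; cidr=$4
  case "$cidr" in
    0.0.0.0/0|::/0) ;;   # world-reachable source: keep checking
    *) return 1 ;;       # scoped source: not this finding
  esac
  [ "$proto" = "tcp" ] || [ "$proto" = "-1" ] || return 1
  for port in 22 3389; do
    if [ "$from" -le "$port" ] && [ "$to" -ge "$port" ]; then
      return 0
    fi
  done
  return 1
}

# audit_rules: reads rule rows on stdin, prints one FAIL line per offending rule.
audit_rules() {
  while read -r sg proto from to cidr; do
    [ -n "$sg" ] || continue
    if rule_exposes_admin_port "$proto" "$from" "$to" "$cidr"; then
      printf 'FAIL %s %s %s-%s from %s\n' "$sg" "$proto" "$from" "$to" "$cidr"
    fi
  done
}

# count_findings: number of failing rules in the sample, as a string.
count_findings() {
  printf '%s\n' "$SAMPLE_RULES" | audit_rules | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_RULES" | audit_rules
```

Three of the six sample rules fail: the direct SSH rule from 0.0.0.0/0, the wide TCP range from ::/0 that happens to include 3389, and the "all protocols, all ports" rule. A check that only looks for an exact `22` or `3389` would miss the last two.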

  3. CIS Docker Benchmark:

    • Container Configuration:

      • User namespace remapping: Enabled (userns-remap in daemon.json), so that root inside a container maps to an unprivileged UID on the host

      • Restrict container capabilities: Drop all capabilities (--cap-drop=ALL) and add back only those the container actually needs; never run containers with --privileged

    • Network Settings:

      • Use user-defined bridge networks rather than the default docker0 bridge to isolate containers, and restrict inter-container traffic on the default bridge (icc=false)

      • Do not share the host's network namespace with containers (--network=host)

    • Daemon Access:

      • Treat membership of the docker group as equivalent to root and restrict it to trusted users; if the daemon socket is exposed over TCP, require TLS client certificate authentication (tlsverify)

    • Container Runtime Security:

      • Enable AppArmor (or SELinux) profiles for containers to enforce security policies, and prevent containers from acquiring new privileges (no-new-privileges)

      • Use Docker Content Trust (DOCKER_CONTENT_TRUST=1) to verify the signatures of container images before they are pulled or run
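As an added example (not CIS's or Docker's own code), the following script audits a daemon.json for the daemon-level settings listed above and prints the per-container docker run flags that complement them. The two daemon.json bodies are constructed samples; the image name and UID are placeholders:

```shell
#!/bin/sh
# Added example (not CIS's or Docker's own code): an offline audit of the
# Docker daemon settings discussed above, plus the per-container `docker run`
# flags that complement them. The two daemon.json bodies are constructed
# samples; on a real host you would audit /etc/docker/daemon.json.

WEAK_DAEMON_JSON='{
  "log-driver": "json-file"
}'

HARDENED_DAEMON_JSON='{
  "userns-remap": "default",
  "icc": false,
  "no-new-privileges": true,
  "live-restore": true,
  "log-driver": "json-file"
}'

# sample_file weak|hardened: writes the constructed sample to a temp file and prints its path.
sample_file() {
  p=$(mktemp)
  if [ "$1" = hardened ]; then
    printf '%s\n' "$HARDENED_DAEMON_JSON" > "$p"
  else
    printf '%s\n' "$WEAK_DAEMON_JSON" > "$p"
  fi
  printf '%s\n' "$p"
}

# audit_daemon_json FILE: one PASS/FAIL line per setting. A key that is absent
# means the insecure default is in force, so absence is a FAIL, not "unknown".
audit_daemon_json() {
  f=$1
  while IFS='|' read -r label regex; do
    [ -n "$label" ] || continue
    if grep -Eq "$regex" "$f"; then
      printf 'PASS %s\n' "$label"
    else
      printf 'FAIL %s\n' "$label"
    fi
  done <<EOF
user namespace remapping enabled|"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"
inter-container traffic on the default bridge restricted|"icc"[[:space:]]*:[[:space:]]*false
containers cannot acquire new privileges|"no-new-privileges"[[:space:]]*:[[:space:]]*true
live-restore enabled|"live-restore"[[:space:]]*:[[:space:]]*true
EOF
}

# count_failures FILE: number of FAIL lines, as a string.
count_failures() {
  audit_daemon_json "$1" | grep -c '^FAIL' || true
}

# hardened_run_flags IMAGE [CAP...]: drop every capability and add back only
# the named ones, forbid privilege escalation, mount the root filesystem
# read-only, run as an unprivileged UID and cap the number of processes.
hardened_run_flags() {
  image=$1; shift
  flags='--cap-drop=ALL --security-opt=no-new-privileges --read-only --user=65532:65532 --pids-limit=256'
  for cap in "$@"; do
    flags="$flags --cap-add=$cap"
  done
  printf 'docker run %s %s\n' "$flags" "$image"
}

for kind in weak hardened; do
  f=$(sample_file "$kind")
  printf '== %s daemon.json: %s failing check(s)\n' "$kind" "$(count_failures "$f")"
  audit_daemon_json "$f"
  rm -f "$f"
done
hardened_run_flags nginx:1.27 NET_BIND_SERVICE
```

The weak sample fails all four checks because a daemon.json that says nothing about a setting leaves Docker's permissive default in place; a real audit must treat "not configured" as a finding. The run line shows the capability rule from above in practice: everything is dropped and only NET_BIND_SERVICE is added back so the web server can bind port 80 as a non-root user.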

  4. CIS Kubernetes Benchmark:

    • Kubernetes Control Plane: Secure access to the API server: require client certificate (or another strong) authentication, disable anonymous access (--anonymous-auth=false), and use RBAC (never AlwaysAllow) as the authorization mode for end users and service accounts

    • etcd Security:

      • Use TLS for all etcd communication, both client-to-server and peer-to-peer, and require client certificate authentication (--client-cert-auth=true)

      • Encrypt Secrets at rest in etcd by passing an EncryptionConfiguration to the API server (--encryption-provider-config)

    • kubelet Security:

      • Use TLS for the kubelet API, disable anonymous access (--anonymous-auth=false), and close the unauthenticated read-only port (--read-only-port=0)

      • Set the kubelet authorization mode to Webhook rather than AlwaysAllow, so that requests to the kubelet are checked against the API server's RBAC policy

    • Network Policies: Use NetworkPolicy objects to allow or block traffic between pods based on namespace, labels, and ports, starting from a default-deny policy in each namespace. Example: allow traffic from pods with podSelector app=frontend to pods with podSelector app=backend on port 80/tcp
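The frontend-to-backend example above, rendered as the two NetworkPolicy objects a namespace actually needs: a default-deny ingress policy and the explicit allow. This is an added example, not CIS's or the Kubernetes project's own manifests; the namespace shop and the app labels are placeholders, and kubectl is not invoked so the script runs offline:

```shell
#!/bin/sh
# Added example (not CIS's or Kubernetes' own code): helpers that render the
# NetworkPolicy objects for the frontend -> backend:80 case discussed above.
# Namespace and labels are placeholders. To apply:
#   policy_bundle shop frontend backend 80 | kubectl apply -f -

# default_deny_ingress NAMESPACE: selects every pod in the namespace and allows
# no ingress. Egress is deliberately left alone so DNS and outbound calls keep
# working; lock egress down separately once the pods' dependencies are known.
default_deny_ingress() {
  ns=$1
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# allow_app_to_app NAMESPACE FROM_APP TO_APP PORT: lets pods labelled
# app=FROM_APP reach pods labelled app=TO_APP on TCP PORT and nothing else.
# A bare podSelector only matches pods in the policy's own namespace; adding a
# namespaceSelector inside the same "from" entry ANDs the two conditions.
allow_app_to_app() {
  ns=$1; from_app=$2; to_app=$3; port=$4
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-$from_app-to-$to_app
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $to_app
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: $from_app
    ports:
    - protocol: TCP
      port: $port
EOF
}

# policy_bundle NAMESPACE FROM_APP TO_APP PORT: both objects as one multi-document YAML.
policy_bundle() {
  default_deny_ingress "$1"
  echo '---'
  allow_app_to_app "$1" "$2" "$3" "$4"
}

# count_policies NAMESPACE FROM_APP TO_APP PORT: number of NetworkPolicy documents rendered.
count_policies() {
  policy_bundle "$@" | grep -c '^kind: NetworkPolicy'
}

policy_bundle shop frontend backend 80
```

Two points a practitioner should keep in mind: the allow policy does nothing on its own until a default-deny policy exists, because pods that no policy selects accept all traffic; and NetworkPolicy objects are only enforced when the cluster's network plugin implements them, so the objects can be created successfully on a cluster that silently ignores them.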

  5. CIS Oracle Database Benchmark:

    • Authentication and Authorization:

      • Password complexity: At least 12 characters including uppercase, lowercase, numeric, and special characters, enforced through a PASSWORD_VERIFY_FUNCTION in each user profile

      • Password expiration: PASSWORD_LIFE_TIME of 90 days or less, with FAILED_LOGIN_ATTEMPTS limited so that repeated bad passwords lock the account

      • Role-based access control (RBAC) for database users and roles

    • Auditing:

      • Enable auditing for all database users

      • Audit trail retention: Minimum of 90 days

    • Encryption:

      • Transparent Data Encryption (TDE) for sensitive tablespaces (e.g., USERS)

      • SSL/TLS encryption for Oracle Net Services connections

    • Database Configuration:

      • Set the audit_trail parameter to DB, EXTENDED (older releases spell this DB_EXTENDED) so that audit records include the SQL text and bind values of audited statements

      • Implement least privilege principle for database users and roles

  6. CIS Apache HTTP Server Benchmark:

    • Server Hardening:

      • Minimise version disclosure: ServerSignature Off and ServerTokens Prod

      • Disable directory listing: Options -Indexes

    • SSL/TLS Configuration:

      • Allow only TLS 1.2 and later (SSLProtocol TLSv1.2 TLSv1.3) and only strong AEAD cipher suites (e.g., ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-RSA-AES256-GCM-SHA384)

      • Enable Perfect Forward Secrecy (PFS) by permitting only ECDHE (or DHE) key exchange; static RSA key exchange suites such as AES256-SHA256 do not provide it

    • Access Controls:

      • Restrict access to specific directories using Require directives inside Directory or Location blocks in the main configuration; disable .htaccess processing with AllowOverride None wherever it is not needed

      • Example: Require all denied for content that must never be served (the filesystem root), Require valid-user for directories that require authentication, Require all granted only for public content

    • Logging:

      • Enable access logging: CustomLog /var/log/apache/access.log combined

      • Rotate log files daily and keep logs for at least 90 days
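Putting the Apache settings above together, the following added example (not CIS's or the Apache project's own configuration) renders a hardened TLS virtual host, and includes a helper that evaluates an Options directive the way Apache does, so that an audit also catches Options All or Options +Indexes and not only the literal word Indexes. The host name, paths, and log directory are placeholders:

```shell
#!/bin/sh
# Added example (not CIS's or the Apache project's own code): a vhost fragment
# that applies the settings above, and a helper that evaluates an Options
# directive the way Apache does. Host name, paths and log directory are
# placeholders. SSLProtocol with TLSv1.3 needs Apache 2.4.37+ and OpenSSL 1.1.1+.

# hardened_vhost DOMAIN DOCROOT: prints a TLS vhost with the CIS-style settings.
hardened_vhost() {
  domain=$1; docroot=$2
  cat <<EOF
ServerTokens Prod
ServerSignature Off
TraceEnable Off

<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot

    SSLEngine on
    SSLProtocol TLSv1.2 TLSv1.3
    SSLHonorCipherOrder on
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    SSLCertificateFile    /etc/ssl/certs/$domain.pem
    SSLCertificateKeyFile /etc/ssl/private/$domain.key

    <Directory "$docroot">
        Options -Indexes -Includes -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    <Directory "$docroot/admin">
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Directory>

    LogLevel warn
    ErrorLog  /var/log/apache/error.log
    CustomLog /var/log/apache/access.log combined
</VirtualHost>
EOF
}

# options_allows_indexes "OPTIONS VALUE": exit 0 when the directive, taken on
# its own (inheritance from enclosing sections is not modelled), enables
# directory listings. Apache treats All as every option except MultiViews,
# and a -Indexes token always turns listings off.
options_allows_indexes() {
  allow=1
  for tok in $1; do
    case "$tok" in
      -Indexes) return 1 ;;
      Indexes|+Indexes|All|+All) allow=0 ;;
    esac
  done
  return $allow
}

hardened_vhost www.example.com /var/www/html
for value in "FollowSymLinks Indexes" "All" "-Indexes +FollowSymLinks" "None"; do
  if options_allows_indexes "$value"; then
    printf 'Options %-26s -> directory listing ENABLED\n' "$value"
  else
    printf 'Options %-26s -> directory listing disabled\n' "$value"
  fi
done
```

The root Directory block is what makes the rest safe: with Options None and Require all denied at /, every other directory has to opt in explicitly, and a forgotten Options line cannot reintroduce listings. The log path matches the one used above; on Debian-based systems the directory is usually /var/log/apache2 and on Red Hat-based systems /var/log/httpd.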

What is the Center for Internet Security (CIS)?

It is a US-based non-profit organization, not a government agency, although it operates the Multi-State Information Sharing and Analysis Center (MS-ISAC) for state, local, tribal, and territorial governments in cooperation with the US Department of Homeland Security, and it has gained broad authority and recognition in the cybersecurity industry. CIS benchmarks are widely adopted by organizations globally because they are created through a consensus process involving cybersecurity experts from many sectors, and because every recommendation ships with an audit procedure and a remediation step rather than general advice. CIS also collaborates with government agencies, industry partners, and cybersecurity professionals to keep its recommendations relevant, effective, and up-to-date. Its reputation for practical, actionable guidance rests on the following offerings:

  • CIS Controls: A set of prioritized cybersecurity best practices covering areas such as inventory and control of hardware assets, continuous vulnerability assessment and remediation, and data protection.

  • CIS Benchmarks: Detailed configuration guidelines for securing operating systems, software applications, and network devices. 

  • CIS Hardened Images: Pre-configured virtual machine and container images with security-hardened settings based on CIS benchmarks. These images enable organizations to deploy systems with a reduced attack surface and enhanced security posture.

  • CIS SecureSuite Membership: A subscription service that provides access to CIS resources, including benchmarks, controls, tools, and support for implementing cybersecurity best practices effectively.

  • CIS RAM (CIS Risk Assessment Method): A framework for assessing and managing cybersecurity risks within an organization. It helps identify, analyze, and prioritize risks to inform decision-making and resource allocation for cybersecurity efforts.

Related terms (broader topics under which CIS benchmarks are usually filed; none of them is a synonym for the benchmarks themselves):

  1. Network security

  2. Internet security

  3. Cybersecurity

  4. Information Security or IT security

  5. Network Configuration Standards
