Security Laboratory

Center for Internet Security Toolset to Offset Impact of Government Regulations


By Stephen Northcutt
Version 2.1

A series of consensus configurations and testing tools from the Center for Internet Security for operating systems, databases, networking gear and applications are the best vendor neutral approach to enable organizations to achieve and sustain compliance across multiple regulations. Compliance with multiple regulations is becoming an increasing problem for organizations.

What is the Center for Internet Security?

If you have a chance to take a look at the CIS website, you will see that what we provide is an extensive portfolio of configuration benchmarks containing expert consensus recommendations on what technical security controls to use to harden the different operating systems, network devices, and applications. A scoring tool is provided that enables users to audit their systems against the recommendations in the appropriate benchmarks to see if the recommended security settings have been implemented. A citation to the CIS website will steer users to the available benchmarks and scoring tools, which, by the way, are free of charge. During 2006, they were downloaded over 700,000 times worldwide.[7]

Multiple IT Related Regulations are a Concern for Industry

As the governments of the world continue to release regulatory guidance, many organizations find themselves responsible for complying with two or more regulations, for instance Sarbanes-Oxley, HIPAA, and GLBA. Since none of the regulations match up exactly with the others, there tend to be gaps and overlaps. In addition, regulations tend to be high level and somewhat vague. This leads to situations where organizations have to "crosswalk" each of the regulations they must comply with. The process of crosswalking is to compare each item in the first body of regulations with which an organization must comply and determine whether that item is also required by any other regulation.[1] Eventually you will come up with a document that has all the requirements of all of the regulations.

However, since the regulations tend to be high level and vague, it can be hard to ascertain whether similar items in different regulations are one item or two different but similar items. Worse, when companies prepare for successive audits, the resulting audit reports often have little resemblance to one another. This is unacceptable because consistency is one of the keys to a successful business. The marketplace has responded with commercial tools like the VeriSign(R) Security Risk Profiling Service; however, the score is only as accurate as the input data.[2] In addition, these problems caused by successive audits against different regulatory requirements are sucking the oxygen out of the information security atmosphere, so there is no time, money, or energy left to actually address improvements in security and the changing trends in the industry such as those discussed at Vision and Decisions (http://www.sans.org/visionsdecisions07/).

Regaining Focus to Position IT Security to Meet Corporate Objectives

How do we regain focus on managing risk across the entire business and ensure that operational performance meets strategic corporate objectives, given conflicting regulations and inconsistent audits? We need configuration tools for operating systems, databases, networking gear and applications that are operationally actionable (able to turn settings on or off), specific, repeatable and measurable. If these tools were complete enough and respected enough, it would be possible to crosswalk the overwhelming majority of the IT related regulatory requirements to these approved configurations.

Generally Accepted Configurations

Is there really such a thing as a generally accepted configuration for a Microsoft server or Cisco router? Vendors deliver operating systems, databases, networking gear, and applications in every state imaginable. Software and operating systems have a tremendous number of features that can be used for security and regulatory compliance, but many manufacturers deliver these features turned off. It would be similar to buying a car and finding its safety equipment, such as the brakes, in the trunk, so that you had to find an expert to install them for you. That is how manufacturers of computing and network equipment treat the industry.[1] Fortunately, there was a meeting six years ago at the Cosmos Club in Washington DC where interested parties met to discuss this very problem, and funding was made available to create a non-profit called the Center for Internet Security (CIS). The URL for their web site is www.cisecurity.com.

NIST SP 800-14 brought the concept of generally accepted principles for system configuration to our industry. Its authors built on the Organization for Economic Co-operation and Development's (OECD) Guidelines for the Security of Information Systems as the base for the principles. The OECD Guidelines were developed in 1992 by a group of international experts to provide a foundation from which governments and the private sector, acting singly and in concert, could construct a framework for securing IT systems.[4] However, 800-14 is not very specific. It contains statements like "Risk mitigation involves the selection and implementation of security controls to reduce risk to a level acceptable to management."[4] CIS builds on this excellent foundational work to create generally accepted configurations. A good reference on the effectiveness of the technical control settings in the benchmarks is the Vol 5 No 1, Fall 2002 issue of the DoD IA Newsletter, which reports case studies by NSA and Mitre that involved scanning systems as received from the vendor to identify vulnerabilities, implementing the benchmark controls, then rescanning to identify remaining vulnerabilities. The articles report that 85-90% of known vulnerabilities are eliminated by up-to-date patching and implementing the controls recommended in the CIS benchmarks. See http://www.cisecurity.org/Documents/IA_CIS.pdf.[5]

CIS works by assembling teams of experts to develop a consensus on which features need to be turned on in the various operating systems, databases, networking gear, and applications. These configurations are made available for public scrutiny. There are also similar configurations available from the NSA, Cisco, Microsoft and others. These configurations are far more consistent with each other than government regulations are; usually they differ by only one or two points. Therefore, organizations that use these configurations can assert to their auditors that they are implementing generally accepted best practice for the configuration of the operating systems, databases, networking gear, and applications in their environment.

The Role of Generally Accepted Configurations in Risk Management

In general, the more quantification (actually using metrics based on measurements against generally accepted configurations) we can include in our Risk Assessment and Risk Management, the higher the quality of our understanding of the residual risk. Most risk assessment processes are primarily qualitative: someone makes an estimate of the risk of a particular event occurring, whether it be high, medium, or low. The more we depend on qualitative information to determine our residual risk, the lower the certainty that we have accurately computed that risk. CIS has developed testing tools to measure the actual state of a system against the generally accepted configurations. This allows us to feed quantified data into our risk assessment or risk management process.
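To make the two ideas above concrete, the scoring tool that audits a system against benchmark items and the crosswalk that maps one control to several regulations, here is a miniature benchmark scorer. It is an added example written for this page, not CIS code or any CIS benchmark; the five benchmark items, the regulation mappings, and the observed configuration values are all constructed for illustration. Each benchmark item is measured once, and that single measurement is reported both as an overall score (quantified input for risk assessment) and broken out per regulation, which is what makes the crosswalk reusable across audits.

```python
"""Miniature benchmark scoring and regulation crosswalk (added example; not CIS code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class BenchmarkItem:
    item_id: str
    description: str
    check: Callable[[dict], bool]   # evaluates the observed configuration
    regulations: List[str]          # constructed crosswalk: regulations this control satisfies


# Constructed benchmark (hypothetical items; real benchmarks have hundreds).
BENCHMARK: List[BenchmarkItem] = [
    BenchmarkItem("1.1", "Minimum password length is at least 8",
                  lambda c: c["password_min_length"] >= 8, ["SOX", "HIPAA", "GLBA"]),
    BenchmarkItem("1.2", "Maximum password age is 90 days or less",
                  lambda c: c["password_max_age_days"] <= 90, ["SOX", "HIPAA"]),
    BenchmarkItem("2.1", "Audit logging is enabled",
                  lambda c: c["audit_logging_enabled"] is True, ["SOX", "HIPAA", "GLBA"]),
    BenchmarkItem("2.2", "Telnet service is disabled",
                  lambda c: c["telnet_service_enabled"] is False, ["HIPAA", "GLBA"]),
    BenchmarkItem("3.1", "Screen lock timeout is 15 minutes or less",
                  lambda c: c["screen_lock_timeout_min"] <= 15, ["HIPAA"]),
]

# Constructed observed state. A real scoring tool collects this from the host
# (registry, PAM/sshd configuration, service list); here it is a literal dict.
OBSERVED_CONFIG: Dict[str, object] = {
    "password_min_length": 6,
    "password_max_age_days": 90,
    "audit_logging_enabled": True,
    "telnet_service_enabled": True,
    "screen_lock_timeout_min": 10,
}


def evaluate(item: BenchmarkItem, observed: dict) -> bool:
    """Run one check. A setting that could not be observed is never counted as a pass."""
    try:
        return bool(item.check(observed))
    except (KeyError, TypeError):
        return False


def score(benchmark: List[BenchmarkItem], observed: dict) -> dict:
    """Overall quantified result: pass count, percentage, and the failed item ids."""
    results = {item.item_id: evaluate(item, observed) for item in benchmark}
    passed = sum(1 for ok in results.values() if ok)
    return {
        "passed": passed,
        "total": len(benchmark),
        "score_pct": round(100.0 * passed / len(benchmark), 1) if benchmark else 0.0,
        "failed": [item_id for item_id, ok in results.items() if not ok],
    }


def crosswalk(benchmark: List[BenchmarkItem], observed: dict) -> Dict[str, dict]:
    """Per-regulation view of the same measurements: each item is checked once
    and the result is attributed to every regulation the item is mapped to."""
    per_regulation: Dict[str, dict] = {}
    for item in benchmark:
        ok = evaluate(item, observed)
        for reg in item.regulations:
            entry = per_regulation.setdefault(reg, {"passed": [], "failed": []})
            entry["passed" if ok else "failed"].append(item.item_id)
    return per_regulation


def unmapped_items(benchmark: List[BenchmarkItem]) -> List[str]:
    """Benchmark items that satisfy no regulation: the gaps a crosswalk should surface."""
    return [item.item_id for item in benchmark if not item.regulations]


if __name__ == "__main__":
    overall = score(BENCHMARK, OBSERVED_CONFIG)
    print(f"Score: {overall['passed']}/{overall['total']} ({overall['score_pct']}%)")
    print("Failed items:", ", ".join(overall["failed"]))
    for reg, entry in crosswalk(BENCHMARK, OBSERVED_CONFIG).items():
        print(f"{reg}: passed {entry['passed']} failed {entry['failed']}")
    print("Items mapped to no regulation:", unmapped_items(BENCHMARK))
```

With the constructed values, the host scores 3 of 5 (60%), and the two failed items (1.1 and 2.2) show up in the SOX, HIPAA and GLBA views at once, so one remediation closes findings under every regulation that maps to that control. A missing or unobservable setting is deliberately counted as a failure rather than a pass, since an audit score that silently skips unmeasured controls would overstate compliance.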

Additional improvement in the risk management process can be achieved by integration into the System Development Life Cycle (SDLC). Effective risk management must be totally integrated into the SDLC. An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal. In some cases, an IT system may occupy several of these phases at the same time. However, the risk management methodology is the same regardless of the SDLC phase for which the assessment is being conducted. Risk management is an iterative process that can be performed during each major phase of the SDLC.[6] The CIS tools are particularly useful in the implementation and operation phases of the SDLC, where they can verify that the generally accepted configuration tested during the implementation phase is still the configuration in place during the operational phase.

Kevin McNamee from Alcatel supports the view that risk management should be integrated into the System Development Life Cycle and uses the CIS tools: "Our product development life-cycle includes a product hardening phase. We recommend using the CIS Benchmark documents as the basis for hardening the underlying operating system on which the product is based. We chose the CIS tools because they cover HP/UX, Solaris, Linux and Windows."[7]

The Road Ahead

At the present time there is no documentation that ties items in the various regulations to the items in the CIS configurations. That needs to be the next focus for the organization. In the meantime, organizations would be wise to incorporate the Center for Internet Security configurations and testing tools as part of their risk management strategy.

  1. http://www.hipaadvisory.com/action/security/#crosswalk (as an example)
  2. http://www.verisign.com/managed-security-services/information-security/risk-profiling/index.html
  3. Interview, December 14, 2006, with Clint Kreitner, CEO, Center for Internet Security
  4. http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf
  5. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, section 2.2
  6. Email between Kevin McNamee and Stephen Northcutt, December 15, 2006
  7. Email from Clint Kreitner to Stephen Northcutt, February 18, 2007