The Center for Internet Security, Inc. (CIS) works to make the connected world safer for people, businesses, and governments through collaboration and innovation. CIS is a community-driven nonprofit responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data. It leads a global community of IT professionals who continuously evolve these standards, and it supplies products and services that help organizations proactively safeguard against cyber-attacks and emerging threats. Its CIS Hardened Images provide a secure, on-demand, scalable computing environment in the cloud. CIS is also home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), a trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and to the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the rapidly changing cybersecurity needs of U.S. election offices. Alongside the CIS Controls and CIS Benchmarks, CIS offers specialized technology tools to help security practitioners implement and manage their cyber defenses.
This article summarizes recent news and developments from CIS.
The CIS Critical Security Controls (CIS Controls) are a prescriptive, prioritized set of cybersecurity best practices and defensive actions developed by CIS to help organizations prevent the most pervasive and dangerous attacks and to support compliance across multiple frameworks. These actionable practices are developed by IT and security specialists from data on real-world threats and the countermeasures that proved effective against them. The CIS Controls give businesses explicit direction and a clear path toward the objectives set out in a variety of legal, regulatory, and policy frameworks.
Version 8 of the CIS Controls has 18 top-level Controls and 153 Safeguards, distributed across three Implementation Groups (IGs). The previous 20 Controls have been consolidated, so 18 is the new 20. IGs are the recommended guidance for prioritizing adoption of the Controls and are designed to serve organizations of all sizes: an organization's IG is determined by its risk profile and by the resources it has available to apply the CIS Controls. CIS Controls v8 defines IG1 as "basic cyber hygiene", a minimum standard of information security for every enterprise; its 56 Safeguards are the foundational set that all businesses should implement to defend against the most common attacks. IG2 adds 74 Safeguards (130 in total) and IG3 adds a further 23, so IG3 comprises all 153 Safeguards. IG1 is the on-ramp to the Controls, and each higher group includes everything in the groups below it. The 18 Controls are the following.
Control 1: Inventory and Control of Enterprise Assets
Control 2: Inventory and Control of Software Assets
Control 3: Data Protection
Control 4: Secure Configuration of Enterprise Assets and Software
Control 5: Account Management
Control 6: Access Control Management
Control 7: Continuous Vulnerability Management
Control 8: Audit Log Management
Control 9: Email and Web Browser Protections
Control 10: Malware Defenses
Control 11: Data Recovery
Control 12: Network Infrastructure Management
Control 13: Network Monitoring and Defense
Control 14: Security Awareness and Skills Training
Control 15: Service Provider Management
Control 16: Application Software Security
Control 17: Incident Response Management
Control 18: Penetration Testing
Tony Sager is a Senior Vice President and Chief Evangelist for the Center for Internet Security (CIS). He champions the use of the CIS Controls and other solutions derived from the lessons of earlier cyber-attacks to improve global cyber defense, and he nurtures CIS's independent worldwide community of volunteers, encouraging them to make their enterprises, and the connected world, safer. For his team and many others, the last RSA Conference was the final in-person industry event they attended before the COVID-19 lockdown in 2020, and he is excited that CIS will be back at the RSA Conference this year. The RSA Conference brings the cybersecurity community together: attendees gain insights, take part in conversations, and try solutions that can strongly influence their companies and careers. He will speak at RSA in three separate sessions, bringing a CIS perspective to some of the industry's most pressing issues.
In "Maximizing their Cyber Non-Profits" (RSA Session Code: MASH-W08), Kiersten Todt, chief of staff at the Cybersecurity and Infrastructure Security Agency (CISA), and Tony Sager will talk about the foundational and often under-appreciated role that cybersecurity non-profits play across the entire ecosystem. They will also highlight how a group of them have chosen to self-organize into a collective force for good.
On the panel "The States of Cyber Incentives: Creative Laws Driving Better Security" (RSA Session Code: LAW-M03), he will describe how multiple states are incentivizing the adoption of cybersecurity best practices, including those from CIS. This strong trend has navigated political and legal barriers and created a path that combines public policy, technology, and economics into a workable model.
He will join Steve Lipner, chairman of SAFECode (and a National Cybersecurity Hall of Fame inductee), to discuss "Is A Secure Software Supply Chain Even Possible, Let Alone Feasible?" (RSA Session Code: DSO-M06). CIS will also have a booth at RSA for the first time in its 20+ year history.
The Center for Internet Security (CIS) is sponsoring and attending the 2022 Amazon Web Services (AWS) Summit in Washington, D.C., at Booth 520. The event takes place at the Walter E. Washington Convention Center on May 23-25. Attendees will hear about modernizing their infrastructure from experts, peers, and public sector organizations that have migrated to AWS. This year, the Summit includes an industry pre-day with content and activities dedicated to the federal government, healthcare, and startup organizations. CIS is sponsoring and attending the AWS Summit in Washington, D.C., for several reasons.
First, as the home of the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC and EI-ISAC), CIS recognizes the need to help U.S. State, Local, Tribal, and Territorial (SLTT) government organizations with their cybersecurity efforts. SLTTs operate closely with the citizens they serve, which puts them in a position to understand their constituents' needs and meet them promptly, for instance when a natural disaster strikes. SLTTs are also responsible for supplying and maintaining water, transportation, and other essential services that let residents go about their daily lives. Many SLTT cybersecurity initiatives, however, are under-resourced and under-supported: these agencies often lack the funding and staff to manage their cybersecurity independently. Second, CIS manages the communities that build and maintain the CIS Benchmarks, prescriptive configuration guidance for safeguarding systems against common cyber threats. These resources don't just save organizations time and money when working toward DISA STIG (Security Technical Implementation Guide) compliance; they also explain what steps CIS recommends and why.
The following CIS Benchmarks have recently been updated. Each Benchmark has a thorough changelog that details all the modifications. Below is a list of the most notable changes.
CIS Google Android Benchmark v1.4.0
All audit and remediation stages have been updated and cleaned up. The CIS Critical Security Controls (CIS Controls) Mappings have been updated from v6 to v7/v8, with more recommendations for Bluetooth, user profiles, and third-party keyboards added.
CIS Amazon Elastic Kubernetes Service (EKS) Benchmark v1.1.0
The latest version includes updated audit logging recommendations and methodology, as well as support for the recommendation to use container-optimized operating systems.
CIS Oracle Cloud Infrastructure Foundations Benchmark v1.2.0
The updates include multiple suggestions about encryption with customer-managed keys, recommendations addressing new and diverse access control techniques, and enhanced syntax for audit and remediation processes.
Four Updated CIS Benchmarks for Oracle MySQL
The following CIS Oracle MySQL Benchmarks have been updated to their final versions:
The following CIS Oracle MySQL Benchmarks have been updated as well:
Two CIS Benchmarks for Windows Server 2016 have been updated:
Because the underlying ADMX templates changed, both Benchmarks have 17 new settings, five updated settings, six moved settings, two renamed settings, and other sections that have been moved, added, or renamed.
The CIS Benchmarks listed below have recently been updated or released. Each Benchmark comes with a detailed changelog that lists all the changes. The most significant changes are listed below.
Three New CIS Benchmarks for Linux Devices
New and Updated CIS Benchmark for Palo Alto Firewall
Two Updated CIS Benchmarks for Microsoft Windows Server
New and Updated CIS Benchmark for Cisco IOS
SOC 2 (System and Organization Controls 2) is a reporting framework that sets standards for handling customer and user data. Developed by the American Institute of Certified Public Accountants (AICPA), it is based on the institute's five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. A SOC 2 Type II report gives current and prospective customers independent assurance that a company has implemented, and operated over the audit period, the security, privacy, and compliance procedures needed to manage their data.
Driven by members and government contracts that require external assessments and certifications, CIS recently completed a SOC 2 Type II audit for its CIS SecureSuite and MS- and EI-ISAC membership services. The audit provides assurance that members' data and associated information is protected in accordance with those compliance requirements.
CIS RAM v2.1 (the Center for Internet Security Risk Assessment Method) is a free risk assessment method that can be used to justify investments in the CIS Critical Security Controls (CIS Controls). It includes step-by-step directions, examples, templates, and exercises for completing risk assessments that conform to recognized information security risk assessment standards and are defensible to legal authorities and regulators.
CIS recently released CIS RAM v2.1, a risk assessment method designed to help businesses justify investments in the CIS Controls. CIS RAM helps an organization decide its acceptable level of risk and then manage that risk once the CIS Controls are in place. This version supersedes CIS RAM v2.0, which was first released in October 2021.
CIS RAM v2.1 is a collection of documents. The first, CIS RAM Core, is a "bare-bones" version that presents the ideas and methods of CIS RAM risk assessments so that users can learn and apply the method quickly. In addition to CIS RAM Core, one document per Implementation Group (IG1, IG2, and IG3) is available for both v8 and v7.1 of the CIS Controls. Each resource includes a workbook and a guide with examples, templates, exercises, background information, and help with further risk analysis approaches. CIS has so far issued CIS RAM Core v2.1, CIS RAM v2.1 for IG1, and CIS RAM v2.1 for IG2; CIS RAM v2.1 for IG3 is under development.
In 2018, HALOCK Security Labs and CIS partnered to release CIS RAM v1.0, the first public release of the method. CIS RAM v2.1 is the product of that continuing collaboration. Since then, HALOCK has received positive feedback on the CIS RAM methods from legal authorities, regulators, attorneys, business executives, and technology leaders.
CIS is a founding member of the DoCRA Council, which oversees the risk analysis standard upon which CIS RAM v1.0 is based.
Cloud computing is expected to drive digital initiatives for businesses in the coming years. Gartner predicts that by 2025 more than 85 percent of enterprises will have adopted a cloud-first strategy, investigating cloud solutions to meet their business objectives. There will be many hurdles to securing the cloud along the way. When enterprises don't own the underlying physical infrastructure, asset visibility, data protection, and other security functions become more complicated, and attackers know that businesses find these challenges difficult to navigate on their own.
Cloud security best practices. Organizations don't have to go it alone when it comes to cloud security; they can build secure cloud environments by following a set of best practices. Working with a large community of worldwide adopters and cybersecurity professionals, the CIS Critical Security Controls (CIS Controls) team has created a cloud security companion guide to help enterprises secure their cloud-based assets. Using consensus-developed best practices, the CIS Controls v8 Cloud Companion Guide describes how to map and implement the applicable CIS Safeguards in a cloud environment. One of the biggest hurdles to applying best practices in the cloud is shared responsibility: the customer and the cloud provider typically divide security duties between them, and the Guide identifies who is responsible for the cloud security tasks set out in each Safeguard.
These responsibilities differ across the four most prominent cloud service models: IaaS (Infrastructure as a Service), PaaS (Platform as a Service), SaaS (Software as a Service), and FaaS (Function as a Service). With the CIS Controls v8 Cloud Companion Guide, consumers have what they need to tailor the CIS Controls to a specific IT/OT cloud environment.
New Guidance to Secure Election Management System Machines
Election management systems are essential to running orderly elections. An election management system (EMS) helps state and local election offices plan, manage, and conduct elections. An EMS handles many of the back-end tasks needed to run an election, such as building ballots, programming the election database, reporting results, and tracking ballots. EMSs are generally well protected and segregated from the internet, which reduces many cyber risks; however, protecting the machines that exchange data with the EMS via removable media remains critical.
CIS is pleased to announce the release of the CIS Microsoft Windows 10 EMS Gateway Benchmark. This new CIS Benchmark provides enhanced protection for EMS gateway machines and specific guidance to reduce the risk of malware. It is a security-hardened variant of the CIS Microsoft Windows 10 Benchmark, tailored to Windows 10 computers with unique security needs: these machines are used to transfer data from a network or the internet onto portable media that then crosses the air gap to the EMS.
Abdul Samad Saleem
Note: Part-1 Article by "Waqar Mehboob"
Note: Article by "Waqar Mehboob"