How secure configurations meet consensus

Have you ever wondered how technology hardening guidelines are developed? Some are determined by a particular vendor or driven by a bottom-line perspective. But that’s not the case with CIS Benchmarks. They’re developed by the Center for Internet Security (CIS) and are the only consensus-developed security configuration recommendations both created and trusted by a global community of IT security professionals from academia, government, and industry.

There are currently more than 100 configuration guidelines for 25+ vendor product families. Some of the most used include web browsers, videoconferencing, operating systems, and cloud infrastructure.

The CIS Benchmarks are used by companies from around the world to secure technologies from configuration vulnerabilities such as:

  • Open system ports
  • Unauthorized root or admin access
  • User account control (UAC)
  • Unnecessary/unused system services
  • Server Message Block (SMB v1.0)

These vulnerabilities are often open doors for malware that can cause serious damage.

Meet the experts

There are over 12,000 professionals in the CIS Benchmarks communities. These volunteers collaborate on CIS WorkBench, an online platform used for developing and sharing security best practices. Creating CIS Benchmark recommendations requires a wide variety of skills. If you have expertise in risk, security, compliance, or technology and a collaborative spirit, you’re just the kind of person we’re looking for!

Read more about CIS Benchmarks volunteer profiles.

“Don’t be afraid to get involved, to ask questions, or to highlight things you think are wrong. You do not have to be a 10-year veteran who can read RFCs backwards while balancing on your head to have a valid insight, and to make a genuine contribution to the security of the wider internet community,” says Martin White, CIS Benchmarks Editor & Author Community Member for 14 years.

Finding the right role

CIS is always looking for volunteers to join and help develop the CIS Benchmarks. Whether you can commit an hour each week or more, your participation can help shape cybersecurity best practices. Here are some of the roles you can take on as a volunteer in a CIS Benchmark community:

  • Technical and security subject matter expert (SME)
  • Technical writer
  • Tester

Technical and security subject matter expert (SME)

No matter your level of technical or professional experience, there’s a place for you in the CIS Benchmarks communities. If you have expertise in a given technology family and/or in broad security issues and system interactions, the SME role might be a great fit for your skills. SME volunteers might draft a new set of configuration items for a CIS Benchmark. Or, an SME could lead the development of an entire CIS Benchmark document.

Technical writer

Strong writers or proofreaders are always valued as technical writers. If you have experience communicating technical subjects clearly to a diverse audience (English is the standard language of the CIS Benchmarks), then we encourage you to join! Technical writers look for spelling errors and unclear wording, and review the format of the documents. This helps ensure clear communication throughout the security recommendations.


Tester

If you’re a volunteer who has access to network devices or specialized hardware, the tester role might be the position for you. Testers often review and comment on technical details of the open discussions or tickets on a particular CIS Benchmark. This helps ensure recommendations are correct when applied and do not impact the system.

The day-to-day work of developing the CIS Benchmarks varies. It takes people with all expertise levels to create a document. Every contribution made is valued in the communities. “I wanted to contribute and to be part of the discussion in shaping those standards for the future,” says White.

Why volunteer?

CIS Benchmarks community members enjoy collaborating and networking with thousands of cybersecurity experts from around the globe. In addition to the warm-and-fuzzy feeling you get from helping secure the connected world, you’ll be providing real security for real threats. Here are a few communities which are currently seeking participants:

  • Google Workspaces
  • Cisco NX-OS
  • Oracle MySQL

Besides helping stop cyber threats, volunteers can also receive CPEs (Continuing Professional Education credits) and be recognized for major contributions to CIS Benchmarks within the documentation. Not to mention, bragging rights to your friends and family about the intricacies of FIPS encryption configuration!

How to get involved

Some of the specific technologies CIS is currently working to secure include Microsoft Windows (Workstation and Server), macOS, flavors of Linux, containers, as well as mobile devices, cloud products/services, hypervisors, and networking equipment.

You can join the CIS Benchmark communities anytime! Simply register on CIS WorkBench. It’s free to join and contribute to the CIS Benchmarks development. Whether you focus on technical configurations, risk management, or cyber defenses, there’s a place for you. Come spend an hour or two each week networking and collaborating on security best practices.
