How to get started with ongoing configuration assessments

There’s an old adage in business: if you’re not measuring something, you can’t manage it. These days, information technology (IT) and information security professionals know this all too well, especially when it comes to configuration assessments.

Network performance requires constant monitoring. Cyber threats demand identification and remediation. Systems need to be securely configured upon implementation and then assessed frequently to ensure they stay that way. What’s more, cyber threat actors (CTAs) constantly seek out poorly configured or vulnerable systems. As hundreds of organizations experienced with the MOVEit-related data breaches, CTAs are constantly looking for new ways try to exploit these weaknesses – including by preying on your supply chain. After all, when one system is left unsecured, it often means that others are unsecured by extension.

The need for ongoing configuration assessments

Identifying configuration vulnerabilities is a key element of a strong cybersecurity program. Improper configurations can put your organization at risk. While configuration assessment is essential, it can be difficult to execute. First, systems very rarely come securely configured right out of the box. The sheer number of systems that you need to harden is probably enormous, and the volume of settings that require configuration can be daunting. As your teams try to meet deadlines or day-to-day business needs, your personnel might put systems into production without basic hardening. Upgrades and other changes can lead to configuration drift, creating new vulnerabilities over time.

For your IT teams, system configuration can be a big focus at the time of implementation. Even so, effective protection against cyber threats requires continuous attention. You can use regular configuration assessments to reduce attack opportunities for CTAs.

Establishing secure configurations

Assessment is an important step in system hardening. To understand how your current environment matches up to industry best practices, compare your configurations to the recommendations in the CIS Benchmarks. The CIS Benchmarks are consensus-developed, best practice secure configuration guidelines that you can use to harden your target systems. More than 100 CIS Benchmarks are available at the time of writing; they cover more than 25 vendor product families. The PDF versions are available to download at no cost to you.

Each CIS Benchmark describes – in simple language – the security benefit of each recommendation and the steps that should be taken for secure configuration. Every CIS Benchmark also maps to the CIS Critical Security Controls (CIS Controls) where applicable, making it possible to develop an actionable remediation plan with a high-level view. Taken together, the CIS Benchmarks’ security recommendations provide proven steps that take the guesswork out of hardening systems. As a result, you can save time and effort in assessing and remediating configuration vulnerabilities across your environments.

Scaling configuration assessments

Knowing your desired end state for secure configuration is only part of the picture. Assessing system configuration at scale is also important. To understand how your system configurations conform to the CIS Benchmarks, you can use the CIS Configuration Assessment Tool (CIS-CAT). It scans against a target system’s configuration settings against the corresponding Benchmark’s hundreds of recommendations. These automated assessments help you to accelerate your implementation of secure configurations at scale – not to mention your remediation of vulnerabilities.

CIS-CAT Pro, which is available to CIS SecureSuite Members, has two components: the easy-to-use CIS-CAT Pro Assessor v4 GUI and the CIS-CAT Dashboard. CIS-CAT Pro Assessor v4 supports more than 80 CIS Benchmarks for automated configuration assessments and remote endpoints. CIS-CAT Pro Dashboard is a companion application for CIS-CAT Pro Assessor; it helps you to visualize your assessment results and track your conformance over a recent period of time so that you can plan your hardening efforts going forward.

Analyzing security configuration assessment results is critical to your remediation planning efforts. That’s why the CIS-CAT Pro Assessor includes configuration assessment evidence in the HTML report. The evidence provides an in-depth view of your endpoint’s state and assists in remediation planning. To experience how CIS-CAT works, you can try CIS-CAT Lite, our free configuration assessment tool. The free version produces only HTML reports and supports a subset of CIS Benchmark assessments.

Assess at Scale with CIS SecureSuite

CIS-CAT Pro Assessor and CIS-CAT Pro Dashboard are both included in CIS SecureSuite Membership. In addition to CIS-CAT Pro, CIS SecureSuite Membership provides access to benefits, tools, and resources, including full-format CIS Benchmarks and more. This makes it even easier for you to start secure and stay secure with the CIS Benchmarks.