Security Hardening Guides

TL;DR

The CIS Benchmarks are generally the best starting point for security configuration guidance. They provide detailed, practical advice across many operating systems and applications. NIST publications offer deeper technical detail but can be more complex to implement.

1. Understanding Your Options

There are several sources of security configuration guidance available. Here’s a breakdown of the most useful:

  • CIS Benchmarks: Created by the Center for Internet Security (CIS). These are widely respected, platform-specific guides covering operating systems (Windows, Linux, macOS), cloud platforms (AWS, Azure, GCP), and applications. They are published at levels of implementation; Level 1, the less disruptive profile, is often a good starting point.
  • NIST Publications: The National Institute of Standards and Technology (NIST) publishes detailed security standards and guidelines, such as the NIST Cybersecurity Framework and Special Publication 800-53. These are very thorough but can be complex to apply directly.
  • Vendor Documentation: Operating system and application vendors often provide their own security configuration guides. These are useful, but they are not independent and may not cover every weakness.
  • OWASP: The Open Web Application Security Project (OWASP) focuses on web application security. Their guides are excellent for securing web applications and APIs.

2. Why CIS Benchmarks Are a Good Starting Point

CIS Benchmarks offer several advantages:

  • Practicality: They provide step-by-step instructions that can be easily implemented.
  • Platform Coverage: They cover a wide range of operating systems, cloud platforms, and applications.
  • Community Driven: Developed by a community of security experts.
  • Levels of Implementation: Allow you to tailor the hardening process based on your risk tolerance and resources.

3. Accessing CIS Benchmarks

CIS Benchmarks are available through the CIS website. Some benchmarks are free, while others require a paid membership.

4. Implementing CIS Benchmarks – Example (Linux)

You can use an auditing tool such as Lynis to automate many of the checks on Linux systems:

sudo apt update && sudo apt install lynis
sudo lynis audit system

Lynis scans the system and writes a report of warnings and hardening suggestions, many of which correspond to CIS benchmark recommendations. You’ll need to review the report and implement the changes manually.
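The report Lynis writes to /var/log/lynis-report.dat is machine-readable ("key=value" lines, and "kind[]=TEST-ID|text|details|solution|" lines for findings), which makes triage scriptable. The POSIX shell helpers below are an added example, not code from the article or from the Lynis project; the embedded report is a constructed sample, and its test IDs and messages are illustrative only. One caveat worth keeping in mind: Lynis is a general hardening auditor, not the CIS-CAT assessor that CIS itself publishes, so treat its findings as overlapping with a benchmark rather than as a benchmark pass or fail.

```shell
#!/bin/sh
# Added example: triage a Lynis report file. The sample below is CONSTRUCTED in the
# format of /var/log/lynis-report.dat; IDs and messages are illustrative only.
SAMPLE_REPORT="${TMPDIR:-/tmp}/lynis-report-sample.dat"
cat > "$SAMPLE_REPORT" <<'EOF'
hardening_index=61
warning[]=AUTH-9308|No password set for single mode|-|-|
warning[]=SSH-7408|Consider hardening SSH configuration|PermitRootLogin (set yes to no)|-|
suggestion[]=AUTH-9282|When possible set expire dates for all password protected accounts|-|-|
suggestion[]=SSH-7408|Consider hardening SSH configuration|MaxAuthTries (set 6 to 3)|-|
suggestion[]=FILE-6310|To decrease the impact of a full /tmp file system, place /tmp on a separate partition|-|-|
EOF

# Print the overall hardening index (0-100) recorded in a report.
lynis_hardening_index() {
    sed -n 's/^hardening_index=//p' "$1"
}

# Count report entries of one kind ("warning" or "suggestion").
# Note: grep -c exits non-zero when the count is 0.
lynis_count() {
    grep -c "^$2\[]=" "$1"
}

# Print the unique test IDs of one kind, one per line, sorted: handy for tracking
# findings in a ticket or deciding which items to encode in configuration management.
lynis_ids() {
    sed -n "s/^$2\[]=\([^|]*\)|.*/\1/p" "$1" | sort -u
}

# Print "ID: detail" for entries whose third column carries a concrete detail,
# e.g. the specific sshd option Lynis wants changed. Entries with "-" are skipped.
lynis_details() {
    awk -F'|' -v kind="$2" '
        index($1, kind "[]=") == 1 && $3 != "-" && $3 != "" {
            print substr($1, length(kind) + 4) ": " $3
        }' "$1"
}

# Stand-alone usage against the constructed sample. Point these at
# /var/log/lynis-report.dat after "sudo lynis audit system" to triage a real scan.
echo "Hardening index: $(lynis_hardening_index "$SAMPLE_REPORT")"
echo "Warnings: $(lynis_count "$SAMPLE_REPORT" warning), suggestions: $(lynis_count "$SAMPLE_REPORT" suggestion)"
echo "Suggestions with concrete details:"
lynis_details "$SAMPLE_REPORT" suggestion
```

Re-running the audit after each change and diffing the output of lynis_ids is a cheap way to confirm that a finding actually closed rather than merely moved.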

5. Using NIST Publications

NIST publications, particularly SP 800-53, are more comprehensive but require significant effort to implement:

  • Identify Relevant Controls: Determine which controls apply to your environment and risk profile.
  • Develop a Security Plan: Create a plan for implementing the selected controls.
  • Implement and Test: Implement the controls and test their effectiveness.

6. Automating Configuration Management

To maintain security configurations over time, consider using configuration management tools such as:

  • Ansible: A popular automation tool for configuring systems and deploying applications.
  • Puppet: Another widely used configuration management tool.
  • Chef: Similar to Ansible and Puppet, Chef allows you to automate infrastructure configuration.

These tools allow you to define your desired security state as code and automatically enforce it across your environment.
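The idea behind all three tools is the same: declare the desired state once, then have something audit for drift and bring the system back in line without re-breaking what is already correct. The script below is an added example in plain POSIX shell, not code from the article or from the Ansible, Puppet or Chef projects; it shows the pattern on a constructed sshd_config sample. The desired values (root login off, password authentication off, a lower MaxAuthTries, X11 forwarding off) are common SSH hardening recommendations and are assumptions for the illustration, not a specific benchmark's profile.

```shell
#!/bin/sh
# Added example: "desired state as code" for sshd_config, in POSIX shell.
#   sshd_audit   reports drift and changes nothing (exit 1 on drift, 0 if compliant)
#   sshd_enforce applies the desired state idempotently (re-running it is harmless)
# Assumes the "Keyword value" line form; a later duplicate is left alone because
# sshd honours the first active occurrence of a keyword.

# Write the CONSTRUCTED sample config to a path (so a fresh copy can be made any time).
write_sample_sshd() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
EOF
}

# Desired state, one "Option value" per line. Values are assumptions for this example.
DESIRED_SSHD='PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
X11Forwarding no'

# Effective value of an option: the first active occurrence, case-insensitive
# keyword match as sshd does. Prints nothing if the option is unset.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Replace the first active "key ..." line with "key want", or append if absent.
# A commented-out line (#key ...) is not a match, so a new active line is added.
sshd_set() {
    file="$1"; key="$2"; want="$3"; tmp="$file.tmp.$$"
    awk -v key="$key" -v want="$want" '
        tolower($1) == tolower(key) && !done { print key " " want; done = 1; next }
        { print }
        END { if (!done) print key " " want }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Print one "key: current -> desired" line per drifted setting.
sshd_drift() {
    printf '%s\n' "$DESIRED_SSHD" | while read -r key want; do
        have=$(sshd_get "$1" "$key")
        [ "$have" = "$want" ] || echo "$key: ${have:-<unset>} -> $want"
    done
}

# Audit only: exit 0 when compliant, exit 1 (with the drift list) otherwise.
sshd_audit() {
    drift=$(sshd_drift "$1")
    if [ -n "$drift" ]; then
        echo "$drift"
        return 1
    fi
    return 0
}

# Enforce: touch only settings that are actually wrong.
sshd_enforce() {
    printf '%s\n' "$DESIRED_SSHD" | while read -r key want; do
        [ "$(sshd_get "$1" "$key")" = "$want" ] || sshd_set "$1" "$key" "$want"
    done
}

# Stand-alone usage on the constructed sample (never on a live sshd_config without
# review and a config test first).
SAMPLE_SSHD="${TMPDIR:-/tmp}/sshd_config.sample"
write_sample_sshd "$SAMPLE_SSHD"
if sshd_audit "$SAMPLE_SSHD"; then
    echo "already compliant"
else
    echo "drift found, enforcing"
    sshd_enforce "$SAMPLE_SSHD"
fi
sshd_audit "$SAMPLE_SSHD" && echo "now compliant"
```

In Ansible the same desired state would be a handful of ansible.builtin.lineinfile tasks (one per option, each with a regexp for the existing line) followed by a handler that validates the config and restarts sshd; the audit-only mode corresponds to running the playbook with --check --diff. Whatever the tool, keep the audit step separate from enforcement so drift can be reported on systems where automatic change is not acceptable.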
