What are CIS (Center for Internet Security) benchmarks?
CIS benchmarks are industry-standard guidelines developed by the Center for Internet Security (CIS) to help organizations secure their systems against cybersecurity threats. These benchmarks recommend security configurations and best practices for various operating systems, software applications, and network devices.
Examples of CIS benchmarks:
CIS Microsoft Windows 10 Benchmark:
Account Policies:
Minimum password length: 12 characters
Password complexity: Enabled (requires a combination of uppercase, lowercase, numeric, and special characters)
Account lockout threshold: 5 invalid login attempts
Firewall Rules:
Inbound firewall rule: Block all incoming connections except those required for essential services (e.g., RDP, DNS)
Outbound firewall rule: Allow essential outgoing connections (e.g., HTTP, HTTPS, DNS)
Audit Policies & Secure Configurations
Disable Guest account: Enabled
Disable SMBv1: Enabled
Windows Update: Configure automatic updates to install security updates daily
CIS Amazon Web Services (AWS) Foundations CIS Benchmark:
Identity and Access Management (IAM): Use IAM roles for EC2 instances with appropriate permissions. Implement least privilege access control by assigning only necessary permissions to IAM users and groups.
Logging and Monitoring: Enable AWS CloudTrail logging for all AWS regions. Configure CloudWatch alarms to monitor CPU utilization, disk space, and network traffic.
Encryption: Use AWS KMS to encrypt data at rest with a customer-managed key. Enable server-side encryption with SSE-S3 for all S3 buckets.
Network Configuration: Use security groups to restrict inbound traffic to necessary ports (e.g., TCP 22 for SSH, TCP 443 for HTTPS). Use network ACLs to restrict traffic at the subnet level.
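As an added example (not CIS or AWS tooling) of checking the "restrict inbound traffic to necessary ports" item, the function below audits security-group ingress rules in the shape that `ec2 describe-security-groups` returns (IpPermissions entries). The allowlist of ports and all rule data are constructed assumptions.

```python
# Added example, not from the CIS AWS Foundations Benchmark itself: flag security-group
# ingress rules that open more than the allowlisted TCP ports.

ALLOWED_TCP_PORTS = {22, 443}   # assumption: only SSH and HTTPS are "necessary" here

def _cidrs(rule):
    """Yield every IPv4/IPv6 CIDR attached to one IpPermissions entry."""
    for r in rule.get("IpRanges", []):
        yield r["CidrIp"]
    for r in rule.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]

def audit_ingress(permissions, allowed_tcp_ports=ALLOWED_TCP_PORTS):
    """Return (cidr, protocol, from_port, to_port, reason) for each rule that
    opens something other than the allowlisted TCP ports."""
    findings = []
    for rule in permissions:
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        for cidr in _cidrs(rule):
            if proto == "-1":                      # "-1" means all protocols, all ports
                findings.append((cidr, proto, lo, hi, "all protocols and ports open"))
            elif proto != "tcp":
                findings.append((cidr, proto, lo, hi, "non-TCP protocol not in allowlist"))
            else:
                extra = set(range(lo, hi + 1)) - allowed_tcp_ports
                if extra:
                    findings.append((cidr, proto, lo, hi,
                                     f"opens non-allowlisted TCP ports {sorted(extra)[:5]}"))
    return findings

# Constructed sample: SSH from the VPC, HTTPS to the world, RDP to the world,
# and an IPv6 rule that allows everything.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
]

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_PERMISSIONS):
        print("FINDING:", finding)
```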
CIS Docker Benchmark:
Container Configuration:
User namespace remapping: Enabled
Restrict container capabilities: Drop all capabilities except those required by the container
Network Settings:
Use user-defined bridge networks to isolate containers and control communication
Configure Docker daemon to use a specific DNS server for container name resolution
User Authentication:
Configure Docker daemon to use LDAP for user authentication
Container Runtime Security:
Enable AppArmor profiles for containers to enforce security policies
Use Docker Content Trust to verify the authenticity of container images
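The following is an added example, not CIS's own assessment tooling, that checks the Docker items above against the places where they are actually configured: daemon.json (user namespace remapping), a container's HostConfig as shown by `docker inspect` (capabilities, AppArmor), and the client environment (Content Trust). All inputs are constructed samples.

```python
# Added example, not CIS's own tooling: check daemon.json, a container's HostConfig
# (as shown by `docker inspect`) and the client environment against the Docker
# Benchmark items above. Every input value below is a constructed sample.

def check_docker(daemon_config, host_config, client_env, required_caps=()):
    """Return a list of failed checks (an empty list means everything passed)."""
    failures = []

    # User namespace remapping is a daemon-level setting ("userns-remap" in daemon.json).
    if not daemon_config.get("userns-remap"):
        failures.append("user namespace remapping not enabled (userns-remap unset)")

    # Capabilities: drop ALL, then add back only what the workload really needs.
    cap_drop = {c.upper() for c in host_config.get("CapDrop") or []}
    cap_add = {c.upper() for c in host_config.get("CapAdd") or []}
    if "ALL" not in cap_drop:
        failures.append("container does not drop all capabilities (CapDrop lacks ALL)")
    extra = cap_add - {c.upper() for c in required_caps}
    if extra:
        failures.append(f"container adds capabilities beyond those required: {sorted(extra)}")

    # AppArmor: a profile must be applied and it must not be 'unconfined'.
    opts = host_config.get("SecurityOpt") or []
    profiles = [o[9:] for o in opts if o.startswith(("apparmor=", "apparmor:"))]
    if not profiles or profiles[-1] == "unconfined":
        failures.append("no AppArmor profile enforced on the container")

    # Content trust is a client-side setting: DOCKER_CONTENT_TRUST=1 makes pulls verify signatures.
    if client_env.get("DOCKER_CONTENT_TRUST") != "1":
        failures.append("Docker Content Trust not enabled in the client environment")
    return failures

# Constructed samples: a daemon without remapping and a container left at defaults,
# beside a hardened configuration that should pass every check.
SAMPLE_DAEMON = {"dns": ["10.0.0.53"]}
SAMPLE_HOST_CONFIG = {"CapDrop": None, "CapAdd": ["NET_ADMIN"],
                      "SecurityOpt": ["apparmor=unconfined"]}
HARDENED_DAEMON = {"userns-remap": "default", "dns": ["10.0.0.53"]}
HARDENED_HOST_CONFIG = {"CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
                        "SecurityOpt": ["apparmor=docker-default"]}

if __name__ == "__main__":
    for failure in check_docker(SAMPLE_DAEMON, SAMPLE_HOST_CONFIG, {}):
        print("FAIL:", failure)
    print("hardened:", check_docker(HARDENED_DAEMON, HARDENED_HOST_CONFIG,
                                    {"DOCKER_CONTENT_TRUST": "1"},
                                    required_caps=("NET_BIND_SERVICE",)))
```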
CIS Kubernetes Benchmark:
Kubernetes Control Plane: Secure access to the Kubernetes API server by enabling client certificate authentication and disabling anonymous access
Encrypt etcd data:
Use TLS encryption for etcd communication
Encrypt etcd data at rest
etcd Security:
Enable authentication using client certificates
Configure role-based access control (RBAC) for end-users
kubelet Security:
Use TLS encryption for kubelet API server communication
Configure kubelet RBAC policies to restrict access to sensitive APIs and resources
Network Policies: Use network policies to allow or block traffic between pods based on namespace, labels, and ports. Example: allow traffic from pods matching podSelector app=frontend to pods matching podSelector app=backend on port 80/tcp
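As an added example (not from the CIS Kubernetes Benchmark itself), here is the frontend-to-backend policy written out as a manifest, plus a small evaluator of Kubernetes ingress semantics that shows the point the one-line example hides: once any policy selects a pod, every ingress flow that no rule matches is denied. It assumes all pods share one namespace and considers only podSelector and ports (no namespaceSelector or ipBlock).

```python
# Added example, not CIS's or Kubernetes' own code: the NetworkPolicy from the text as a
# manifest dict, and an evaluator of its ingress semantics. Assumptions: single namespace,
# only podSelector/ports peers are considered.

FRONTEND_TO_BACKEND = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-frontend-to-backend"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "backend"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
            "ports": [{"protocol": "TCP", "port": 80}],
        }],
    },
}

def _selects(selector, labels):
    """matchLabels semantics: every key/value must match; {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def ingress_allowed(policies, src_labels, dst_labels, port, protocol="TCP"):
    """True if traffic src -> dst on port/protocol is permitted by the given policies."""
    applicable = [p for p in policies
                  if "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                  and _selects(p["spec"]["podSelector"], dst_labels)]
    if not applicable:
        return True          # a pod selected by no policy accepts all ingress
    for policy in applicable:
        for rule in policy["spec"].get("ingress", []):
            peers = rule.get("from", [])
            peer_ok = not peers or any(
                _selects(peer.get("podSelector", {}), src_labels) for peer in peers)
            ports = rule.get("ports", [])
            port_ok = not ports or any(
                p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)
            if peer_ok and port_ok:
                return True
    return False             # selected by a policy but matched by no rule: denied
```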
CIS Oracle Database Benchmark:
Authentication and Authorization:
Password complexity: At least 12 characters including uppercase, lowercase, numeric, and special characters
Password expiration: Every 90 days
Role-based access control (RBAC) for database users and roles
Auditing:
Enable auditing for all database users
Audit trail retention: Minimum of 90 days
Encryption:
Transparent Data Encryption (TDE) for sensitive tablespaces (e.g., USERS)
SSL/TLS encryption for Oracle Net Services connections
Database Configuration:
Set audit_trail parameter to DB_EXTENDED
Implement least privilege principle for database users and roles
CIS Apache HTTP Server Benchmark:
Server Hardening:
Disable server signature: ServerSignature Off
Disable directory listing: Options -Indexes
SSL/TLS Configuration:
Enable strong cipher suites (e.g., AES256-SHA256, ECDHE-RSA-AES256-GCM-SHA384)
Enable Perfect Forward Secrecy (PFS)
Access Controls:
Restrict access to specific directories using .htaccess files or Apache configuration directives. Example: Require all granted for authenticated users, deny all for unauthorized users
Logging:
Enable access logging: CustomLog /var/log/apache/access.log combined
Rotate log files daily and keep logs for at least 90 days
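Added example, not CIS's own assessment tooling: a small scan of an Apache configuration for the three directives named above (ServerSignature Off, Options -Indexes, and a CustomLog access log). It handles comment lines, section tags, and the +/- flag syntax of Options; CONFIG is a constructed sample, not a real server's file.

```python
# Added example, not CIS's own tooling: check an Apache config for the three directives
# called out in the Apache benchmark items above. CONFIG is a constructed sample.

def parse_directives(text):
    """Yield (name, args) per directive line; names lower-cased, comments/tags skipped."""
    for line in text.splitlines():
        line = " ".join(line.split())            # normalise tabs and runs of spaces
        if not line or line.startswith(("#", "<")):
            continue
        name, _, args = line.partition(" ")
        yield name.lower(), args.split()

def indexes_enabled(options_args):
    """Options semantics: Indexes/+Indexes/All enable listing; -Indexes/-All/None disable it."""
    enabled = None
    for opt in options_args:
        o = opt.lower()
        if o in ("indexes", "+indexes", "all", "+all"):
            enabled = True
        elif o in ("-indexes", "-all", "none"):
            enabled = False
    return enabled

def audit_apache(text):
    findings = []
    signature_off = listing_disabled = access_log = False
    for name, args in parse_directives(text):
        if name == "serversignature":            # last occurrence wins, as in Apache
            signature_off = bool(args) and args[0].lower() == "off"
        elif name == "options":
            state = indexes_enabled(args)
            if state is True:
                findings.append(f"directory listing enabled: Options {' '.join(args)}")
            elif state is False:
                listing_disabled = True
        elif name == "customlog":
            access_log = True
    if not signature_off:
        findings.append("ServerSignature is not Off")
    if not listing_disabled:
        findings.append("no 'Options -Indexes' found")
    if not access_log:
        findings.append("no CustomLog access log configured")
    return findings

CONFIG = """\
# constructed sample, not a real server's file
ServerSignature On
<Directory /var/www/html>
    Options Indexes FollowSymLinks
</Directory>
CustomLog /var/log/apache/access.log combined
"""
```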
What is the Center for Internet Security (CIS)?
It’s a US government-related non-profit organization that has gained authority and recognition in the cybersecurity industry. CIS benchmarks are widely adopted by organizations globally because they are created through consensus-based processes involving cybersecurity experts from various sectors. Additionally, CIS collaborates with government agencies, industry partners, and cybersecurity professionals to ensure its recommendations are relevant, effective, and up-to-date. This authoritative status is further solidified by CIS's reputation for providing practical, actionable guidance, including:
CIS Controls: A set of prioritized cybersecurity best practices covering areas such as inventory and control of hardware assets, continuous vulnerability assessment and remediation, and data protection.
CIS Benchmarks: Detailed configuration guidelines for securing operating systems, software applications, and network devices.
CIS Hardened Images: Pre-configured virtual machine and container images with security-hardened settings based on CIS benchmarks. These images enable organizations to deploy systems with a reduced attack surface and enhanced security posture.
CIS SecureSuite Membership: A subscription service that provides access to CIS resources, including benchmarks, controls, tools, and support for implementing cybersecurity best practices effectively.
CIS RAM (CIS Risk Assessment Method): A framework for assessing and managing cybersecurity risks within an organization. It helps identify, analyze, and prioritize risks to inform decision-making and resource allocation for cybersecurity efforts.
Other names for CIS benchmarks:
Network security
Internet security
Cybersecurity
Information Security or IT security
Network Configuration Standards