Research Report Summary: CIS Benchmark Security Configurations Eliminate 80 – 90 % of Known Operating System Vulnerabilities. Bert Miuccio, www.cisecurity.org, bmiuccio@cisecurity.org

  1. Research Report Summary CIS Benchmark Security Configurations Eliminate 80 – 90 % of Known Operating System Vulnerabilities Bert Miuccio www.cisecurity.org bmiuccio@cisecurity.org

  2. “Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.” • Gartner Group, May 6, 2002

  3. Where are most of the Vulnerabilities that are being exploited?
     1. Insecure Accounts: null password, admin account with no password, no password expiration…
     2. Unnecessary Services: Telnet, remote access, remote execution…
     3. Backdoors: NETBUS, BACKORIFICE, SUBSEVEN…
     4. Mis-configurations: NetBIOS null sessions…
     5. Software Defects: hot-fixes, patches…
     Categories 1–4 are controlled by configuration settings; patches fix the software defects in category 5.

  4. Case studies and research show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks.

  5. Case Study / Research Methodology
     (1) Scan a system “out of the box” or in its existing production configuration, and list the identified vulnerabilities
     (2) Configure the system with the appropriate CIS benchmark
     (3) Rescan the system and note the reduction in vulnerabilities

  6. W2K Benchmark Case studies

  7. Citadel Research - Win 2000 Pro (CIS Level-1 Benchmark), using Harris STAT Vulnerability Scanner 5.11
     Severity   Default config.   Post CIS config.
     High        13                 1
     Medium      57                 5
     Low        117                30
     Warning     11                 1
     Total      198                37

  8. Solutionary Study – Win 2000 Server (Level-1 Benchmark) Using Solutionary’s Vulnerability Scanning Methodology

  9. NSA study (Level-2 benchmark for W2K Pro) % Reduction: 96 90 50 91

  10. The Mitre Study Windows 2000 Professional Level-2 configuration reduced CVE vulnerabilities by 83%

  11. IA Newsletter describing the NSA and Mitre studies Vol 5, Number 3, Fall 2002 • http://iac.dtic.mil/iatac/news_events/ia_newsletter.htm

  12. Citadel Research - Win 2000 Server (Level-2 Benchmark), using ISS Internet Scanner 6.2.1
      Severity   Default config.   Post CIS config.
      High        30                 0
      Medium      89                 0
      Low        109                 2
      Total      228                 2
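The scan / configure / rescan methodology of slide 5 and the before-and-after tables of slides 7 and 12 come down to comparing two scanner result sets keyed by the scanner's check identifier, so that the per-severity reduction can be computed and the findings that survived hardening (or were newly introduced by it) can be listed for review. The following Python script is an added example; it is not part of the presentation and not a CIS, Citadel or Harris STAT tool. The `Finding` record, the check identifiers and the per-severity counts are constructed here so that they reproduce the Citadel Level-1 figures from slide 7.

```python
from collections import Counter
from dataclasses import dataclass

# Severity bands in the order the slide tables use them.
SEVERITIES = ("High", "Medium", "Low", "Warning")


@dataclass(frozen=True)
class Finding:
    """One scanner finding (constructed shape; real scanners export richer records)."""
    check_id: str   # the scanner's stable identifier for the check
    severity: str   # one of SEVERITIES


def count_by_severity(findings):
    """Number of findings in each severity band, with zeros for empty bands."""
    counts = Counter(f.severity for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}


def pct_reduction(before, after):
    """Percentage of findings removed, rounded to one decimal; 0.0 when nothing was there to remove."""
    if before == 0:
        return 0.0
    return round(100.0 * (before - after) / before, 1)


def compare_scans(before, after):
    """Steps (1) and (3) of the methodology: compare the pre- and post-hardening scans.

    Returns the per-severity table (plus a Total row), the check ids that are still
    present after hardening (residual risk to review), and any check ids that appear
    only in the second scan (a configuration change that introduced a new finding).
    """
    b = count_by_severity(before)
    a = count_by_severity(after)
    rows = {
        s: {"before": b[s], "after": a[s], "reduction_pct": pct_reduction(b[s], a[s])}
        for s in SEVERITIES
    }
    rows["Total"] = {
        "before": len(before),
        "after": len(after),
        "reduction_pct": pct_reduction(len(before), len(after)),
    }
    before_ids = {f.check_id for f in before}
    after_ids = {f.check_id for f in after}
    return {
        "rows": rows,
        "residual": sorted(after_ids & before_ids),
        "new": sorted(after_ids - before_ids),
    }


def format_table(rows):
    """Render the comparison in the same layout as the slide tables."""
    lines = [f"{'Severity':<10}{'Before':>8}{'After':>8}{'Reduction':>11}"]
    for name, r in rows.items():
        lines.append(f"{name:<10}{r['before']:>8}{r['after']:>8}{r['reduction_pct']:>10.1f}%")
    return "\n".join(lines)


def citadel_level1_example():
    """Constructed scan results sized to match slide 7 (Win 2000 Pro, Level-1 benchmark).

    Check ids such as 'High-3' are synthetic; the post-benchmark scan is modelled as
    the first N findings of each band surviving, with no new findings introduced.
    """
    before_counts = {"High": 13, "Medium": 57, "Low": 117, "Warning": 11}
    after_counts = {"High": 1, "Medium": 5, "Low": 30, "Warning": 1}
    before = [Finding(f"{s}-{i}", s) for s in SEVERITIES for i in range(before_counts[s])]
    after = [Finding(f"{s}-{i}", s) for s in SEVERITIES for i in range(after_counts[s])]
    return compare_scans(before, after)


if __name__ == "__main__":
    result = citadel_level1_example()
    print(format_table(result["rows"]))
    print("residual findings:", len(result["residual"]), "new findings:", len(result["new"]))
```

Keying on the check identifier rather than on counts alone is what makes the residual list useful: a scanner can report the same total while the set of findings underneath has changed, and the `new` list catches the case where a benchmark setting trips a check that the default configuration did not.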

  13. Conclusion Using the benchmarks and scoring tools available free at http://www.cisecurity.org will help you improve and manage the secure configuration of your systems.