Research Report Summary
CIS Benchmark Security Configurations Eliminate 80–90% of Known Operating System Vulnerabilities
Bert Miuccio, www.cisecurity.org, bmiuccio@cisecurity.org
“Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known.”
• Gartner Group, May 6, 2002
Where are most of the vulnerabilities that are being exploited?
1. Insecure accounts
   • Null password, Administrator with no password, no password expiration…
2. Unnecessary services
   • Telnet, remote access, remote execution…
3. Backdoors
   • NETBUS, BACKORIFICE, SUBSEVEN…
4. Misconfigurations
   • NetBIOS null sessions…
5. Software defects
   • Hot-fixes, patches…
Categories 1–4 are controlled by configuration settings; category 5 is addressed by patches, which fix software defects.
Case studies and research show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks.
Case Study / Research Methodology
(1) Scan a system “out of the box” or in its existing production configuration, and list the identified vulnerabilities.
(2) Configure the system with the appropriate CIS benchmark.
(3) Rescan the system and note the reduction in vulnerabilities.
Citadel Research – Win 2000 Pro (CIS Level-1 Benchmark)
Using Harris STAT Vulnerability Scanner 5.11

Severity    Default config.    Post CIS config.
High               13                  1
Medium             57                  5
Low               117                 30
Warning            11                  1
Total             198                 37

(198 to 37 findings: an 81% reduction in total.)
Solutionary Study – Win 2000 Server (Level-1 Benchmark) Using Solutionary’s Vulnerability Scanning Methodology
NSA study (Level-2 benchmark for W2K Pro)
% reduction per category: 96, 90, 50, 91 (category labels not preserved)
The Mitre Study Windows 2000 Professional Level-2 configuration reduced CVE vulnerabilities by 83%
IA Newsletter, Vol. 5, No. 3, Fall 2002, describing the NSA and Mitre studies:
• http://iac.dtic.mil/iatac/news_events/ia_newsletter.htm
Citadel Research – Win 2000 Server (Level-2 Benchmark)
Using ISS Internet Scanner 6.2.1

Severity    Default    Post CIS config.
High           30              0
Medium         89              0
Low           109              2
Total         228              2

(228 to 2 findings: a 99% reduction in total.)
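The scan, configure, rescan methodology used in these case studies, as an added example that is not part of the original report: a small Python helper that compares a scanner's finding list before and after the benchmark is applied, reports what was eliminated, what remains and what is new (so a hardening change that opens a new issue is not hidden by a lower total), and computes the per-severity and overall percent reduction. The "id,severity,title" line format, the finding IDs and their titles are constructed assumptions, not real scanner output; the count dictionaries reproduce the two Citadel tables on this page.

```python
"""Scan / configure / rescan comparison helper (added example, not CIS code).

Given a scanner's findings before and after applying a benchmark, report what
was eliminated, what remains, what is new, and the percent reduction per
severity and overall.  Finding records below are constructed sample data;
only the count dictionaries come from the Citadel tables on this page.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

SEVERITY_ORDER = ("High", "Medium", "Low", "Warning")


@dataclass(frozen=True)
class Finding:
    id: str        # scanner-assigned check ID (constructed, e.g. "CHK-0001")
    severity: str  # one of SEVERITY_ORDER
    title: str


def parse_scan(text: str) -> dict:
    """Parse 'id,severity,title' lines (a constructed format; a real scanner's
    CSV/XML export would be mapped onto the same three fields)."""
    findings = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fid, sev, title = (part.strip() for part in line.split(",", 2))
        if sev not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {sev!r} on {fid}")
        findings[fid] = Finding(fid, sev, title)
    return findings


def diff_findings(before: dict, after: dict) -> dict:
    """Keyed by finding ID so the post-benchmark scan is checked for
    regressions (a new finding), not just for a lower total count."""
    return {
        "eliminated": sorted(set(before) - set(after)),
        "remaining": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }


def severity_counts(findings: dict) -> Counter:
    return Counter(f.severity for f in findings.values())


def percent_reduction(before_counts: dict, after_counts: dict) -> dict:
    """Per-severity and total reduction, rounded to one decimal place.
    A severity with no findings before the benchmark is reported as None."""
    result = {}
    for sev in SEVERITY_ORDER:
        b, a = before_counts.get(sev, 0), after_counts.get(sev, 0)
        result[sev] = None if b == 0 else round(100.0 * (b - a) / b, 1)
    tb, ta = sum(before_counts.values()), sum(after_counts.values())
    result["Total"] = None if tb == 0 else round(100.0 * (tb - ta) / tb, 1)
    return result


# Counts from the Citadel tables on this page (Level-1 Pro, Level-2 Server).
CITADEL_W2K_PRO_BEFORE = {"High": 13, "Medium": 57, "Low": 117, "Warning": 11}
CITADEL_W2K_PRO_AFTER = {"High": 1, "Medium": 5, "Low": 30, "Warning": 1}
CITADEL_W2K_SERVER_BEFORE = {"High": 30, "Medium": 89, "Low": 109}
CITADEL_W2K_SERVER_AFTER = {"High": 0, "Medium": 0, "Low": 2}

# Constructed sample scans (IDs and titles are made up for illustration).
BASELINE_SCAN = """
# id,severity,title
CHK-0001,High,Administrator account has blank password
CHK-0002,High,Telnet service running
CHK-0003,Medium,NetBIOS null sessions permitted (RestrictAnonymous=0)
CHK-0004,Medium,Password expiration disabled
CHK-0005,Low,Guest account enabled
CHK-0006,Warning,Last logged-on user name displayed
"""
POST_BENCHMARK_SCAN = """
# id,severity,title
CHK-0004,Medium,Password expiration disabled
CHK-0007,Low,Audit log retention not configured
"""


def report(before_text: str, after_text: str) -> str:
    """Human-readable summary of one scan/configure/rescan cycle."""
    before, after = parse_scan(before_text), parse_scan(after_text)
    diff = diff_findings(before, after)
    pct = percent_reduction(severity_counts(before), severity_counts(after))
    lines = [f"{k}: {', '.join(v) or '-'}" for k, v in diff.items()]
    lines.append("reduction: " + ", ".join(f"{k}={v}" for k, v in pct.items()))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE_SCAN, POST_BENCHMARK_SCAN))
    print("Citadel Pro:", percent_reduction(CITADEL_W2K_PRO_BEFORE, CITADEL_W2K_PRO_AFTER))
    print("Citadel Server:", percent_reduction(CITADEL_W2K_SERVER_BEFORE, CITADEL_W2K_SERVER_AFTER))
```

Comparing by finding ID rather than by count matters in practice: a benchmark setting can close one check while tripping another (here the constructed CHK-0007 appears only after hardening), and a count-only comparison would report that as a smaller drop instead of a regression to review.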
Conclusion Using the benchmarks and scoring tools available free at http://www.cisecurity.org will help you improve and manage the secure configuration of your systems.