Introduces the CIS Benchmarks and CIS Controls, and uses their specifications and security best-practice recommendations to harden IIS, SQL Server and Windows Server and reduce potential security risk 😎
Overview
CIS (the Center for Internet Security) is a non-profit organization that publishes Benchmarks and Controls for configuring IT environments; they can serve as a compliance baseline for raising an organization's security posture.
CIS Benchmark
- IIS
- SQL Server
- Windows Server
- Windows
- Office
The GCB (Government Configuration Baseline) topic documents published by the NCCST (技服中心, Taiwan's National Center for Cyber Security Technology), such as those for IIS and SQL Server, all cite CIS in their references. For IIS in particular, GCB and CIS overlap very heavily, so going back to the source and studying the CIS Benchmark is a faster and more up-to-date way to master the recommended configuration settings.
IIS Benchmark
Topics covered by the IIS Benchmark:
- Basic Configurations
- Configure Authentication and Authorization
- ASP.NET Configuration Recommendations
- Request Filtering and Other Restriction Modules
- IIS Logging Recommendations
- FTP Requests
- Transport Encryption
The recommended configuration settings, together with the GCB recommendations, are consolidated in the separate article IIS Security Configuration (IIS 網頁伺服器的安全設定).
SQL Server Benchmark
Topics covered by the SQL Server Benchmark:
- Installation, Updates and Patches
- Surface Area Reduction
- Authentication and Authorization
- Password Policies
- Auditing and Logging
- Application Development
- Encryption
- Appendix: Additional Considerations
Besides CIS, the GCB topics for SQL Server also draw on the recommended settings in the US Department of Defense STIGs.
CIS Control
Unlike Taiwan's Cyber Security Responsibility Level Classification Regulations (資通安全責任等級分級辦法), whose Appendix 10, the Information System Protection Baseline (資通系統防護基準), selects control measures by classifying systems as high, medium or normal, CIS uses Implementation Groups (based on enterprise size), IG1, IG2 and IG3, to determine which controls must be implemented.
- IG1: Small and medium-sized enterprises with limited IT and security staff. Their primary goal is to keep operations running without interruption, and they hold little sensitive data that needs protection. IG1 controls are therefore the minimum set of security controls that should be achieved once cost-effectiveness is taken into account.
- IG2: Enterprises with dedicated staff responsible for security defense; an IG2 organization is typically the supporting unit for several IG1 units, for example the security department at a head office. IG2 implements all of the IG1 controls and additionally addresses the need to protect sensitive and critical data.
- IG3: Enterprises whose defenses are implemented by specialists in each security domain (risk management, penetration testing, application security and so on). IG3 organizations are subject to legal and regulatory requirements for sensitive data, have strict requirements for availability and data integrity, and a security incident would have a serious impact on the public. Implementing the IG3 controls includes implementing all of the IG2 and IG1 controls.
Mapping
CIS Controls can be cross-referenced with other security frameworks and control sets. The following is the list of mappings provided by CIS:
- SOC2
- PCI v3.2.1
- NIST
  - SP800-53 Rev 5 v8
  - SP800-171 Rev 2 v8
  - SP 800-53 Rev 5 Moderate and Low Baselines
  - CSF v8 Mappings
- NERC-CIP
- ISO/IEC 27002:2021
- ISACA COBIT 19
- GSMA FS.31 Baseline Security Controls
- FFIEC CAT (Federal Financial Institutions Examination Council - Cybersecurity Assessment Tool)
- Enterprise ATT&CK v8.2 Master Mapping
- CSA v8 (Cloud Security Alliance)
- CMMC v8
- CJIS (Criminal Justice Information Services)
- Azure Security Benchmark v3
Abbreviations
Abbreviations used in CIS material; the source is the CIS Controls Guide.
- AAA: Authentication, Authorization, and Auditing
- ACL: Access Control List
- AD: Active Directory
- AoC: Attestation of Compliance
- API: Application Programming Interface
- BEC: Business Email Compromise
- C2: Command and Control
- CCE: Common Configuration Enumeration
- CDM: Community Defense Model
- CIA: Confidentiality, Integrity, and Availability
- CIS: Center for Internet Security
- CIS-CAT: CIS Configuration Assessment Tool
- COTS: Commercial off-the-Shelf
- CPE: Common Platform Enumeration
- CREST: Council of Registered Security Testers
- CSA: Cloud Security Alliance
- CSP: Cloud Service Provider
- CVE: Common Vulnerabilities and Exposures
- CVSS: Common Vulnerability Scoring System
- DBIR: Data Breach Investigations Report
- DEP: Data Execution Prevention
- DG: Development Group
- DHCP: Dynamic Host Configuration Protocol
- DKIM: DomainKeys Identified Mail
- DLP: Data Loss Prevention
- DMARC: Domain-based Message Authentication, Reporting, and Conformance
- DMS: Database Management System
- DNS: Domain Name System
- DPI: Deep Packet Inspection
- EDR: Endpoint Detection and Response
- EOL: End of Life
- FFIEC: Federal Financial Institutions Examination Council
- FISMA: Federal Information Security Modernization Act
- GRC: Governance Risk and Compliance
- HECVAT: Higher Education Community Vendor Assessment Toolkit
- HIPAA: Health Insurance Portability and Accountability Act
- HTTP: Hypertext Transfer Protocol
- HTTPS: Hypertext Transfer Protocol Secure
- IaaS: Infrastructure as a Service
- IAM: Identity and Access Management
- IDS: Intrusion Detection System
- IG: Implementation Group
- IOCs: Indicators of Compromise
- IoT: Internet of Things
- IP: Internet Protocol
- IPS: Intrusion Prevention System
- ISAC: Information Sharing and Analysis Center
- ISO: International Organization for Standardization
- IT: Information Technology
- LotL: Living off the Land
- MDM: Mobile Device Management
- MFA: Multi-Factor Authentication
- MITRE ATT&CK: MITRE Adversarial Tactics, Techniques, and Common Knowledge
- MS-ISAC: Multi-State Information Sharing and Analysis Center
- NaaS: Network-as-a-Service
- NCSA: National Cyber Security Alliance
- NIDS: Network Intrusion Detection System
- NIST: National Institute of Standards and Technology
- OS: Operating System
- OSS: Open Source Software
- OVAL: Open Vulnerability and Assessment Language
- OWASP: Open Web Application Security Project
- PaaS: Platform as a Service
- PAM: Privileged Access Management
- PCI: Payment Card Industry
- SaaS: Software as a Service
- SAFECode: Software Assurance Forum for Excellence in Code
- SCADA: Supervisory Control and Data Acquisition
- SCAP: Security Content Automation Protocol
- SIEM: Security Information and Event Management
- SIP: System Integrity Protection
- SMS: Short Messaging Service
- SOC: Security Operations Center
- SOC 2: Service Organization Control 2
- SPAM: Something Posing as Mail
- SPF: Sender Policy Framework
- SQL: Structured Query Language
- SSDF: Secure Software Development Framework
- SSH: Secure Shell
- SSO: Single Sign-On
- Telnet: Teletype Network
- TLS: Transport Layer Security
- TTPs: Tactics, Techniques, and Procedures
- URL: Uniform Resource Locator
- USB: Universal Serial Bus
- VPN: Virtual Private Network
- WDEG: Windows Defender Exploit Guard
- WPA2: Wi-Fi Protected Access 2
- XCCDF: Extensible Configuration Checklist Description Format