Center for Internet Security, CIS Benchmark & CIS Control


  1. 說明
  2. CIS Benchmark
    1. IIS Benchmark
    2. SQL Server Benchmark
  3. CIS Control
    1. Mapping
  4. Abbreviations

介紹 CIS Benchmark 與 CIS Control,藉由相關規範與最佳資安實務建議調整 IIS, SQL Server 與 Windows Server 減少潛在的資安風險 😎

logo

說明

CIS 是非營利組織,其提出關於資訊環境設置的 Benchmark 與 Control,可以做為提升資安的遵循規範。

CIS Benchmark

  • IIS
  • SQL Server
  • Windows Server
  • Windows
  • Office

技服中心的 GCB 主題說明文件如 IIS 及 SQL Server,參考文獻都有提及到 CIS,尤其是 IIS 的部分,GCB 與 CIS 兩者的相互關聯非常高,因此溯源學習 CIS Benchmark 能夠更快更及時的掌握最佳組態設定。

IIS Benchmark

IIS Benchmark 的主題:

  • Basic Configurations
  • Configure Authentication and Authorization
  • ASP.NET Configuration Recommendations
  • Request Filtering and Other Restriction Modules
  • IIS Logging Recommendations
  • FTP Requests
  • Transport Encryption

相關的最佳組態建議連同 GCB 的設定建議,合併整理於 IIS 網頁伺服器的安全設定 (IIS Security Configuration)

SQL Server Benchmark

SQL Server Benchmark 的主題:

  • Installation, Updates and Patches
  • Surface Area Reduction
  • Authentication and Authorization
  • Password Policies
  • Auditing and Logging
  • Application Development
  • Encryption
  • Appendix: Additional Considerations

除了 CIS 外,GCB 在關於 SQL Server 的主題也參考了美國國防部SITGS 的建議設定。

CIS Control

不同於 資通安全責任等級分級辦法附表十 資通系統防護基準是以系統高、中、普分級,決定控制措施。CIS 是以 Implementation Groups (企業規模),分為 IG3、IG2 與 IG1,來定需要落實的控制措施。

IG1
中小型企業,有限的 IT 與資安人力,企業最主要的目標是維持營運不中斷,較無機敏資料需要保護。因此 IG1 的控制措施就是在衡量經濟效益下,需要達到的最小限度資安控制措施。
IG2
企業具有專人負責資安防護,並且 IG2 通常為數個 IG1 的支援單位,例如總公司的資安單位。IG2 落實 IG1 的各種制措施,並處理保護敏感與重要資料的需求。
IG3
企業由各資安領域專家 (風險管理、滲透測試與應用系統安全等)落實防護措施,IG3 對於機敏資料受法規與合規性上的要求,並且對於可用性與資料完整性有嚴格的要求,若發生資安事變會動公共大眾有嚴重的影響。而落實 IG3 的控制措施包含落實 IG2 與 IG1 的控制措施。

Mapping

CIS Control 可以與其他資安框架、控制措施互相對照,以下是 CIS 所提供的對照清單:

SOC2
PCI v3.2.1
NIST
SP800-53 Rev 5 v8
SP800-171 Rev 2 v8
SP 800-53 Rev 5 Moderate and Low Baselines
CSF v8 Mappings
NERC-CIP
ISO/IEC 27002:2021
ISACA COBIT 19
GSMA FS.31 Baseline Security Controls
FFEIC CAT
Federal Financial Institutions Examination Council - Cybersecurity Assessment Tool
Enterprise ATT&CK v8.2 Master Mapping
CSA v8
(Cloud Security Alliance)
CMMC v8
CJIS
(Criminal Justice Information Services)
Azure Security Benchmark v3

Abbreviations

CIS 中使用到的相關縮寫,資料來源為 CIS Controls Guide

AAA
Authentication, Authorization,and Auditing
ACL
Access Control List
AD
Active Directory
AoC
Attestation of Compliance
API
Application Programming Interface
BEC
Business Email Compromise
C2
Command and Control
CCE
Common Configuration Enumeration
CDM
Community Defense Model
CIA
Confidentiality, Integrity, and Availability
CIS
Center for Internet Security
CIS-CAT
CIS Configuration Assessment Tool
COTS
Commercial off-the-Shelf
CPE
Common Platform Enumeration
CREST
Council of Registered Security Testers
CSA
Cloud Security Alliance
CSP
Cloud Service Provider
CVE
Common Vulnerabilities and Exposures
CVSS
Common Vulnerability Scoring System
DBIR
Data Breach Investigations Report
DEP
Data Execution Prevention
DG
Development Group
DHCP
Dynamic Host Configuration Protocol
DKIM
DomainKeys Identified Mail
DLP
Data Loss Prevention
DMARC
Domain-based Message Authentication, Reporting, and Conformance
DMS
Database Management System
DNS
Domain Name System
DPI
Deep Packet Inspection
EDR
Endpoint Detection and Response
EOL
End of Life
FFIEC
Federal Financial Institutions Examination Council
FISMA
Federal Information Security Modernization Act
GRC
Governance Risk and Compliance
HECVAT
Higher Education Community Vendor Assessment Toolkit
HIPAA
Health Insurance Portability and Accountability Act
HTTP
Hypertext Transfer Protocol
HTTPS
Hypertext Transfer Protocol Secure
IaaS
Infrastructure as a Service
IAM
Identity and Access Management
IDS
Intrusion Detection System
IG
Implementation Group
IOCs
Indicators of Compromise
IoT
Internet of Things
IP
Internet Protocol
IPS
Intrusion Prevention System
ISAC
Information Sharing and AnalysisCenter
ISO
International Organization for Standardization
IT
Information Technology
LotL
Living off the Land
MDM
Mobile Device Management
MFA
Multi-Factor Authentication
MITRE ATT&CK
MITRE Adversarial Tactics, Techniques, and Common Knowledge
MS-ISAC
Multi-State Information Sharing and Analysis Center
NaaS
Network-as-a-Service
NCSA
National Cyber Security Alliance
NIDS
Network Intrusion Detection System
NIST
National Institute of Standards and Technology
OS
Operating System
OSS
Open Source Software
OVAL
Open Vulnerability and Assessment Language
OWASP
Open Web Application Security Project
PaaS
Platform as a Service
PAM
Privileged Access Management
PCI
Payment Card Industry
SaaS
Software as a Service
SAFECode
Software Assurance Forum for Excellence in Code
SCADA
Supervisory Control and Data Acquisition
SCAP
Security Content Automation Protocol
SIEM
Security Information and Event Management
SIP
System Integrity Protection
SMS
Short Messaging Service
SOC
Security Operations Center
SOC 2
Service Organization Control 2
SPAM
Something Posing as Mail
SPF
Sender Policy Framework
SQL
Structured Query Language
SSDF
Secure Software Development Framework
SSH
Secure Shell
SSO
Single Sign-On Telnet Teletype Network
TLS
Transport Layer Security
TTPs
Tactics, Techniques, and Procedures
URL
Uniform Resource Locator
USB
Universal Serial Bus
VPN
Virtual Private Network
WDEG
Windows Defender Exploit Guard
WPA2
Wi-Fi Protected Access 2
XCCDF
Extensible Configuration Checklist Description Format