Cyber Defense eMagazine August 2019
Cyber Defense eMagazine August Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
Fortunately, NIST and other security frameworks point to either of two publicly available configuration standards, the Security Technical Implementation Guides (STIGs) or the CIS Benchmarks.
STIGs and CIS
The STIGs, published by the Defense Information Systems Agency, a support agency for the Department of Defense (DoD), outline hundreds of pages of detailed rules that must be followed to properly secure or “harden” the DoD computing infrastructure.

Although STIGs are mandatory for DoD agencies, any civilian agency and even commercial companies are welcome to use the STIGs.
For most commercial organizations, however, CIS is the security standard of choice. Originally formed in 2000, CIS (Center for Internet Security, Inc.) is a nonprofit organization with a mission to “identify, develop, validate, promote, and sustain best practice solutions for cyber defense.”

CIS employs a closed crowdsourcing model to identify and refine effective security measures, with individuals developing recommendations that are shared with the community for evaluation through a consensus decision-making process.
“Most organizations need a starting point that works today and that they can explain in simple language to their board on what needs to be done, and that is really what the CIS Benchmarks and CIS Critical Security Controls provide: that starting point,” says Curtis W. Dukes, Executive Vice President & General Manager of the Best Practices and Automation Group at CIS.
Although there are minor differences between the STIGs and CIS Benchmarks, the two overlap and are pretty much interchangeable, says Brian Hajost of SteelCloud, an expert in automated security control compliance.

However, implementation of either STIG or CIS Benchmarks can be a challenge if the process isn’t automated in some manner, due to the disparate requirements and configurations of networks.

Changes to security settings can also have unintended consequences. When the configuration settings of an application are re-configured, it can cause the installed application to “break,” meaning it won’t install and/or run properly.

“If the same security policies and configurations could be implemented on all systems, compliance would be a rather easy exercise,” explains Hajost. “All applications respond to security policies differently. Because configuration settings have the potential to ‘break’ applications, the settings for each system, therefore, have to be uniquely adapted or tuned to each application in the operational environment.”