Benchmarks and Secure Baselines

---

A secure baseline is standard configuration guides, benchmarks, and best practices for deploying and maintaining a network device or application server in a secure state for its given role.

Best Practice Secure Configurations

• use best practice configurations as a reference when hardening endpoints
  • provided by listing the controls and appropriate configuration settings in a template
• 2 popular guidance sources
  • Center for Internet Security (CIS) Benchmarks
    • publishes best practice guides
    • CIS Benchmarks
    • product benchmarks
  • Defense Information Systems Agency (DISA) STIGs
    • Security Technical Implementation Guides (STIG)
    • define a standardized set of security configurations and controls specifically designed for the DoD’s IT infrastructure

Secure Baseline Management

• 3 phases:
  • Establish
    • Define and develop a secure baseline configuration by identifying and prioritizing security controls and configurations based on industry standards and organizational requirements
    • e.g. Define a set of password complexity requirements and encryption protocols as part of the baseline security configuration.
  • Deploy
    • Deploy the secure baseline uniformly across all applicable IT systems and applications, ensuring consistent application of security controls
    • e.g. Install antivirus software on all company laptops according to the established security baseline
  • Maintain
    • Continuously monitor, update, and refine the secure baseline to adapt to evolving security threats and organizational requirements while ensuring ongoing effectiveness and compliance.
    • e.g. Regularly update firewall rules to address new security threats and organizational changes

Deviations and Exceptions

• Baseline should be made to be applicable to as many devices as possible
  • can create based on department needs
• Deviations and exceptions will arise
  • make the process easy for operations
  • otherwise will avoid following processes
• security should enhance operations not hinder

Tools

• Security Content Automation Protocol (SCAP) compliant tools enable checking against a baseline
• config management tools:
  • automate the deployment of secure baseline configurations
    • Puppet
    • Chef
    • Ansible
  • enforce consistency and detect and correct deviations from the established baseline
    • OpenSCAP
      • assess and verify the system’s adherence to the baseline
    • CIS-CAT Pro tool
      • assess system configurations against CIS’s secure baseline benchmarks
    • SCAP Compliance Checker (SCC)
      • used to measure compliance with STIG baselines