Secure configuration is the set of settings applied to software, databases, computers and other devices, and network services when they are developed, built, and installed, so that they expose as little attack surface as possible. It is a security measure that has to be kept in place over the life of the system, not applied once, in order to reduce vulnerability.
Why is Secure Configuration necessary?
"Default settings" are the configuration an application, database, operating system, or device ships with. Whether those defaults are acceptable depends on the risk profile of the environment where the product is deployed: vendors typically favour ease of installation and broad compatibility over security, so a fresh install may listen on every interface, leave sample accounts or debugging features enabled, and accept weaker authentication than the environment requires. Browser and web server configuration play the same role in closing off avoidable vulnerabilities when you use the internet.
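To make the point concrete, here is an added example (written for this article, not code from CIS or DISA) that audits an OpenSSH sshd_config against a few checks of the kind both baselines contain for SSH. It also shows two details an audit has to get right that the prose above does not: sshd honours the first occurrence of a keyword, so a hardened line appended after a weaker one is silently ignored, and a keyword that is absent takes the program's default, which may itself be the insecure value. The default-like configuration, the recommended values, and the assumed upstream OpenSSH defaults are all constructed for the illustration; consult the actual benchmark for its control numbers and wording.

```python
"""Audit an OpenSSH server configuration against a few hardening checks
of the kind a CIS Benchmark or STIG recommends for sshd.

Added illustration for this article, not code from CIS or DISA.  The
checks, the recommended values and the sample configurations below are
constructed for the example; consult the benchmark itself for the
authoritative list and its control numbers."""
from typing import Callable, Dict, List, Tuple

# Effective value sshd uses when a keyword is absent from the file
# (assumed upstream OpenSSH defaults; a distribution package may differ).
ASSUMED_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
    "loglevel": "INFO",
    "clientaliveinterval": "0",
}

# (keyword, predicate over the lower-cased effective value, recommended value)
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("PermitRootLogin", lambda v: v == "no", "no"),
    ("PasswordAuthentication", lambda v: v == "no", "no"),
    ("PermitEmptyPasswords", lambda v: v == "no", "no"),
    ("X11Forwarding", lambda v: v == "no", "no"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4 or less"),
    ("LogLevel", lambda v: v in ("info", "verbose"), "INFO or VERBOSE"),
    ("ClientAliveInterval", lambda v: v.isdigit() and 1 <= int(v) <= 300, "1 to 300"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the effective global value of every keyword in the file.

    Two sshd parsing rules matter for an audit and are reproduced here:
    keywords are case-insensitive, and the FIRST occurrence of a keyword
    wins, so a hardened line appended at the end of the file does nothing
    if a weaker value appears earlier.  Directives after a Match line are
    conditional rather than global, so parsing stops there.  Only the
    'Keyword value' form is handled (the 'Keyword=value' form is not).
    """
    effective = dict(ASSUMED_DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen.add(key)
            effective[key] = parts[1].strip() if len(parts) > 1 else ""
    return effective


def audit_sshd(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, effective value, recommended value) for each failing check."""
    effective = parse_sshd_config(text)
    findings = []
    for keyword, passes, recommended in CHECKS:
        value = effective.get(keyword.lower(), "")
        if not passes(value.lower()):
            findings.append((keyword, value, recommended))
    return findings


# Constructed sample 1: what a freshly installed sshd_config commonly looks like.
DEFAULT_LIKE = """\
# Default-like sshd_config (constructed for this example)
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample 2: the same file after applying the recommendations.
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
MaxAuthTries 4
LogLevel VERBOSE
ClientAliveInterval 300
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample 3: the hardening line is present but a weaker value comes first.
ORDER_TRAP = "PermitRootLogin yes\n" + HARDENED

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE), ("hardened", HARDENED), ("order-trap", ORDER_TRAP)):
        findings = audit_sshd(cfg)
        print(f"{name}: {len(findings)} finding(s)")
        for keyword, value, recommended in findings:
            print(f"  {keyword} is {value or '<unset>'}; recommended: {recommended}")
```

The default-like file produces five findings even though it only sets two keywords explicitly, because the remaining failures come from defaults the file never mentions; the order-trap file still fails PermitRootLogin despite containing "PermitRootLogin no". A real assessment tool such as CIS-CAT or the DISA SCAP Compliance Checker performs the same kind of check, driven by the benchmark's machine-readable content rather than a hand-written list.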
SECURE CONFIGURATION: CIS vs STIG BENCHMARK
The Center for Internet Security (CIS) is a nonprofit entity whose mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyberdefense." It draws on the expertise of cybersecurity and IT professionals from government, business, and academia around the world. To develop its standards and best practices, including the CIS Benchmarks, the CIS Controls, and CIS Hardened Images, it follows a consensus decision-making model.
Each CIS Benchmark goes through consensus review twice. The first review takes place during early development, when subject-matter experts discuss, draft, and test working versions until they agree on the benchmark. The second follows publication: the consensus team evaluates feedback from the wider community and incorporates what is accepted into later releases of the benchmark.
A Security Technical Implementation Guide (STIG) is a configuration standard, published by the Defense Information Systems Agency (DISA), that collects the cybersecurity requirements for a specific product. STIGs give administrators a predefined set of settings for securing the protocols, network devices, servers, and workstations in an environment, and for the logical design that ties them together. Applied consistently, they harden software, hardware, and the physical and logical architecture around them, reducing the number of weaknesses an attacker can exploit.
Typical uses of a STIG include configuring a desktop computer or a business server. Out of the box, most operating systems are tuned for usability rather than security, which leaves unnecessary services, permissive access controls, and weak authentication settings in place for identity thieves and other attackers to exploit. The STIG for a platform documents how to restrict access to the system and reduce its exposure, whether the attacker sits at the console or comes in over the network. It also describes upkeep procedures such as applying software updates and vulnerability patches.
More specialised STIGs cover the components of a company's network design, including switches, routers, databases, firewalls, and domain name servers.
CIS vs STIG: which baseline is best for you?
When selecting which of these two secure configuration baselines to adopt, consider the following:
| Feature | CIS | STIG |
| --- | --- | --- |
| Cost and access | Free, but you must register with CIS to download the benchmark PDFs. | Free to download from DISA, with no registration required. |
| Format | Benchmarks are published as PDF documents written for a human reader. | STIGs are published as XCCDF XML (readable with the DISA STIG Viewer), so scanning tools can consume the rules directly. |
| Commercial adoption | Broadly adopted across industry and widely referenced by other frameworks and by cloud providers. | Mandatory for US Department of Defense systems, so used mainly by government agencies and their contractors. |
| Implementation and compliance tools | The CIS-CAT Benchmark Assessment Tool assesses systems against the benchmarks; CIS-CAT Lite is free but covers a limited set of benchmarks, and CIS-CAT Pro requires a CIS SecureSuite membership. | DISA provides the STIG Viewer for reading STIGs and recording results, and the SCAP Compliance Checker (SCC) for automated scanning against the STIG content. |
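Because STIGs ship as XCCDF XML rather than prose, the rules can be consumed directly by tooling. The following added example (written for this article, not DISA code) parses a constructed, minimal XCCDF 1.1 fragment in the shape DISA STIGs use, maps each rule's severity to the CAT I/II/III category DISA reports, and pulls out the V-number, STIG ID, fix text, and check text an assessor records in a checklist. Every identifier, title, and check in the sample is a placeholder, not an entry from any published STIG.

```python
"""Parse a STIG distributed as XCCDF XML and summarise its rules.

Added illustration for this article, not DISA code.  SAMPLE_STIG is a
constructed, minimal XCCDF 1.1 fragment in the shape DISA STIGs use;
its identifiers, titles and check text are placeholders, not entries
from any published STIG."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List

# DISA STIGs use the XCCDF 1.1 namespace; ElementTree needs it for every lookup.
NS = {"x": "http://checklists.nist.gov/xccdf/1.1"}

# DISA reports rule severity as a category: high = CAT I, medium = CAT II, low = CAT III.
CATEGORY = {"high": "CAT I", "medium": "CAT II", "low": "CAT III"}

SAMPLE_STIG = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Example_OS_STIG">
  <title>Constructed Example Operating System STIG</title>
  <Group id="V-000001">
    <title>SRG-OS-000000-GPOS-00000</title>
    <Rule id="SV-000001r1_rule" severity="high" weight="10.0">
      <version>EXMP-00-000001</version>
      <title>The SSH daemon must not permit root logins.</title>
      <fixtext fixref="F-000001">Set "PermitRootLogin no" in /etc/ssh/sshd_config and restart sshd.</fixtext>
      <check system="C-000001">
        <check-content>Run: grep -i '^PermitRootLogin' /etc/ssh/sshd_config. If the value is not "no", this is a finding.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-000002">
    <title>SRG-OS-000000-GPOS-00000</title>
    <Rule id="SV-000002r1_rule" severity="medium" weight="10.0">
      <version>EXMP-00-000002</version>
      <title>The SSH daemon must not permit password authentication.</title>
      <fixtext fixref="F-000002">Set "PasswordAuthentication no" in /etc/ssh/sshd_config and restart sshd.</fixtext>
      <check system="C-000002">
        <check-content>Run: grep -i '^PasswordAuthentication' /etc/ssh/sshd_config. If the value is not "no", this is a finding.</check-content>
      </check>
    </Rule>
  </Group>
  <Group id="V-000003">
    <title>SRG-OS-000000-GPOS-00000</title>
    <Rule id="SV-000003r1_rule" severity="low" weight="10.0">
      <version>EXMP-00-000003</version>
      <title>The SSH daemon must display a logon banner.</title>
      <fixtext fixref="F-000003">Set "Banner /etc/issue.net" in /etc/ssh/sshd_config and restart sshd.</fixtext>
      <check system="C-000003">
        <check-content>Run: grep -i '^Banner' /etc/ssh/sshd_config. If no banner file is configured, this is a finding.</check-content>
      </check>
    </Rule>
  </Group>
</Benchmark>
"""


def parse_stig(xml_text: str) -> List[Dict[str, str]]:
    """Flatten every Rule in the benchmark into the fields an assessor works with."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.findall("x:Group", NS):
        for rule in group.findall("x:Rule", NS):
            severity = rule.get("severity", "")
            rules.append({
                "vuln_id": group.get("id", ""),   # V-number: the finding's identity in a checklist
                "rule_id": rule.get("id", ""),    # SV-number: revised whenever the rule text changes
                "stig_id": rule.findtext("x:version", default="", namespaces=NS),
                "severity": severity,
                "category": CATEGORY.get(severity, "unknown"),
                "title": rule.findtext("x:title", default="", namespaces=NS).strip(),
                "fix": rule.findtext("x:fixtext", default="", namespaces=NS).strip(),
                "check": rule.findtext("x:check/x:check-content", default="", namespaces=NS).strip(),
            })
    return rules


def count_by_category(rules: List[Dict[str, str]]) -> Dict[str, int]:
    """How many CAT I / II / III rules the STIG contains: the usual first question about its size."""
    return dict(Counter(rule["category"] for rule in rules))


def rules_at_least(rules: List[Dict[str, str]], minimum: str) -> List[Dict[str, str]]:
    """Rules at or above a severity, for prioritising remediation (e.g. all CAT I first)."""
    order = ["low", "medium", "high"]
    threshold = order.index(minimum)
    return [r for r in rules if r["severity"] in order and order.index(r["severity"]) >= threshold]


if __name__ == "__main__":
    parsed = parse_stig(SAMPLE_STIG)
    print("rules by category:", count_by_category(parsed))
    for rule in rules_at_least(parsed, "medium"):
        print(f"{rule['category']} {rule['vuln_id']} ({rule['stig_id']}): {rule['title']}")
        print(f"  fix: {rule['fix']}")
```

The same loop works on a real STIG's XCCDF file, since the Group/Rule/version/fixtext/check-content structure and the severity attribute are what the DISA STIG Viewer itself reads; the CIS PDF, by contrast, has to be read by a person or converted before it can drive a scanner.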
I trust you find this article helpful. Head to the CIS and DISA websites to download the baselines, and use them to evaluate the level of security your enterprise currently achieves.