
by Sean Sherman, CISSP, CISA, PMP, CPISM

Addressing Compliance Initiatives with Tripwire Enterprise and the Center for Internet Security (CIS)

WHITE PAPER

Executive Summary
As more and more organizations face an ever-expanding number of compliance initiatives, both large and small firms are spending more than ever. The challenge is to figure out where to begin with compliance efforts and how to estimate the work, cost and risk associated with those efforts. It might seem counterintuitive that organizations are spending more on compliance given the current economic downturn, but one reason is straightforward: these organizations recognize that although being compliant does not always equate to being secure, the end result of compliance is often a more secure, less risky business. Typically the security holes plugged by being compliant are the ones that, left unplugged, would put an organization at risk of breach, direct theft and fines for non-compliance. And while the number of compliance initiatives is growing, many of these initiatives call for the same controls, so organizations that invest early and consistently in compliance may find themselves at an advantage.

It turns out that organizations that check for and report compliance issues at least monthly have the fewest compliance problems.1 Conversely, organizations that check and report less frequently (every 9 months to yearly) have larger issues and costs, because more compliance deficiencies remain undetected, and therefore uncorrected, for a longer period. The following chart illustrates how compliance deficiencies increase as IT controls and configurations are checked less frequently. Obviously, you want to avoid the end of the spectrum with more compliance deficiencies, but to do so you must set up a compliance program with the appropriate tools, processes and procedures. To make the job easier, depend on tools and methods that make the most of the investment and drive faster compliance and stronger security. In the end, the initial outlay will ensure you make the most of your security investment.

In this paper, you will gain the background you need to build an effective compliance program by understanding benchmarks, the basic building blocks of compliance initiatives. In particular, you'll learn about the benchmarks specified by the Center for Internet Security (CIS), which are often used as a starting point for creating a compliance initiative. You'll also learn how Tripwire, the leading provider of IT security and compliance automation solutions, helps you take control of the security and compliance of your IT infrastructure. Tripwire's security and compliance automation solutions include Tripwire Enterprise for configuration control and Tripwire Log Center for log and security event management, and Tripwire Customer Services can help you quickly maximize the value of your Tripwire implementation. With Tripwire, you get visibility across the entire IT infrastructure, intelligence to enable better and faster decisions, and automation that reduces manual, repetitive tasks.

Introduction
Do any of these situations sound familiar?

Your IT systems need to become more secure. How and where do you start that work?
Your compliance initiative calls for systems to be hardened. What does that mean?
You just went to a conference on security. Now you are worried that your systems are not using best practices for secure configuration. How will you determine best practices?

If you are like the IT security professionals in many leading organizations, you want a proven path to securing your organization's IT systems. You want prescriptive guidance that tells you what to do and how to do it, and you want to optimize your IT department by deploying standards that are already published and vetted. If all of this describes what you're looking for, then you are looking for a security benchmark. The concept of the benchmark has been around for a while, and a number of sources for security best practices and security hardening advice are available. Common sources include the government, IT vendors and the Center for Internet Security (CIS). In this paper, you'll learn about the CIS, its products and its overall mission. In addition, you'll learn about Tripwire's association with CIS. Finally, we will discuss the common issues with the use of benchmarks and their relationship to standards, regulations and frameworks.

[Figure: Greater Number of Compliance Findings Associated with Less Frequent Assessments. Y-axis: Number of Compliance Findings (increasing upward). X-axis: Compliance Assessment Frequency (increasing to the right). Increased frequency of compliance assessment tracks to fewer findings.]

2 | WHITE PAPER | Addressing Your Compliance Initiatives with Tripwire and the Center for Internet Security (CIS)

What is CIS?
The Center for Internet Security (CIS) develops security benchmarks for common IT platforms. The organization takes a consensus approach, developing each benchmark with a group whose members are typically recognized platform and security experts, vendor engineers, publishers and security consultants. The results of these group-authored efforts are the CIS benchmark documents, which CIS makes publicly available at www.cisecurity.org.

"The Center for Internet Security (CIS) is a not-for-profit organization that helps enterprises reduce the risk of business and e-commerce disruptions resulting from inadequate technical security controls, and provides enterprises with resources for measuring information security status and making rational security investment decisions." (Taken from the CIS Web site)

The CIS Benchmarks are considered a tremendous success. Many industry and governmental organizations have used the benchmarks either as an internal security standard or as a starting point for creating their own standards. Because they are freely available, independent (not authored by a single vendor), well documented and easy to interpret, it is not hard to understand their popularity. And given the rise of security concerns, increased regulation and compliance issues, the CIS benchmarks have become a cornerstone of good system security. Frequently, regulatory compliance programs will require an entity to protect essential IT systems with the best practices outlined in the CIS benchmarks.2 As an active member of the security and compliance world, CIS participates in the creation of other security guidance and contributes to or is involved in the development of other standards such as COBIT and vendor-specific security guidance.3

The CIS Benchmarks are widely accepted by U.S. government agencies for Federal Information Security Management Act (FISMA) compliance, and by auditors for compliance with the ISO standard as well as the Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Additionally, CIS develops tools and works on other initiatives designed to provide value to its members.4

While the CIS benchmarks are free, the CIS organization also exists for the benefit of its members. Membership benefits include:

Rights to distribute benchmarks within the organization
Access to early-release scoring tools and benchmarks
Access to forums and user groups
Ability to take an active role in the benchmark consensus process
Ability to test software and be awarded CIS Security Software Certification

Tripwire is a Category 1 Member of the CIS, and because Tripwire's configuration control product, Tripwire Enterprise, meets the configuration prescriptions of the benchmarks, Tripwire has been awarded CIS Security Software Certification. Tripwire's clients receive the additional benefit of the CIS policies in the compliance policy manager of Tripwire Enterprise. These policies have been examined by CIS and meet the requirements of the CIS benchmark program. CIS-certified Tripwire Enterprise products are listed on the CIS Web site at www.cisecurity.org/tripwire_cert.html.

CIS Software Certification Mark

"The CIS Software Certification Mark signifies that a security software product has been: (1) tested to accurately measure and report the conformity of computer configurations with the technical settings and actions defined in the CIS Security Benchmark and (2) awarded Certification by CIS." (Taken from the CIS Web site)

How to Use CIS Benchmarks


Many organizations use benchmarks as a starting point when they begin to address security and compliance. Benchmarks are easy to appreciate because, much like a cookbook recipe, they are highly prescriptive, providing specific settings and instructions. Essentially a benchmark says "Turn specific setting xyz off (or on) to avoid this risk." Some benchmarks include additional information about their recommendations; for example, "If you change setting xyz, you are addressing vulnerabilities 1, 2 and 3."

For many organizations, applying a benchmark starts with a test system. You apply the benchmark and see how the system behaves. If done systematically, your engineering team can then see where your organization's existing standards vary from the benchmark. In addition, if you time the benchmark application effort, you can estimate how much work is involved in making each prescriptive setting across the rest of your organization.

IMPLEMENTATION CONSIDERATIONS

The most common problem with benchmarks is their possible misrepresentation as a guarantee of good security. Benchmarks typically create a more secure IT infrastructure, but along with the hardening instructions, most benchmarks point out that some settings are severe and that not every setting will fit your specific environment. You may apply a benchmark setting to avoid a specific risk, and inadvertently make the system unusable or unstable by doing so.

So how do you fit the benchmark prescriptions to your environment? Benchmark authors are often experienced security and system administrators, so they know some settings will not work in some applications. Benchmarks like those provided by CIS address this issue in two ways.

First, they may provide different security levels for you to consider. CIS uses a multi-level system to describe both the level of effort required for a system administrator to implement a benchmark and the relative severity of its settings. For the Windows Server environment, CIS created three categories: Legacy (a lower security level), Enterprise (a moderate security level) and Specialized Security (a high security level). The benchmark user might choose and apply a specific level based on, and appropriate to, the function of a given Windows server. However, this method offers only a rough approximation of security levels, which may not actually fit a given situation.
The second method is to augment each benchmark prescription with additional information about the level of risk and the impact of each setting; for example, "Disable FTP services on database servers should be set whenever possible, but may occasionally be difficult to implement." Most benchmarks do not go very far with this extra information, because your specific environment could vary widely from what might be considered a standard installation. The true solution for adapting benchmarks to your organization's operational and security needs is to perform some level of risk assessment of each system, or type of system, and to determine which benchmark settings provide the appropriate level of security without harming necessary functionality. Essentially, you get the most value from a benchmark if you don't consider the recipe to be set in stone, and instead examine each setting in the context of your environment to determine whether it fits your risk profile and application requirements.

Another common problem with benchmarks is that a benchmark may not be complete for your environment. A benchmark committee may know that a setting mitigates a specific risk, but if that risk is uncommon or the setting is difficult to implement, the setting may not be included in the benchmark. New vulnerabilities often arise after a benchmark is published and can make a setting the committee left out suddenly important. Either way, a prescriptive setting may be omitted from the benchmark, leaving an unmitigated vulnerability in your systems. To address this problem you must maintain awareness of security risks even after you've applied a benchmark, and you may want to refer to multiple benchmark sources for best practices when developing your secure systems.

The conclusion? Do not rely solely on benchmarks to eliminate your security risks. While the benchmark is an excellent starting point, you also need to include good security practices, perform risk assessment and ensure due diligence.

DIFFERENCE BETWEEN BENCHMARK, FRAMEWORK AND REGULATION

Essentially, a benchmark, a security framework and a regulation are all sources of instruction. They tell the organization what to do or not do to meet compliance and security goals. Distinguishing between the three can be confusing, but understanding their differences and similarities can help you determine how likely you are to be subject to them, and how they support one another.

At a very high level, a regulation, or law, is the ultimate compliance instruction. Regulations typically do not prescribe detail on how to perform, configure or manage IT systems, but they clearly indicate the goals a security and compliance program must meet. Regulations often define penalties for non-compliance and describe some sort of enforcement mechanism. Almost all security regulations require that the organization create and maintain an IT security program or framework.

Frameworks are designed to provide a complete security program for an organization. They often read like a checklist of processes and procedures that should be implemented for complete security. Most security frameworks describe a security program that includes technical, administrative and physical protection schemes. Frameworks often recommend that hardening best practices, or benchmarks, be used for technical protections. The advice in a framework is often non-specific, but the framework does outline goals and metrics for judging success.

Benchmarks, or standards, are the prescriptive, most granular level of the compliance spectrum. A benchmark's specific prescriptive content addresses how to protect IT systems against specific risks, risks that can be clarified and quantified by the frameworks and regulations. Below is a chart with examples of different benchmarks, frameworks and regulations. Each source can play a part in a security and compliance program for your organization, and you may implement more than one of each.

Benchmark (provides specific prescriptive tests):
  CIS Benchmarks
  DISA Checklists
  Vendor Security Guidance

Framework (outlines security program requirements):
  COBIT v.4.1
  ISO 27001
  NIST 800-53

Regulation/Law (force of law with penalties; results focused):
  HIPAA
  PCI (semi)
  NERC CIP
  SOX
  FISMA

Tripwire's CIS Solution

Tripwire Enterprise is a well-established IT infrastructure security and integrity tool. To understand how Tripwire Enterprise meets the assessment requirements of the CIS benchmarks (and other sources), it is important to grasp some of the functionality of the core product. At a high level, Tripwire Enterprise monitors for change within the IT enterprise by examining change occurring on operating systems, network devices, applications and databases. Using this technology, Tripwire can examine the configurations and settings of these systems and compare them to benchmarks and other prescribed settings. By baselining, capturing and examining the initial state of configurations and settings, Tripwire can perform a number of compliance functions, including:

Testing. The ability to test configuration compliance against a benchmark, framework or regulation on a schedule or in near real time to detect out-of-compliance configurations.
Policy Management. The ability to arrange configuration tests, such as benchmark settings, into policies, and to create customized policies.
Policy Distribution. The ability to import pre-defined configuration policies.
Reporting. The ability to report on compliance with configuration policy, and to provide remediation instructions that help bring non-compliant systems into compliance.

CONFIGURATION COMPLIANCE

In Tripwire Enterprise, a compliance policy represents a compliance source document such as a CIS benchmark. A typical benchmark might have 200 or more configuration instructions, numbered by the benchmark publisher. Tripwire analyzes these documents carefully, determining how each prescribed setting can be tested on a subject system. The compliance policy manager in Tripwire Enterprise defines and runs tests against configurations to determine adherence to a specific compliance policy.


A benchmark test will most often take the form "system setting X must be Y," where Y might be a value, a range of values, true/false, etc. A benchmark test might also be formed as an expression, such as "PasswordLength is equal to or greater than 8." To pass this test, the actual password length setting must be a value of 8 or more; if the actual setting is less than 8, the test result will show as failed. Tripwire Enterprise supports multiple types of tests; for example, it supports Attribute, Content and Windows ACL tests. Each test type is designed to process the information needed to check configuration compliance and conformance with the change process.

POLICY

A Tripwire Enterprise compliance policy can be created to reflect the structure of a benchmark, standard, framework or regulation. You can even create a custom compliance policy that meets your organization's specific needs. In a Tripwire Enterprise compliance policy, a policy group represents a specific chapter in a benchmark, and entire policy groups or individual tests can be placed within other policy groups. To understand how a Tripwire Enterprise compliance policy mirrors the benchmark from which it was created, it may be useful to compare the table of contents of a benchmark with the equivalent policy group structure in Tripwire Enterprise. The CIS Benchmark for Solaris 10 table of contents looks like this:

[Figure: table of contents of the CIS Benchmark for Solaris 10]

Based on this CIS benchmark, Tripwire creates the following policy group structure:

[Figure: the equivalent Tripwire Enterprise policy group structure]

The top-level group for a given set of tests represents a compliance policy. In the example below, you see a specific test group highlighted called "IBM AIX Benchmark CIS v.1.0.1". This test group is part of the CIS benchmarks for IBM AIX, which are part of the overall set of CIS benchmarks available with Tripwire Enterprise. This top-level test group marks the root of a compliance policy. The policy has sub-groups that mirror the sections of the actual CIS benchmark document, and within those sections are the prescriptive tests, such as Minimum Password Age and Minimum Password Length. Because the Tripwire Enterprise compliance policy includes the same prescriptive components as the CIS benchmark, and the policy's content has been CIS-certified, benchmark users can be confident they are constantly monitoring configurations against the prescribed CIS benchmark settings.

[Figure: Tripwire Enterprise compliance policy manager showing the IBM AIX Benchmark CIS v.1.0.1 test group and its sub-groups]

Finally, you can create a custom policy within the Tripwire Enterprise compliance policy manager. You can move, copy, create and edit tests and test groups to meet specific needs. You can even use the compliance policy manager to create a compliance policy that matches an existing standard your organization uses.

COMPLIANCE POLICY DISTRIBUTION

Since July 2007, Tripwire has created and distributed over 150 distinct compliance policies. These include the Tripwire Enterprise compliance policies based on the CIS benchmarks for many different platforms; the names and descriptions in these policies are exactly the same as those in the CIS benchmark documents. Tripwire also releases compliance policies for many different frameworks and regulations. Sources for Tripwire compliance policies include:

CIS Benchmarks
DISA Checklists
Vendor Security Guidance
COBIT v.4.1
ISO 27001
NIST 800-53
HIPAA
PCI
NERC CIP
SOX
FISMA
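As an added example (not Tripwire Enterprise code and not content from any CIS benchmark), the following Python models the test and policy structure described above: tests of the form "setting OP expected" (including "PasswordLength >= 8"), arranged into nested policy groups that mirror a benchmark's sections, evaluated against a captured node configuration, with a pass/fail result and remediation text per test and a roll-up count. The policy content, section names, remediation strings and the node configuration are all constructed for illustration. One caveat it makes explicit: a setting that is absent from the capture is reported as a failure, never as a pass.

```python
"""Toy compliance-policy engine modelling benchmark tests and policy groups.

Added example; not Tripwire Enterprise code. All policy content and the
captured configuration below are constructed for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable

# A benchmark test is "setting OP expected"; these are the supported OPs.
_OPS: dict[str, Callable[[Any, Any], bool]] = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
    "in": lambda a, b: a in b,
}


@dataclass(frozen=True)
class Test:
    """One prescriptive check, e.g. 'Minimum Password Length: PASS_MIN_LEN >= 8'."""
    name: str
    setting: str        # key in the captured configuration
    op: str
    expected: Any
    remediation: str    # shown in the report when the test fails


@dataclass
class PolicyGroup:
    """A benchmark section; groups nest to mirror the document's table of contents."""
    name: str
    tests: list[Test] = field(default_factory=list)
    groups: list[PolicyGroup] = field(default_factory=list)


@dataclass(frozen=True)
class Result:
    path: str       # "Policy / Section / Test name"
    passed: bool
    reason: str


def run_test(test: Test, config: dict[str, Any]) -> Result:
    """Evaluate one test against a captured configuration.

    A setting missing from the capture is a FAIL, not a PASS: 'not observed'
    must never be reported as 'compliant'.  Incomparable types also fail.
    """
    if test.setting not in config:
        return Result(test.name, False, f"{test.setting} not present in captured configuration")
    actual = config[test.setting]
    try:
        ok = _OPS[test.op](actual, test.expected)
    except TypeError:
        return Result(test.name, False, f"{test.setting}={actual!r} not comparable with {test.expected!r}")
    reason = f"{test.setting}={actual!r} {test.op} {test.expected!r}"
    return Result(test.name, ok, reason if ok else f"{reason}; remediation: {test.remediation}")


def run_policy(group: PolicyGroup, config: dict[str, Any], prefix: str = "") -> list[Result]:
    """Walk the policy tree depth-first, prefixing each result with its section path."""
    path = f"{prefix}{group.name}"
    results: list[Result] = []
    for t in group.tests:
        r = run_test(t, config)
        results.append(Result(f"{path} / {r.path}", r.passed, r.reason))
    for sub in group.groups:
        results.extend(run_policy(sub, config, prefix=f"{path} / "))
    return results


def summarize(results: list[Result]) -> dict[str, int]:
    """Roll-up suitable for a per-node compliance report."""
    passed = sum(1 for r in results if r.passed)
    total = len(results)
    score = round(100 * passed / total) if total else 0
    return {"passed": passed, "failed": total - passed, "total": total, "score_pct": score}


# Constructed policy: section names and thresholds are illustrative, not CIS text.
POLICY = PolicyGroup("Example UNIX Benchmark", groups=[
    PolicyGroup("2 Password Policy", tests=[
        Test("Minimum Password Length", "PASS_MIN_LEN", ">=", 8, "set PASS_MIN_LEN 8 in /etc/login.defs"),
        Test("Minimum Password Age", "PASS_MIN_DAYS", ">=", 1, "set PASS_MIN_DAYS 1 in /etc/login.defs"),
        Test("Maximum Password Age", "PASS_MAX_DAYS", "<=", 90, "set PASS_MAX_DAYS 90 in /etc/login.defs"),
    ]),
    PolicyGroup("3 Services", tests=[
        Test("Disable FTP", "ftp_enabled", "==", False, "disable the ftp service"),
        Test("SSH Protocol", "ssh_protocol", "in", (2,), "set 'Protocol 2' in sshd_config"),
    ]),
])

# Constructed capture of one node's settings; ssh_protocol is deliberately absent.
NODE_CONFIG: dict[str, Any] = {"PASS_MIN_LEN": 6, "PASS_MIN_DAYS": 1, "PASS_MAX_DAYS": 90, "ftp_enabled": True}

if __name__ == "__main__":
    results = run_policy(POLICY, NODE_CONFIG)
    for r in results:
        print("PASS" if r.passed else "FAIL", r.path, "-", r.reason)
    print(summarize(results))
```

Run directly, it prints one line per test followed by the roll-up; two tests pass and three fail on the constructed node. The "not present" failure for the SSH test is the case a policy engine must get right: a check that cannot observe its setting should score as non-compliant and surface remediation, not disappear from the report.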


COMPLIANCE REPORTING

With Tripwire Enterprise, you can receive reports on adherence to a specific compliance policy by device (node), policy or group. Tripwire includes standard reports that indicate the status of benchmark tests in aggregate or individually. You can sort information in reports by tests that passed or failed, and, as shown below, you can review remediation instructions from within a report that explain how to configure the system to pass a specific failed compliance test.

[Figure: Tripwire Enterprise compliance report showing a failed test and its remediation instructions]


LIST OF CIS CERTIFIED BENCHMARKS FOR TRIPWIRE

To support CIS, Tripwire publishes a list of the exact CIS benchmarks for which Tripwire Enterprise compliance policies are CIS-certified; currently this list includes CIS benchmarks for numerous platforms. Tripwire constantly updates its certified products as CIS releases new versions of benchmarks or as new benchmarks are created. As of February 2009, these CIS-certified Tripwire Enterprise compliance policies include:

Tripwire Certified CIS Benchmarks

 #  Benchmark                                                                  Version  Certified   Certifications
 1  AIX 5.1                                                                    1.01     7-Sep-07    1
 2  Cisco ASA, FWSM, and PIX                                                   1        17-Jul-07   2*
 3  Cisco IOS Router                                                           2.1      17-Jul-07   2
 4  Exchange Server 2003                                                       1        14-Dec-07   1
 5  HP-UX 11                                                                   1.3.1    5-Oct-07    1
 6  IIS 6                                                                      1        21-Nov-07   1
 7  Oracle Database 9i/10g                                                     2.01     2-Aug-07    2
 8  Oracle Database 9i/10g                                                     2.01     16-Nov-07   2
 9  Red Hat Linux 4 (for RHEL 2.1, 3.0, 4.0 and Fedora Core 1, 2, 3, 4, & 5)  1.0.5    18-Jul-07   1
10  Solaris 10                                                                 2.1.3    18-Jul-07   1
11  Solaris 2.5.1 - 9.0                                                        1.3      19-Oct-07   1
12  SQL Server 2000                                                            1        5-Oct-07    1
13  SQL Server 2005                                                            1        19-Oct-07   1
14  SUSE Linux (v9)                                                            1        5-Oct-07    1
15  VMware ESX Server                                                          1        17-Jul-07   1
16  Windows 2000 Server                                                        2.2.1    19-Jul-07   1
17  Windows Server 2003                                                        1.2      19-Jul-07   6*
18  Windows Server 2003                                                        2        17-Sep-08   6
19  Windows XP Professional SP1/SP2                                            2.01     17-Oct-08   1
20  Solaris 10 11/06 and 8/07                                                  4        5-Nov-08    1
21  Red Hat Linux 5 (for RHEL 5)                                               1.1      24-Nov-08   1
22  SUSE Linux (v10)                                                           2        5-Nov-08    1
23  HP-UX                                                                      1.4.2    26-Feb-09   1
    Total certifications                                                                            37

*CIS benchmarks will occasionally combine different certifiable levels within a single document. For example, the Cisco benchmarks include Level 1 (a basic level of security settings) and Level 2 (a higher level of security settings), and the Windows Server 2003 benchmark contains three sections (Legacy, Enterprise and Specialized Security) and two server modes (Domain Controller and Domain Member). Each of these specific security levels represents a different benchmark certification.


Conclusion
The goal of any security and compliance initiative is not only to get systems into a secure state, but into a state that balances the organization's application needs against its security risks. Because risk assessment for technical systems is extremely challenging and time consuming, CIS provides an excellent starting point by enabling an organization to compare systems against a best-practice standard for security. And because CIS benchmarks are vetted by industry experts, basing your compliance initiatives on them gives you a defensible way to meet compliance requirements for best practices and hardened systems. Tripwire understands the value of the CIS benchmarks and embraces them as core building blocks of compliance programs. As an active member of CIS, Tripwire has an ongoing program to build and certify policies against these standards. To help your organization benefit from these benchmarks, Tripwire provides Tripwire Enterprise, a powerful and flexible configuration control solution your organization can use to check compliance against the CIS benchmarks, customize these benchmark policies for your organization's needs, or build its own custom policies. Tripwire IT compliance reporting can be scheduled, or can trigger alerts when compliance status against a given compliance policy changes. These features of Tripwire Enterprise enable you to address a key element of a low-cost and efficient compliance program: monitoring for continuous compliance. With Tripwire Enterprise, your organization can meet its compliance initiatives and secure its IT infrastructure using vetted CIS benchmarks.

1 IT Policy Compliance Group, 2006, http://www.itpolicycompliance.com/factoid/index.asp?ID=3
2 See PCI DSS Requirement 2.2 and (for example) NSA Report Number C4-040R-02 (Router Security Configuration Guide)
3 Example: Microsoft's own Windows Server 2003 Security Guide
4 See the CIS Web site: www.cisecurity.org


ABOUT TRIPWIRE

Tripwire is the leading global provider of IT security and compliance automation solutions that help businesses and government agencies take control of their entire IT infrastructure. Over 7,000 customers in more than 86 countries rely on Tripwire's integrated solutions. Tripwire VIA, the comprehensive suite of industry-leading file integrity, policy compliance and log and event management solutions, is the way organizations proactively prove continuous compliance, mitigate risk and achieve operational control through Visibility, Intelligence and Automation. Learn more at tripwire.com.

2010 Tripwire, Inc. | Tripwire is a registered trademark of Tripwire, Inc. All other product and company names are property of their respective owners. All rights reserved. | WPCIS2a
