Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research Report Summary CIS Benchmark Security Configurations Eliminate 80 – 90 % of Known Operating System Vulnerabilities Bert Miuccio www.cisecurity.org.

Published byAubrey Byrd Modified over 9 years ago

Similar presentations

Presentation on theme: "Research Report Summary CIS Benchmark Security Configurations Eliminate 80 – 90 % of Known Operating System Vulnerabilities Bert Miuccio www.cisecurity.org."— Presentation transcript:

1 Research Report Summary CIS Benchmark Security Configurations Eliminate 80 – 90 % of Known Operating System Vulnerabilities Bert Miuccio www.cisecurity.org bmiuccio@cisecurity.org

2 “ Through 2005, 90 percent of cyber attacks will continue to exploit known security flaws for which a patch is available or a preventive measure known. ” »Gartner Group, May 6, 2002

3 Where are most of the Vulnerabilities that are being exploited? 1. Insecure Accounts –Null Password, Admin no PW, no PW expiration… 2. Unnecessary Services –Telnet, Remote Access, Remote Execution… 3. Backdoors –NETBUS, BACKORIFICE, SUBSEVEN … 4. Mis-configurations – NetBIOS null sessions… 5. Software Defects –Hot-fixes, Patches… These are controlled by configuration settings. Patches fix software defects These are controlled by configuration settings. Patches fix software defects

4 Case studies and research show that 80-90% of known vulnerabilities are blocked by the security settings in the consensus benchmarks.

5 Case Study / Research Methodology (1) Scan a system “out of the box” or in its existing production configuration, and list identified vulnerabilities (2) Configure the system with the appropriate CIS benchmark (3) Rescan the system and note the reduction in vulnerabilities

6 W2K Benchmark Case studies Research BySystemBenchmark Percent Reduction CitadelW2K ProLevel I81% SolutionaryW2K ServerLevel I85% NSAW2K ProLevel II Pro91% Mitre (CVE) W2K ProLevel II Pro83% CitadelW2K ServerLevel II Server99%

7 Using Harris STAT Vulnerability Scanner 5.11 Default config. Post CIS config. High: 13 1 Medium: 57 5 Low:11730 Warning: 11 1 Total:19837 Citadel Research - Win 2000 Pro (CIS Level-1 Benchmark)

8 Solutionary Study – Win 2000 Server (Level-1 Benchmark) Using Solutionary’s Vulnerability Scanning Methodology

9 NSA study (Level -2 benchmark for W2K Pro) % Reduction: 96 90 50 91

10 The Mitre Study Windows 2000 Professional Level-2 configuration reduced CVE vulnerabilities by 83%

11 IA Newsletter describing the NSA and Mitre studies Vol 5, Number 3, Fall 2002 http://iac.dtic.mil/iatac/news_events/ia_ne wsletter.htmhttp://iac.dtic.mil/iatac/news_events/ia_ne wsletter.htm

12 ISS Internet Scanner 6.2.1 Default Post CIS config. High: 300 Medium:890 Low:1092 Total:2282 Citadel Research - Win 2000 Server (Level-2 Benchmark)

13 Conclusion Using the benchmarks and scoring tools available free at http://www.cisecurity.org will help you improve and manage the secure configuration of your systems.

Download ppt "Research Report Summary CIS Benchmark Security Configurations Eliminate 80 – 90 % of Known Operating System Vulnerabilities Bert Miuccio www.cisecurity.org."

Similar presentations

Security Update Server Registration, Active scanning and Windows patching.

Security Update Server Registration, Active scanning and Windows patching.
Vulnerability Analysis Borrowed from the CLICS group.

Vulnerability Analysis Borrowed from the CLICS group.
SLAC Vulnerability Scanning Cyber Security Working Group - LBL December 5, 2005 Teresa Downey - SLAC.

SLAC Vulnerability Scanning Cyber Security Working Group - LBL December 5, 2005 Teresa Downey - SLAC.
Network Security Testing Techniques Presented By:- Sachin Vador.

Network Security Testing Techniques Presented By:- Sachin Vador.
2004, Jei Nessus A Vulnerability Assessment tool A Security Scanner Information Networking Security and Assurance Lab National Chung Cheng University

2004, Jei Nessus A Vulnerability Assessment tool A Security Scanner Information Networking Security and Assurance Lab National Chung Cheng University
F HEPNT/HEPIX Sept, 1999 Use of SPQuery and STAT At FNAL.

F HEPNT/HEPIX Sept, 1999 Use of SPQuery and STAT At FNAL.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.

Information Networking Security and Assurance Lab National Chung Cheng University Backdoors and Remote Access Tools INSA Laboratory.
Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer

Microsoft Baseline Security Analyzer INLS 187 Security Software Presentation by Hinár György Polczer
1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.

1 GFI LANguard Network Security Scanner. 2 Contents Introduction Features Source & Installation Testing environment Results Conclusion.
Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.

Module 6: Patches and Security Updates 1. Overview Installing Patches and Security Updates Recent patches and security updates for IIS Recent patches.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Technical Control Standards for Security Configuration Developed Via Public / Private Partnership Bert Miuccio, Vice President The Center for Internet.

Technical Control Standards for Security Configuration Developed Via Public / Private Partnership Bert Miuccio, Vice President The Center for Internet.
1 GFI LANguard N.S.S VS NeWT Security Scanner Presented by:Li,Guorui.

1 GFI LANguard N.S.S VS NeWT Security Scanner Presented by:Li,Guorui.
Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.

Copyright © 2002 ProsoftTraining. All rights reserved. Operating System Security.
Cyber Patriot Training

Cyber Patriot Training
Hands-On Ethical Hacking and Network Defense Chapter 8 Microsoft Operating System Vulnerabilities.

Hands-On Ethical Hacking and Network Defense Chapter 8 Microsoft Operating System Vulnerabilities.
CIS 460 – Network Design Seminar Network Security Scanner Tool GFI LANguard.

CIS 460 – Network Design Seminar Network Security Scanner Tool GFI LANguard.
Penetration Testing Training Day Penetration Testing Tools and Techniques – pt 1 Mike Westmacott, IRM plc Supported by.

Penetration Testing Training Day Penetration Testing Tools and Techniques – pt 1 Mike Westmacott, IRM plc Supported by.

Similar presentations

Ads by Google