Every business can use benchmarking to improve on its security.
Hopefully, most people are familiar with Microsoft's Baseline Security Analyzer, which identifies missing security updates and common security misconfigurations on machines running Windows, but there are many more Microsoft diagnostic tools you can download for free.
Within the Microsoft Download Center, search for "Analyzer tool" and three should come up: "Best Practices Analyzers" for Internet Security and Acceleration Server, Microsoft Exchange and SQL Server, all of which report configuration settings that do not conform to Microsoft's recommended best practices. Following the recommendations these tools provide will also help the network achieve greater performance, scalability, reliability and uptime.
For those of you running a wider variety of operating systems and applications, or who want a vendor-independent tool, the free Center for Internet Security (CIS) Benchmark Audit Tools are for you. Benchmarking is a process that compares your business activities to similar companies' or to accepted best practices. The CIS Benchmark tools enable IT and security professionals to rapidly assess their own IT systems and, in some cases, to benchmark security systems for compliance with the CIS minimum due-care security benchmark. These benchmarks are developed through a global consensus process, which pools the security knowledge and recommendations of IT security specialists from around the world, and the benchmarks are kept up to date as new vulnerabilities are discovered.
Various reports offer guidance on how to harden new and active systems and applications. I would also recommend the CIS Configuration Audit Tool (CIS-CAT), which compares the configuration of IT systems to CIS Benchmarks and reports conformance scores on a scale of 0-100. This allows you to ensure the security status of your information systems conforms to the configuration specified in the benchmark and to monitor the effectiveness of internal security processes. The reports can then demonstrate to senior management how your system security measures up, as well as show compliance with an accepted security standard. To begin, CIS provides a short video tutorial on how to download CIS-CAT, evaluate a Microsoft Windows system using the CIS Windows XP Benchmark and interpret the assessment results.
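To show what a conformance score of this kind actually represents, here is a small audit scorer written for this article as an added example; it is not CIS-CAT code and its rule IDs, setting names and thresholds are constructed to resemble Windows policy checks rather than copied from any CIS benchmark. It applies weighted "flat" scoring, counting only scored rules and reporting not-scored rules for information.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Rule:
    rule_id: str          # constructed id, not a real CIS recommendation number
    title: str
    check: Callable[[Dict[str, object]], bool]
    scored: bool = True   # "Not Scored" rules are reported but excluded from the score
    weight: float = 1.0

# Constructed benchmark; the setting names are this example's own.
BENCHMARK: List[Rule] = [
    Rule("1.1", "Minimum password length is 14 or more",
         lambda c: c.get("MinimumPasswordLength", 0) >= 14),
    Rule("1.2", "Account lockout threshold is between 1 and 10",
         lambda c: 0 < c.get("LockoutBadCount", 0) <= 10),
    Rule("2.1", "Guest account is disabled",
         lambda c: c.get("GuestAccountEnabled") is False),
    Rule("2.2", "Logon events are audited",
         lambda c: c.get("AuditLogonEvents") in ("Success", "Failure", "Success and Failure"),
         weight=2.0),   # audit settings weighted higher in this constructed benchmark
    Rule("3.1", "Screen saver timeout is documented",
         lambda c: "ScreenSaverTimeout" in c, scored=False),
]

def audit(config: Dict[str, object], rules: List[Rule] = BENCHMARK) -> dict:
    """Evaluate every rule against a configuration snapshot and return
    per-rule results, the failing scored rules and a 0-100 conformance score."""
    results = {r.rule_id: bool(r.check(config)) for r in rules}
    scored = [r for r in rules if r.scored]
    earned = sum(r.weight for r in scored if results[r.rule_id])
    possible = sum(r.weight for r in scored)
    score = round(100.0 * earned / possible, 1) if possible else 0.0
    failed = [r.rule_id for r in scored if not results[r.rule_id]]
    return {"score": score, "results": results, "failed_scored": failed}

# Constructed snapshot of a host that has not yet been fully hardened.
SAMPLE_CONFIG: Dict[str, object] = {
    "MinimumPasswordLength": 8,
    "LockoutBadCount": 5,
    "GuestAccountEnabled": False,
    "AuditLogonEvents": "Success and Failure",
}

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print(f"Conformance score: {report['score']}/100")
    for rid, ok in report["results"].items():
        print(f"  [{'PASS' if ok else 'FAIL'}] {rid}")
```

Against the sample snapshot the host scores 80/100 with rule 1.1 failing, which is the kind of finding a CIS-CAT report lets you track over time.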
There are 52 benchmarks altogether, including those for all the commonly used operating systems such as Microsoft Windows, Linux, Unix, Mac OS and Solaris. Various browsers and databases are covered, and there are also benchmarks for VMware, wireless network devices and Apple Inc.'s iPhone. Once you have hardened a system, you can use it to create a standard configuration image for hardening similar systems prior to deployment. This is a great time saver if you have to roll out several machines at once.
CIS also provides its Consensus Security Metrics to make cost-effective security investment decisions easier. Again, this is a free resource.
There are 20 metric definitions for six business functions: incident management, vulnerability management, patch management, application security, configuration management and financial metrics. (Additional metrics are being defined for other business functions.) The metrics measure the frequency and severity of security incidents, incident recovery performance, and the use of security practices that are generally regarded as effective, allowing you to analyse your own IT security process and performance outcomes.
The Information Security Forum (ISF), an independent, non-profit organisation, offers its members a variety of tools, such as the Security Healthcheck for evaluating information security controls across an application, business unit or an entire organisation, with results mapped against ISO 27002, the Control Objectives for Information and related Technology (COBIT) or the Payment Card Industry Data Security Standard (PCI DSS). The ISF's Information Security Benchmark allows you to assess your security performance and compare your security status against that of other organisations, as well as against ISO 27002 and COBIT. Although you need to be a member to download these particular tools, you can download the ISF's Standard of Good Practice for Information Security for free. This guide is a good place to start addressing your information security needs from a business perspective, as it provides a practical basis for assessing an organisation's information security arrangements, large or small.
Every business can use benchmarking to improve on its security: The process questions what you are doing, identifies opportunities for improvement and often provides the momentum necessary for implementing change. At its simplest, it helps you to compare your security posture with best practice and control costs, while more sophisticated benchmarking looks at process design and business strategy. You and your network can benefit from this knowledge, expertise and experience for free, so don't waste the opportunity.
About the author:
Michael Cobb CISSP-ISSAP, CLAS, is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.
This was first published in September 2010