Execute System Security Configuration Assessment Using Free CIS-CAT® Lite (Download, Run, Scan) – InfoSec Memo

CIS-CAT Lite is the free assessment tool developed by CIS (Center for Internet Security, Inc.). CIS-CAT Lite helps users implement secure configurations for multiple technologies. With unlimited scans available via CIS-CAT Lite, your organization can download and start implementing CIS Benchmarks in minutes.


With CIS-CAT Lite, You Can Easily:

  • Instantly check your systems against CIS Benchmarks.
  • Receive a compliance score from 1 to 100.
  • Follow remediation steps to improve your security.


CIS-CAT Lite vs CIS-CAT Pro

CIS-CAT Pro offers multiple assessment reporting output formats (TXT, CSV, HTML, XML, JSON) that provide a conformance score for 80+ CIS Benchmarks.

CIS-CAT Lite is available as a preview for users. It offers HTML-based reporting output and a limited set of CIS Benchmarks (Microsoft Windows 10, Google Chrome, and Ubuntu). Review the full list of comparisons between the Lite and Pro versions.

Compare Key Features (CIS-CAT Lite vs CIS-CAT Pro)

Compare the key features of CIS-CAT Lite and CIS-CAT Pro to understand the differences between the versions:

Access to the CIS PDF documents is free, but using the official content requires a relatively significant effort of manually walking through the PDF documents and parsing them into something machine-readable. Of course, a CIS membership greatly eases that pain and effort, and enables some remediation capabilities, too.

To access CIS-CAT Pro, your organization must be a CIS SecureSuite Member. Members can download CIS-CAT Pro from the CIS community platform, CIS WorkBench. Log in to CIS WorkBench with your work email address (registration required) and click on the “Downloads” tab.

CIS-CAT Pro Assessor v4 and v4 Service require a license to unlock full features and CIS Benchmark content. See the CIS deployment guide on how to apply your organization’s license key.

You’ll be asked to fill in some information to get the download link by email.

After you submit the form, you’ll get a thank-you page asking you to check your email in a few minutes:

Your email inbox will receive an email like this in a few minutes:

To make things much simpler for my blog readers, here is the download link I received from the email. I’m hoping it will still be working:

Download link for version 4.21.0: https://learn.cisecurity.org/e/799323/l-799323-2019-11-15-3v7x/2mnnf/466068160?h=obkEDgLFWSJIYMScLM33jw7hlaNnzd1fvJSmc8su7Vw

For my download, I received a zip file named CIS-CAT-Lite-v4.21.0.zip. It is a 147MB file. After extraction, the folder size is about 212MB.

Execute Security Assessment

When using the GUI, there is no need to set up additional software components (no Java Runtime Environment (JRE) needed) or configurations to use the basic workflow. In order to successfully execute assessor commands, admin or elevated access is still required. (https://www.cisecurity.org/insights/blog/the-evolution-of-cis-cat-and-a-new-gui-in-cis-cat-v4-1-0)

Here is a screenshot of the version v4.1.0 folder contents:

5. If the selected profile includes questions, you may get an interactive window asking you to enter a value or answer for those questions.

There are pre-defined default values set for these questions.

6. Now that the benchmark and profile have been selected, you can go to the next step.

7. The next window is for assessment options. You can click Next directly; since we are using the Lite version, we will not be able to choose the report format.

8. Start Assessment

9. Assessment of your local computer in progress

10. Assessment completed.

11. View HTML Report

CIS Critical Security Control Types

Implementation Groups (IG)

Implementation Groups (IGs) are the recommended guidance for prioritizing implementation of the CIS Critical Security Controls (CIS Controls). In order to help enterprises of every size, IGs are divided into three groups. They are based on the risk profile and the resources an enterprise has available to implement the CIS Controls. Each IG identifies a set of Safeguards (previously referred to as CIS Sub-Controls) that it needs to implement. There is a total of 153 Safeguards in CIS Controls v8.

1. IG1 (Minimal, 56 Safeguards) – essential cyber hygiene, representing an emerging minimum standard of information security for all enterprises. Every enterprise should start with IG1. IG1 is defined as “essential cyber hygiene,” the foundational set of cyber defense Safeguards that every enterprise should apply to guard against the most common attacks.

2. IG2 (Recommended, 56 + 74 Safeguards) – IG2 builds upon IG1 and is comprised of 74 additional Safeguards, which help security teams cope with increased operational complexity.

3. IG3 (Full, 56 + 74 + 23 Safeguards) – comprised of all the Controls and Safeguards. IG3 assets and data contain sensitive information or functions that are subject to regulatory and compliance oversight. An IG3 enterprise must address availability of services and the confidentiality and integrity of sensitive data.

CIS Profiles – Level 1, Level 2, STIG (Level 3)

Most CIS Benchmarks include multiple configuration profiles. A profile definition describes the configurations assigned to benchmark recommendations. Generally, a profile can be treated as a baseline.

The Level 1 profile is considered a base recommendation that can be implemented fairly promptly and is designed not to have an extensive performance impact. The intent of the Level 1 profile is to lower the attack surface of your organization while keeping machines usable and not hindering business functionality.

The Level 2 profile is considered to be “defense in depth” and is intended for environments where security is paramount. The recommendations associated with the Level 2 profile can have an adverse effect on your organization if not implemented appropriately or without due care.

The STIG profile replaces the previous Level 3. The STIG profile provides all recommendations that are STIG specific. Overlapping recommendations from the other profiles, i.e. Level 1 and Level 2, are present in the STIG profile as applicable.

Notes: The two most common system configuration baselines for cybersecurity are the Center for Internet Security’s CIS Benchmarks and the US Department of Defense’s Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
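To make concrete how a profile acts as a baseline that selects a subset of a benchmark's recommendations, and how a pass/fail compliance score like the one CIS-CAT reports can be derived from those results, here is an added example (not CIS-CAT code and not from the original post). The XCCDF fragment, the three rules, the check functions standing in for OVAL definitions, and the host configuration are all constructed for illustration; the score formula (percentage of selected, checkable rules that pass) is an assumption about CIS-CAT's scoring, used here only to show the mechanics.

```python
"""Constructed model of XCCDF profile selection and a pass/fail score.

Added example, not CIS-CAT code. CIS Benchmarks ship as XCCDF/OVAL;
a <Profile> is a list of <select idref="..."/> elements naming the rules
that make up that baseline. Everything below is made up for illustration.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed XCCDF fragment: Level 2 layers one extra rule on top of Level 1.
SAMPLE_BENCHMARK = """<?xml version="1.0"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <Profile id="xccdf_example_profile_L1">
    <title>Level 1</title>
    <select idref="xccdf_example_rule_ssh_root_login" selected="true"/>
    <select idref="xccdf_example_rule_pw_max_days" selected="true"/>
  </Profile>
  <Profile id="xccdf_example_profile_L2">
    <title>Level 2</title>
    <select idref="xccdf_example_rule_ssh_root_login" selected="true"/>
    <select idref="xccdf_example_rule_pw_max_days" selected="true"/>
    <select idref="xccdf_example_rule_auditd_enabled" selected="true"/>
  </Profile>
  <Rule id="xccdf_example_rule_ssh_root_login"><title>Disable SSH root login</title></Rule>
  <Rule id="xccdf_example_rule_pw_max_days"><title>Password max age is 365 days or less</title></Rule>
  <Rule id="xccdf_example_rule_auditd_enabled"><title>auditd service is enabled</title></Rule>
</Benchmark>
"""

# Constructed checks standing in for the OVAL definitions a real benchmark
# ships. Each takes a host configuration dict and returns True on pass.
CHECKS = {
    "xccdf_example_rule_ssh_root_login": lambda cfg: cfg.get("PermitRootLogin") == "no",
    "xccdf_example_rule_pw_max_days": lambda cfg: 0 < int(cfg.get("PASS_MAX_DAYS", 99999)) <= 365,
    "xccdf_example_rule_auditd_enabled": lambda cfg: cfg.get("auditd") == "enabled",
}

# Constructed host configuration: Level 1 items compliant, auditd not enabled.
SAMPLE_HOST = {"PermitRootLogin": "no", "PASS_MAX_DAYS": "90", "auditd": "disabled"}


def selected_rules(xccdf_text, profile_id):
    """Return the rule ids a profile selects (this is the 'baseline')."""
    root = ET.fromstring(xccdf_text)
    profile = root.find(f"x:Profile[@id='{profile_id}']", XCCDF_NS)
    if profile is None:
        raise ValueError(f"profile {profile_id!r} not found in benchmark")
    return [
        sel.get("idref")
        for sel in profile.findall("x:select", XCCDF_NS)
        if sel.get("selected") == "true"
    ]


def assess(xccdf_text, profile_id, host_config):
    """Evaluate every selected rule; rules with no automated check are 'unknown'."""
    results = {}
    for rule_id in selected_rules(xccdf_text, profile_id):
        check = CHECKS.get(rule_id)
        if check is None:
            results[rule_id] = "unknown"
        else:
            results[rule_id] = "pass" if check(host_config) else "fail"
    return results


def score(results):
    """Assumed scoring: percentage of pass/fail rules that passed, unknowns excluded."""
    scored = [r for r in results.values() if r in ("pass", "fail")]
    if not scored:
        return 0
    return round(100 * scored.count("pass") / len(scored))


if __name__ == "__main__":
    for profile in ("xccdf_example_profile_L1", "xccdf_example_profile_L2"):
        res = assess(SAMPLE_BENCHMARK, profile, SAMPLE_HOST)
        print(profile, res, "score:", score(score_input := res))
```

Running it shows the same host scoring 100 against Level 1 but 67 against Level 2, because the stricter baseline selects an additional rule the host fails; the Level 2 selection is a superset of Level 1, which is exactly the layering described above.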



