Center for Internet Security (CIS) Membership Benefits

srothman Member Posts: 45
Hi, 
I'm taking a long shot and asking if anyone here is a CIS member, and what tools and resources are made available once you join?

Here is some context:
We are busy building a competency in our organization that will focus primarily on getting assessments done against common frameworks and benchmarks such as NSF and CIS. One thing we are looking for is an assessment platform/tool/resource that will help us get assessments done against the CSC 20.

My question really being, I suppose: Will a membership with the CIS provide us with the necessary tooling to effectively perform this assessment? I've asked the people at CIS, but not getting a response, and also not really keen to get the opinion of someone on their own product.

Bonus question! Any other toolset that will help with such assessments (preferably not a massive Excel sheet we're using at the moment) that you can recommend?

TIA

Comments

  • yoba222 Senior Member Member Posts: 1,182
    edited May 24
    I don't know NSF. For CIS, are you referring to security configuration guidelines, mainly for different operating systems? If so, I can't remember which tier of membership, but CIS offers a tool (I think Java-based) that you can drop on the desktop of the target operating system that runs the checks in an automated fashion. Nothing all that special, but gets the job done in some circumstances.

    Other than that, many vulnerability scanners have CIS-based templates baked in that can do the same checks. Tenable, Rapid7, probably Qualys offer this ability to do the same sort of automated checks. I'd go that route before giving CIS money or using a spreadsheet.

    Another option is to just roll your own tooling. The CIS benchmarks are free to download in PDF format. You could write command line/bash scripts to perform the same checks right from the benchmarks. This is time-consuming though.
    A+, Network+, CCNA, LFCS,
    Security+, eJPT, CySA+, PenTest+,
    Cisco CyberOps, GCIH, VHL,
    In progress: OSCP
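
The "write your own scripts" route mentioned in the comment above could look like this. It is an added example, not code from the thread or from CIS: the function names are hypothetical, and the three sshd settings are illustrative assumptions rather than items quoted from a benchmark PDF.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file against expected settings.
# The three settings in audit() are illustrative; take the real list from
# the benchmark document you are assessing against.

# Print the first global (pre-Match) value of KEYWORD in FILE, lowercased.
effective_value() {
  awk -v key="$2" '
    /^[ \t]*#/                  { next }  # commented-out lines do not count
    tolower($1) == "match"      { exit }  # ignore per-user/host overrides
    tolower($1) == tolower(key) { print tolower($2); exit }  # first value wins
  ' "$1"
}

# check FILE KEYWORD EXPECTED: print one result line, return 0 on pass.
check() {
  actual=$(effective_value "$1" "$2")
  if [ "$actual" = "$3" ]; then
    echo "PASS $2 = $actual"
    return 0
  fi
  # An unset keyword fails: this example requires settings to be explicit.
  echo "FAIL $2 = ${actual:-<unset>} (expected $3)"
  return 1
}

# audit FILE: run every check, print the results, return the failure count.
audit() {
  failures=0
  check "$1" PermitRootLogin no      || failures=$((failures + 1))
  check "$1" PermitEmptyPasswords no || failures=$((failures + 1))
  check "$1" X11Forwarding no        || failures=$((failures + 1))
  return "$failures"
}

# Constructed sample input, written to a temp file so the script runs offline.
write_sample() {
  cat > "$1" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
permitemptypasswords no
Match User backup
    X11Forwarding no
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit "$sample" || echo "$? check(s) failed"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration with defaults and included files resolved, so its output is a better input for `audit` than the raw file.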
  • srothman Member Posts: 45
    Thanks. I'm busy looking at both Tenable and Qualys at the moment as well as part of some other service offerings too, and tend to agree with you.