What Are CIS Benchmarks and How Do They Help Businesses with Security Compliance?

CIS Benchmarks are collections of recommendations and best practices for securely configuring servers, networks, software, and other IT systems. Developed by the Center for Internet Security, the benchmarks provide guidance businesses can use to implement secure systems, assess their current level of security, and achieve regulatory compliance. 

Given the number and complexity of IT services and systems, it is challenging for businesses to develop policies and implement procedures that maintain adequate security. CIS Benchmarks provide comprehensive best practices for various platforms and technologies, including cloud platforms like AWS and Microsoft Azure.

In this article, we take a closer look at CIS Benchmarks and how businesses can use them to improve cybersecurity and compliance with information security regulations and standards. 

What is the Center for Internet Security?

The Center for Internet Security (CIS) is a non-profit organization that aims to make the internet safe by devising and promoting security best practices. It publishes the CIS Controls and CIS Benchmarks, which are developed in a crowd-sourced consensus-driven process by a membership that includes corporations, government agencies, and other institutions.

What Are CIS Benchmarks?

The CIS Benchmarks are recommendations for securing IT systems. They give businesses the information they need to verify that they are following best practices, together with instructions for implementing those practices.

To look more closely at one of the dozens of CIS Benchmarks, the CIS Amazon Web Services Foundations Benchmark is a 250-page document covering security benchmarks for a wide range of AWS services, including identity and access management, storage, logging, monitoring, and networking. 

Each section provides best practices for commonly used services. For example, the storage section provides guidance for S3, EC2, RDS, and EFS. Each best practice includes a rationale, instructions for verifying the best practice is implemented, and remediation instructions explaining how to secure the service.

The benchmarks are a valuable resource for businesses that need to assess and improve their security posture. That’s why we use the CIS Benchmarks for cloud services—including AWS, Azure, and GCP—as the foundation of our cloud security audits.

CIS Controls vs. CIS Benchmarks

As part of its mission to promote internet security, the CIS publishes the CIS Controls, a compendium of 18 critical security best practices that businesses should follow to defend against known cyberattacks. The controls address many best practices, including for inventory control, data protection, access management, malware, network monitoring, penetration testing, and more. Like the CIS Benchmarks, the CIS Controls are free, and they can be downloaded by any business looking to implement secure systems. 

CIS Controls and CIS Benchmarks differ in specificity. Whereas the CIS Controls offer broad, high-level best practices for a wide range of systems, the CIS Benchmarks offer actionable best practices for specific platforms and technologies, including cloud platforms, operating systems, network-connected devices, and applications. Many CIS Benchmarks refer to the relevant CIS Controls so users can track their progress towards compliance. 

Which Information Security Areas Are Covered By CIS Standards?

CIS Benchmarks cover a wide array of services, platforms, and software, including, among others:

  • Desktop operating systems: Microsoft Windows and macOS.
  • Server operating systems: Debian, Ubuntu, CentOS, RHEL.
  • Server software: Microsoft IIS, Microsoft Windows Server, Nginx, Apache.
  • Virtualization and Cloud Software: VMware, Kubernetes, Docker.
  • Cloud platforms: AWS, Microsoft Azure, Google Cloud Platform, Alibaba Cloud.
  • Desktop software: Microsoft Office, Google Chrome, Safari, Zoom.

What Are CIS Benchmark Levels?

CIS associates each benchmark recommendation with a profile level: Level 1, Level 2, or STIG. The profiles indicate the security level achieved by implementing a recommendation. 

Level 1 recommendations are basic security practices essential to creating a secure IT environment. Level 2 recommendations are high-security recommendations for systems hosting sensitive data or other high-security scenarios. Level 2 recommendations may be more difficult to implement, and they may disrupt a business’s operations. 

For example, the CIS Amazon Web Services Foundations Benchmark contains the following two recommendations, applicable to Level 1 and Level 2, respectively. 

  • Level 1: Ensure CloudTrail is enabled in all regions
  • Level 2: Ensure CloudTrail log file validation is enabled
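As an added example written for this article (not CIS's own assessment tooling or AWS code), the following Python evaluates the two CloudTrail recommendations above against trail data in the shape the CloudTrail API returns; the Trail fields, the "Partial" placeholder for mixed event selectors, and the sample trails are constructed assumptions.

```python
"""Evaluate CloudTrail settings against the two CIS recommendations above.
Added example for this article; not CIS assessment tooling or AWS code."""
from dataclasses import dataclass


@dataclass
class Trail:
    """One trail, with fields merged from three CloudTrail API calls (assumed
    simplification: only classic event selectors are considered)."""
    name: str
    is_multi_region: bool              # DescribeTrails: IsMultiRegionTrail
    is_logging: bool                   # GetTrailStatus: IsLogging
    includes_management_events: bool   # GetEventSelectors: IncludeManagementEvents
    read_write_type: str               # GetEventSelectors: ReadOnly, WriteOnly or All
    log_file_validation: bool          # DescribeTrails: LogFileValidationEnabled


def check_cloudtrail_all_regions(trails):
    """Level 1: at least one trail must be multi-region, actively logging, and
    capturing all management events (reads and writes)."""
    compliant = [
        t.name for t in trails
        if t.is_multi_region and t.is_logging
        and t.includes_management_events and t.read_write_type == "All"
    ]
    if compliant:
        return True, f"multi-region trail(s) logging all management events: {compliant}"
    return False, "no multi-region trail is logging all management events"


def check_log_file_validation(trails):
    """Level 2: every trail must have log file validation enabled, so that
    modified or deleted log files can be detected after delivery."""
    failing = [t.name for t in trails if not t.log_file_validation]
    if failing:
        return False, f"log file validation disabled on: {failing}"
    return True, "log file validation enabled on all trails"


def assess(trails):
    """Map each recommendation to a (compliant, detail) pair."""
    return {
        "Level 1: Ensure CloudTrail is enabled in all regions": check_cloudtrail_all_regions(trails),
        "Level 2: Ensure CloudTrail log file validation is enabled": check_log_file_validation(trails),
    }


def load_trails_from_aws():
    """Collect the same fields from a live account (needs boto3 and credentials;
    not used by the offline sample below)."""
    import boto3  # imported lazily so the offline demo does not require it
    ct = boto3.client("cloudtrail")
    trails = []
    for t in ct.describe_trails(includeShadowTrails=False)["trailList"]:
        status = ct.get_trail_status(Name=t["TrailARN"])
        selectors = ct.get_event_selectors(TrailName=t["TrailARN"]).get("EventSelectors", [])
        trails.append(Trail(
            name=t["Name"],
            is_multi_region=t.get("IsMultiRegionTrail", False),
            is_logging=status.get("IsLogging", False),
            includes_management_events=any(s.get("IncludeManagementEvents") for s in selectors),
            read_write_type="All" if any(s.get("ReadWriteType") == "All" for s in selectors) else "Partial",
            log_file_validation=t.get("LogFileValidationEnabled", False),
        ))
    return trails


# Constructed sample account: one multi-region trail without validation, plus a
# single-region legacy trail. Not data from a real account.
SAMPLE_TRAILS = [
    Trail("org-trail", True, True, True, "All", False),
    Trail("legacy-us-east-1", False, True, True, "WriteOnly", True),
]

if __name__ == "__main__":
    for recommendation, (ok, detail) in assess(SAMPLE_TRAILS).items():
        print(f"{'PASS' if ok else 'FAIL'}  {recommendation}: {detail}")
```

The sample account passes the Level 1 check but fails Level 2, which is the typical pattern the benchmark's profile levels are designed to surface.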

The STIG profile is intended to help businesses to comply with the Security Technical Implementation Guide, a baseline security standard created by the Defense Information Systems Agency (DISA). The STIG profile includes CIS Level 1 and Level 2 recommendations, as well as additional recommendations required for STIG compliance. 

What are CIS Hardened Images?

CIS Hardened Images are virtual machine (VM) images with configurations that conform to the CIS Benchmarks. A VM image is a snapshot of a computer storage device containing the operating system and key library and utility software. Such images can be run directly by virtualization software and cloud platforms or copied to a physical server. 

CIS Hardened Images enable businesses to deploy servers and other devices with secure configurations out-of-the-box. Installing a secure VM image is a faster and more reliable way to achieve benchmark compliance than installing an operating system and software and then manually configuring it.

CIS publishes hardened images for most major server operating systems, including Microsoft Windows Server, Amazon Linux, Debian, Ubuntu, CentOS, Oracle Linux, and Red Hat Enterprise Linux. It also publishes images for applications such as Nginx and PostgreSQL. 

Major cloud platforms, including AWS, Microsoft Azure, Google Cloud Platform, and Oracle Cloud, offer CIS Hardened Images in their marketplaces, allowing users to deploy the images directly to virtual servers running on the platform. 

CIS Benchmarks and Regulatory Compliance

Regulatory frameworks and standards impose security and privacy obligations on businesses, but they do not provide concrete guidance for achieving compliance. It’s challenging for businesses to bridge the gap between regulations and real-world implementations on particular platforms. 

CIS Benchmarks are designed to align with major information security regulatory frameworks and standards. In CIS’s language, the recommendations “map” to regulations and standards. Implementing CIS benchmark recommendations can therefore help businesses to comply with aspects of standards and frameworks that include:

  • PCI DSS
  • HIPAA
  • NIST
  • FISMA
  • GDPR
  • ISO 27001

One example of how this works is PCI DSS Requirement 2.2, which requires organizations that process credit card data to “develop configuration standards for all system components…consistent with industry-accepted hardening standards.” CIS Benchmarks qualify as an industry-accepted standard. In fact, they are mentioned in the Requirement as an accepted standard alongside hardening standards from the SANS Institute and the National Institute of Standards and Technology (NIST).

Verify Your IT Environment Is Secure and Compliant

CIS Benchmarks make it easier for businesses to secure IT systems and comply with information security standards and regulations. However, compliance should be verified by an independent third party. 

KirkpatrickPrice helps organizations assess, verify, enhance, and demonstrate their security with compliance audits, pen testing, security awareness training, and more. Our comprehensive audit capabilities include:

To learn more, contact a KirkpatrickPrice information security specialist today.

6 Ways Employees Expose Businesses to Security and Compliance Risks

Business managers and IT professionals are inclined to attribute employee-caused security failures to malice, ignorance, or laziness. After all, the business has security policies and procedures. Employees know about them or, at the very least, have signed a declaration affirming they know about them. The IT team has implemented secure systems. 

And yet, employees often circumvent these systems and ignore information security policies, exposing the business to cybersecurity attacks and regulatory risk. Malice and incompetence seem the parsimonious explanation. But the real reasons are more complex.

Why Do Employees Fail to Comply with Security Policies?

A recent study from the Harvard Business Review found that few security policy breaches resulted from conscious malice, even among incidents where the breach was deliberate. The study, “Why Employees Violate Cybersecurity Policies,” attributes the majority of employee security protocol breaches to four causes:

  • To better accomplish tasks for their job.
  • To access information or functionality they need to do their job.
  • To help other employees to do their work.
  • Because stress drives them to increase productivity at the expense of security.

In short, employees typically fail to comply with security policies for reasons of productivity and altruism, not malice or ignorance. That doesn’t make failure to comply any more acceptable or mitigate the regulatory risk, but it may help businesses to build secure and efficient processes. 

The 6 Common Employee Security and Compliance Failures

Understanding why employees fail to comply is helpful, but businesses also need to know how employees typically breach security policies. Let’s explore six of the most common ways employees fail to follow security best practices. 

1. Configuration Errors

Configuration errors expose software and services to increased security risk. For example, it is a configuration error to grant public access to an AWS S3 bucket that stores sensitive information.

The OWASP Top Ten lists misconfiguration as one of the most prevalent web application security vulnerabilities, with almost 90% of web apps exhibiting configuration errors. Misconfiguration is also a significant source of cloud security breaches. The National Security Agency (NSA) says misconfiguration is the most common cloud security vulnerability.

Other common examples of misconfiguration include:

  • Deploying publicly accessible databases with inadequate authentication
  • Using default usernames and passwords
  • Configuring firewalls with overly permissive rules
  • Failing to limit access to sensitive data and resources
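The S3 example above is the kind of misconfiguration a simple check can catch. The following Python, added here and not part of the original article or any AWS tooling, evaluates a bucket policy together with the bucket's Block Public Access settings; the policy documents, bucket names and account ID are constructed samples.

```python
"""Detect an S3 bucket exposed to the public through its bucket policy.
Added example for this article; not AWS tooling."""
import json

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True for the anonymous-principal forms accepted in bucket policies."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_statements(policy_document):
    """Return Allow statements granting access to everyone on the internet."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))]


def evaluate_bucket(name, policy_document, public_access_block):
    """Combine the policy with the bucket's Block Public Access settings.
    public_access_block is the PublicAccessBlockConfiguration dict, or None
    when the bucket has none (every setting then defaults to off)."""
    pab = public_access_block or {}
    findings = []
    grants = public_statements(policy_document) if policy_document else []
    for s in grants:
        note = " (has a Condition; confirm it really restricts callers)" if "Condition" in s else ""
        findings.append(f"statement {s.get('Sid', '<no Sid>')} allows {s.get('Action')} to everyone{note}")
    for setting in PAB_SETTINGS:
        if not pab.get(setting, False):
            findings.append(f"Block Public Access setting {setting} is off")
    # With RestrictPublicBuckets on, S3 ignores a public policy for anonymous
    # callers, so a public statement only exposes data when that guard is off.
    exposed = bool(grants) and not pab.get("RestrictPublicBuckets", False)
    return {"bucket": name, "exposed": exposed, "findings": findings}


def load_bucket_from_aws(name):
    """Fetch the same inputs for a live bucket (needs boto3 and credentials)."""
    import boto3                                   # lazy import: offline sample does not need it
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        policy = s3.get_bucket_policy(Bucket=name)["Policy"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy = None
    try:
        pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
    except ClientError as err:
        if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    return evaluate_bucket(name, policy, pab)


# Constructed sample policies (bucket names and account ID are placeholders).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})
ACCOUNT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AccountRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::private-bucket/*"}],
})
ALL_BLOCKED = {s: True for s in PAB_SETTINGS}

if __name__ == "__main__":
    for result in (evaluate_bucket("example-bucket", PUBLIC_READ_POLICY, None),
                   evaluate_bucket("example-bucket", PUBLIC_READ_POLICY, ALL_BLOCKED),
                   evaluate_bucket("private-bucket", ACCOUNT_ONLY_POLICY, ALL_BLOCKED)):
        print(result)
```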

2. Falling for Social Engineering Attacks

Social engineering attacks manipulate employees into acting in ways that are contrary to security policies. Phishing attacks are the most common type. In a phishing attack, the attacker sends an email or instant message containing a malicious link to many different employees. The link might lead to a fake login form or a malware-infected site. 

The attacker wants to harvest login credentials or infect a trusted device. Once they can access one device, they can use it to island hop to others, circumvent security controls, and gather sensitive information.

Every organization is at risk of phishing, but it’s far from the only social engineering attack. Others include:

  • Spear phishing: a refined phishing variant that focuses on specific employees within an organization, using knowledge of the individual to craft a convincing deception. High-level executives and technical employees with wide-ranging access to IT systems are frequent spear phishing targets.
  • Smishing: attacks that use SMS to manipulate employees via spoofed phone numbers.
  • Executive impersonation attacks: the attacker contacts an employee while pretending to be a high-level executive, often to ask the employee to send money to an account under the attacker’s control. Employees rarely have the confidence to challenge executive requests.

3. Exposing Log-In Credentials

The simplest way to compromise business IT systems is with stolen login credentials and API keys. If an attacker can authenticate, they can bypass security controls and take advantage of the employee’s trusted status. The paradigmatic log-in exposure is a username and password stuck to an employee’s monitor, but that’s not the only way attackers obtain credentials. 

  • Sharing credentials: Employees often share authentication credentials with other employees, including those who may not have the same authorization level.
  • Re-using credentials: Using the same usernames and passwords on business systems and other online services increases the risk that they will be exposed.
  • Uploading credentials to version control systems: Employees may choose to upload credentials and keys to version control instead of using secure secret management services.
  • Phishing attacks: As mentioned above, attackers use phishing attacks to harvest authentication credentials.

4. Circumventing Secure Systems

Security and IT professionals implement and monitor secure systems they expect employees to use. But there is often a trade-off between security and productivity, and employees may seek a more convenient option if it allows them to work more efficiently. 

This phenomenon is one of the key drivers of shadow IT, in which employees, teams, and even whole business units use non-approved devices, software, and IT and cloud services because they are “better” than the services officially approved by the company. Of course, employees and security professionals often define “better” very differently, especially when sensitive data is stored and processed on unvetted third-party services. 

5. Poor Data Storage and Transport Practices

A nightmare scenario for IT security professionals: an employee accesses sensitive data and transfers it unencrypted to a portable drive. They want to work on the data at home but lose the bag containing the drive on their commute. Without training, employees are unlikely to understand the need for encryption and the consequences of removing data from secure storage. 

Alternative risk scenarios include employees who:

  • Email sensitive data to third parties or themselves
  • Share authentication credentials with unauthorized third parties
  • Upload data to insecure cloud services for easier access

In our examples, the employee may be acting from positive motives. But deliberate data theft by departing employees is also a huge issue—one reason removing access from employees who quit or are let go is so important. 

6. Failure to Secure Remote Working Environments

Employees who work remotely present risks that don’t arise when the business controls the working environment. These risks are exacerbated when employees use their personal devices and preferred software to complete tasks. 

Risks include:

  • Unsecured WiFi networks and routers
  • Use of devices that may have been compromised
  • Reduced security awareness and diligence
  • Reduced monitoring and oversight

To learn more about how businesses can reduce remote work risks, visit KirkpatrickPrice’s Remote Access Security Testing resources. 

Risk Management: Reducing Employee Compliance Failures

We’ve seen why employees ignore security policies and how that can increase risk. But what can businesses do to manage that risk? Combatting this type of insider threat may be challenging, but we have identified several approaches that help employees act securely and responsibly.

  • Promote a positive security culture. Ensure security policies are transparent and easy to understand. Encourage employees to report potential security issues and incentivize them to conform to policies.
  • Penetration testing. Pen testing can help to identify potential weaknesses, including those caused by employees.
  • Security awareness training. Ensure all employees understand essential security policies and why the company expects them to be followed.
  • Information security audits. Regular audits help businesses to identify and mitigate inadequate policies, processes, and behaviors.

Connect with an Expert

If you want to talk to an information security and compliance expert about reducing employee risk and combating insider threats, contact KirkpatrickPrice today.

Are Patch Management Failures Putting Your Company At Risk?

Regular software updates and rigorous patch management processes are essential to maintaining security and compliance. Even the most careful proprietary and open source software development introduces bugs. Some of those bugs create security vulnerabilities, and cybercriminals are always looking for opportunities to infiltrate business IT resources and steal sensitive data. 

A report from Arctic Wolf, a security operations vendor, shows the scale of the problem. Exposure of a known vulnerability to external networks caused 82% of the security incidents the company handled in the first quarter of 2022. Of those incidents, 57% could have been avoided by software patching. The remainder were caused by exposing vulnerable services to the public internet. 

A systematic, scheduled, and comprehensive patch management policy is the only way businesses can hope to manage the risk at scale. 

What is Patch Management?

Patch management encompasses a range of processes that ensure potentially vulnerable software is updated as soon as a fix is available. The term “patch” comes from the development world, where a patch is a file containing a set of changes to a piece of software. Patches add and remove features and refactor code. But, most importantly, they fix known vulnerabilities.

We all regularly patch (update) software on our devices with the click of a button. However, patching is much more challenging for complex business IT systems. Most of us don’t mind rebooting our smartphone when it updates, but a business can’t simply shut down its network. It can’t apply patches that haven’t been tested in case they break essential services. And, quite often, it doesn’t know which software needs patching in the first place. 

Software patch management is intended to overcome these problems. It typically involves a number of processes, including:

  • Software discovery: Businesses should develop an inventory of all operating systems and software on their network. They can’t update software if they don’t know about it.
  • Standardization: Patch management is less challenging if businesses standardize on particular operating systems and software products.
  • Vulnerability monitoring: IT and security professionals should track vulnerability reports for software the business uses.
  • Development tracking: They should also keep abreast of patch releases so they can quickly apply patches.
  • Risk assessment: Assessing vulnerability risk helps businesses to prioritize critical vulnerabilities and patches for core systems.
  • Testing: Modifying software has the potential to change its functionality and cause performance regressions. Testing allows businesses to identify issues before they impact production systems.
  • Patching: The patches are applied to production systems, often beginning with a subset to verify there are no unexpected results.
  • Monitoring: Ensure that all IT resources perform as expected after the update.

As you can see, patch management is not straightforward. However, many aspects can be automated by patch management software, as we’ll see later in this article.

Patch Management and Compliance

Compliance and audit failures may occur when businesses:

  1. Fail to patch vulnerabilities promptly.
  2. Implement inadequate patch management processes.

As we’ve seen, exposing software with known vulnerabilities to the public internet is a common cause of network infiltration and data theft. That reality is reflected in information security and privacy regulations and standards. 

  • PCI DSS: PCI Requirement 6.1 states that businesses should establish a process to identify security vulnerabilities. PCI Requirement 6.2 states that businesses should ensure all systems and software are protected from known vulnerabilities.
  • HIPAA: 45 CFR § 164.308(1)(i) states that businesses should implement policies and procedures to prevent, detect, contain, and correct security violations.
  • ISO 27001: Control A.12.6.1 focuses on technical vulnerability management and states that vulnerabilities should be quickly identified, subject to a risk assessment, and remediated through proper measures, which include asset patching.

Other information security frameworks and standards include similar requirements which assert or imply the necessity of a robust and effective patch management process. 

How to Monitor Critical Security Vulnerabilities

Businesses must be aware of software vulnerabilities before they can fix them. To do so, it is necessary to:

  1. Understand which software your business operates.
  2. Monitor sources of vulnerability information for relevant announcements.
  3. Assess the level of risk a vulnerability poses.

There is no canonical source for vulnerability data, and it is often best to monitor vulnerability and update information published by software vendors and open source projects. You should also monitor public vulnerability databases, which include:

These databases allow users to search for vulnerabilities in specific software and software created by specific vendors. 

Patch Management Software

Patch management software automates some of the processes outlined above, allowing businesses to reduce the cost and complexity of keeping their software safe and up-to-date. There are many competing patch management software solutions with varying features. Businesses should take the time to investigate the capabilities of each to find the best solution for their unique circumstances, but we’d like to highlight three prominent solutions. 

AWS Systems Patch Manager

AWS Systems Patch Manager is a capability of AWS Systems Manager, which integrates many system automation tools. It can automate patching on managed AWS nodes, including operating system and application patching. Usefully, Patch Manager integrates with Systems Manager’s maintenance window functionality, so patching can be scheduled to run at convenient times. 

Azure Automation Update Management

Azure Automation offers a range of automation tools for Microsoft’s Azure cloud platform. The Update Management tool can automatically perform updates for Windows and Linux operating systems on Azure or on-premises. 

Red Hat Satellite

Red Hat Satellite is a comprehensive infrastructure management tool with automatic patch management functionality. Satellite can report which servers need to be updated and automatically apply updates as required. 

Other patch management tools include SolarWinds Patch Manager, LANDesk Patch Manager, ManageEngine Patch Manager Plus, and Ivanti Patch Manager.

3 Critical Vulnerabilities You Should Patch Immediately

Failure to patch is the root cause of many of the most serious security incidents. A vulnerability in widely used software can have a catastrophic impact on thousands of businesses. To conclude this article, we will look at three critical and widespread vulnerabilities, all of which continue to be exploited by cybercriminals, despite the availability of patches that would protect businesses and their customers.

Log4J

Log4J is a logging library for the Java ecosystem. It is integrated into hundreds of thousands of servers and applications and is particularly popular in the enterprise space. In 2021, a critical remote code execution vulnerability was discovered. Log4Shell allows malicious third parties to execute arbitrary code and has been described as “the biggest, most critical vulnerability of the last decade.”

A patch was released to fix the vulnerability immediately after it was discovered, yet many servers and applications remain vulnerable. 

ProxyShell

ProxyShell is an attack that relies on a series of vulnerabilities affecting Microsoft Exchange. An attacker can string the vulnerabilities together to achieve remote code execution via a PowerShell instance available from the web. ProxyShell is relatively straightforward to exploit, requiring only a specially crafted email containing code that the attacker can trick the server into executing. 

Microsoft released patches that mitigate the risk in May and July 2021.

SpringShell

Spring is an enormously popular web framework for Java. Earlier this year, a remote code execution vulnerability was discovered. Although not considered as severe as the Log4J vulnerability because it is more challenging to implement, cybercriminals quickly began to exploit SpringShell to gain access to servers running the Spring framework. 

A patch to mitigate the vulnerability was released immediately, and businesses using the Spring Framework should update to a recent version as soon as possible.

Enterprise Security and Compliance with KirkpatrickPrice

KirkpatrickPrice provides services to help businesses secure their infrastructure and comply with regulatory frameworks and standards, including compliance audits, penetration testing, and remote access security testing.

What is a Web Application Firewall (WAF)?

A web application firewall (WAF) sits between web applications and the internet. It monitors inbound traffic and filters malicious requests before they reach the potentially vulnerable application. This article explores WAFs, how they work, the most popular and effective examples, and why you should consider using a WAF to protect your site or app from cybercriminals.

Does Your Web App Need a WAF?

Sooner or later, every website, app, and API is targeted by malicious bots or their cybercriminal operators. If it’s online, it’ll be attacked. Vulnerabilities will be exploited, data will be stolen, web pages will be defaced, and malware will be injected. A web application firewall (WAF) works alongside other security measures to defeat bad actors and keep sites and apps safe. 

If you don’t use a WAF, you rely on the web app to repel attacks. That may work in the short term, but a WAF provides an additional layer of defense that can be dynamically updated to protect against emerging threats. WAFs are an effective and valuable defense against the most common attacks against web apps and APIs.

How Does a Web Application Firewall Work?

A WAF is a reverse proxy. It intercepts inbound HTTP requests and inspects them for patterns that indicate an attack. If an attack is detected, the request is dropped before it reaches the web app. Legitimate requests are passed through the WAF to the app, which responds as usual. 

You can think of a WAF as a filter. It absorbs all incoming web traffic and removes any that could be harmful, providing the app with a stream of pre-vetted, legitimate requests. 

One of the main advantages of a WAF is that it can be updated quickly in response to new threats. Consider what happens when a challenging zero-day vulnerability is discovered in a web app. It might not be possible to release a patch immediately, and even if it were, there is a delay between patch release and updating, especially for apps with many instances. 

WAF users can, however, quickly add new rules to filter inbound requests that could exploit the unpatched vulnerability. This ability allows businesses to keep web app users and their data safe with greater efficiency and flexibility. 

Does a WAF Replace a Network Layer Firewall?

WAFs complement network firewalls and provide additional protection but do not replace traditional network layer firewalls. A web application firewall works at the application layer, Layer 7 in the OSI model. It intercepts HTTP data but cannot monitor and filter data protocols used at lower levels. 

In contrast, firewalls such as iptables typically operate at the network and session layers (Layers 3 and 4). They work with low-level protocols such as TCP and UDP, but not higher-level protocols such as HTTP. 

Some modern firewalls cover a broader range. For example, AWS Network Firewall can monitor and control Layer 3–7 network traffic, combining the functionality of a network layer firewall and a WAF. However, users should verify the specific capabilities of each firewall before relying on it to protect their web applications. 

Threats Web Application Firewalls Prevent

Web application firewalls protect against many different types of attacks commonly used against web apps. These include attacks that traditional network firewalls cannot intercept, including:

  • Cross-site scripting (XSS): malicious code injection into web pages.
  • Cross-site request forgery (CSRF): an attack that forces an authenticated user to carry out unwanted actions.
  • SQL injection: the injection of SQL code, which is then executed by the site’s database.
  • Cookie poisoning: session hijacking using forged or intercepted cookies.

Many WAFs also provide some protection against distributed denial of service (DDoS) attacks. Because all traffic goes through the WAF first, it can be rate-limited and malicious floods of traffic can be filtered. However, a WAF is unlikely to protect a web app against a large-scale volumetric attack as effectively as a dedicated DDoS mitigation service.

Additionally, some WAFs can be used to implement protections usually carried out at the network layer. Many WAFs allow users to upload lists of IP addresses to block. They can also be used to block traffic sources that are considered likely to cause issues. For example, AWS WAF curates a managed set of rules for blocking traffic from Tor and VPNs, and other WAFs offer similar functionality. 

What Are the Types of Web Application Firewall?

All web application firewalls serve the same fundamental role, but there are alternative hosting and operational models. These can be divided into three broad categories:

  • Network-based WAFs are usually hosted on dedicated hardware in data centers close to the application they protect. Network-based WAFs are often used to protect large, high-traffic applications where low-latency connectivity is a priority. They are the most expensive WAF type and the most complex to manage and maintain.
  • Host-based WAFs are integrated into the software they protect and may be hosted on the same hardware. For example, many WordPress plugins integrate a host-based web application firewall with the CMS. This approach has the benefit of flexibility and ease of use, but it can result in reduced performance if the host lacks the resources to run the WAF and the app at peak load times.
  • Cloud WAFs are managed services hosted on cloud platforms. They are the easiest to use and manage. The cloud provider manages the software and underlying hardware. They are also responsible for deploying rules and policies for filtering threats, including updates for emerging threats. Cloud WAFs provide a reasonable level of customization, performance, and uptime, but they may not be the best option for businesses that need more control over their firewall.

WAFs may also be categorized by whether they operate on a blocklist or allowlist model. A blocklist selectively disallows connections that match an undesirable pattern, whereas an allowlist permits connections that conform to a desirable pattern. 

There are advantages to both approaches. Blocklists allow security professionals to target known malicious connections. In contrast, allowlists can block all connections that do not match a desirable profile. Allowlists are effective and require less maintenance, but they may not be suitable for applications intended to be accessible to as many users as possible.
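To make the blocklist/allowlist distinction concrete, here is an added example (not from the original article or any WAF product) that runs the same constructed requests through a tiny blocklist filter and a tiny allowlist filter; the patterns, endpoint profiles and sample requests are illustrative assumptions, far smaller than a real rule set.

```python
"""Blocklist vs allowlist request filtering, in the style of a WAF rule engine.
Added example for this article; not code from any WAF product."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Blocklist: a deliberately small set of known-bad patterns (illustrative only).
BLOCKLIST = [
    ("sqli", re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+\d+\s*=\s*\d+|--\s*$")),
    ("xss", re.compile(r"(?i)<\s*script\b|javascript:|\bon\w+\s*=")),
    ("path-traversal", re.compile(r"(?i)\.\./|%2e%2e%2f")),
]

# Allowlist: per-endpoint profile of permitted methods and parameter formats.
ALLOWLIST = {
    "/search": {"methods": {"GET"}, "params": {"q": re.compile(r"[\w \-]{1,64}")}},
    "/api/orders": {"methods": {"GET"}, "params": {"id": re.compile(r"\d{1,10}")}},
}


def split_request(url):
    """Return the decoded path and the decoded query parameters."""
    parts = urlsplit(url)
    return unquote(parts.path), parse_qs(parts.query, keep_blank_values=True)


def inspect_blocklist(method, url):
    """Blocklist model: allow unless some value matches a known-bad pattern."""
    path, params = split_request(url)
    values = [path] + [v for vs in params.values() for v in vs]
    for label, pattern in BLOCKLIST:
        for value in values:
            if pattern.search(value):
                return False, f"matched {label} pattern in {value!r}"
    return True, "no blocklist pattern matched"


def inspect_allowlist(method, url):
    """Allowlist model: block unless the request fits the endpoint profile."""
    path, params = split_request(url)
    profile = ALLOWLIST.get(path)
    if profile is None:
        return False, f"no profile for path {path!r}"
    if method not in profile["methods"]:
        return False, f"method {method} not permitted on {path}"
    for name, values in params.items():
        rule = profile["params"].get(name)
        if rule is None:
            return False, f"unexpected parameter {name!r}"
        for value in values:
            if not rule.fullmatch(value):
                return False, f"parameter {name!r} value {value!r} does not fit profile"
    return True, "request fits endpoint profile"


def compare(requests):
    """Run both models over (method, url) pairs -> (method, url, blocklist_ok, allowlist_ok)."""
    return [(m, u, inspect_blocklist(m, u)[0], inspect_allowlist(m, u)[0]) for m, u in requests]


# Constructed sample traffic, not captured from a real site.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=running+shoes"),          # benign: both allow
    ("GET", "/search?q=%27+OR+1%3D1+--"),        # textbook SQLi probe: both block
    ("GET", "/api/orders?id=42"),                # benign: both allow
    ("GET", "/api/orders?id=42%3BDROP"),         # unknown payload: blocklist misses, allowlist blocks
    ("POST", "/api/orders?id=42"),               # unprofiled method: only the allowlist blocks
    ("GET", "/help"),                            # endpoint not yet profiled: allowlist blocks it too
]

if __name__ == "__main__":
    for method, url, blocklist_ok, allowlist_ok in compare(SAMPLE_REQUESTS):
        print(f"{method:4} {url:35} blocklist={'allow' if blocklist_ok else 'BLOCK'} "
              f"allowlist={'allow' if allowlist_ok else 'BLOCK'}")
```

The last two requests show the trade-off the paragraph describes: the allowlist catches a payload no blocklist pattern anticipated, but it also rejects a legitimate new endpoint until someone adds a profile for it.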

Popular Web Application Firewalls

There are dozens of WAFs to choose from. Although they offer similar core functionality, they differ in focus and features. To conclude this article, we’ll look at four widely used WAFs.

ModSecurity

ModSecurity, or ModSec, is an open-source WAF initially developed as a module for the Apache web server. It subsequently evolved into a cross-platform WAF for Apache, Nginx, and Microsoft Internet Information Services (IIS). 

ModSecurity secures web apps using a set of rules to determine which connections to accept and which to block. These can be custom-made by the user, but there are many pre-made rule sets. One of the most widely used is the OWASP ModSecurity Core Rule Set, which detects the ten most widespread attacks, including SQL injection, cross-site scripting, and local file inclusion. 

AWS WAF

AWS WAF is a managed cloud WAF provided by Amazon Web Services. It is easy to configure and deploy, and users pay only for the cloud compute resources they consume. Users can create their own firewall rules, but AWS also provides Managed Rules, pre-configured rule sets that cover a specific range of threats. Basic managed rule sets are free, and more specialized sets are made available on the AWS Marketplace, including an OWASP Top Ten set. 

In addition to standard WAF features, AWS WAF also provides bot control functionality, which allows users to monitor bot traffic and block or rate-limit bots that generate excessive traffic. 
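To show how the managed and custom rules described above fit together, here is an added CloudFormation template (example code, not from the original article or from AWS) that attaches one AWS managed rule group and one custom rate-based rule to a regional web ACL. The rate-based rule is a simple custom blocklist rule, not the separate AWS Bot Control managed group; the web ACL name, metric names and the 2,000-requests-per-five-minutes limit are constructed sample values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Regional web ACL with an AWS managed rule group and a rate limit (added example)

Resources:
  AppWebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: app-web-acl             # constructed sample name
      Scope: REGIONAL               # use CLOUDFRONT when protecting a CloudFront distribution
      DefaultAction:
        Allow: {}                   # blocklist model: requests pass unless a rule blocks them
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: AppWebAcl
      Rules:
        # Managed rule group maintained by AWS that covers common web exploits
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 0
          OverrideAction:
            None: {}                # keep the actions defined inside the managed group
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: CommonRuleSet
        # Custom rule: block any source IP that exceeds 2000 requests in a 5-minute window
        - Name: RateLimitPerIp
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000           # constructed sample threshold; tune to observed traffic
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitPerIp
```

Deploy with `aws cloudformation deploy` and associate the web ACL with an Application Load Balancer or API Gateway stage; the per-rule CloudWatch metrics show which rule matched before you tighten the default action.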

Watch Introduction to AWS WAF and Shield and Protecting API Gateways with WAF Rules to learn more about AWS WAF. 

Azure Web Application Firewall

Azure Web Application Firewall is a cloud WAF offered by Microsoft’s Azure cloud platform. It provides much the same functionality as AWS WAF, including managed rulesets that protect against the OWASP Top Ten and other common threats. 

Cloudflare WAF

Cloudflare WAF is part of Cloudflare’s range of CDN and security services. It is a cloud WAF integrated with Cloudflare’s global network, providing managed and custom rules, protections based on machine learning, and rapid deployment of rules to protect from emerging zero-day vulnerability threats. 

Web Application Security and Compliance with KirkpatrickPrice

A web application firewall is one component of an effective security and compliance program. KirkpatrickPrice provides a range of services to help businesses secure their infrastructure and comply with regulatory frameworks and standards, including compliance audits, penetration testing, and remote access security testing.

How to Set Up AWS Systems Manager Maintenance Windows

Information security regulations and standards often require businesses to perform regular maintenance tasks to ensure compliance. For example, PCI DSS Requirement 6 says merchants must deploy critical patches within a month of release. Failure to complete these tasks on time risks non-compliance. 

Unfortunately, many security-related tasks are disruptive—updating a server operating system can take the server offline. Therefore, businesses prefer to carry out patching and other potentially disruptive activities during scheduled maintenance windows. These typically occur during low-traffic periods or when redundant infrastructure is available.

AWS Systems Manager Maintenance Windows is a cloud service that helps businesses manage and automate maintenance windows. In this article, we’ll explore what AWS Systems Manager Maintenance Windows is and how you can use it to automate compliance tasks. 

What is AWS Systems Manager Maintenance Windows?

AWS Systems Manager Maintenance Windows is a capability of AWS Systems Manager, a cloud service that allows IT administrators to automate repetitive operations and management tasks. We discussed Systems Manager in depth in How to Get Started Using AWS Systems Manager, so in this article, we’ll focus exclusively on its Maintenance Windows capability. 

The Maintenance Windows service can schedule actions to be carried out at a specified time on a subset of your AWS infrastructure. It can automate actions on AWS services that include S3, EC2 nodes, Amazon DynamoDB, and other services that can be used with AWS Resource Groups and Tag Editor.

Each maintenance window consists of:

  • A schedule that determines when to carry out tasks.
  • A maximum duration to limit the length of each maintenance window. 
  • Registered targets: the cloud resources that actions will impact. 
  • Registered tasks: the actions the system will take within the scheduled period.

What Actions Does Maintenance Windows Support?

Maintenance Windows supports various task types that are part of other Systems Manager capabilities. These include:

  • Run Command for executing configuration commands and tasks on managed instances, including EC2 nodes and on-premises servers and VMs.
  • Workflows from AWS Systems Manager’s Automation capability. 
  • Serverless AWS Lambda functions.
  • AWS Step Functions tasks. 

Together, these task types can schedule and automate a wide range of compliance activities, including application updating, OS patching, executing shell scripts, launching serverless functions that carry out further compliance tasks, altering node configurations, and much more. 

Setting Up an AWS Maintenance Window

AWS Maintenance Windows is a powerful automation tool with many different options. We can’t cover all of its features here, but to give you an idea of what’s involved in creating a maintenance window, let’s walk through a simple maintenance window setup that updates the SSM Agent installed on an EC2 instance.  

Assuming you have already configured Systems Manager to work with your EC2 instance, as described in the Systems Manager documentation, the setup process is as follows:

  1. Navigate to AWS Systems Manager and select Maintenance Windows from the sidebar menu.
  2. Click “Create Maintenance Window.” Provide a name and set up a schedule. Maintenance Windows provides an intuitive graphical schedule builder, but you can also use rate expressions and the crontab format.
  3. Once the maintenance window is scheduled, select it from the list. You’ll be presented with a tabbed interface where you can register tasks and designate targets. 
  4. On the Tasks tab, select Register tasks and choose Register Run Command task from the dropdown menu. 
  5. Select AWS-UpdateSSMAgent from the Command Document section and choose your instance in the Targets section. 
  6. Click Register Run Command at the bottom of the page.
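The same six-step console walkthrough expressed as an added CloudFormation template (example code, not from the original article or from AWS), so the window, its targets and the AWS-UpdateSSMAgent Run Command task are version-controlled and repeatable. It goes slightly beyond the walkthrough by targeting instances by a tag rather than a single instance ID and by setting a cutoff and an error threshold; the window name, the `PatchGroup` tag key and value, the schedule and the timezone are constructed sample values.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Weekly SSM Agent update on tagged EC2 instances (added example)

Parameters:
  PatchGroupTag:
    Type: String
    Default: web                  # constructed sample tag value; set to your own group

Resources:
  AgentUpdateWindow:
    Type: AWS::SSM::MaintenanceWindow
    Properties:
      Name: weekly-ssm-agent-update
      # Systems Manager cron format has six fields: minute hour day-of-month month day-of-week year.
      # "?" leaves day-of-month unspecified, so this runs every Sunday at 02:00.
      Schedule: cron(0 2 ? * SUN *)
      ScheduleTimezone: America/New_York
      Duration: 2                 # window length in hours
      Cutoff: 1                   # stop starting new tasks 1 hour before the window closes
      AllowUnassociatedTargets: false   # tasks may only run on registered targets

  AgentUpdateTargets:
    Type: AWS::SSM::MaintenanceWindowTarget
    Properties:
      WindowId: !Ref AgentUpdateWindow
      ResourceType: INSTANCE
      Targets:
        - Key: tag:PatchGroup     # every managed instance carrying this tag is in scope
          Values:
            - !Ref PatchGroupTag

  AgentUpdateTask:
    Type: AWS::SSM::MaintenanceWindowTask
    Properties:
      WindowId: !Ref AgentUpdateWindow
      TaskType: RUN_COMMAND
      TaskArn: AWS-UpdateSSMAgent # the Command Document chosen in step 5
      Priority: 1
      MaxConcurrency: "25%"       # update a quarter of the fleet at a time
      MaxErrors: "1"              # halt the task after the first failed instance
      # No ServiceRoleArn given, so Systems Manager runs the task with its service-linked role
      Targets:
        - Key: WindowTargetIds
          Values:
            - !Ref AgentUpdateTargets
      TaskInvocationParameters:
        MaintenanceWindowRunCommandParameters:
          TimeoutSeconds: 600
```

After deploying, the window's History tab in the Systems Manager console shows each execution and per-instance result, which is the evidence an auditor will ask for when checking that patching ran on schedule.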

As you can see, setting up scheduled automations to take care of repetitive compliance tasks is straightforward. We’ve only scratched the surface of what you can do with Maintenance Windows, so be sure to check out the Guidebook for more information.

State Manager vs. Maintenance Windows

AWS Systems Manager also has a capability called State Manager. There is some cross-over in the functionality of State Manager and Maintenance Windows. Both can be used to automate some tasks. However, State Manager may be a better choice for compliance tasks where the goal is to maintain managed node configurations in a consistent state and for compliance reporting. Before choosing a compliance automation service, read Choosing between State Manager and Maintenance Windows.


Learn About AWS Compliance with KirkpatrickPrice

To learn more about AWS compliance, visit our cloud security and compliance resources, which provide expert guidance for cloud audits, regulatory compliance, and information security, or connect with an expert today.