New Guidelines: Top 20 Cybersecurity Controls
Public/Private Group Creates Plan to Protect Critical Infrastructures
"The CAG is based on the philosophy that defense should be informed by what offense is seeing," says Ed Skoudis, co-founder of Inguardians, a security research and consulting firm, and technical editor of the CAG document. "What is being used against our own networks?"
Skoudis also is an author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and is often called to manage incident handling for major financial institutions.
The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington, D.C. to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.
Making of the CAG
Described as a "no brainer," the list of 20 cyber security controls (see list below) was found to be essentially identical across government, the defense industrial base, financial institutions and retailers. John Gilligan leads the CAG project. Gilligan served as CIO for both the US Air Force and the US Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the Intelligence Community.
"It is a no brainer," says Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks."
A team of security experts from numerous government agencies compiled the list with feedback from what Skoudis describes as "the defenders who are seeing the bad guys attack, and the government teams (red teams) whose main focus is trying to penetrate the networks to find the flaws before the hackers do, plus the professional penetration testers." All of these groups are very knowledgeable about what the current offensive techniques are, he observes.
For each of the 20 controls, the experts identified:
"This is the best example of risk-based security I have ever seen," says Alan Paller, director of research at the SANS Institute. "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past, cyber security was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."
The CAG project began in early 2008, after severe data losses in companies doing business with the U.S. Department of Defense. Very quickly the experts recognized that the attacks targeting the defense infrastructure were nearly identical to those targeting federal agencies (and sensitive organizations in developed and developing countries around the world). The project took on a greater significance, and more organizations agreed to get involved.
The next steps for the CAG include a 30-day public review period, wherein security professionals around the world will provide comment. A pilot implementation will be conducted in several federal agencies during 2009 to test the CAG's value and cost compared to current practices. A security committee of the federal CIO Council will also review the CAG to determine how it could be used on a broad basis to focus federal security expenditures. A team from the Federal Audit Executive Council will review the CAG to determine how it might allow auditors to provide reviews that more accurately measure the security of Federal systems. A series of workshops will be held in which federal users that have already automated controls identified in the CAG can present the lessons they have learned about what works and why. During the comment period, the CAG will be closely compared with the audit guides for ISO 2700x, HIPAA, GLB, PCI, and SOX compliance testing to determine whether any of these include controls and tests that do a better job of blocking or mitigating known attacks.
Skoudis recommends that institutions look over the CAG and use it as a baseline for building onto their overall security model, especially in the areas of wireless device control and application software security. As an experienced forensics expert, Skoudis notes that the list itself doesn't mean that once an institution has met all of them, the job is over.
"Security these days should be considered an evolutionary process," he says. "As fast as we move to secure networks, the bad guys are moving faster to find new ways to get into our systems."
The 20 Controls
Following is a list of the 20 CAG controls:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software for Which Such Configurations Are Available
- Secure Configurations of Network Devices Such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based on Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Assured Data Back-Up
- Security Skills Assessment and Training to Fill Gaps
For more information, see: http://www.sans.org/cag/guidelines.php