Wednesday, March 11, 2009


New Guidelines: Top 20 Cybersecurity Controls

Public/Private Group Creates Plan to Protect Critical Infrastructures
February 23, 2009


A consortium of federal agencies and private organizations has just released the first version of the Consensus Audit Guidelines (CAG), which defines the most critical cyber security controls to protect government agencies and critical infrastructure industries, including financial services.
"The CAG is based on the philosophy that defense should be informed by what offense is seeing," says Ed Skoudis, co-founder of InGuardians, a security research and consulting firm, and technical editor of the CAG document. "What is being used against our own networks?"

Skoudis also is an author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and is often called to manage incident handling for major financial institutions.

The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington, D.C. to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

Making of the CAG

Described as a "no brainer," the list of 20 cyber security controls (see list below) was found to be essentially identical across government, the defense industrial base, financial institutions and retailers. John Gilligan leads the CAG project. Gilligan served as CIO for both the US Air Force and the US Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the Intelligence Community.

"It is a no brainer," says Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks."

A team of security experts from numerous government agencies compiled the list with feedback from what Skoudis describes as "the defenders who are seeing the bad guys attack, and the government teams (red teams) whose main focus is trying to penetrate the networks to find the flaws before the hackers do, plus the professional penetration testers." All of these groups are very knowledgeable about what the current offensive techniques are, he observes.

For each of the 20 controls, the experts identified:
Specific (actual) attacks that the control stops or mitigates;
Best practices in automating the control (for 15 controls that can be automated);
Tests that can determine whether each control is effectively implemented.
"This is the best example of risk-based security I have ever seen," says Alan Paller, director of research at the SANS Institute. "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past, cyber security was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."

The CAG project began in early 2008, after severe data losses in companies doing business with the U.S. Department of Defense. Very quickly the experts recognized that the attacks targeting the defense infrastructure were nearly identical to those targeting federal agencies (and sensitive organizations in developed and developing countries around the world). The project took on a greater significance, and more organizations agreed to get involved.

The next steps for the CAG include a 30-day public review period, wherein security professionals around the world will provide comment. A pilot implementation will be conducted in several federal agencies during 2009 to test the CAG's value and cost compared to current practices. A security committee of the federal CIO Council will also review the CAG to determine how it could be used on a broad basis to focus federal security expenditures. A team from the Federal Audit Executive Council will review the CAG to determine how it might allow auditors to provide reviews that more accurately measure the security of Federal systems. A series of workshops will be held in which federal users that have already automated controls identified in the CAG can present the lessons they have learned about what works and why. During the comment period, the CAG will be closely compared with the audit guides for ISO 2700x, HIPAA, GLB, PCI, and SOX compliance testing to determine whether any of these include controls and tests that do a better job of blocking or mitigating known attacks.

Skoudis recommends that institutions review the CAG and use it as a baseline on which to build their overall security model, especially in the areas of wireless device control and application software security. As an experienced forensics expert, Skoudis notes that meeting every control on the list does not mean the job is over.

"Security these days should be considered an evolutionary process," he says. "As fast as we move to secure networks, the bad guys are moving faster to find new ways to get into our systems."

The 20 Controls

Following is a list of the 20 CAG controls:

1. Inventory of Authorized and Unauthorized Hardware
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available
4. Secure Configurations of Network Devices Such as Firewalls And Routers
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Assured Data Back-Up
20. Security Skills Assessment and Training to Fill Gaps

For more information, see: http://www.sans.org/cag/guidelines.php
