Wednesday, March 11, 2009


New Guidelines: Top 20 Cybersecurity Controls

Public/Private Group Creates Plan to Protect Critical Infrastructures
February 23, 2009


A consortium of federal agencies and private organizations has just released the first version of the Consensus Audit Guidelines (CAG), which defines the most critical cyber security controls to protect government agencies and critical infrastructure industries, including financial services.
"The CAG is based on the philosophy that defense should be informed by what offense is seeing," says Ed Skoudis, co-founder of Inguardians, a security research and consulting firm, and technical editor of the CAG document. "What is being used against our own networks?"

Skoudis also is an author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and is often called to manage incident handling for major financial institutions.

The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington, D.C. to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

Making of the CAG

Described as a "no brainer," the list of 20 cyber security controls (see list below) was found to be essentially identical across government, the defense industrial base, financial institutions and retailers. John Gilligan leads the CAG project. Gilligan served as CIO for both the US Air Force and the US Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the Intelligence Community.

"It is a no brainer," says Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks."

A team of security experts from numerous government agencies compiled the list with feedback from what Skoudis describes as "the defenders who are seeing the bad guys attack, and the government teams (red teams) whose main focus is trying to penetrate the networks to find the flaws before the hackers do, plus the professional penetration testers." All of these groups are very knowledgeable about what the current offensive techniques are, he observes.

For each of the 20 controls, the experts identified:
Specific (actual) attacks that the control stops or mitigates;
Best practices in automating the control (for 15 controls that can be automated);
Tests that can determine whether each control is effectively implemented.
"This is the best example of risk-based security I have ever seen," says Alan Paller, director of research at the SANS Institute. "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past, cyber security was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."

The CAG project began in early 2008, after severe data losses in companies doing business with the U.S. Department of Defense. Very quickly the experts recognized that the attacks targeting the defense infrastructure were nearly identical to those targeting federal agencies (and sensitive organizations in developed and developing countries around the world). The project took on a greater significance, and more organizations agreed to get involved.

The next steps for the CAG include a 30-day public review period, wherein security professionals around the world will provide comment. A pilot implementation will be conducted in several federal agencies during 2009 to test the CAG's value and cost compared to current practices. A security committee of the federal CIO Council will also review the CAG to determine how it could be used on a broad basis to focus federal security expenditures. A team from the Federal Audit Executive Council will review the CAG to determine how it might allow auditors to provide reviews that more accurately measure the security of Federal systems. A series of workshops will be held in which federal users that have already automated controls identified in the CAG can present the lessons they have learned about what works and why. During the comment period, the CAG will be closely compared with the audit guides for ISO 2700x, HIPAA, GLB, PCI, and SOX compliance testing to determine whether any of these include controls and tests that do a better job of blocking or mitigating known attacks.

Skoudis recommends that institutions look over the CAG and use it as a baseline for building onto their overall security model, especially in the areas of wireless device control and application software security. As an experienced forensics expert, Skoudis notes that the list itself doesn't mean that once an institution has met all of them, the job is over.

"Security these days should be considered an evolutionary process," he says. "As fast as we move to secure networks, the bad guys are moving faster to find new ways to get into our systems."

The 20 Controls

Following is a list of the 20 CAG controls:

Inventory of Authorized and Unauthorized Hardware.
Inventory of Authorized and Unauthorized Software.
Secure Configurations for Hardware and Software For Which Such Configurations Are Available.
Secure Configurations of Network Devices Such as Firewalls And Routers.
Boundary Defense
Maintenance and Analysis of Complete Security Audit Logs
Application Software Security
Controlled Use of Administrative Privileges
Controlled Access Based On Need to Know
Continuous Vulnerability Testing and Remediation
Dormant Account Monitoring and Control
Anti-Malware Defenses
Limitation and Control of Ports, Protocols and Services
Wireless Device Control
Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

Secure Network Engineering
Red Team Exercises
Incident Response Capability
Assured Data Back-Up
Security Skills Assessment and Training to Fill Gaps

For more information, see: http://www.sans.org/cag/guidelines.php


Parking tickets actually malware attacks in disguise

Thu Feb 5, 2009 12:02PM EST


The last place anyone would expect to face a computer security attack is on the windshield of their car in the form of a parking ticket.

But that's the latest -- and intensely clever -- way that hackers are attempting to goad people into visiting infected websites and willingly installing malware on their machines.

The scam is instantly clever once you hear how it works: Hackers print up phony "PARKING VIOLATION" notices and plaster them on cars parked on the street. The phony ticket directs the car's owner to visit a certain website, and of course the website in question (which largely seems to consist of photos of badly parked cars) is a hack site which attempts to install malware on your PC.

Essentially what we have here is a phishing attack that takes place in the real world instead of via email. The use of fliers on parked cars is what's truly ingenious: A similar attack sent via postal mail would probably have minimal effect, but people are incredibly protective of their cars, and I imagine these windshield fliers will actually have a pretty good percentage of people typing in the URLs printed on them.

The good news -- for now -- is that the fliers are extremely crude, printed on yellow paper and offering nothing in the way of legal language that would compel a sophisticated and naturally skeptical reader to even visit the website in question. Like the earliest email phishing attacks, this attack may be simplistic, but it's probably a precursor of more advanced attacks to come. When hackers scan in real parking tickets and reprint them, replacing the URL printed there with one for a sophisticated attack site, then the sparks are going to start flying. (Installing malware is boring by comparison... I expect the real attacks will involve collecting money and hijacking credit cards and bank accounts wholesale.)

This appears to be a very limited attack (reported only in Grand Forks, North Dakota) for the time being, but it's a good idea to keep your skepticism handy next time you receive a parking "violation," just in case.
