A group of public and private sector security experts identified 20 security controls to help government agencies block attacks against critical systems and lock down sensitive data.
To get security news and tips delivered to your inbox,
The 20 important controls for effective cyber defense and FISMA compliance, presented Monday as the Consensus Audit Guidelines (CAG). The group said it's the first step toward providing specific audit guidelines used by the Federal government to ensure a minimum standard of security controls are in place for agency systems and the civilian contractors they do business with. It also addresses recommendations issued by the Commission on Cybersecurity for the 44th Presidency.
The list could help agencies better prioritize the actions they need to take in securing themselves, said Ed Skoudis, founder and senior security consultant with InGuardians Inc. Skoudis was the technical editor that helped pull together the list from guidelines issued by the National Institute of Standards and Technology (NIST) and other organizations.
Federal cybersecurity efforts:
DHS should lose cybersecurity authority, experts say: A group of security and policy experts told a House subcommittee Tuesday that cybersecurity should move from DHS to the White House.
Cybersecurity czar signals government cooperation at RSA Conference: Cybersecurity chief, Greg Garcia told RSA Conference attendees that government, enterprises and academia need to work together to fight growing Internet threats.
"If you defend against the attacks of 10 years ago or five years ago, you're going to get owned," Skoudis said. "You need to defend against things five or 10 years ago, but you also need to defend against attack vectors we're seeing today." Lawmakers have been critical of the Federal government's ability to address cybersecurity and lock down systems that are under constant attack. Last September, the Commission on Cybersecurity for the 44th Presidency recommended moving cybersecurity authority from the Department of Homeland Security (DHS) to the White House to gain better control on how all agencies prepare for a major online attack. The goal of the commission has been to develop a coherent strategy that helps protect all government agencies.
The project to develop the security controls list was led by John Gilligan, president of the consulting firm Gilligan Group. Security experts, including penetration testers, U.S. Department of Defense cybsersecurity experts, The United States Computer Emergency Readiness Team (US-CERT) and representatives from the National Security Agency contributed to the project.
The list includes four categories or levels that progress from easiest to implement to more technical techniques that may require more time and an investment in technology. The first group lists fundamental security controls that can be implemented without any major change to current processes or an organization's environment. These controls include taking an inventory of hardware and software, controlling the use of administrative privileges and securing hardware and software configurations on endpoint devices.
A second group of security controls focuses on ways a company can gain visibility into system operations and establish event monitoring to determine which systems generate security events. For example, the group of controls includes log monitoring and analysis and account monitoring and control.
Another group of controls also addresses ways an organization can reduce vulnerabilities and address network configuration issues. It addresses application software security and firewall and router configurations. The most advanced controls identified by the group include ways organizations can improve security of the most sensitive networks. For example, an organization using two-factor authentication for a sensitive system may want to implement two-factor across all systems.
"It's designed to help [agencies] focus on those areas that are most commonly being exploited today," Skoudis said. "It also helps organizations that already have a robust security infrastructure, take it to next level."
Dan Galik, CISO of the U.S. Department of Health and Human Services said the list will help the federal government realign its cybersecurity objectives across agencies.
"I think it will go a long way towards recalibrating the Federal cybersecurity efforts away from being what many have described as a report card driven paper-work exercise, to instead being now properly focused on meaningful efforts to improve the real security posture of our operational systems," Galik said in a statement.
The group said the controls should be examined and prioritized against an organization's current use of security technologies and policies. The project is seeking comments about the list from the public until March 23 when pilot tests are set to begin within several agencies.