New Guidelines: Top 20 Cybersecurity Controls

Public/Private Group Creates Plan to Protect Critical Infrastructures
A consortium of federal agencies and private organizations has just released the first version of the Consensus Audit Guidelines (CAG), which defines the most critical cyber security controls to protect government agencies and critical infrastructure industries, including financial services.

"The CAG is based on the philosophy that defense should be informed by what offense is seeing," says Ed Skoudis, co-founder of Inguardians, a security research and consulting firm, and technical editor of the CAG document. "What is being used against our own networks?"

Skoudis also is an author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and is often called to manage incident handling for major financial institutions.

The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington, D.C. to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

Making of the CAG

Described as a "no brainer," the list of 20 cyber security controls (see list below) was found to be essentially identical across government, the defense industrial base, financial institutions and retailers. John Gilligan leads the CAG project. Gilligan served as CIO for both the US Air Force and the US Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the Intelligence Community.

"It is a no brainer," says Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks."

A team of security experts from numerous government agencies compiled the list with feedback from what Skoudis describes as "the defenders who are seeing the bad guys attack, and the government teams (red teams) whose main focus is trying to penetrate the networks to find the flaws before the hackers do, plus the professional penetration testers." All of these groups are very knowledgeable about what the current offensive techniques are, he observes.

For each of the 20 controls, the experts identified:

Specific (actual) attacks that the control stops or mitigates;
Best practices in automating the control (for 15 controls that can be automated);
Tests that can determine whether each control is effectively implemented.

"This is the best example of risk-based security I have ever seen," says Alan Paller, director of research at the SANS Institute. "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past, cyber security was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."

The CAG project began in early 2008, after severe data losses in companies doing business with the U.S. Department of Defense. Very quickly the experts recognized that the attacks targeting the defense infrastructure were nearly identical to those targeting federal agencies (and sensitive organizations in developed and developing countries around the world). The project took on a greater significance, and more organizations agreed to get involved.

The next steps for the CAG include a 30-day public review period, wherein security professionals around the world will provide comment. A pilot implementation will be conducted in several federal agencies during 2009 to test the CAG's value and cost compared to current practices. A security committee of the federal CIO Council will also review the CAG to determine how it could be used on a broad basis to focus federal security expenditures. A team from the Federal Audit Executive Council will review the CAG to determine how it might allow auditors to provide reviews that more accurately measure the security of Federal systems. A series of workshops will be held in which federal users that have already automated controls identified in the CAG can present the lessons they have learned about what works and why. During the comment period, the CAG will be closely compared with the audit guides for ISO 2700x, HIPAA, GLB, PCI, and SOX compliance testing to determine whether any of these include controls and tests that do a better job of blocking or mitigating known attacks.

Skoudis recommends that institutions look over the CAG and use it as a baseline on which to build their overall security model, especially in the areas of wireless device control and application software security. As an experienced forensics expert, Skoudis notes that meeting all 20 controls does not mean the job is over.

"Security these days should be considered an evolutionary process," he says. "As fast as we move to secure networks, the bad guys are moving faster to find new ways to get into our systems."

The 20 Controls

Following is the list of the 20 CAG controls. The first 15 can be automated; the last five are not directly supported by automated measurement and validation:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software for Which Such Configurations Are Available
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based on Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Assured Data Back-Up
  20. Security Skills Assessment and Training to Fill Gaps
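The article says that for each automatable control the experts identified tests that determine whether it is effectively implemented. The script below is an added example, not part of the article or the CAG document, of what such an automated test looks like for two of the listed controls: Control 1 (Inventory of Authorized and Unauthorized Hardware), checked by reconciling an authorized hardware inventory against hosts observed on the network, and Control 11 (Dormant Account Monitoring and Control), checked by flagging enabled accounts with no recent logon. The inventory, observed hosts, account records, the 90-day idle threshold and the as-of date are all constructed for illustration; a real deployment would feed in its own asset database, DHCP/ARP records and directory exports.

```python
"""Added example: automated checks in the spirit of CAG Control 1 and Control 11.

All data below is constructed for illustration. The functions return findings
so the result can be reported, alerted on, or asserted in a test; a control is
considered effectively implemented when its check returns no findings.
"""
from datetime import datetime, timedelta

# Constructed authorized hardware inventory (Control 1): MAC address -> asset tag.
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "WS-0001",
    "00:11:22:33:44:02": "WS-0002",
    "00:11:22:33:44:03": "SRV-0001",
}

# Constructed result of a network sweep (e.g. parsed DHCP or ARP records): (MAC, IP).
OBSERVED_HOSTS = [
    ("00:11:22:33:44:01", "10.0.0.10"),
    ("00:11:22:33:44:03", "10.0.0.12"),
    ("de:ad:be:ef:00:01", "10.0.0.57"),  # constructed: device absent from the inventory
]

# Constructed account export (Control 11): last successful logon as ISO date or None.
ACCOUNTS = [
    {"user": "alice", "last_logon": "2009-02-20", "enabled": True},
    {"user": "bob", "last_logon": "2008-09-01", "enabled": True},
    {"user": "svc_backup", "last_logon": "2009-02-21", "enabled": True},
    {"user": "contractor7", "last_logon": None, "enabled": True},  # never logged on
    {"user": "old_admin", "last_logon": "2008-01-15", "enabled": False},  # already disabled
]


def find_unauthorized_hardware(authorized, observed):
    """Control 1 test: observed (MAC, IP) pairs whose MAC is not in the inventory."""
    known = {mac.lower() for mac in authorized}
    return [(mac, ip) for mac, ip in observed if mac.lower() not in known]


def find_missing_hardware(authorized, observed):
    """Control 1 reconciliation: inventoried asset tags not seen on the network.

    These are not intrusions, but stale inventory entries that need follow-up;
    an inventory that does not match reality cannot be used to spot rogue devices.
    """
    seen = {mac.lower() for mac, _ in observed}
    return sorted(tag for mac, tag in authorized.items() if mac.lower() not in seen)


def find_dormant_accounts(accounts, as_of_date, max_idle_days=90):
    """Control 11 test: enabled accounts that never logged on or have been idle
    longer than max_idle_days as of as_of_date (ISO string, e.g. "2009-02-23").

    Accounts that are already disabled are skipped: they are the desired end state.
    """
    cutoff = datetime.strptime(as_of_date, "%Y-%m-%d") - timedelta(days=max_idle_days)
    dormant = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_logon"]
        if last is None or datetime.strptime(last, "%Y-%m-%d") < cutoff:
            dormant.append(acct["user"])
    return dormant


def control_report(as_of_date, max_idle_days=90):
    """Run both checks and gather findings per control."""
    return {
        "control_1_unauthorized_hardware": find_unauthorized_hardware(AUTHORIZED_HARDWARE, OBSERVED_HOSTS),
        "control_1_missing_hardware": find_missing_hardware(AUTHORIZED_HARDWARE, OBSERVED_HOSTS),
        "control_11_dormant_accounts": find_dormant_accounts(ACCOUNTS, as_of_date, max_idle_days),
    }


def control_passes(report):
    """A control is effectively implemented only when every check has no findings."""
    return all(len(findings) == 0 for findings in report.values())


if __name__ == "__main__":
    report = control_report("2009-02-23")
    for check, findings in report.items():
        print(f"{check}: {findings if findings else 'no findings'}")
    print("all controls pass:", control_passes(report))
```

The idle threshold and what counts as "observed" are policy decisions; the useful property of the check is that it is repeatable and produces a list of specific findings, which is what lets an auditor measure the control rather than take its existence on trust.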

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.