Enhancing Security and Functionality

After attending several conferences on the state of enterprise security, including Symantec’s Federal Summit and AFCEA’s Cyber Security Symposium, my conclusion is this: the most important thing enterprise leaders can do right now to enhance security and functionality is to implement the Consensus Audit Guidelines (CAG).

The CAG was created by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines.  Details of this effort are at http://www.sans.org/cag/

The CAG provides the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
  4. Secure Configurations of Network Devices Such as Firewalls and Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering
  2. Red Team Exercises
  3. Incident Response Capability
  4. Data Recovery Capability
  5. Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each control, including detailed descriptions, how to implement them, how to measure them, and how to continuously improve them. The site also makes clear that this is a work in progress, and that processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.

What should CTOs think about this guidance?  As for me, I most strongly endorse it. In my mind the appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute.  “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

For more on the CAG and other related topics visit the CTOvision blog at http://ctovision.com
