This blog has previously discussed the CSIS Commission report on cybersecurity, and one of the next steps towards federal cybersecurity was announced yesterday. A consortium of US federal agencies has drawn up a list of critical security controls they hope will serve as a gold standard for cybersecurity. The Consensus Audit Guidelines (CAG) list is part of larger plans to apply the CSIS Commission report on cybersecurity as a blueprint for improving the security of information systems.
The CAG project began last year in response to data losses in the US defense industry. Participants include the National Security Agency, the Department of Homeland Security, US-CERT, the Department of Defense, the US Department of Energy's Los Alamos National Lab, and many others. The Mitre Corporation and the SANS Institute are also involved.
“I do not know of anything going on in security that will have the impact this one can have,” Alan Paller, director of research at the SANS Institute, told El Reg. “It’s a complete revolution in federal cybersecurity, and business security as well. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”
The CAG’s Critical Security Controls:
1. Hardware audit
2. Inventory of authorized and unauthorized software
3. Secure configurations for computers and servers
4. Secure configurations of network equipment such as firewalls and routers
5. Boundary defense
6. Maintenance of audit logs
7. Application software security
8. Application of administrative privileges
9. Access controls based on need to know
10. Continuous vulnerability testing and remediation
11. Dormant account monitoring and control
12. Anti-malware defenses
13. Limitation and control of ports, protocols and services
14. Wireless device control
15. Data leak protection
16. Secure network engineering
17. Red team exercises
18. Incident response capability
19. Data recovery
20. Security skills assessment and training
To read more about this HUGE announcement, see http://www.sans.org/cag/