“We are in a cyberwar,” said John Gilligan, who led the Consensus Audit Guidelines (CAG) project, announced Monday in a conference call.
"The federal government is being targeted," said Gilligan, who previously served as CIO for both the U.S. Air Force and the U.S. Department of Energy and served on the Obama transition team focusing on IT within the Department of Defense and the intelligence community. "Our ability to defend against attacks is quite weak. We're bleeding badly and need to focus on keeping the patient alive."
The team that put together the CAG initiative, part of a larger effort housed at the Center for Strategic and International Studies (CSIS) in Washington D.C. to advance key recommendations from the Commission on Cybersecurity for the 44th Presidency, consulted with a number of key government agencies to gather data on the latest attack patterns.
These experts agreed on the 20 key actions that enterprises must take to mitigate not only known attacks, but attacks that can be expected in the near term.
“This is the best example of risk-based security I have ever seen,” Alan Paller, director of research at the SANS Institute, said in a statement. “The team that was brought together represents the nation's most complete understanding of the risk faced by our systems.”
James Lewis, director of CSIS' Technology and Public Policy Program, said on the call that the guidelines will allow agencies to catch up with the latest risks, allowing the government to change how it defends itself and making itself a harder target.
One of the frustrations that individual organizations face each year is repeatedly doing the same things and not making significant progress in their security posture, Gilligan said. He pointed to the guidelines' emphasis on automating processes.
“We need to take the process out of the hands of individuals to ensure that 100 percent of the time we can implement effective security controls,” he said.
Ed Skoudis, the technical editor for the CAG and author of Malware and Counter Hack Reloaded, said during the call that he was impressed at how quickly a broad group of people came to consensus to address both external and internal threats.
Skoudis added that the guidelines do more than just focus on preventative measures.
“While we still need to defend against older-style attacks, today's attackers are sophisticated, so we need to defend against current attacks,” he said.
The CAG is a living document that must be continually updated, he added. It provides specific details on what organizations should do, and provides vendor-neutral tools that can be used to achieve the security goals of each piece, he said.
Response to early drafts of the document have been eliciting positive responses.
"It will go a long way toward recalibrating the federal cybersecurity efforts away from being what many have described as a report-card driven paper-work exercise, to instead being now properly focused on meaningful efforts to improve the real security posture of our operational systems,” said Dan Galik, CISO of the U.S. Department of Health and Human Services.
What are the guidelines?
The Consensus Audit Guidelines are posted here, along with detailed control descriptions, examples of attacks they stop or mitigate, how to automate them, and how to test them.
This is a list of controls that will be subject to validation:
- Inventory of Authorized and Unauthorized Hardware
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Secure Configurations of Network Devices such as Firewalls and Routers
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection Additional Critical Controls
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Assured Data Backups