US Dept of Defense lists top 20 security controls

Summary: Cybersecurity experts from the US government are set to spark a 'complete revolution' with a list of IT security actions for organisations

TOPICS: Security

A group of US government security organisations has listed the top 20 security actions that they recommend organisations should take to improve computer security.

Called Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, the list was published on Monday by a conglomerate of US government agencies, including the NSA, US-Cert, various US Department of Defense computer security groups and security training organisation Sans Institute.

Alan Paller, director of Sans Institute, told ZDNet UK in an email on Friday that the list, also known as the Consensus Audit Guidelines (CAG), would spark "a complete revolution in federal and business cybersecurity".

"I do not know of anything going on in security that will have the impact this initiative can have," said Paller. "If the nation (and the rest of the developed world) cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

The CAG's first recommendation is that companies should put together an inventory of authorised and unauthorised hardware. According to the CAG, criminal and foreign governmental organisations scan networks to identify and exploit unpatched systems. Companies should compile a dynamic inventory, controlled by automated monitoring and configuration management, to reduce the chance of an attacker finding and exploiting unauthorised and unprotected systems.

Having a whitelist of authorised software, and an inventory of authorised and unauthorised software, is also important, according to the CAG. Software that is extraneous to business use often introduces security vulnerabilities and, once a machine is exploited, attackers can use it as a staging point for collecting sensitive information from other systems, warned the guidelines. The list of security controls is available from the Sans Institute website.

Experts began to compile the CAG list in 2008 following a series of "extreme data losses" suffered by US defence industry companies, according to a Sans Institute statement. Federal cyber attack and defence experts, including penetration testing teams, began to pool their knowledge of the attack techniques being used against the government and defence industrial base. The result is the list of 20 security controls.

The CAG project is led by John Gilligan, who served as chief information officer for both the US Air Force and the US Department of Energy. In a statement Gilligan said that it was obvious that organisations should implement these controls.

"It is a no-brainer," said Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritise your security investments to stop those attacks."

The CAG will have a 30-day review period following publication, during which time security experts are invited to comment on the document and propose additions. The list of controls will then undergo pilot implementations in several federal agencies, after which it will be reviewed by the CIO council to determine how it can be used across the US government to focus and prioritise security expenditure.

Last month US security organisations in conjunction with Sans Institute published a list of the top 25 coding errors that introduce security vulnerabilities into software.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.


    At last, we have official endorsement of the best kept secret for protecting the desktop - Whitelisting - this is surely the most effective way to prevent direct harm to computers from viruses and malware. Comprehensive application whitelisting
  • Not so simple

    I can see a number of problems with this approach.

    The first is, how do you determine a program is safe? It is quite possible to write some malicious code that only goes bad after (say) 10,000 data saves.

    The most common integrity check is md5, but I read over a year ago that someone had proved that it is, not easy, but if the stakes are high enough, possible to produce patched code that gives the same md5 sum (especially if the code is a large sprawling mass).

    How do you protect the verification code itself? In my yoof, I wrote a nice little patch that overwrote a BBC B game's security code with NOPs. Now I know that's simplistic, but there are some very savvy malware writers these days.

    I think it is very dangerous to have a system that assesses something as safe, then goes on to assume it will always remain safe. That doesn't even allow for interactions between two different applications that seemingly behave perfectly by themselves, but (for example) when run together on the same machine create some nasty race condition that locks out all access to the storage media - that doesn't even require one of the applications to be malicious, just badly programmed!

    Finally. All this only applies to closed software. Open source software simply doesn't have the problem as the geek fraternity will be all over it like a rash, and very loudly howl about anything remotely dodgy that they find.
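An added example, not from the article, the CAG document or the commenter, of the hash-based application allowlist check discussed above: every file is re-hashed on each audit run rather than trusted once, only SHA-256 entries count as authorised, and any allowlist entry still keyed by MD5 (the weakness the comment raises) is reported for re-hashing. The file paths, file contents and the `algo:hexdigest` allowlist format are all constructed for the example.

```python
import hashlib

# Constructed stand-ins for executables found on a host; the paths and
# contents are invented for this example, not real software.
SAMPLE_FILES = {
    "/usr/bin/editor": b"\x7fELF editor 1.0 build 42",
    "/usr/bin/editor.bak": b"\x7fELF editor 1.0 build 42 + injected payload",
    "/opt/tools/rshell": b"\x7fELF unlisted remote admin tool",
}

# Only collision-resistant algorithms may authorise a file.
STRONG_ALGOS = {"sha256", "sha512"}


def digest(data: bytes, algo: str = "sha256") -> str:
    return hashlib.new(algo, data).hexdigest()


# Hypothetical allowlist format: "algo:hexdigest" -> description.
# The md5 entry is present only to show how a weak entry is reported.
ALLOWLIST = {
    "sha256:" + digest(SAMPLE_FILES["/usr/bin/editor"]): "editor 1.0 (approved)",
    "md5:" + digest(b"\x7fELF legacy tool", "md5"): "legacy tool (approved 2006)",
}


def weak_entries(allowlist):
    """Allowlist keys whose hash algorithm is not in STRONG_ALGOS (e.g. md5)."""
    return sorted(k for k in allowlist if k.split(":", 1)[0] not in STRONG_ALGOS)


def audit(files, allowlist):
    """Map each path to 'authorised' or 'unauthorised'.

    Files are hashed afresh on every run, so a binary that is modified after
    approval stops matching; entries keyed by a weak algorithm never match.
    """
    strong = {k for k in allowlist if k.split(":", 1)[0] in STRONG_ALGOS}
    result = {}
    for path, data in files.items():
        matched = any(f"{algo}:{digest(data, algo)}" in strong for algo in STRONG_ALGOS)
        result[path] = "authorised" if matched else "unauthorised"
    return result


if __name__ == "__main__":
    for path, status in audit(SAMPLE_FILES, ALLOWLIST).items():
        print(f"{status:12} {path}")
    for entry in weak_entries(ALLOWLIST):
        print("weak allowlist entry, re-hash with SHA-256:", entry)
```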