Infosec checklists becoming common, but they're not magic

Security checklists like the Australian Signals Directorate's Top 4 Mitigation Strategies are valuable, but to treat them as universal compliance mechanisms is a mistake. A risk-based approach is essential.
Written by Stilgherrian, Contributor

Three and a half years ago, the organisation then called the Defence Signals Directorate (DSD) used science to better understand the causes of information security problems. Its resulting recommendations reflected what security professionals had long believed — but distilled it down into a message so simple that it won an award.

Nowadays, the organisation is called the Australian Signals Directorate (ASD), but the message is the same. The ASD has identified 35 Strategies to Mitigate Targeted Cyber Intrusions, based on its research into issues it discovered during vulnerability assessments and penetration testing, as well as actual security incidents. All are important, but organisations should focus on just the Top 4 first, the ASD says, because that will make the biggest difference.

"At least 85 percent of the targeted cyber intrusions that the ASD responds to could be prevented by following the Top 4 mitigation strategies," it wrote. "The Top 4 Strategies to Mitigate Targeted Cyber Intrusions are mandatory for Australian government agencies as of April 2013."

Those Top 4 strategies are:

  • Use application whitelisting to help prevent malicious software and unapproved programs from running
  • Patch applications such as Java, PDF viewers, Flash, web browsers, and Microsoft Office
  • Patch operating system vulnerabilities
  • Restrict administrative privileges to operating systems and applications based on user duties.

The clarity and simplicity of this list won the then-DSD the US National Cybersecurity Innovation Award in 2011.

"The cost of implementing these four controls is a tiny fraction of the cost of implementing the average US federal government agency cybersecurity program. Since the impact of this low-cost approach is much better security than what US agencies are experiencing, the Australian innovation changes the game," wrote the SANS Institute in a media release announcing the win.

The ASD has since merged the two patching items to create a three-point list and three-point slogan, "Catch, Patch, Match", along with a promotional video and brochure.

ZDNet spoke with a number of information security professionals about the ASD Top 4 and similar lists. While all of them agreed that such checklists are valuable in helping maintain focus, they also warned that organisations need to apply the lists in the context of their own risk assessment, and avoid turning them into a mere box-ticking exercise.

"It's fantastic that the ASD has actually led the charge and helped people to cut through the noise in this space, and say 'This is where you start. This is your blueprint... This is how you eat this particular elephant'," said Brent Thurrell, vice president of sales for the EMEA and APAC regions with BeyondTrust, a company that specialises in user privilege and access management.

"It's always been a challenge for any organisation — let alone a government organisation — to actually get their arms around how do we best set ourselves up for success against all these threats that exist out there," he said, particularly as it's easy to get distracted by exotic threats with a high media profile.

BeyondTrust provides tools to discover and report the privileges and vulnerabilities that exist on networks, and prioritise them for patching and whitelisting. Given that background, the company has often found itself being asked to implement the ASD standard — and now its ability to do so forms a key part of its advertising.

"The Top 4, it was kind of a dream list for us as an organisation, I have to say, because we can map very closely to it," Thurrell told ZDNet.

"The Top 4 cover 90 percent of the security issues that are going to cause the most headaches. It just allows the organisations to much better channel their resources and investments."

But while the Top 4 mitigations might be essential, they're not enough on their own to form a complete security strategy.

"This is a very good explanation of due diligence. I think that if I didn't have these four things covered, I would be in a world of hurt, should anything happen, to explain why they weren't done. These are foundational security practices," said Eric Stevens, information security and strategy officer in Websense's Office of the CSO.

"What they don't do for us, though, is really talk about the data on the way out."

Stevens gave the example of an employee from a company's human resources department who needs to work on the weekend to complete a report by Monday morning. The business hasn't provided them with a laptop, just their desktop machine, and they can't use Outlook Web Access because the security team thought that wasn't a good idea. So they end up emailing the work via some external email provider to their home computer — with obvious security risks.

"That person has no malicious intent. They're just trying to do their job, and the business has thrown [up] many different barriers to success for them," Stevens said — including the poor management of an overly tight deadline that has required the weekend work in the first place.

"There's not a single one of those controls that would help this person not get into trouble by doing that — or help us [deal with the security incident] should that email be compromised. Politicians and their families are frequent targets, for instance, of email getting compromised," Stevens said.

"Foundationally, they are all what I would consider best practices. If you didn't have that, I would say you really need to get them yesterday. But are those the solutions for your woes? Probably not."

Security analyst James Turner, who chairs the advocacy group of the Australian Information Security Association (AISA), agrees that the Top 4 list is not the be-all and end-all.

"Keep in mind that even the ASD say that these controls should be applied on a risk-based approach. Many relate to the Top 4 as an edict from on high that must be performed to appease the gods, but the gods are more interested in your intention and consequent actions than on blind obedience," Turner told ZDNet.

Application whitelisting is a key example. "Whitelisting is like a mythical land that some people have caught glimpses of, but few people believe them. Even the most mature organisations do small pockets and, typically, only on servers," Turner said.

Whitelisting is difficult, said Brian Chappell, technical services director for EMEAI and APAC at BeyondTrust, but it's something that can be tackled in stages. You don't start by examining every individual component of something like Microsoft Office, for example, and deciding which ones you will and won't whitelist in your environment.

"What the ASD is pushing towards is actually saying 'trust the publisher'. So whitelist Microsoft," Chappell told ZDNet.

"Best practice is an objective, it's a target, and there's a journey to be made to get there... You could start more broadly, and then refine it so that you do get more control — but it gets people into that space," he said.

"If you can make a simple progression into it to begin with, then they get familiar with it, they get comfortable with it, it becomes a day-to-day operation — and then they begin to get the brain space to actually be able to really focus down and make that into proper best practice. Trying to go best practice in any scope on day one is really, really hard."

The same risk-based approach applies to patching, Stevens said.

"If they [the systems] can't be [patched] for some operational reason, like maybe a plugin we've bought or something, have I the appropriate business-case justification? And has that been communicated up so that we can make a good decision, risk based, to patch or not patch?"

As Turner observed, "Patching gets geometrically more complex as a function of the environment."

This risk-based approach also applies to the management of user privileges, said Thurrell. User privileges used to be something that was overseen by the human resources department, in what was called role-based access control. But that led to relatively coarse access controls — where everyone in HR had access to everyone's pay records or health records, for example.

"The approach that we take to that is the approach of least privilege, where it doesn't really matter what the actual role is," he said. "We just know what's acceptable organisationally to make sure that we reduce the overall risk level of using a particular application."

Thurrell said that change in approach is being mirrored in the structure of IT organisations.

"Historically, IT ops used to look after the management of privilege and who has access to my system or my application, and the security guys looked after the vulnerability management, the scanning, the patching, and so forth. Those teams — we're seeing this in large banks, in government organisations around the world — are actually now being brought together, so security and operations are being dealt with hand in hand."

According to BeyondTrust's regional sales director for APAC Eddie Stefanescu, since the high-profile data breaches in 2013, there's been an increased understanding in the Asia-Pacific region of the correlation between privilege and vulnerability — where a hacker comes in, exploits a vulnerability, gets a privileged account, and moves sideways through the network.

"Privilege is just another vulnerability, so we're bringing the two of them together now. So a hacker comes in, they're a standard user. What are they going to do? Change my clock? Good luck to them," Stefanescu said.

However, there's a long way to go. "We're still walking into organisations that are running their password management strategy via Excel and pieces of paper," he said.

Ultimately, it's about producing checklists that match the organisation's individual needs, according to Dr Nataraj (Raj) Nagaratnam, chief technology officer for IBM's Security Solutions division.

"It's all about risk, right? So I'm not sure I can generalise that [specific] checklists will apply to every customer," Nagaratnam told ZDNet. Organisations need to take into account the context of their industry and their individual appetite for risk.

"It's for that enterprise to make the call, and then figure out what to do," he said.

Increasingly, Nagaratnam is seeing organisations produce their own checklists for specific circumstances, such as listing the high-priority, non-negotiable security controls for moving applications into the cloud.

But according to Websense's Eric Stevens, there's always the risk that more compliance-based organisations will see the lists as an end in themselves.

"When we're chasing compliance as the primary driver, it's always the easiest one to get the money for. But the clever CISO will always figure out how to take that spend, and apply it to their general security program first, while meeting the compliance objectives," he said.

Stevens said he's been in plenty of companies that said they were compliant with multiple standards — but there's still a problem. "I look at it, and there's this great big huge space of insecurity that I could drive a truck through," he said.

Nevertheless, it's clear that a prioritised approach like the ASD Top 4 is becoming the way things are done, according to Thurrell.

"We work with DoD [US Department of Defense], we work with the Ministry of Defence in the UK, various ministries of defence in the Middle East as well," Thurrell said, as well as working with agencies in Canada and New Zealand.

"Whilst they haven't spelt it out in the same way as the ASD has, there's a real push toward having a common set of standards like this."