U.S. lists top 20 security controls

Cybersecurity experts from the U.S. government are set to spark a 'complete revolution' with a list of IT security actions for organizations.
Written by Tom Espiner, Contributor
A group of U.S. government security organizations has listed the top 20 security actions that they recommend organizations should take to improve computer security.

Called Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, the list was published on Monday by a conglomerate of U.S. government agencies, including the NSA, US-Cert, various U.S. Department of Defense computer security groups and security training organization Sans Institute.

Alan Paller, director of Sans Institute, told ZDNet UK in an email on Friday that the list, also known as the Consensus Audit Guidelines (CAG), would spark "a complete revolution in federal and business cybersecurity".

"I do not know of anything going on in security that will have the impact this initiative can have," said Paller. "If the nation (and the rest of the developed world) cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

The CAG's first recommendation is that companies should put together an inventory of authorized and unauthorized hardware. According to the CAG, criminal and foreign governmental organizations scan networks to identify and exploit unpatched systems. Companies should compile a dynamic inventory, controlled by automated monitoring and configuration management, to reduce the chance of an attacker finding and exploiting unauthorized and unprotected systems.

Having a whitelist of authorized software, and an inventory of authorized and unauthorized software, is also important, according to the CAG. Software that is extraneous to business use often introduces security vulnerabilities and, once a machine is exploited, attackers can use it as a staging point for collecting sensitive information from other systems, warned the guidelines. The list of security controls is available from the Sans Institute website.
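The first two controls described above amount to a reconciliation: what is actually on the network versus what the organization has authorized. The following is an added Python illustration of that check, not code from the CAG or the Sans Institute; the inventory, whitelist and observed hosts are constructed sample data, and the MAC, IP and package names are hypothetical.

```python
"""Reconcile observed assets against authorized inventories (CAG controls 1 and 2)."""
from dataclasses import dataclass

# Constructed authorized hardware inventory: MAC address -> hostname (hypothetical values).
AUTHORIZED_HARDWARE = {
    "00:1a:2b:3c:4d:01": "ws-finance-01",
    "00:1a:2b:3c:4d:02": "ws-finance-02",
    "00:1a:2b:3c:4d:10": "srv-files-01",
}

# Constructed software whitelist (hypothetical package names).
AUTHORIZED_SOFTWARE = {"openssh-server", "nginx", "libreoffice", "firefox"}

# Constructed observations, as they might come from DHCP leases, ARP tables and a package scan.
OBSERVED_HOSTS = [
    {"mac": "00:1A:2B:3C:4D:01", "ip": "10.0.5.11", "packages": {"firefox", "libreoffice"}},
    {"mac": "00:1a:2b:3c:4d:10", "ip": "10.0.5.20", "packages": {"openssh-server", "nginx", "nc-traditional"}},
    {"mac": "00:de:ad:be:ef:99", "ip": "10.0.5.77", "packages": set()},  # device never inventoried
]


@dataclass
class Finding:
    kind: str     # unauthorized_hardware | unauthorized_software | missing_authorized_hardware
    subject: str  # IP for unknown devices, hostname otherwise
    detail: str


def reconcile(authorized_hw, authorized_sw, observed):
    """Return findings for unknown devices, unapproved software and inventoried devices not seen."""
    findings, seen = [], set()
    for host in observed:
        mac = host["mac"].lower()  # normalize case so formatting differences don't hide a match
        seen.add(mac)
        if mac not in authorized_hw:
            findings.append(Finding("unauthorized_hardware", host["ip"], f"MAC {mac} not in inventory"))
            continue
        # Anything installed beyond the whitelist is the "extraneous" software the CAG warns about.
        for pkg in sorted(host["packages"] - authorized_sw):
            findings.append(Finding("unauthorized_software", authorized_hw[mac], pkg))
    # An authorized device that is never observed also needs attention: the inventory is stale.
    for mac, name in authorized_hw.items():
        if mac not in seen:
            findings.append(Finding("missing_authorized_hardware", name, f"{mac} not observed"))
    return findings


if __name__ == "__main__":
    for f in reconcile(AUTHORIZED_HARDWARE, AUTHORIZED_SOFTWARE, OBSERVED_HOSTS):
        print(f"{f.kind:28} {f.subject:16} {f.detail}")
```

Running this against the sample data reports one unknown device, one unapproved package on the file server, and one inventoried workstation that was not seen; in practice the observation list would be refreshed continuously, which is the "dynamic inventory" the guidelines call for.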

Experts began to compile the CAG list in 2008 following a series of "extreme data losses" suffered by U.S. defense industry companies, according to a Sans Institute statement. Federal cyber attack and defense experts, including penetration testing teams, began to pool their knowledge of the attack techniques being used against the government and defense industrial base. The result is the list of 20 security controls.

The CAG project is led by John Gilligan, who served as chief information officer for both the U.S. Air Force and the U.S. Department of Energy. In a statement Gilligan said that it was obvious that organizations should implement these controls. "It is a no-brainer," said Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks."

The CAG will have a 30-day review period following publication, during which time security experts are invited to comment on the document and propose additions. The list of controls will then undergo pilot implementations in several federal agencies, after which it will be reviewed by the CIO council to determine how it can be used across the U.S. government to focus and prioritize security expenditure.

Last month U.S. security organizations in conjunction with Sans Institute published a list of the top 25 coding errors that introduce security vulnerabilities into software.

This article was originally published on ZDNet.co.uk.