US Dept of Defense lists top 20 security controls

Cybersecurity experts from the US government are set to spark a 'complete revolution' with a list of IT security actions for organisations
Written by Tom Espiner, Contributor

A group of US government security organisations has listed the top 20 security actions that they recommend organisations should take to improve computer security.

Called Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, the list was published on Monday by a conglomerate of US government agencies, including the NSA, US-Cert, various US Department of Defense computer security groups and security training organisation Sans Institute.

Alan Paller, director of Sans Institute, told ZDNet UK in an email on Friday that the list, also known as the Consensus Audit Guidelines (CAG), would spark "a complete revolution in federal and business cybersecurity".

"I do not know of anything going on in security that will have the impact this initiative can have," said Paller. "If the nation (and the rest of the developed world) cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

The CAG's first recommendation is that companies should put together an inventory of authorised and unauthorised hardware. According to the CAG, criminal and foreign governmental organisations scan networks to identify and exploit unpatched systems. Companies should compile a dynamic inventory, controlled by automated monitoring and configuration management, to reduce the chance of an attacker finding and exploiting unauthorised and unprotected systems.

Having a whitelist of authorised software, and an inventory of authorised and unauthorised software, is also important, according to the CAG. Software that is extraneous to business use often introduces security vulnerabilities and, once a machine is exploited, attackers can use it as a staging point for collecting sensitive information from other systems, warned the guidelines. The list of security controls is available from the Sans Institute website.

Experts began to compile the CAG list in 2008 following a series of "extreme data losses" suffered by US defence industry companies, according to a Sans Institute statement. Federal cyber attack and defence experts, including penetration testing teams, began to pool their knowledge of the attack techniques being used against the government and defence industrial base. The result is the list of 20 security controls.

The CAG project is led by John Gilligan, who served as chief information officer for both the US Air Force and the US Department of Energy. In a statement Gilligan said that it was obvious that organisations should implement these controls.

"It is a no-brainer," said Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritise your security investments to stop those attacks."

The CAG will have a 30-day review period following publication, during which time security experts are invited to comment on the document and propose additions. The list of controls will then undergo pilot implementations in several federal agencies, after which it will be reviewed by the CIO council to determine how it can be used across the US government to focus and prioritise security expenditure.

Last month US security organisations in conjunction with Sans Institute published a list of the top 25 coding errors that introduce security vulnerabilities into software.

Editorial standards