Cyberwar QOTD and Consensus Audit Guidelines

Amid much anticipation and press, a consortium of US agencies (including NSA, US-CERT, and DoD) and the SANS Institute have released the Consensus Audit Guidelines (CAG). John Gilligan, CAG project leader and former CIO for both the USAF and DOE, said:
"We are in a war, a cyber war, and the federal government is one of many large organizations that are being targeted...
Our ability, at present, to be able to detect and defend against these attacks is really quite weak in many cases."
The CAG comprises 20 controls, of which controls 1-15 are automatable:
  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available
  4. Secure Configurations of Network Devices Such as Firewalls And Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols, and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering
  17. Red Team Exercises
  18. Incident Response Capability
  19. Assured Data Backups
  20. Security Skills Assessment and Training to Fill Gaps
Source: Defense agencies list top 20 security controls | CNET News
