Cybersecurity controls abound in the federal government. With a changing threat landscape and rapidly evolving IT environment, Chief Information Security Officers (CISOs) have their hands full protecting their agency's information assets. In that respect, the National Institute for Standards and Technology (NIST) serves as a helping hand, developing and refining cybersecurity controls that serve as standards to live by. But which controls are the most effective?

The Consensus Audit Guidelines (CAG) list of 20 security controls is an excellent guide for prioritizing the top 20 technical controls for protecting the enterprise infrastructure. It is also an excellent starting point for implementing continuous monitoring using automated technologies.

Recently, the Australian Defence Signals Directorate (DSD) performed a detailed analysis of intrusions into Australian military and government information systems, with the goal of identifying critical security controls that would prevent or minimize the damage of intrusions. By studying all known targeted intrusions against government systems, DSD identified a total of 35 controls. According to the DSD, agencies within the Australian government that have implemented just the top four controls have halted the spread of targeted attacks, at a fraction of the cost of U.S. government efforts. So, what are these four controls?

1. Patch applications, such as PDF, Flash Player, Java and Office.

2. Patch operating system vulnerabilities, such as those in Windows XP or Mac OS X.

3. Minimize the number of users with domain or local administrative privileges. Users who do have privileges should use a separate, unprivileged account for email access and web browsing.

4. Use application whitelisting, which prevents malicious software from running.

DSD's analysis and subsequent control reporting enabled them to win this year's U.S. National Cybersecurity Innovation Award, honored by the SANS Institute.

These controls, along with the CAG 20 Critical Controls, should be used by CISOs to prioritize decisions on allocating resources in the face of tightening budgets. By focusing on controls proven to significantly reduce or minimize intrusion damage, CISOs have a level of assurance that their security dollars are maximizing risk reduction and improving the situational awareness of the security posture of the organization.
