Amid increasing scrutiny over U.S. cybersecurity, experts from both the private and public sectors are pushing a set of recommendations they say are sorely needed to help shore up the nation’s defenses against data breaches.
The resulting Consensus Audit Guidelines (CAG) map out requirements for security controls needed to protect IT installations in government and the private sector.
Their creators include the U.S. Department of Homeland Security’s US-CERT unit, the National Security Agency and the Department of Defense. Commercial penetration testing and forensics experts from security vendors InGuardians and Mandiant also joined the effort.
The release comes on the heels of an earlier report by the Center for Strategic and International Studies (CSIS), a Washington think tank, which found U.S. cybersecurity policy lacking in the wake of high-profile breaches in both government and industry.
Aiming to shut the door on such attacks, the new CAG recommendations call for organizations to adopt 20 key security controls to safeguard themselves against current and future threats.
Recommendations include inventorying hardware and software, maintaining and analyzing security audit logs, setting up boundary defense measures and implementing secure configurations for hardware, software and network devices.
The guidelines’ network security “must haves” are applicable to a broad range of users, their authors said. John Gilligan, the CAG’s project leader and a former IT executive with the U.S. Department of Energy and Air Force, told InternetNews.com that the controls are “the same for defense, financial institutions and retailers.”
One key recommendation ensures that security efforts can pass a real-world litmus test, project participants said.
“The best item in the list is the shortest — how do you test whether or not what you put together is effective?” Alan Paller, director of research at the SANS Institute, a security training group that brought together many of the CAG’s participants, told InternetNews.com. “If you don’t have a way to test, how do you know when you’re done?”
Hammering out security standards
The proposed CAG controls are also organized so that they can be implemented in stages, which their creators said is more practical than urging organizations to implement them all at once.
“Based on my and others’ experience, it’s likely that different parts of an organization will implement different items on the list,” Gilligan said.
Next on the CAG group’s list is working to get government agencies interested in running pilot projects over the next nine months. “We’re working with the Federal CIOs’ Council to identify possible pilot candidates,” Gilligan said.
The CAG project’s participants also are still revising their work, Gilligan said. The public can review the guidelines until March 23, when Ed Skoudis, a security expert serving as technical editor for the project, will review the comments and recommend any further changes to the CAG.
Stemming the tide
The effort marks the latest move by security experts to fight back against an onslaught of major data breaches in both industry and government.
Most recently, security holes at the Federal Aviation Administration (FAA) resulted in the loss of data on 49,000 people. Meanwhile, Los Alamos National Laboratory in New Mexico began a security shakeup following the discovery that 90 computers had been reported missing or stolen over the past year.
In the private sector, hackers got into the systems of RBS WorldPay and Heartland Payment Systems, stealing an as-yet unquantified amount of data from the two large payment processors. Experts fear the Heartland incident may be the nation’s largest breach to date.