Defense agencies list top 20 security controls

A group of U.S. government security organizations has listed the top 20 security actions that they recommend organizations should take to improve computer security.

Called "Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance," the list was published Monday by a conglomerate of U.S. government agencies, including the NSA, US-CERT, various U.S. Department of Defense computer security groups, and security training organization Sans Institute.

Alan Paller, director of Sans Institute, told CNET News sister site ZDNet UK in an e-mail Friday that the list, also known as the Consensus Audit Guidelines (CAG), would spark "a complete revolution in federal and business cybersecurity."

"I do not know of anything going on in security that will have the impact this initiative can have," said Paller. "If the nation (and the rest of the developed world) cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

The CAG's first recommendation is that companies should put together an inventory of authorized and unauthorized hardware. According to the CAG, criminal and foreign governmental organizations scan networks to identify and exploit unpatched systems. Companies should compile a dynamic inventory, controlled by automated monitoring and configuration management, to reduce the chance of an attacker finding and exploiting unauthorized and unprotected systems.

Having a whitelist of authorized software, and an inventory of authorized and unauthorized software, is also important, according to the CAG. Software that is extraneous to business use often introduces security vulnerabilities and, once a machine is exploited, attackers can use it as a staging point for collecting sensitive information from other systems, warned the guidelines. The list of security controls is available from the Sans Institute Web site.

Experts began to compile the CAG list in 2008 following a series of "extreme data losses" suffered by U.S. defense industry companies, according to a Sans Institute statement. Federal cyber attack and defense experts, including penetration testing teams, began to pool their knowledge of the attack techniques being used against the government and defense industrial base. The result is the list of 20 security controls.

"We are in a war, a cyber war, and the federal government is one of many large organizations that are being targeted," CAG project leader John Gilligan, who served as chief information officer for both the U.S. Air Force and the Department of Energy, said in a conference call on Monday. "Our ability, at present, to be able to detect and defend against these attacks is really quite weak in many cases."

The CAG will have a 30-day review period following publication, during which time security experts are invited to comment on the document and propose additions. The list of controls will then undergo pilot implementations in several federal agencies, after which it will be reviewed by the CIO council to determine how it can be used across the U.S. government to focus and prioritize security expenditure.

The guidelines have a "high probability of becoming a common set of controls" for private industry, as well, Paller said during the conference call.

Last month U.S. security organizations in conjunction with Sans Institute published a list of the top 25 coding errors that introduce security vulnerabilities into software.

Tom Espiner of ZDNet UK reported from London.

Updated 12:00 p.m. PST with comments from conference call.