On March 12, 2007, the CEO of one of the nation's largest defense contractors learned of a call from the office of the Secretary of Defense informing his firm that the FBI had evidence that his company had allowed another nation to steal details of some sensitive technology that DoD had contracted it to develop. There was no getting the data back. In a meeting at the Pentagon the next week, the executive learned he was not alone. Around the table were other defense contractor executives who had suffered similar breaches.
The meeting was among the catalysts for what has evolved into a change in thinking about information security in the U.S. government and the defense industrial base. It has put more emphasis on actions proven to block known or expected attacks, as exemplified in the "20 Critical Security Controls" crafted earlier this year.
The changed thinking involves IT pros from CIO to developer, and is highly relevant to the private sector as well. A bank recently lost $10 million in less than 30 minutes to hackers who had replicated ATM cards and manipulated internal bank computers to increase the limits on the amount each card holder could withdraw in a day. The amount of money lost was limited only by the amount of cash in the ATM machines that had been targeted.
Throughout most of this decade, the topic of cybersecurity rarely touched senior management, coming up only in the context of regulatory compliance. The problem has been that the steps taken to meet compliance requirements weren't geared to match the emerging threat. Rather than doing the tasks needed to ensure that systems were configured securely and that attacks were blocked or found quickly, organizations were forced to pay consultants to write lengthy compliance reports. The reports met the regulator's demands, and the CIO was told that his organization was in compliance. When the CIO later learned that the company's systems had been penetrated and its data looted, surprise was a reasonable response.
The big questions
Three questions are usually asked following a cyberattack. The first two are:
What do we need to do to fix this problem?
How much is enough?
Any CIO will quickly discover that security people don't agree on the answers. When outside experts are asked, their opinions also differ, leaving CIOs frustrated and asking the third question:
Whom can I trust to answer the first two questions?
The CIOs of the major defense contractors and sensitive government sites faced exactly this uncertainty. They found a solution to this problem that may be of value to those who want to avoid those unwanted FBI calls. While the U.S. defense industry was discovering the extent of penetration into its systems, and thousands of other businesses were hearing from the FBI that they were victims, too, the U.S. intelligence community and the Departments of Defense, Homeland Security, and Energy were leading a national effort to transform cybersecurity.
A theme that shaped the national makeover was that defense must be informed by offense. In other words, organizations should prioritize their security investments on actions that can be proven to block known or expected attacks, or that directly help identify and mitigate damage from attacks that get past the defenses. This was a huge shift in thinking and in behavior. Its greatest impact was to change who was considered expert -- it answered question No. 3. In the past, consulting firms armed with checklists of questionable value were let loose to point out missing documentation or incomplete awareness programs.
Under the "offense informs defense" approach, the measures of effectiveness are defined by the people who know how attacks are carried out, and are more specific and more directly related to defenses against known attacks -- such as the speed with which unauthorized systems are identified and removed from the network. Other examples of the new practices include:
Automated inventory so every connected system is known and monitored.
Application software testing so that security flaws are removed from Web applications before they're posted.
Secure deployment of systems and software on the network.
In all cases, the practices include specific tests that can measure the effectiveness of the controls. Most of the new metrics are automated so that CIOs get continuous visibility into their organization-wide security effectiveness, rather than snapshots or compliance summaries. In short, common threats mean common defenses must be implemented first, and extensively automated so they are continually kept up to date.
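Taking the first of those measures, the speed with which unauthorized systems are identified and removed, as a concrete case, the following is an added example (it is not code from the article, from SANS, or from any of the agencies named) of how such a test can be automated and rolled up for a dashboard. It compares a constructed authorized-device inventory against constructed network-sensor observations, flags devices absent from the inventory, and computes time-to-detect and time-to-remove for each. The inventory, the observation records, the event names ("seen", "alert", "removed"), the use of the MAC address as the device identity, and the target thresholds are all assumptions made for the example.

```python
"""Added example: measuring an 'unauthorized device' control the way the
article describes it (detect, then remove, and measure how fast).
Inventory, observations, event names and thresholds are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed authorized inventory: MAC address -> hostname.
# Assumption: the MAC address is the identity key the sensor reports.
AUTHORIZED: Dict[str, str] = {
    "00:11:22:aa:bb:01": "ws-finance-01",
    "00:11:22:aa:bb:02": "ws-finance-02",
    "00:11:22:aa:bb:03": "srv-file-01",
}

# Constructed observation log from a hypothetical network sensor / NAC:
# (ISO timestamp, mac, ip, event). "seen" = device active on the network,
# "alert" = flagged as not in inventory, "removed" = switch port disabled.
OBSERVATIONS: List[Tuple[str, str, str, str]] = [
    ("2009-06-01T08:00:00", "00:11:22:aa:bb:01", "10.0.5.11", "seen"),
    ("2009-06-01T08:02:00", "00:11:22:aa:bb:02", "10.0.5.12", "seen"),
    ("2009-06-01T08:15:00", "de:ad:be:ef:00:01", "10.0.5.40", "seen"),     # not in inventory
    ("2009-06-01T08:20:00", "de:ad:be:ef:00:01", "10.0.5.40", "alert"),    # detected 5 min later
    ("2009-06-01T09:05:00", "de:ad:be:ef:00:01", "10.0.5.40", "removed"),  # removed 50 min after first seen
    ("2009-06-01T10:00:00", "de:ad:be:ef:00:02", "10.0.5.41", "seen"),     # not in inventory, never handled
    ("2009-06-01T10:30:00", "00:11:22:aa:bb:03", "10.0.5.20", "seen"),
]


@dataclass
class Finding:
    """One unauthorized device and the milestones of its handling."""
    mac: str
    ip: str
    first_seen: datetime
    detected: Optional[datetime] = None
    removed: Optional[datetime] = None

    def time_to_detect(self) -> Optional[timedelta]:
        return None if self.detected is None else self.detected - self.first_seen

    def time_to_remove(self) -> Optional[timedelta]:
        return None if self.removed is None else self.removed - self.first_seen


def find_unauthorized(authorized: Dict[str, str],
                      observations: List[Tuple[str, str, str, str]]) -> Dict[str, Finding]:
    """Return every observed device that is not in the authorized inventory,
    with the timestamps at which it was first seen, alerted on, and removed."""
    findings: Dict[str, Finding] = {}
    # ISO-8601 timestamps of equal length sort correctly as strings.
    for ts, mac, ip, event in sorted(observations):
        if mac in authorized:
            continue
        when = datetime.fromisoformat(ts)
        finding = findings.setdefault(mac, Finding(mac, ip, when))
        if event == "alert" and finding.detected is None:
            finding.detected = when
        elif event == "removed" and finding.removed is None:
            finding.removed = when
    return findings


def control_metrics(findings: Dict[str, Finding],
                    detect_target: timedelta = timedelta(minutes=30),
                    remove_target: timedelta = timedelta(hours=1)) -> Dict[str, object]:
    """Dashboard roll-up: how many unauthorized devices, how many were detected
    and removed, how many met the (assumed) time targets, and the worst case."""
    detected = [f for f in findings.values() if f.detected is not None]
    removed = [f for f in findings.values() if f.removed is not None]
    return {
        "unauthorized_total": len(findings),
        "detected": len(detected),
        "removed": len(removed),
        "still_open": len(findings) - len(removed),
        "detected_within_target": sum(1 for f in detected if f.time_to_detect() <= detect_target),
        "removed_within_target": sum(1 for f in removed if f.time_to_remove() <= remove_target),
        "worst_time_to_detect": max((f.time_to_detect() for f in detected), default=None),
    }


if __name__ == "__main__":
    results = find_unauthorized(AUTHORIZED, OBSERVATIONS)
    for f in results.values():
        print(f"{f.mac} {f.ip} first_seen={f.first_seen} "
              f"detect={f.time_to_detect()} remove={f.time_to_remove()}")
    for key, value in control_metrics(results).items():
        print(f"{key}: {value}")
```

The point of the roll-up is the one the article makes: the metric is a continuously computed figure (devices still open, worst time-to-detect) rather than a yes/no compliance statement, and a device that was never alerted on shows up as an open finding instead of disappearing into a report.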
Another critical change in thinking in government is the recognition that, because of the widespread use of common computer and network technology (Windows, UNIX, HTML, Secure Sockets Layer, SQL, and so on), all organizations face many of the same threats. Individual organizations may face additional threats, but unless they engineer their systems to withstand the common threats, even targeted attackers need not bother with specialized tactics -- they can just use the common attacks that work on any organization not fully prepared.
It's those common threats that make this security challenge a top priority for software development staff. The majority of current attacks exploit programming errors made by developers whose training never covered finding and fixing security flaws. One of the most critical controls not in place in most organizations is a secure application training and testing program. (Disclosure: SANS Institute operates the Internet Storm Center, the Internet's early-warning system; is a degree-granting institution; and provides training for security professionals and programmers.)
In federal agencies and leading defense industry organizations, these common threats are being countered through a three-part initiative:
Establish a prioritized set of security controls that the community affirms will stop or mitigate known attacks.
Use common tools to automate the controls, and even the measurement of the controls, so that security is continuously monitored.
Create a dashboard that lets CIOs and senior managers monitor the status of security in their organizations.
Agreement on the 20 most critical controls
Although separate subdivisions of the U.S. Department of Defense, the civilian government, and various defense contractors have detailed knowledge of attacks that they have experienced, creating an effective national defense means pooling all that knowledge into a prioritized and up-to-date list of critical security controls that represents the most current attack map available.
In February, the Center for Strategic and International Studies (csis.org) announced it had collated that attack knowledge across all relevant agencies and published a first draft of the "20 Critical Security Controls" (the list is at www.sans.org/cag). The controls were the consensus of organizations that understand offense -- including the National Security Agency, the DoD Joint Task Force-Global Network Operations, the DoD Cyber Crime Center, US-CERT at the Department of Homeland Security, and the nuclear energy research laboratories at the U.S. Department of Energy, plus top commercial forensics and penetration-testing organizations. After public review involving more than 60 organizations, the 20 critical controls were published for government and private use. The U.S. State Department has already implemented software and hardware that automate monitoring of the 20 critical controls and is demonstrating how they can be monitored at every U.S. embassy around the world through a centralized dashboard.
Twenty Critical Controls for Effective Cyber Defense: Consensus Audit Guidelines
20 Critical Security Controls - Introduction (Version 2.0)
Critical Control 1: Inventory of authorized and unauthorized devices
Critical Control 2: Inventory of authorized and unauthorized software
Critical Control 3: Secure configurations for hardware and software on laptops, workstations, and servers
Critical Control 4: Secure configurations for network devices such as firewalls, routers, and switches
Critical Control 5: Boundary defense
Critical Control 6: Maintenance, monitoring, and analysis of audit logs
Critical Control 7: Application software security
Critical Control 8: Controlled use of administrative privileges
Critical Control 9: Controlled access based on need to know
Critical Control 10: Continuous vulnerability assessment and remediation
Critical Control 11: Account monitoring and control
Critical Control 12: Malware defenses
Critical Control 13: Limitation and control of network ports, protocols, and services
Critical Control 14: Wireless device control
Critical Control 15: Data loss prevention
Critical Control 16: Secure network engineering
Critical Control 17: Penetration tests and red team exercises
Critical Control 18: Incident response capability
Critical Control 19: Data recovery capability
Critical Control 20: Security skills assessment and appropriate training to fill gaps