
    SPECIAL REPORT : Security Directives & Compliance


    Transforming Security Compliance to Shrink Vulnerabilities

    Amid daily reports of hacker attacks and data leakage incidents, proliferating regulatory requirements that are sometimes in conflict have created an overwhelming compliance challenge for federal government agencies and departments to overcome.

    Federal agencies and departments today must comply with multiple, varied regulations and executive directives, including the Federal Information Security Management Act (FISMA), OMB Circulars A-11 and A-130, and Homeland Security Presidential Directive/HSPD-7. These are but a few examples of the required security mandates used to assure that federal IT operations are properly and cost-effectively secured.

    Confusion and frustration about the complicated paper chase involved in just reporting FISMA results each year has driven federal agencies to seek some sort of baseline for regulatory compliance, while simultaneously simplifying operations and improving security. A new plan introduced by the Center for Strategic and International Studies (CSIS), in partnership with key federal oversight organizations, seeks to create a minimum standard of due care that agencies and the courts will be able to use to determine how much, and what kind of, investment in security is ‘enough.’

    Recent news of cyber security lawsuits and liability played a key role in the creation of this critical minimum standard for IT security compliance. The $20 million paid by the Department of Veterans Affairs, along with private sector lawsuits against RBS and Heartland Payment Systems, are only the beginning. The Privacy Rights Clearinghouse recorded more than 50 security incidents in the first 50 days of 2009, including the loss of three Los Alamos National Laboratory computers and a Blackberry device. There’s also the hacking of a computer at the Federal Aviation Administration, in which two files containing the personal information of more than 45,000 employees were illegally accessed. And in another incident, the social security numbers of nearly 9,000 state employees were posted on the Indiana Department of Administration’s web site.

    As government organizations face ongoing pressure to improve security measures to reduce the alarming number of leaks and breaches, the frustration they face in striving to achieve compliance with a myriad of regulatory mandates continues to grow. At the same time, the ongoing compliance efforts at every federal organization further deplete already constrained IT security resources. Official Office of Management and Budget (OMB) figures reported that federal agencies have spent nearly $5 billion in the last several years in their efforts to meet FISMA compliance reporting requirements. Ultimately, it’s clear the money spent chasing compliance would be far better spent on actual security protections.

    Under the new presidential administration, public sector organizations are seeking new ways to integrate risk, compliance and security, to reduce both cost and complexity, while maintaining strong, secure, uninterrupted access to government resources and critical applications. As agencies and departments have learned to crack down on hackers and data breaches, upping network security and encouraging both internal offices and industry suppliers and partners to beef up security, threats from both internal and external sources – in the U.S., and from overseas – continue to chip away at their IT security protections. That’s because federal organizations of all kinds are considered a “rich target environment,” said Alan Paller, director of research at the SANS Institute.

    Since there is no way security will ever be “perfect,” Paller explained, what’s needed is the newly proposed critical minimum standard of care.

    Even if the proposed plan doesn’t resolve legal challenges, it almost certainly will alter federal cybersecurity compliance practices, and will spill over to the defense industrial base, banks and other private sector commercial organizations, almost immediately, Paller asserted.

    Version 1.0 of the Consensus Audit Guidelines (CAG) defines the most critical security controls to protect federal and contractor information and information systems. The CAG initiative is part of a larger effort housed at the Center for Strategic and International Studies in Washington D.C. to advance key recommendations from the CSIS Commission report on Cybersecurity for the 44th Presidency.

    In the proposed Consensus Audit Guidelines, federal agencies most involved in cybersecurity pooled their knowledge of the attack techniques being used against the government and the defense industrial base to determine the twenty key actions (called security “controls”) that organizations must take if they hope to block or mitigate known attacks and attacks that can be reasonably expected in the near term. They tested their proposal for protecting federal systems to determine whether they would also stop or mitigate attacks known to be used against financial institutions and found the top 20 controls are essentially identical across government, the defense industrial base, financial institutions and retailers.

    For each of the 20 controls, the experts identified specific (actual) attacks that the control stops or mitigates, illuminated best practices in automating the control, and defined tests that can determine whether each control is effectively implemented. The resulting Consensus Audit Guidelines (CAG) document, once fully vetted, is expected to become the standard baseline for measuring computer security in organizations that are likely to be under attack.

    The CAG project has been led by John Gilligan, who served as CIO for both the U.S. Air Force and the Department of Energy and served on the Obama transition team focusing on IT within the DoD and intelligence community. Of this project, Gilligan said, “It is a no-brainer. If you know that attacks are being carried out, you have a responsibility to prioritize your security investments to stop those attacks.”

    “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality,” said Paller.

    Broad adoption of the CAG would lead to agreement on standards for security automation and government-wide procurement of tools that have been proven to work. Noting that the federal government spends more than $70 billion on information technology each year, Jim Lewis, Director of the CSIS Technology and Public Policy Program, said, “Better use of standards and acquisitions authorities are among the most powerful tools the federal government has to improve cybersecurity and offer a real opportunity for progress.”

    The critical controls proposed to automate measurement and validation include:

    * Inventory of authorized and unauthorized hardware;
    * Inventory of authorized and unauthorized software;
    * Secure configurations for hardware and software for which such configurations are available;
    * Secure configurations of network devices such as firewalls and routers;
    * Boundary defense;
    * Maintenance and analysis of complete security audit logs;
    * Application software security;
    * Controlled use of administrative privileges;
    * Controlled access based on need to know;
    * Continuous vulnerability testing and remediation;
    * Dormant account monitoring and control;
    * Anti-malware defenses;
    * Limitation and control of ports, protocols and services;
    * Wireless device control;
    * Data leakage protection.


    Meanwhile, critical controls that are currently not directly supported by automated measurement and validation include:

    * Secure network engineering;
    * Red team exercises;
    * Incident response capability;
    * Assured data back-ups;
    * Security skills assessment and training.


    The CAG’s detailed control descriptions, with attacks they stop or mitigate, how to automate them, and how to test them, have been posted at: http://www.sans.org/cag/.

    Multiple industry observers have reported on the need for a layered, methodical approach to security management featuring automation and analytics to replace the various federal security mandates that have grown organically over the last decade. As the battle to comply with federal security regulations moves away from being an overwhelming paper chase to a more cohesive, common-sense approach to managing IT security, observers maintain the new plan would go a long way to improve the federal government’s IT security posture.