US Dept of Defense lists top 20 security controls

A group of US government security organisations has listed the top 20 security actions that it recommends organisations take to improve computer security.

Called Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance, the list was published on Monday by a conglomerate of US government agencies, including the NSA, US-CERT, various US Department of Defense computer security groups and security training organisation Sans Institute.

Alan Paller, director of Sans Institute, told ZDNet UK in an email on Friday that the list, also known as the Consensus Audit Guidelines (CAG), would spark "a complete revolution in federal and business cybersecurity".

"I do not know of anything going on in security that will have the impact this initiative can have," said Paller. "If the nation (and the rest of the developed world) cannot make the CAG work we will continue to fall further behind the attackers, at an accelerating rate."

The CAG's first recommendation is that companies should put together an inventory of authorised and unauthorised hardware. According to the CAG, criminal and foreign governmental organisations scan networks to identify and exploit unpatched systems. Companies should compile a dynamic inventory, controlled by automated monitoring and configuration management, to reduce the chance of an attacker finding and exploiting unauthorised and unprotected systems.

Having a whitelist of authorised software, and an inventory of authorised and unauthorised software, is also important, according to the CAG. Software that is extraneous to business use often introduces security vulnerabilities and, once a machine is exploited, attackers can use it as a staging point for collecting sensitive information from other systems, warned the guidelines. The list of security controls is available from the Sans Institute website.
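The first two controls described above come down to one recurring check: compare what is authorised against what is actually observed, and flag the difference. The Python below is an added illustration of that reconciliation and is not from the CAG document or from ZDNet; the asset register, approved-software lists, scan output and endpoint-agent reports are all constructed sample data, and the helper names are hypothetical.

```python
"""Reconcile an authorised hardware/software register against observed
network scan output and endpoint software reports (constructed data)."""
from dataclasses import dataclass, field

# Constructed asset register: MAC address -> registered hostname.
AUTHORISED_HARDWARE = {
    "00:1a:2b:3c:4d:01": "finance-ws01",
    "00:1a:2b:3c:4d:02": "finance-ws02",
    "00:1a:2b:3c:4d:03": "finance-ws03",   # registered but not seen on the wire
    "00:1a:2b:3c:4d:10": "file-srv01",
}

# Constructed approved-software lists per host role (the software whitelist).
APPROVED_SOFTWARE = {
    "workstation": {"office-suite 12.1", "pdf-reader 9.3", "av-agent 4.0"},
    "server": {"smb-service 3.0", "av-agent 4.0", "backup-agent 2.2"},
}

# Constructed network scan / DHCP lease export: "MAC IP hostname" per line.
SCAN_OUTPUT = """\
00:1a:2b:3c:4d:01 10.0.1.11 finance-ws01
00:1a:2b:3c:4d:02 10.0.1.12 finance-ws02
00:1a:2b:3c:4d:10 10.0.1.50 file-srv01
00:1A:2B:3C:4D:99 10.0.1.77 unknown-laptop
"""

# Constructed endpoint-agent reports: hostname -> (role, installed packages).
INSTALLED = {
    "finance-ws01": ("workstation", {"office-suite 12.1", "av-agent 4.0"}),
    "finance-ws02": ("workstation", {"office-suite 12.1", "av-agent 4.0", "p2p-client 1.8"}),
    "file-srv01": ("server", {"smb-service 3.0", "av-agent 4.0", "backup-agent 2.2"}),
}


@dataclass
class Findings:
    unauthorised_hardware: list = field(default_factory=list)  # (mac, ip, host)
    missing_hardware: list = field(default_factory=list)       # (mac, host)
    unauthorised_software: dict = field(default_factory=dict)  # host -> [pkg]


def parse_scan(text):
    """Parse 'MAC IP hostname' lines into {mac: (ip, hostname)}; MACs normalised."""
    seen = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or blank lines
        mac, ip, host = parts
        seen[mac.lower()] = (ip, host)
    return seen


def reconcile(authorised, scan_text, installed, approved):
    """Compare register and approved lists against what was observed."""
    f = Findings()
    seen = parse_scan(scan_text)
    # On the wire but absent from the register: a device nobody signed off on.
    for mac, (ip, host) in seen.items():
        if mac not in authorised:
            f.unauthorised_hardware.append((mac, ip, host))
    # In the register but not observed: powered off, moved, or mis-registered.
    for mac, host in authorised.items():
        if mac not in seen:
            f.missing_hardware.append((mac, host))
    # Any installed package outside the role's approved set is unauthorised.
    for host, (role, pkgs) in installed.items():
        extra = sorted(pkgs - approved[role])
        if extra:
            f.unauthorised_software[host] = extra
    return f


if __name__ == "__main__":
    r = reconcile(AUTHORISED_HARDWARE, SCAN_OUTPUT, INSTALLED, APPROVED_SOFTWARE)
    for mac, ip, host in r.unauthorised_hardware:
        print(f"UNAUTHORISED HARDWARE {host} ({mac}) at {ip}")
    for mac, host in r.missing_hardware:
        print(f"MISSING HARDWARE {host} ({mac})")
    for host, pkgs in r.unauthorised_software.items():
        print(f"UNAUTHORISED SOFTWARE on {host}: {', '.join(pkgs)}")
```

Run on a schedule against fresh scan and agent exports, the three finding lists are what the CAG calls a dynamic inventory: the register is the policy, the scan is the evidence, and each difference is an item for someone to act on.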

Experts began to compile the CAG list in 2008 following a series of "extreme data losses" suffered by US defence industry companies, according to a Sans Institute statement. Federal cyber attack and defence experts, including penetration testing teams, began to pool their knowledge of the attack techniques being used against the government and defence industrial base. The result is the list of 20 security controls.

The CAG project is led by John Gilligan, who served as chief information officer for both the US Air Force and the US Department of Energy. In a statement Gilligan said that it was obvious that organisations should implement these controls.

"It is a no-brainer," said Gilligan. "If you know that attacks are being carried out, you have a responsibility to prioritise your security investments to stop those attacks."

The CAG will have a 30-day review period following publication, during which time security experts are invited to comment on the document and propose additions. The list of controls will then undergo pilot implementations in several federal agencies, after which it will be reviewed by the CIO council to determine how it can be used across the US government to focus and prioritise security expenditure.

Last month US security organisations in conjunction with Sans Institute published a list of the top 25 coding errors that introduce security vulnerabilities into software.

Talkback

At last, we have official endorsement of the best kept secret for protecting the desktop - Whitelisting - this is surely the most effective way to prevent direct harm to computers from viruses and malware. Comprehensive application whitelisting – like Lumension Security Endpoint Protection Solution – also offers many more benefits to organisations and the IT environment:

* Increased performance and stability. When only authorised applications can run on a computer, there is far less chance that inappropriately installed programs or hardware drivers will corrupt an operating system. Combined with Lumension Security Vulnerability Management Solution, patches and updates are rolled out in a uniform and approved manner, ensuring that all computers operate on the same release level.

* Control of computer and network utilisation. Computers have an unfortunate tendency to become cluttered with junkware, games, and web software that consume computing resources and network bandwidth. Whitelisting offers a way to keep such programs from interfering with business operations.

* Decreased IT support costs. With no viral attacks to thwart, malware to hunt down, or incompatible applications to invoke the blue screen of death, IT can spend more time and resources on improving operations instead of constantly fixing computers.

* Increased data security and compliance with privacy laws.

This is why the CAG reinforces the importance of this security measure.

There are other advantages:
Preventing programs not on the whitelist from running on any computer obviates the chance for spyware, keyloggers, and sniffers to steal passwords, address books, customer files, or other sensitive data from otherwise physically secure computers. Combined with Lumension Security Data Protection Solution, which prevents sensitive information from leaking out through lost or stolen storage devices, a whitelist creates a strong infrastructure that makes it possible to comply with privacy regulations.

A further benefit to application whitelisting is the ability – and the opportunity – to better understand your IT environment. What applications are your people really running? Which are necessary to your operations? Are you buying more bandwidth than you really need to conduct business? Getting an accurate view of IT usage is the first step in controlling your information and your business.

Whitelisting simply means defining what is “good,” then allowing only good programs and processes to load and execute in memory. Everything not on the whitelist – the virtual blacklist – cannot run. To increase flexibility, especially in the beginning, you can extend the concept of trusted change by implementing a Graylist. This permits safe but potentially undesirable programs to run until you decide whether they are really needed. Whitelisted applications run. Graylisted applications can launch with logging that notifies you when and where they are running. Anything else cannot run at all. Even corrupted or hacked applications on the whitelist are recognised as altered, and prevented from running. Zero-day attacks through malware, worms, and Trojans are automatically prevented from running because they are not on the whitelist, and therefore never get the chance to launch and corrupt.

lumension 25 February, 2009 00:50
Reply

I can see a number of problems with this approach.

The first is, how do you determine a program is safe? It is quite possible to write some malicious code that only goes bad after (say) 10,000 data saves.

The most common integrity check is md5, but I read over a year ago that someone had proved that it is, not easy, but if the stakes are high enough, possible to produce patched code that gives the same md5 sum (especially if the code is a large sprawling mass).

How do you protect the verification code itself? In my yoof, I wrote a nice little patch that overwrote a BBC B game's security code with NOPs. Now I know that's simplistic, but there are some very savvy malware writers these days.

I think it is very dangerous to have a system that assesses something as safe, then goes on to assume it will always remain safe. That doesn't even allow for interactions between two different applications that seemingly behave perfectly by themselves, but (for example) when run together on the same machine create some nasty race condition that locks out all access to the storage media - that doesn't even require one of the applications to be malicious, just badly programmed!

Finally. All this only applies to closed software. Open source software simply doesn't have the problem as the geek fraternity will be all over it like a rash, and very loudly howl about anything remotely dodgy that they find.

Tezzer 25 February, 2009 10:48
Reply
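
The two comments above describe, and then question, the same mechanism: a whitelist of known-good programs, a graylist that runs with logging, a block on everything else, and detection of a whitelisted program that has been altered. The Python below is an added toy model of that policy, not code from the original post, from Lumension or from the CAG. File paths and contents are constructed byte strings standing in for executables, the class and function names are hypothetical, and the hash is SHA-256 rather than the MD5 the second commenter worries about. It does not answer the commenter's other question, how the checker itself is protected: a policy engine like this is only as trustworthy as the enforcement point that runs it.

```python
"""Toy application-control policy: whitelisted files run, graylisted files
run with logging, everything else is denied, and a whitelisted file whose
bytes have changed is recognised as altered and blocked. Constructed data."""
import hashlib
import logging

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("appcontrol")


def digest(data: bytes) -> str:
    """Content hash of a file; SHA-256 because MD5 collisions are practical,
    so a whitelist keyed on MD5 could be matched by a crafted file."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for program files on disk (not real executables).
FILES = {
    "/opt/office/office.bin": b"OFFICE SUITE 12.1 IMAGE",
    "/opt/pdf/reader.bin":    b"PDF READER 9.3 IMAGE",
    "/home/u/game.bin":       b"SOME GAME BUILD",
    "/tmp/dropper.bin":       b"UNKNOWN PAYLOAD",
}


class Policy:
    """Whitelist (path -> expected hash) plus a graylist of tolerated paths."""

    def __init__(self):
        self.whitelist = {}
        self.graylist = set()

    def trust(self, path, data):
        """Define 'good' by recording the hash of the file as it is now."""
        self.whitelist[path] = digest(data)

    def gray(self, path):
        """Allow a path to run while you decide whether it is really needed."""
        self.graylist.add(path)

    def decide(self, path, data):
        """Return ALLOW, ALLOW_LOGGED, DENY_ALTERED or DENY_UNKNOWN."""
        if path in self.whitelist:
            if self.whitelist[path] == digest(data):
                return "ALLOW"
            # Same path, different bytes: the trusted program was modified.
            log.warning("blocked altered whitelisted file %s", path)
            return "DENY_ALTERED"
        if path in self.graylist:
            log.info("graylisted %s launched", path)
            return "ALLOW_LOGGED"
        # Anything not explicitly listed never gets to run (the virtual blacklist).
        log.warning("blocked unknown file %s", path)
        return "DENY_UNKNOWN"


def build_policy():
    p = Policy()
    p.trust("/opt/office/office.bin", FILES["/opt/office/office.bin"])
    p.trust("/opt/pdf/reader.bin", FILES["/opt/pdf/reader.bin"])
    p.gray("/home/u/game.bin")
    return p


def run_scenario():
    """Evaluate every constructed file, then a tampered copy of a trusted one."""
    p = build_policy()
    results = {path: p.decide(path, data) for path, data in FILES.items()}
    tampered = bytearray(FILES["/opt/pdf/reader.bin"])
    tampered[0] ^= 0xFF  # flip one byte: same path, different content
    results["/opt/pdf/reader.bin (tampered)"] = p.decide("/opt/pdf/reader.bin", bytes(tampered))
    return results


if __name__ == "__main__":
    for path, verdict in run_scenario().items():
        print(f"{verdict:13} {path}")
```

Note what the hash buys and what it does not: it catches a modified copy of a trusted file, but it says nothing about a program that was malicious, or simply buggy, when it was first trusted, which is exactly the gap the second commenter points to.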
