CAG offers triage for security
- By Wyatt Kash
- Mar 06, 2009
Chief information and chief security officers at government agencies and other enterprises are starting to look closely at a new set of recommendations designed to reduce ever-escalating cybersecurity threats. And those who haven’t done so should examine them now.
The recommendations, known as the Consensus Audit Guidelines (CAG), establish a baseline of 20 top-priority security measures and controls that organizations should implement right away to guard against high-risk network vulnerabilities.
What makes the guidelines significant is not just the stature of the government and private-sector experts who helped craft them. It is those experts’ detailed, firsthand knowledge about specific cyberattacks on military, government and financial networks. That knowledge is reflected in the new guidelines.
Those experts include specialists from the National Security Agency’s Red Team, which looks for ways to circumvent military cyber defenses; NSA’s Blue Team, which is called in when military commanders discover that their systems have been compromised; the U.S. Computer Emergency Readiness Team, which civilian agencies and companies call on to identify the most likely methods behind significant security breaches; the Defense Department’s Defense Cyber Crime Center; and a host of other military and private-sector forensics experts and penetration testers.
Their recommendations, which are available for public comment at www.sans.org/cag/guidelines.php, are clearly no substitute for the National Institute of Standards and Technology’s much more comprehensive security guidelines for federal agencies issued in Special Publication 800-53.
However, the new recommendations provide a much-needed priority list of essential security strategies and step-by-step measures that reflect lessons learned from some of the country’s most serious cyberattacks.
We have high regard for NIST’s work. However, the problem for organizations trying to follow NIST’s guidelines amid today’s increasing cyberthreats is akin to confronting a raging new pandemic with an encyclopedic field guide to holistic health care.
“We’re bleeding badly. And we need triage to focus on the things that will keep the patient alive,” said CAG project leader John Gilligan, who formerly was CIO of the Air Force and Energy Department, at a news conference last month.
What’s needed now is for a variety of federal agencies to conduct pilot implementation projects to validate and refine the CAG initiative. The outcome has the potential to significantly strengthen not only federal information systems but also enterprise networks worldwide.
Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.