Software configuration controls essential to cybersecurity

Absolute security remains impossible but disciplined configuration controls can thwart majority of attacks

It's impossible to get absolute security on enterprise networks, including those run by the government, warned former Air Force Chief Information Officer John Gilligan during a cybersecurity forum Wednesday. But deploying a comprehensive baseline of security measures, including software configuration controls and the discipline to enforce them, could block 85 percent of attacks and provide the foundation to address new ones, he said.

Gilligan, who was a member of the Commission on Cybersecurity and is now president of the Gilligan Group, said the biggest struggle most agency executives face is learning how best to assess cybersecurity risks and where to focus their information technology resources.

One approach government officials might consider is to assess the degree of sophistication of cyberattacks breaching agency networks on one axis of a matrix and charting it against agency functions, and how critical they are, on another axis, he said.

The lesson he learned as Air Force chief information officer, he said, based on controlled attacks by the National Security Agency on Air Force networks, was that 80 percent of breaches were tied to software configuration irregularities. Those early findings eventually led to the creation of the Federal Desktop Core Configuration, which standardized computer settings on machines using Windows operating systems across the Air Force, and was subsequently adopted across the federal government. 

By standardizing software configurations and applying a list of 20 so-called critical controls established by a consortium of security groups, agencies could dramatically reduce the vast majority of cyber breaches and channel their remaining resources into protecting their most critical information assets.

The controls, known as the “Consensus Audit Guidelines,” were issued a year ago and include inventorying authorized and unauthorized hardware and software, and applying continuous vulnerability testing and remediation.


Related stories

CAG includes 15 controls that can be validated in an automated fashion

CAG plays complementary role on security


Those types of controls are now being deployed at the Justice Department, according to Holly Ridgeway, deputy chief information security officer, who also spoke at the forum organized by the Association for Federal Information Resources Management.

“The department is in the process of deploying a solution that maps our entire network, that will have a central console, with real time situational awareness,” she said. When it’s completed, it will have details on the software installed on every work station matched up against approved workstation configurations and have the ability to identify variances on request, she said.

“We’ll know every piece of software on our network—including iTunes,” she said.

The solution, which she declined to identify, “had a 95 percent pass rate on the first run on 80,000 work stations,” out of 120,000 work stations across Justice, she said, and would be instrumental in helping the department assess cyberattack risks across the its 40 component agencies.

Establishing clearer measures of vulnerability is essential to assessing overall risks, said a third panelist, Dennis Heretick, former Justice chief information security officer.

Heretick said risk assessment boils down to gauging the scope and likelihood of vulnerability threats, including such factors as the motivation and capability of potential attackers, and then factoring them against the ability to take countermeasures, including detecting threats and attribute the source of the threats.

About the Author

Wyatt Kash served as chief editor of GCN (October 2004 to August 2010) and also of Defense Systems (January 2009 to August 2010). He currently serves as Content Director and Editor at Large of 1105 Media.

Reader Comments

Fri, Feb 26, 2010 Buddy In The USA

Here is question you folks should address this folks making decision on what should be DISABLED in software in the Government. DO THEY FOLLOW THEIR BELIEF and do the same settings on their HOME PC software? I mean if its so good, they should be doing it home. Example. Like this idiotic YES/NO message for Internet Explorer related to JavaScript. Jeesh if i had that at home, I go freaking nuts! Almost ready to go nuts here. Not to mention the Carpal Tunnel syndrome for useless clicking. So ask em, DO YOU do what you PREACH on security of software in your PRIVATE life, I bet the answer is no!

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above