Software configuration controls essential to cybersecurity
Absolute security remains impossible, but disciplined configuration controls can thwart the majority of attacks
It's impossible to get absolute security on enterprise networks, including those run by the government, warned former Air Force Chief Information Officer John Gilligan during a cybersecurity forum Wednesday. But deploying a comprehensive baseline of security measures, including software configuration controls and the discipline to enforce them, could block 85 percent of attacks and provide the foundation to address new ones, he said.
Gilligan, who was a member of the Commission on Cybersecurity and is now president of the Gilligan Group, said the biggest struggle most agency executives face is learning how best to assess cybersecurity risks and where to focus their information technology resources.
One approach government officials might consider is a matrix that charts the sophistication of the cyberattacks breaching agency networks on one axis against agency functions, and how critical each is, on the other, he said.
The lesson he learned as Air Force chief information officer, he said, based on controlled attacks by the National Security Agency on Air Force networks, was that 80 percent of breaches were tied to software configuration irregularities. Those early findings eventually led to the creation of the Federal Desktop Core Configuration, which standardized computer settings on machines using Windows operating systems across the Air Force, and was subsequently adopted across the federal government.
By standardizing software configurations and applying a list of 20 so-called critical controls established by a consortium of security groups, agencies could block the vast majority of cyber breaches and channel their remaining resources into protecting their most critical information assets.
The controls, known as the “Consensus Audit Guidelines,” were issued a year ago and include inventorying authorized and unauthorized hardware and software, and applying continuous vulnerability testing and remediation.
Those types of controls are now being deployed at the Justice Department, according to Holly Ridgeway, deputy chief information security officer, who also spoke at the forum organized by the Association for Federal Information Resources Management.
“The department is in the process of deploying a solution that maps our entire network, that will have a central console, with real time situational awareness,” she said. When it’s completed, it will have details on the software installed on every workstation matched up against approved workstation configurations and will be able to identify variances on request, she said.
“We’ll know every piece of software on our network—including iTunes,” she said.
The solution, which she declined to identify, “had a 95 percent pass rate on the first run on 80,000 workstations,” out of 120,000 workstations across Justice, she said, and would be instrumental in helping the department assess cyberattack risks across its 40 component agencies.
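The check that both the CAG inventory controls and the Justice deployment describe, comparing what is actually installed and configured on each workstation against an approved baseline and reporting variances and a fleet pass rate, looks roughly like the following. This is an added example, not the department's tool, the FDCC content or any CAG reference implementation; the baseline products, setting names and the three sample workstations are constructed for illustration.

```python
"""Baseline compliance check for a fleet of workstation inventories.

Added example: compares each host's observed software and settings
against an approved baseline (hypothetical, FDCC-style) and reports
variances plus a fleet-wide pass rate. All data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Approved configuration. Hypothetical product and setting names."""
    approved_software: dict[str, set[str]]  # product -> allowed versions; empty set = any version
    required_settings: dict[str, object]    # setting -> required value


@dataclass(frozen=True)
class Variance:
    host: str
    kind: str        # unapproved_software | unapproved_version | setting_mismatch | missing_setting
    item: str
    observed: object
    expected: object


def check_host(name: str, inventory: dict, baseline: Baseline) -> list[Variance]:
    """Return every way one host's inventory departs from the baseline."""
    variances: list[Variance] = []
    # Software: anything not on the approved list, or an approved product at a disallowed version.
    for product, version in inventory.get("software", {}).items():
        allowed = baseline.approved_software.get(product)
        if allowed is None:
            variances.append(Variance(name, "unapproved_software", product, version, None))
        elif allowed and version not in allowed:
            variances.append(Variance(name, "unapproved_version", product, version, sorted(allowed)))
    # Settings: every required setting must be present and hold the required value.
    observed = inventory.get("settings", {})
    for setting, expected in baseline.required_settings.items():
        if setting not in observed:
            variances.append(Variance(name, "missing_setting", setting, None, expected))
        elif observed[setting] != expected:
            variances.append(Variance(name, "setting_mismatch", setting, observed[setting], expected))
    return variances


def fleet_report(fleet: dict[str, dict], baseline: Baseline) -> dict:
    """Run check_host over every workstation; summarise pass rate and variance counts by kind."""
    results = {host: check_host(host, inv, baseline) for host, inv in fleet.items()}
    passing = [h for h, v in results.items() if not v]
    by_kind: dict[str, int] = {}
    for vs in results.values():
        for v in vs:
            by_kind[v.kind] = by_kind.get(v.kind, 0) + 1
    return {
        "total": len(fleet),
        "passing": len(passing),
        "pass_rate": len(passing) / len(fleet) if fleet else 0.0,
        "failing": {h: v for h, v in results.items() if v},
        "by_kind": by_kind,
    }


# Constructed baseline: a few approved products and required settings.
BASELINE = Baseline(
    approved_software={"Office": {"14.0"}, "Acrobat Reader": {"9.3", "9.4"}, "Endpoint Agent": set()},
    required_settings={"PasswordComplexity": "Enabled", "MinPasswordLength": 12,
                       "AutoRun": "Disabled", "HostFirewall": "On"},
)

_COMPLIANT_SETTINGS = {"PasswordComplexity": "Enabled", "MinPasswordLength": 12,
                       "AutoRun": "Disabled", "HostFirewall": "On"}

# Constructed fleet: one clean host, one with user-installed software, one with configuration drift.
FLEET = {
    "ws-001": {"software": {"Office": "14.0", "Acrobat Reader": "9.4", "Endpoint Agent": "3.1"},
               "settings": dict(_COMPLIANT_SETTINGS)},
    "ws-002": {"software": {"Office": "14.0", "Acrobat Reader": "9.4", "Endpoint Agent": "3.1", "iTunes": "9.1"},
               "settings": dict(_COMPLIANT_SETTINGS)},
    "ws-003": {"software": {"Office": "14.0", "Acrobat Reader": "8.2", "Endpoint Agent": "3.1"},
               "settings": {"PasswordComplexity": "Enabled", "MinPasswordLength": 8, "AutoRun": "Disabled"}},
}

if __name__ == "__main__":
    report = fleet_report(FLEET, BASELINE)
    print(f"{report['passing']}/{report['total']} hosts pass ({report['pass_rate']:.1%})")
    for host, variances in report["failing"].items():
        for v in variances:
            print(f"  {host}: {v.kind} {v.item} observed={v.observed!r} expected={v.expected!r}")
    print("by kind:", report["by_kind"])
```

The variance kinds are kept separate on purpose: an unapproved product on a workstation is a software-inventory finding (CAG's authorized/unauthorized software control), while a wrong or absent setting is configuration drift from the baseline, which is the category Gilligan's NSA exercises tied most breaches to. Reporting them by kind lets the two be prioritised and remediated by different means (removal versus re-applying the baseline).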
Establishing clearer measures of vulnerability is essential to assessing overall risks, said a third panelist, Dennis Heretick, former Justice chief information security officer.
Heretick said risk assessment boils down to gauging the scope and likelihood of threats to vulnerabilities, including such factors as the motivation and capability of potential attackers, and then weighing them against the ability to take countermeasures, including detecting threats and attributing their source.