IT security checklist focuses on consequences of breaches

A contractor for the Homeland Security Department has released a draft cybersecurity checklist intended to help enterprises focus on real-world consequences of security breaches.

The U.S. Cyber Consequences Unit is an independent research group that supplies DHS with information on the consequences of cyber-attacks and evaluate the cost-effectiveness of countermeasures. As part of this work, director and chief economist Scott Borg and research director John Bumgarner began on-site visits to evaluate systems in critical industry sectors.

"We started seeing huge vulnerabilities," Borg said Wednesday at the GovSec conference in Washington, where the draft document was released. Most of the systems were compliant with current security checklists and best practices. "And portions of those systems were extraordinarily secure. But they were Maginot Lines," susceptible to being outflanked.

The problem is that existing best practices are static lists based on outdated data. The new USCCU list shifts the focus from perimeter security to monitoring and maintaining internal systems. The problem with perimeter security is that there is always some way to circumvent it, Borg said.

"We are way into diminishing returns on our investments in perimeter defense," he said. "To deal with it now, you have to think of the problem of cybersecurity not from a technical standpoint, but by focusing on what the systems do, what you could do with them and what ' the consequences [would] be."

The list is based on real-world experience and on economic analysis of breaches. Surprisingly, the researchers found that simply shutting a system down is not the biggest threat in most areas of critical infrastructure.

"Shutting things down for two or three days is not that costly," Borg said. The larger threat is disruption of systems in ways that are not immediately evident.

The checklist contains 478 questions grouped into six categories: hardware, software, networks, automation, humans and suppliers.

"All of the things we are talking about are already under way," Borg said, but some of the items in the checklist have no cost-effective commercial solutions. Borg said he hopes industry will step up to the plate to create solutions, and that government will adapt its acquisition policies to create incentives for these developments.

Borg said there is no schedule for final DHS approval of the draft. Additional information about the checklist is available from Borg at mailto:[email protected].

About the Author

William Jackson is a Maryland-based freelance writer.


  • Records management: Look beyond the NARA mandates

    Records management is about to get harder

    New collaboration technologies ramped up in the wake of the pandemic have introduced some new challenges.

  • puzzled employee (fizkes/

    Phish Scale: Weighing the threat from email scammers

    The National Institute of Standards and Technology’s Phish Scale quantifies characteristics of phishing emails that are likely to trick users.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.