Tuesday, February 24, 2009

CAG Out!

OMFG... is this the most ambitious project in security (eh... maybe not :-)) or what?

"Consortium of US Federal Cybersecurity Experts Establishes Baseline Standard of Due Care for Cybersecurity – The Top Twenty Most Critical Controls" (brief)

Here is the first thing I thought about it:
Now, think:
  • Does it mean we are moving towards "control-based" security?
  • Does it automatically mean we are moving away from "risk-based" security?
  • How many times is the term "risk management" mentioned in the full CAG doc?
Finally, some misc highlights:

On vulnerabilities: "Verify that vulnerability testing of networks, systems, and applications are run no less than weekly. Where feasible, vulnerability testing should occur on a daily basis."

On logs: "Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include dates, timestamps, source addresses, destination addresses, and various other useful elements of each packet and/or transaction." (CEE gets mentioned here too)
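Since the quote above is about validating what the logs actually contain, here is a small added example (mine, not from the CAG or any vendor) that checks a constructed batch of key=value records for the fields the CAG lists: date, timestamp, source and destination address. The field names and the sample lines are assumptions; a real deployment would map them to its own device's log format.

```python
"""Check that each audit log record carries date, time, source and destination."""
import re
from datetime import datetime

# Fields every record is expected to carry (taken from the CAG wording quoted above).
REQUIRED_FIELDS = ("date", "time", "src", "dst")

# Constructed sample: key=value records as a firewall or proxy might emit them.
# Line 1 is complete; 2 lacks dst; 3 has an impossible time; 4 lacks date and time.
SAMPLE_LOG = """\
date=2009-02-24 time=10:15:02 src=10.0.0.5 dst=192.0.2.10 action=allow proto=tcp dport=443
date=2009-02-24 time=10:15:03 src=10.0.0.7 action=deny proto=tcp dport=22
date=2009-02-24 time=25:99:00 src=10.0.0.9 dst=192.0.2.11 action=allow proto=udp dport=53
src=10.0.0.11 dst=192.0.2.12 action=allow proto=tcp dport=80
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Turn one 'k=v k=v ...' line into a dict (assumed record format)."""
    return dict(_KV.findall(line))


def record_problems(rec):
    """Return a list of problems; an empty list means the record is complete."""
    problems = [f"missing {f}" for f in REQUIRED_FIELDS if f not in rec]
    if "date" in rec and "time" in rec:
        try:
            datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            problems.append("unparseable timestamp")
    return problems


def audit_log(text):
    """Map 1-based line number -> problems, only for lines that have problems."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        probs = record_problems(parse_record(line))
        if probs:
            report[n] = probs
    return report


if __name__ == "__main__":
    for n, probs in audit_log(SAMPLE_LOG).items():
        print(f"line {n}: {', '.join(probs)}")
```

Run it against an export from each device class and the report tells you which sources would fail the CAG check before an auditor does; a clean device returns an empty report.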

On web apps: "Test [production - A.C.] web applications for common security weaknesses using web application scanners prior to deployment and then no less often than weekly as well as whenever updates are made to the application."

On integrity checking: "In particular, most endpoint security solutions can look at the name, file system location, and/or MD5 [yes, MD5, really!] hash of a given executable to determine whether the application should be allowed to run on the protected machine."
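To make the "yes, MD5, really!" point concrete, here is an added example of the name + location + hash check the quote describes (my code, not from the CAG or from any endpoint product). Allowlist entries are keyed on file name and directory and carry a hex digest; the checker infers the algorithm from the digest length and refuses to trust MD5 or SHA-1 entries unless explicitly told to, since collisions for both are practical and a hash with known collisions cannot serve as an identity for "this exact binary". The allowlist layout, the demo file and the `allow_weak` flag are assumptions.

```python
"""Allowlist check for executables: name, file system location and hash."""
import hashlib
import os
import tempfile

# Hex digest length tells us which algorithm produced an allowlist entry.
DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
# Algorithms with practical collisions; unsuitable for deciding what may run.
WEAK_ALGOS = {"md5", "sha1"}


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_executable(path, allowlist, allow_weak=False):
    """Return (allowed, reason). allowlist maps (name, directory) -> hex digest."""
    name = os.path.basename(path)
    directory = os.path.dirname(os.path.abspath(path))
    expected = allowlist.get((name, directory))
    if expected is None:
        return False, "not in allowlist"
    algo = DIGEST_ALGOS.get(len(expected))
    if algo is None:
        return False, "unrecognised digest format"
    if algo in WEAK_ALGOS and not allow_weak:
        return False, f"allowlist entry uses {algo}; re-hash with sha256"
    if file_digest(path, algo) != expected.lower():
        return False, f"{algo} mismatch"
    return True, "ok"


def demo():
    """Constructed scenario: one fake binary, a sha256 allowlist and an md5 one."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "agent.exe")
        with open(path, "wb") as f:
            f.write(b"\x4d\x5a constructed fake executable body\n")
        good = {("agent.exe", d): file_digest(path, "sha256")}
        legacy = {("agent.exe", d): file_digest(path, "md5")}
        results["sha256"] = check_executable(path, good)
        results["md5_rejected"] = check_executable(path, legacy)
        results["md5_allowed"] = check_executable(path, legacy, allow_weak=True)
        with open(path, "ab") as f:            # simulate tampering after listing
            f.write(b"tampered\n")
        results["tampered"] = check_executable(path, good)
        results["unknown"] = check_executable(os.path.join(d, "other.exe"), good)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The practical lesson is in the `md5_rejected` case: an allowlist full of MD5 entries is a migration task, not a control, and the checker should say so rather than quietly accept them.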

In any case, go read the CAG.


Dr Anton Chuvakin