"Consortium of US Federal Cybersecurity Experts Establishes Baseline Standard of Due Care for Cybersecurity – The Top Twenty Most Critical Controls" (brief)
Here are the first things I thought about it:
- 2000 - SANS Top 20 vulnerabilities list comes out (in its early form)
- 2009 - CAG "Top Twenty Most Critical Controls" comes out.
- Does it mean we are moving towards "control-based" security?
- Does it automatically mean we are moving away from "risk-based" security?
- How many times is the term "risk management" mentioned in the full CAG doc?
On vulnerabilities: "Verify that vulnerability testing of networks, systems, and applications are run no less than weekly. Where feasible, vulnerability testing should occur on a daily basis."
On logs: "Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include dates, timestamps, source addresses, destination addresses, and various other useful elements of each packet and/or transaction." (CEE gets mentioned here too)
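As an added illustration of what "validate audit log settings" can look like in practice (this is my example, not code from the CAG or from any vendor): a small checker that takes one sample entry per device and reports which of the required elements (date, timestamp, source address, destination address) are missing. The device names and log lines are constructed; the field formats (`src=`/`dst=`, ISO-style dates) are assumptions.

```python
import re

# Constructed sample entries, one per device (not real logs).
SAMPLE_LOGS = {
    "fw-edge-01":  "2009-02-23T14:05:12Z ACCEPT src=192.0.2.10 dst=198.51.100.7 proto=tcp dport=443",
    "router-core": "2009-02-23 14:05:13 src=192.0.2.11 dst=198.51.100.8 action=deny",
    "switch-lab":  "src=192.0.2.12 dst=198.51.100.9 bytes=512",        # no date or time at all
    "proxy-dmz":   "2009-02-23T14:05:14Z GET http://example.test/ 200", # no src/dst addresses
}

# Elements the control requires in each entry, expressed as regexes.
# Lookarounds instead of \b so "2009-02-23T14:05:12Z" still matches.
REQUIRED = {
    "date":        re.compile(r"(?<!\d)\d{4}-\d{2}-\d{2}(?!\d)"),
    "timestamp":   re.compile(r"(?<!\d)\d{2}:\d{2}:\d{2}(?!\d)"),
    "source":      re.compile(r"\bsrc=\d{1,3}(?:\.\d{1,3}){3}(?!\d)"),
    "destination": re.compile(r"\bdst=\d{1,3}(?:\.\d{1,3}){3}(?!\d)"),
}


def missing_elements(line: str) -> list:
    """Return the names of required elements absent from one log entry."""
    return [name for name, rx in REQUIRED.items() if not rx.search(line)]


def audit_logs(logs: dict) -> dict:
    """Map each device to the list of elements its entry lacks ([] == compliant)."""
    return {device: missing_elements(line) for device, line in logs.items()}


def noncompliant_devices(logs: dict) -> list:
    """Sorted list of devices whose logging settings need to be fixed."""
    return sorted(d for d, missing in audit_logs(logs).items() if missing)


if __name__ == "__main__":
    for device, missing in audit_logs(SAMPLE_LOGS).items():
        status = "OK" if not missing else "MISSING: " + ", ".join(missing)
        print(f"{device:12s} {status}")
```

Run against a real export you would feed it one representative entry per device and fix the logging configuration of anything it lists.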
On web apps: "Test [production - A.C.] web applications for common security weaknesses using web application scanners prior to deployment and then no less often than weekly as well as whenever updates are made to the application."
On integrity checking: "In particular, most endpoint security solutions can look at the name, file system location, and/or MD5 [yes, MD5, really!] hash of a given executable to determine whether the application should be allowed to run on the protected machine."
In any case, go read the CAG.
UPDATE: LOLCATS on CAG.