New group strives to clarify, simplify cyber basics for agencies

Monday - 11/5/2012, 5:20am EST

Tony Sager, director, Sans Institute

Download mp3

The constant battle agencies face to secure their computers and networks is filled with acronyms, laws, polices and best practices. With changes and attacks coming at chief information officers at a 1,000 miles per minute, a public-private sector consortium is trying to clarify and simplify certain aspects of cybersecurity.

The Consortium for Cybersecurity Action, a newly-formed international group of government agencies and private organizations from around the world, today will release an updated baseline of the 20 most important cyber controls, and it wants to become a resource to help agencies implement those security checks.

Tony Sager, a director with the Sans Institute and a former chief operating officer of the National Security Agency's Information Assurance Directorate, said many of these 20 controls are basic, but important.

"When I worked at NSA, I always said if you are going to be a defender, job one is visibility. Do you know what's on your network? Do you know how it's configured? So there are a number of things that have that flavor to them early in the controls," he said in an interview with Federal News Radio. "There are more advanced and complex things for the advanced. It really deals with a wide range of things."

He said simple things can have tremendous value in forcing the bad actors to take risks or spend money they don't want to.

Sans, the Center for Strategic and International Studies and others led an effort in 2009 to create the Consensus Audit Guidelines, which detailed these 20 critical controls.

DHS drafts RFP to include controls

Sager said this update comes as the Homeland Security Department is using the guidelines as part of its effort to implement continuous monitoring. DHS also is preparing a solicitation to buy continuous monitoring-as-a-service and tools that includes some of these security steps.

"It's a complementary piece. The notion is it does help you implement that," Sager said of how the critical controls fit into the continuous monitoring effort. "It brings focus and priority to the things that are really worth measuring as part of your continuous monitoring program. One of the reasons this notion of critical controls and a small number like 20 has really caught on, I think, is businesses are really full of really long lists of things you ought to do. Thousands of things, giant frameworks, and all kinds of options, vendors tools and standards, and what I found is you can produce great security guidance and all these great things, but still the customers I was trying to serve were just overwhelmed by the incredible number of options, and you have all these different compliance things and things you have to do deal with. So trying to get past the do it all to let's just focus on a small number of things that have the highest value is a really important notion that DHS is really focused on and we think it's a perfect fit."

He added the controls bring people together, who understand the attacks and technology, to choose a small number of ways to best defend agency networks.

"It doesn't mean you don't do other things, but it means let's focus first on a small number of things, and then this notion of continuous monitoring is about what things you should look at that has the most value, that are most likely to indicate bad things are happening," Sager said.

Agency use of controls limited

Even though the critical controls have been around for more than three years and garnered a lot of attention, agency progress toward implementing them has been mixed.

A handful of agencies such as the Air Force and the State Department, have implemented many of the critical controls, but many agencies continue to struggle with basic cyber hygiene.

The Federal Communications Commission launched a task force to determine how the critical controls can best be applied to protect the telecommunications industry, the consortium said.

Sager said he doesn't have a good idea of how widely agencies are using the critical controls.

"One of the things we are doing as part of this is trying to synchronize with other folks. Even 20 is a lot to chew on in the first step. We are bringing more focus to a smaller number like four or five, must-do, highest priority. We are synchronizing that with lots of folks like the Australian and British governments," he said. "That gives you a natural starting point from which other things start to build."