Friday, February 27, 2009

Consensus Audit Guidelines Are Still Controls

Blog readers know that I think FISMA Is a Joke, FISMA Is a Jobs Program, and if you fought FISMA Dogfights you would always die in a burning pile of aerial debris.

Now we have the Consensus Audit Guidelines (CAG) published by SANS. You can ask two questions: 1) is this what we need? and 2) is it at least a step in the right direction?

Answering the first question is easy. You can look at the graphic I posted to see that CAG is largely another set of controls. In other words, this is more control-compliant "security," not field-assessed security. Wait, you might ask, doesn't the CAG say this?

What makes this document effective is that it reflects knowledge of actual attacks and defines controls that would have stopped those attacks from being successful. To construct the document, we have called upon the people who have first-hand knowledge about how the attacks are being carried out.

That excerpt means that CAG defines defensive activities that are believed to be effective by various security practitioners. I am not doubting that these practitioners are smart. I am not doubting their skills. What I am trying to say is that implementing the controls in CAG does not tell you the score of the game. CAG is all about inputs. After implementing CAG you still do not know any outputs. In other words, you apply controls (an "X"), but what is the outcome (the "Y")? The controls may or may not be wonderful, but if you are control-compliant you do not have the information produced by field-assessed security.

Does anyone really think we do not have controls already? The CAG itself shows how it maps against NIST SP 800-53 Rev 3 Controls. Five are shown below as an example.



For example, looking at CAG, how many of these strike you as something you didn't already know about?

Critical Controls Subject to Automated Measurement and Validation:

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection


Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps



Don't get me wrong. If you are not implementing these controls already, you should do so. That will still not tell you the score of the game. If you want to see exactly what I proposed, I differentiated between control-compliance "security" and field-assessed security in my post Controls Are Not the Solution to Our Problem.

So, to answer my second question, CAG is a step in the right direction away from FISMA. It doesn't change the game, especially if you are already implementing NIST guidance.


Richard Bejtlich is teaching new classes in Europe in 2009. Register by 1 Mar for the best rates.

2 comments:

Anton Chuvakin said...

Also, CAG seems pretty "anti-risk", which might be a good thing (as few people understand their risk) or a bad thing (just do the CAG -> feel secure mentality)

Anton Chuvakin said...

BTW, see this on CAG also (re: inputs vs outputs)

http://www.slideshare.net/Gilligan.Group.Inc/consensus-audit-guidelines-2008-presentation