Have you ever been pulled into the false debate over how much IT spending should be spent on security? Some folks point to a rule of thumb that goes something like "ten percent of the IT budget should be applied to security." That old school formula may well be part of the reason we got into the mess we are currently in. It contributes to thoughts that lead you to think security can be separated. By some other ways of thinking, 100% of the budget goes to security and functionality and that is the calculus.
Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT. We recommend you try whenever possible to use the term security and functionality in the same context just to underscore that point.
For example, the goal we continually push regarding security in the federal space is not just one dealing with security. We put it this way: "Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months." Putting the goal this ways also underscores that it is not security vs. functionality. Both need to increase.
This goal also cries out for the need for metrics in security and functionality. For functionality there are many customer focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: Detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly. If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.
That is a dramatic goal. What makes me think it is achievable? In part the dramatic action being put in place today in the federal space. And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods. But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.
As evidence of this incredible positive action I'd like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines. Details of this effort are at http://www.sans.org/cag/
The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:
Critical Controls Subject to Automated Measurement and Validation:
- Inventory of Authorized and Unauthorized Hardware.
- Inventory of Authorized and Unauthorized Software.
- Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
- Secure Configurations of Network Devices Such as Firewalls and Routers.
- Boundary Defense
- Maintenance and Analysis of Complete Security Audit Logs
- Application Software Security
- Controlled Use of Administrative Privileges
- Controlled Access Based On Need to Know
- Continuous Vulnerability Testing and Remediation
- Dormant Account Monitoring and Control
- Anti-Malware Defenses
- Limitation and Control of Ports, Protocols and Services
- Wireless Device Control
- Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
- Secure Network Engineering
- Red Team Exercises
- Incident Response Capability
- Data Recovery Capability
- Security Skills Assessment and Training to Fill Gaps
The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them. The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.
What should CTOs think about this guidance? We should most strongly endorse it. Appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.
The deeply respected community leader Alan Paller said it this way:
"This is the best example of risk-based security I have ever seen," said Alan Paller, director of research at the SANS Institute. "The team that was brought together represents the nation's most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality."
Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.