Enhancing Security and Functionality At The Same Time

Bob Gourley February 24, 2009

Have you ever been pulled into the false debate over how much IT spending should be spent on security? Some folks point to a rule of thumb that goes something like “ten percent of the IT budget should be applied to security.” That old school formula may well be part of the reason we got into the mess we are currently in. It contributes to thoughts that lead you to think security can be separated. By some other ways of thinking, 100% of the budget goes to security and functionality and that is the calculus.

Really, security is about ensuring information confidentiality, availability and integrity. And those constructs are totally connected to functionality of IT. We recommend you try whenever possible to use the term security and functionality in the same context just to underscore that point.

For example, the goal we continually push regarding security in the federal space is not just one dealing with security. We put it this way: “Security and functionality of all federal IT will be increased by two orders of magnitude in the next 24 months.” Putting the goal this ways also underscores that it is not security vs. functionality. Both need to increase.

This goal also cries out for the need for metrics in security and functionality. For functionality there are many customer focused survey methods that can help collect the right metrics. For security, I think one metric stands out above all others: Detected unauthorized intrusions. There are many other important metrics for other dimensions of the security problem, but that one is key. So, a goal that expects both security and functionality of federal enterprise IT to improve by two orders of magnitude will expect customer survey satisfaction to go through the roof, and will expect detected intrusions to drop significantly. If there were 50,000 detected intrusions in 2008, there should be less than 5000 in 2010.

That is a dramatic goal. What makes me think it is achievable? In part the dramatic action being put in place today in the federal space. And in part by dramatic new technologies and approaches like private clouds and thin client computing and enhanced identity management and authorization methods. But of more importance and more relevance than all of that, in my opinion, is the coordinated action and leadership underway by CIOs and CISOs and the security experts in the federal space today.

As evidence of this incredible positive action I’d like to bring your attention to a release by a Consortium of US Federal Cybersecurity Experts on Consensus Audit Guidelines. Details of this effort are at http://www.sans.org/cag/

The Consensus Audit Guidelines provide the twenty most important controls and metrics for effective cyber defense and continuous FISMA compliance. These controls and metrics include:

Critical Controls Subject to Automated Measurement and Validation:

Inventory of Authorized and Unauthorized Hardware.
Inventory of Authorized and Unauthorized Software.
Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.
Secure Configurations of Network Devices Such as Firewalls and Routers.
Boundary Defense
Maintenance and Analysis of Complete Security Audit Logs
Application Software Security
Controlled Use of Administrative Privileges
Controlled Access Based On Need to Know
Continuous Vulnerability Testing and Remediation
Dormant Account Monitoring and Control
Anti-Malware Defenses
Limitation and Control of Ports, Protocols and Services
Wireless Device Control
Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

Secure Network Engineering
Red Team Exercises
Incident Response Capability
Data Recovery Capability
Security Skills Assessment and Training to Fill Gaps

The site at http://www.sans.org/cag provides more details on each, including detailed descriptions of the controls, how to implement them, how to measure them, and how to continuously improve them. The site also spells out the fact that this is a work in progress and processes are in place to ensure this great effort remains relevant and maximizes our ability to protect ourselves.

What should CTOs think about this guidance? We should most strongly endorse it. Appropriate implementation of these controls will reduce unauthorized intrusions in any enterprise.

The deeply respected community leader Alan Paller said it this way:

“This is the best example of risk-based security I have ever seen,” said Alan Paller, director of research at the SANS Institute. “The team that was brought together represents the nation’s most complete understanding of the risk faced by our systems. In the past cybersecurity was driven by people who had no clue of how the attacks are carried out. They created an illusion of security. The CAG will turn that illusion to reality.”

Please give these controls a read, and please help get them into the hands of the security and functionality professionals in your enterprise.

Looking for other research topics? Browse our reports directory here. Would you like to task us with research on these or other topics? As A CTOlabs Pro subscriber you may use our “Ask The CTO” section and let us know what we can do for you.

About Bob Gourley

Bob Gourley is the CTO and Co-Founder of the due diligence and cybersecurity consultancy OODA LLC , which publishes CTOvision.com and OODAloop.com. Bob's background is as an all source intelligence analyst and an enterprise CTO.

Gain Decision Advantage With Innovative Enterprise Software

For over 10 years CTOvision has consistently provided strategic context on the nature of technology and how to best leverage it for your personal and business objectives. We maintain the site in a way meant to help you find insights you need as fast as possible. To kick off a search use the search box […]

Gain Powerful Insights Into The Future With OODA Loop’s Technology Tracking

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we have merged our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). CTOvision will focus only on one small niche, a vision for a technology enabled future. […]

Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton

Mitigating Advanced Threats with Scalable and Automated Malware Analysis: An interview of Chad Loeven and Mike Hylton Scalable automated malware analysis has become a critical component of enterprise defense. When properly implemented it can be key to mitigating malware threats that otherwise bypass perimeter defenses. In this post we provide context enterprise architects and security […]

CTOvision and OODA: Big Changes Coming Soon

In a continuation of our journey to bring the best, most actionable technology content to enterprise decision-makers we are merging our research and reporting activities into the OODAloop.com site (both CTOvision.com and OODAloop.com are owned and operated by OODA LLC). This will give our community access to the same technology summaries we currently produce as […]

The Short Story From Arthur C. Clarke Every Officer in The Military Should Read and Heed

Like so many others in the national security domain I am tracking what I can about the new US Space Force, the newest US military force. I believe their mission is important and establishing Space Force was the right move. Space is, by definition, a domain that will require deep technological expertise to enable mission […]

This One Little Configuration Change Will Make It Harder For People To Steal Your Information

Editor’s note: We are aiming this tutorial at the non-technical person. Please share with anyone in your life who could benefit from this. -bg Cyberspace is a complex domain and our adversaries are always seeking new ways to steal information or spread their malicious code or hold our data for ransom. This is the big reason […]

Think Twice Before Deciding To Use A Personal VPN: You could be getting some really bad advice

From the 1930s to 1950s (far too long) the medical community just would not wake up to the fact that cigarettes could cause harm (see More Doctors Smoke Camels). Why did they stick with this misperception for so long? When so many good people come to the wrong conclusion it probably means some deeply human […]

Science Fiction Gadgets You Can Get Today

Technology is advancing pretty fast, at times influenced by the exciting world of Science Fiction. This video captures 10 of the tech developments first seen in SciFi that are available now. A key point of this, if you want to know what is in our future, watch more SciFi!

Super Bowl Ads Indicate Big Businesses Think You Are Afraid of AI

Tom Loftus provided an insightful review of some of Super Bowl ads in the 4 Feb 2019 Wall Street Journal. Like AI parody in SNL, these ads really poked fun at computers: Seriously, did anyone catch the commercials? If the Super Bowl is the zeitgeist, then it is safe to say that America is not […]

HBO’s Westworld: The Man In Black is a special kind of Twitter user

HBO’s Westworld is a modern take on the Michael Crichton SciFi tale of a robotic amusement park. The HBO version has a new twist. The creators/writers were all exposed to years of Twitter, which has influenced every episode and the entire arch of two seasons of the show. Now that season two is wrapping up, […]

Related