Tuesday, June 16, 2009

Disturbing Trend

I don't mean to be an alarmist or whatever. But that's how newspapers get sold and stations get ratings. What is this mystical issue? The answer is Control Implementation Prioritization.

Way back in February 2009 we were greeted with the Consensus Audit Guidelines (CAG). I personally do not care for CAG. Some people will get their controls implemented faster, better, cheaper. At a minimum, the guidelines are misleading, since they had little to do with actual auditing or system security testing.

At the beginning of May, they revised CAG into the 20 Critical Security Controls (CSC). Well, at least now there is some truth in the title. They are sold to us as controls that every system should implement. Well ... thanks. Let's take a quick look then.

Ahhh. Ok. So where is the part about laying down a strategy or developing an initial policy that needs to be followed? It's not there. Where is the part about the strength and cost of the control implementation as measured against the risk? I couldn't find that either.

Apparently, that doesn't matter anymore. It is clear from the beginning that the focus of CSC is not about system-specific risk analysis anymore. So that is that, but then in Appendix D of 800-53 Rev 3, Final Public Draft, what do my eyes find? CONTROL PRIORITIZATION, on a scale of 1 to 3, with 0 for unspecified.

Now for the meat: why is this bad? It's bad because management types will focus on the number 1. "I have to do these controls first, because NIST told me so." Or "I have money for the top 20, then I will deal with the rest."

It has been proven time and time again that security comes from determining risk and implementing controls commensurate with that risk, then reassessing that risk and the effectiveness of the controls over time using adequate metrics. Plan for the worst with contingency and incident handling plans. Et cetera.

Implementation of the CSC will not make you safer; it will make the vendor richer. A total soup-to-nuts program is still the only way, in my opinion. This would include selecting the controls that you deem necessary.


Anonymous said...

I'd love to see *evidence-based* controls. Even better, cost-effectiveness can be measured too.
For example, consider one of the Quick Wins: "Organizations should protect web applications by deploying web application firewalls that inspect all traffic flowing to the web application for common web application attacks".
So let's have figures of average number (or range of numbers) of exploitable web vulnerabilities in typical web apps, cost of testing and fixing vulnerabilities, cost of web app firewall, proportion of known and unknown attacks stopped by WAF, etc.
That would help me decide if this really was a quick win. Maybe it is for my ecommerce system; but maybe it isn't for my internal Christmas Party booking system. But the guidelines at present don't distinguish the two.

Andrew Yeomans
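The comparison Andrew asks for, as an added illustration that is not part of the original post or of the guidelines: rank candidate controls by expected annual loss reduction minus annual cost for each system, and compare that with a fixed priority list. All systems, controls and figures below are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class System:
    name: str
    attack_attempts_per_year: float  # expected attack attempts against the app
    p_success_per_attempt: float     # chance an attempt finds an exploitable flaw
    loss_per_breach: float           # cost of one successful compromise


@dataclass
class Control:
    name: str
    annual_cost: float
    fraction_stopped: float  # share of attacks the control prevents
    fixed_priority: int      # rank a one-size-fits-all list would give it


def annual_loss_expectancy(system: System) -> float:
    """Expected yearly loss from web attacks with no extra control in place."""
    return (system.attack_attempts_per_year
            * system.p_success_per_attempt
            * system.loss_per_breach)


def net_benefit(system: System, control: Control) -> float:
    """Loss avoided by the control per year, minus what it costs to run."""
    return annual_loss_expectancy(system) * control.fraction_stopped - control.annual_cost


def select_controls(system: System, controls: list[Control]) -> list[tuple[str, float]]:
    """Controls worth funding for this system, best net benefit first."""
    scored = [(c.name, net_benefit(system, c)) for c in controls]
    return sorted((s for s in scored if s[1] > 0), key=lambda s: s[1], reverse=True)


def fixed_priority_order(controls: list[Control]) -> list[str]:
    """The order a system-agnostic priority list would impose."""
    return [c.name for c in sorted(controls, key=lambda c: c.fixed_priority)]


# Constructed sample data: a public shop and an internal party-booking page.
ECOMMERCE = System("ecommerce", 2000, 0.01, 50_000)
PARTY_BOOKING = System("christmas_party_booking", 50, 0.01, 2_000)
CONTROLS = [
    Control("waf", annual_cost=40_000, fraction_stopped=0.6, fixed_priority=1),
    Control("fix_vulns", annual_cost=20_000, fraction_stopped=0.8, fixed_priority=2),
    Control("code_review", annual_cost=300, fraction_stopped=0.5, fixed_priority=3),
]

if __name__ == "__main__":
    print("fixed list:", fixed_priority_order(CONTROLS))
    for system in (ECOMMERCE, PARTY_BOOKING):
        print(system.name, select_controls(system, CONTROLS))
```

With these numbers the WAF is a net loss for the booking page and only second choice for the shop, which is the distinction a single priority list cannot make.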

Smith said...

I found that distributing technologies faces a lot of problems while dividing and sharing the data in the small independent systems and integrating them into a big system.

I found network security here.