Since becoming part of the Fidelis Network Defense & Forensics Team a year ago, I’ve had the opportunity to have some great discussions with our customers. We’ve talked about their pain points and how the various vendors offer to help them improve their cybersecurity posture. One of the main buzzwords that I kept hearing was “industry best practices.” This sounds so professional and exactly like the thing that would interest anyone looking for help in defending their network. What amazed me, though, is that when I asked which standard the vendor was using for their security assessment, I would often get the response “I don’t know.”
We all know that each customer will have a unique environment based on infrastructure architecture, various equipment, legacy systems that must be maintained, and many other variables. However, there are some baselines that everyone should be following in order to ensure they are defending themselves. Having worked at an International Organization for Standardization (ISO) accredited laboratory, I’ve had the opportunity to see the value of working from a community-wide accepted standard. While it does take some work to meet those standards, using a standard as the basis for an assessment is invaluable. Standards allow you to methodically and efficiently help your customer assess where they stand in defending their network. They also give you a starting point from which to branch off into additional lines of questioning when you come across those unique environments.
There are many organizations that have published standards on cybersecurity, such as NIST, ISO, ANSI, IASME, and IETF. Here at Fidelis we use the Consensus Audit Guidelines (CAG 20) (PDF), also known as the “Twenty Critical Security Controls for Effective Cyber Defense” for those who prefer the proper name. The name “twenty critical security controls” is a bit misleading, though, as there are 184 sub-controls in the current standard. We use this standard as the basis for the proactive assessments that we do for our customers, and we keep it in mind as we help customers remediate after a breach.
The CAG 20 is a subset of the very in-depth NIST SP 800-53 (PDF) document and is intended to capture the immediate, high-value actions that an entity can accomplish to increase its security posture. It was developed by a consensus of government and commercial entities. Some of the agencies that were involved in the initial development of the CAG 20 are US-CERT, DC3, the Department of Energy, the banking industry, and the various ISACs. It is now maintained by the Council on Cybersecurity, which is an international non-profit organization.
I would be remiss not to include the CAG 20 here as a point of reference for everyone.
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Malware Defenses
6: Application Software Security
7: Wireless Access Control
8: Data Recovery Capability
9: Security Skills Assessment and Appropriate Training to Fill Gaps
10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11: Limitation and Control of Network Ports, Protocols, and Services
12: Controlled Use of Administrative Privileges
13: Boundary Defense
14: Maintenance, Monitoring, and Analysis of Audit Logs
15: Controlled Access Based on the Need to Know
16: Account Monitoring and Control
17: Data Protection
18: Incident Response and Management
19: Secure Network Engineering
20: Penetration Tests and Red Team Exercises
If you get a proposal from a vendor offering to use “industry best practices,” make sure that you ask questions so you know what you are getting. If they don’t have an answer or seem uncomfortable discussing the details, you should start to wonder… they may be talking the talk, but can they walk the walk?