
04:43 PM

Ex-NSA Official Heads New Global Consortium Issuing Attack-Driven Security Controls

'Volunteer army' issues Top 20 Critical Security Controls that public- and private-sector organizations should use to lock down their environments against the latest attacks

A new international consortium launched today to help government agencies and the private sector prioritize their security defenses in the face of the latest threats and attacks. The Consortium for Cybersecurity Action (CCA) also updated the 20 Critical Security Controls that originated from initial work by the National Security Agency (NSA), with security steps to combat advanced persistent threat (APT)-type attacks.

Tony Sager, the retired chief operating officer of NSA's Information Assurance Directorate, who is heading up CCA, says it's about prioritizing what organizations need to do to protect their computing environments and data. "A great deal of the challenge is the fog of more. Things are changing so quickly," Sager said during a teleconference today. "A lot of times, enterprises just don't know where and how, or what to do. Where's the next dollar best spent?"

The Top 20 Critical Security Controls provides a guidepost, of sorts, for how specifically to go about prioritizing and locking down infrastructure. Rather than trying to deploy everything at once, an organization can focus on the basics first, such as gaining a comprehensive inventory of the authorized -- and unauthorized -- hardware and software in its environment.

CCA is basically a "volunteer army," Sager said, that identifies and prioritizes the most important things to do to prevent breaches. "We've seen their adoption by critical enterprises, and lots of vendors are standing up and saying, 'We can support these controls,'" he says.

Tom Kellermann, who served on The Commission on Cyber Security for the 44th Presidency, says the 20 Critical Controls list is a paradigm shift to basing security defenses on the actual threats and attacks occurring within organizations. "I am a huge proponent of the 20 Critical Controls. They represent a paradigm shift wherein offense truly will inform defense. The fact that they are dynamic ... [that they] are re-evaluated every year is a game changer," says Kellermann, who calls Sager "the Yoda of cybersecurity."

But given the rapidly changing threat landscape, can the list of controls truly keep up with the times? Kellermann, who is vice president of cybersecurity at Trend Micro, says the list will stay timely because it will be based on input from penetration testers and the NSA's red and blue teams. "They can understand what tactics are bypassing defense-in-depth stratagems," he says. "Threat intelligence must also evolve and become global in nature," he says.

The common strategy of patching vulnerabilities and manually decoding and analyzing packets just isn't working, notes Eric Cole, founder and chief scientist at Secure Anchor. "We sat back and looked at what are the key things that are missing? Why are organizations failing and not being successful" at defense, Cole said during today's teleconference.

Part of the problem, he says, is that organizations are not using a single playbook for securing their infrastructure: IT, security, auditors, and executives all need a common set of metrics, and that is what the Top 20 Critical Controls list provides.

[Strapped for cash and feeling pinched by the increase in targeted attacks, some federal agencies are coming up with their own solutions for better protecting their information. See Government Agencies Get Creative In APT Battle.]

Among the various updates to the list in Version 4 that reflect the changing attack landscape is running applications on the client side in a separate virtual machine to minimize the impact of an advanced attack, Cole told Dark Reading. "A lot of the additions we've [made in Version 4] focus on APT-style things."

William Pelgrin, president and CEO of the Center for Internet Security, and chair of the Multi-State Information Sharing and Analysis Center (MS-ISAC), says security has historically been too strategic. "It needs to be much more tactical," Pelgrin said in the teleconference today. "Take those areas where you have the highest risk and your critical components and deal with them first."

Organizations can't fight threats all alone anymore, he says. "The days of trying to do this alone are gone ... Anyone who says they can do it on their own is destined for failure."

But Pelgrin and other experts concede that the controls can't stop every determined attacker. "Some things are totally out of our control, like a zero-day exploit, for example," Pelgrin said. "But with the Top 20, you've solved the majority of issues facing your enterprise from being exploited. We really need to have these baseline standards."

While deploying the Top 20 may be the ideal, it's not realistic for all organizations, especially smaller ones with limited resources and budget.

Secure Anchor's Cole says implementing even two or three of them can make a big difference. "The biggest problem we see is in asset management, controlling what devices are in your network with BYOD," he says. Automated asset management would be a good start, and automating controls in general is key to keeping up with the newest threats, he says.

"If I had to pick one, it would be Critical Control #3, configuration management. If you have a secure configuration in hardening and locking down services and ports and software, you're really going to get the best payoff," Cole says. And checking #3 off the list first requires the inventory work in Controls #1 and #2, which cover hardware and software assets, respectively, according to Cole.
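To make concrete the dependency Cole describes (you cannot harden what you have not inventoried), here is an added example that is not from the article, the CCA, or the Critical Controls documents. It reconciles a constructed discovery snapshot against an approved device list (Control #1), an approved software list (Control #2), and a per-host listening-port baseline (Control #3), and it deliberately skips the #2 and #3 checks for a device that fails #1. All hostnames, MAC addresses, package names, and ports are hypothetical sample data.

```python
"""Reconcile discovered assets against approved inventories and a hardening baseline.

Constructed example: the three inventories and the discovery snapshot below are
hypothetical. In practice the snapshot would come from a network scan, DHCP/ARP
logs, or an endpoint agent.
"""
from dataclasses import dataclass

# Control #1: approved hardware, keyed by MAC address (constructed data).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "web01.example.test",
    "00:11:22:33:44:02": "db01.example.test",
}

# Control #2: approved software packages (constructed data).
AUTHORIZED_SOFTWARE = {"nginx", "openssh-server", "postgresql"}

# Control #3: hardening baseline, the only ports each host may listen on (constructed data).
BASELINE_PORTS = {
    "web01.example.test": {22, 443},
    "db01.example.test": {22, 5432},
}

# Simulated discovery output (constructed). db01 has an extra package and port;
# the third record is a device nobody approved.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "host": "web01.example.test",
     "software": ["nginx", "openssh-server"], "ports": [22, 443]},
    {"mac": "00:11:22:33:44:02", "host": "db01.example.test",
     "software": ["postgresql", "openssh-server", "telnetd"], "ports": [22, 23, 5432]},
    {"mac": "00:11:22:33:44:99", "host": "unknown-laptop",
     "software": ["python3"], "ports": [8080]},
]


@dataclass(frozen=True)
class Finding:
    host: str
    control: int  # which Critical Control the finding maps to (1, 2 or 3)
    detail: str


def reconcile(discovered, authorized_devices, authorized_software, baseline_ports):
    """Return one Finding per deviation, ordered by control as each host is evaluated."""
    findings = []
    for record in discovered:
        if record["mac"] not in authorized_devices:
            findings.append(Finding(record["host"], 1,
                                    f"unauthorized device (MAC {record['mac']})"))
            # An unapproved device has no baseline to check; the right action is
            # to remove or approve it, so software and port checks are skipped.
            continue
        for pkg in record["software"]:
            if pkg not in authorized_software:
                findings.append(Finding(record["host"], 2, f"unauthorized software: {pkg}"))
        allowed = baseline_ports.get(record["host"], set())
        extra = sorted(set(record["ports"]) - allowed)
        if extra:
            findings.append(Finding(record["host"], 3, f"ports outside baseline: {extra}"))
    return findings


def summarize(findings):
    """Count findings per Critical Control, e.g. {1: 1, 2: 1, 3: 1}."""
    counts = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = reconcile(DISCOVERED, AUTHORIZED_DEVICES, AUTHORIZED_SOFTWARE, BASELINE_PORTS)
    for f in results:
        print(f"Control #{f.control}  {f.host}: {f.detail}")
    print("summary:", summarize(results))
```

On the sample data the run yields one finding per control: the unknown laptop fails Control #1 and is not evaluated further, while db01 passes #1 but is flagged for telnetd (#2) and for port 23 (#3); web01 is clean. Keying devices by MAC rather than hostname is a simplification; a real inventory would also track owner, location, and a stable hardware identifier.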

So far, more than 13 states in the U.S. have adopted the Critical Controls, including Colorado, Ohio, Michigan, and New York.

Members of the CCA are American Express, Booz Allen Hamilton, Citibank, Core Security, U.K. Centre for the Protection of National Infrastructure, U.S. Department of Defense Cyber Crime Center, U.S. Department of Homeland Security, U.S. Defense Information Systems Agency, U.S. Department of Defense, Goldman Sachs, Mandiant, McAfee, Mitre, nCircle, NSA, Qualys, Symantec, and Tenable.

The full Top 20 Controls list is available here.


Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
