
Ex-NSA Official Heads New Global Consortium Issuing Attack-Driven Security Controls

'Volunteer army' issues Top 20 Critical Security Controls that public- and private-sector organizations should use for locking down their environments against the latest attacks

A new international consortium launched today to help government agencies and the private sector prioritize their security defenses in the face of the latest threats and attacks. The Consortium for Cybersecurity Action (CCA) also updated the 20 Critical Security Controls that originated from initial work by the National Security Agency (NSA), with security steps to combat advanced persistent threat (APT)-type attacks.

Tony Sager, the retired chief operating officer of NSA's Information Assurance Directorate, who is heading up CCA, says it's about prioritizing what organizations need to do to protect their computing environments and data. "A great deal of the challenge is the fog of more. Things are changing so quickly," Sager said during a teleconference today. "A lot of times, enterprises just don't know where and how, or what to do. Where's the next dollar best spent?"

The Top 20 Critical Security Controls provides a guidepost, of sorts, for how specifically to go about prioritizing and locking down infrastructure. Rather than trying to deploy everything at once, an organization can focus first on foundational steps, such as gaining a comprehensive inventory of the authorized -- and unauthorized -- hardware and software in its environment.

CCA is basically a "volunteer army," Sager said, that identifies and prioritizes the most important things to do to prevent breaches. "We've seen their adoption by critical enterprises, and lots of vendors are standing up and saying, 'We can support these controls,'" he says.

Tom Kellermann, who served on The Commission on Cyber Security for the 44th Presidency, says the 20 Critical Controls list is a paradigm shift to basing security defenses on the actual threats and attacks occurring within organizations. "I am a huge proponent of the 20 Critical Controls. They represent a paradigm shift wherein offense truly will inform defense. The fact that they are dynamic ... [that they] are re-evaluated every year is a game changer," says Kellermann, who calls Sager "the Yoda of cybersecurity."

But given the rapidly changing threat landscape, can the list of controls truly keep up with the times? Kellermann, who is vice president of cybersecurity at Trend Micro, says the list will stay timely because it will be based on input from penetration testers and the NSA's red and blue teams. "They can understand what tactics are bypassing defense-in-depth stratagems," he says. "Threat intelligence must also evolve and become global in nature," he says.

The common strategy of patching vulnerabilities and manually decoding and analyzing packets just isn't working, notes Eric Cole, founder and chief scientist at Secure Anchor. "We sat back and looked at what are the key things that are missing? Why are organizations failing and not being successful" at defense, Cole said during today's teleconference.

Part of the problem, he says, is that organizations are not using a single playbook for securing their infrastructure. IT, security, auditors, and executives all need a common set of metrics, and that, he said, is what the Top 20 Critical Controls list provides.

[Strapped for cash and feeling pinched by the increase in targeted attacks, some federal agencies are coming up with their own solutions for better protecting their information. See Government Agencies Get Creative In APT Battle.]

Among the Version 4 updates that reflect the changing attack landscape is a recommendation to run client-side applications in a separate virtual machine to minimize the impact of an advanced attack, Cole told Dark Reading. "A lot of the additions we've [made in Version 4] focus on APT-style things."

William Pelgrin, president and CEO of the Center for Internet Security, and chair of the Multi-State Information Sharing and Analysis Center (MS-ISAC), says security has historically been too strategic. "It needs to be much more tactical," Pelgrin said in the teleconference today. "Take those areas where you have the highest risk and your critical components and deal with them first."

Organizations can't fight threats all alone anymore, he says. "The days of trying to do this alone are gone ... Anyone who says they can do it on their own is destined for failure."

But Pelgrin and other experts concede that the controls can't stop every determined attacker. "Some things are totally out of our control, like a zero-day exploit, for example," Pelgrin said. "But with the Top 20, you've solved the majority of issues facing your enterprise from being exploited. We really need to have these baseline standards."

While deploying the Top 20 may be the ideal, it's not realistic for all organizations, especially smaller ones with limited resources and budget.

Secure Anchor's Cole says implementing two or three of them can make a big difference. "The biggest problem we see is in asset management, controlling what devices are in your network with BYOD," he says. Automated asset management would be a good start, he says. And automating controls is key to keeping up with the newest threats, he says.

"If I had to pick one, it would be Critical Control #3, configuration management. If you have a secure configuration in hardening and locking down services and ports and software, you're really going to get the best payoff," Cole says. And checking #3 off the list first requires the inventory work in Controls #1 and #2, which cover asset management of hardware and software, respectively, according to Cole.
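To make the dependency between Controls #1, #2 and #3 concrete, here is an added example that is not from the article or from CCA: it reconciles constructed network-scan results against constructed authorized hardware and software inventories and a listening-port baseline, and reports unknown devices, unapproved software and configuration drift. Every inventory entry, host, MAC and IP value is assumed sample data.

```python
"""Added example (not from the article or CCA): reconciling discovered assets
against authorized inventories, the core of Critical Controls #1-#3.
All inventories and scan data below are constructed sample values."""
from dataclasses import dataclass, field

# Control #1: authorized hardware, keyed by MAC address (constructed sample)
AUTHORIZED_HW = {
    "aa:bb:cc:00:00:01": "fileserver01",
    "aa:bb:cc:00:00:02": "laptop-alice",
}
# Control #2: software (name and version) approved for this environment
AUTHORIZED_SW = {"openssh-server 9.6", "nginx 1.24"}
# Control #3: ports a hardened host in this environment may listen on
BASELINE_PORTS = {22, 443}

@dataclass
class Host:
    mac: str
    ip: str
    software: set = field(default_factory=set)
    listening_ports: set = field(default_factory=set)

def reconcile(discovered: list) -> dict:
    """Return findings: unknown devices (Control #1), unapproved software
    (Control #2), baseline port drift (Control #3) and authorized assets
    that were not seen in the scan."""
    findings = {"unauthorized_hosts": [], "unapproved_software": {}, "port_drift": {}}
    seen = set()
    for h in discovered:
        seen.add(h.mac)
        if h.mac not in AUTHORIZED_HW:
            findings["unauthorized_hosts"].append(h.ip)
            continue  # an unknown device is triaged before deeper checks apply
        name = AUTHORIZED_HW[h.mac]
        extra_sw = h.software - AUTHORIZED_SW
        if extra_sw:
            findings["unapproved_software"][name] = sorted(extra_sw)
        extra_ports = h.listening_ports - BASELINE_PORTS
        if extra_ports:
            findings["port_drift"][name] = sorted(extra_ports)
    # Authorized assets absent from the scan may be offline or decommissioned
    findings["missing_hosts"] = sorted(n for m, n in AUTHORIZED_HW.items() if m not in seen)
    return findings

# Constructed discovery results, as an automated scan might report them
SAMPLE_SCAN = [
    Host("aa:bb:cc:00:00:01", "10.0.0.5", {"openssh-server 9.6", "nginx 1.24"}, {22, 443, 8080}),
    Host("de:ad:be:ef:00:99", "10.0.0.77", {"unknown-agent 0.1"}, {8081}),
]

if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_SCAN).items():
        print(f"{key}: {value}")
```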

So far, more than 13 states in the U.S. have adopted the Critical Controls, including Colorado, Ohio, Michigan, and New York.

Members of the CCA are American Express, Booz Allen Hamilton, Citibank, Core Security, U.K. Centre for the Protection of National Infrastructure, U.S. Department of Defense Cyber Crime Center, U.S. Department of Homeland Security, U.S. Defense Information Systems Agency, U.S. Department of Defense, Goldman Sachs, Mandiant, McAfee, Mitre, nCircle, NSA, Qualys, Symantec, and Tenable.

The full Top 20 Controls list is available here.


Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
