British, US Govts tackle infosec framework

Powered by SC Magazine
 

Dormant critical control list enjoys three-month adoption rush.

Large public agencies and private organisations in the US and Britain have standardised on an information security framework that claims to cut measurable risk by 90 percent.

The US Department of Homeland Security (DHS) and the British Centre for the Protection of National Infrastructure are among those that have adopted the framework in the past three months.

The framework, dubbed the 20 Critical Controls, was developed by the National Security Agency (NSA) and a consortium of private sector organisations.

It established a baseline of high-priority ‘technical’ information security measures and controls that are used to improve an organisation's security posture.

The framework was led by four controls that were created last year by the Defence Signals Directorate (DSD) under its Strategies to Mitigate Targeted Cyber Intrusions guide.

Organisations implementing those four controls alone could reduce the incidence of targeted intrusions by 85 percent, according to DSD tests.

[Figure: 20 Critical Controls]

The British and US organisations using the framework have begun sourcing tools to automate the controls.

Once this was completed, the framework was expected to be pushed out across US government agencies.

This would be in line with tougher FISMA laws that will force US Federal agencies to report IT security postures using automated tools by September 30.

The controls were expected to gain traction, too, in Britain's private sector after London Police signed on to the framework. The police service could push the framework as part of its function as an advisor to businesses on security best practice.

The nation's largest energy provider, Consumer Energy, had also adopted the framework in what is seen as a test case for other businesses.

The DSD said it had seen a “significant improvement in ICT security across government” due to security awareness “coupled with concerted efforts by government agencies to implement the top four” controls.

“Nevertheless, securing large networks is a complex issue which requires an ongoing effort, both in user education and system improvements,” it said.

Slow starter

The 20 Critical Controls framework has existed for around three years but only the US State Department had adopted the work before November last year.

SANS Institute research director Alan Paller said the rush to adopt the standard was a sign it could quickly spread across state and private sector industries, starting with the DSD recommendations.

“You've got a lot of energy behind this … and all in 12 weeks,” Paller said.

The US State Department said the controls would provide daily “authoritative data on the readiness of computers to withstand attack” and eliminate “massive financial waste associated with thick audit reports that are out-of-date long before they are published”.

It boasted that in its first year, the risk score for hundreds of thousands of computers dropped by nearly 90 percent.

The department was also able to get 90 percent of systems patched within 10 days of the emergence of new threats, while other agencies not using the controls patched between 20 and 65 percent of systems over several months.

It analysed some 12,000 attacks it had fielded and found that only 7 percent could not be accounted for by the controls.

The department established that system administrators “have about 20 minutes a day to fix things”, Paller said. Administrators in the department assess security priorities daily, rather than weekly or monthly, which has contributed to the massive risk reduction.

Trail blazer

Much of the recent success of the control list was thanks to its creator, the late National Security Agency (NSA) engineer Paul Bartock.

Bartock created a band of high-profile cyber security chiefs within US government agencies, critical infrastructure and banks and began to develop the controls about three years ago.

Paller described Bartock as “one of the top security engineers in the United States” and said Bartock had seen the adoption of the controls by British and US agencies before he died aged 58 late last month.

Bartock was the technical director of the NSA's red and blue teams, which serve as penetration testers for the US Government.

Paller said that prior to Bartock's control list, agencies had produced “hundreds of thousands” of controls which were overly complex and inevitably dumped.

Copyright © SC Magazine, Australia