Large public agencies and private organisations in the US and Britain have standardised on a information security framework that claims to drop measurable risk by 90 percent.
The US Department of Homeland Security (DHS) and the British Centre for the Protection of National Infrastructure are among those that have adopted the framework in the past three months.
The framework, dubbed the 20 Critical Controls, was developed by the National Security Agency (NSA) and a consortium of private sector organisations.
It established a baseline of high-priority ‘technical’ information security measures and controls that are used to improve an organisation's security posture.
The framework was led by four controls that were created last year by the Defence Signals Directorate (DSD) under its Strategies to Mitigate Targeted Cyber Intrusions guide.
Organisations implementing those four controls alone could reduce the incidence of targeted intrusions by 85 percent, according to DSD tests.
The British and US organisations using the framework have begun sourcing tools to automate the controls.
Once this was completed, the framework was expected to be pushed out across US government agencies.
The controls were expected to gain traction, too, in Britain's private sector after London Police signed on to the framework. The police service could push the framework as part of its function as an advisor to businesses on security best practice.
The nation's largest energy provider, Consumer Energy, had also adopted the framework in what is seen as a test case for other businesses.
The DSD said it had seen a “significant improvement in ICT security across government” due to security awareness “coupled with concerted efforts by government agencies to implement the top four” controls.
“Nevertheless, securing large networks is a complex issue which requires an ongoing effort, both in user education and system improvements,” it said.
The 20 Critical Controls framework has existed for around three years but only the US State Department had adopted the work before November last year.
SANS Institute research director Alan Paller said the rush to adopt the standard was a sign it could quickly spread across state and private sector industries, starting with the DSD recommendations.
“You've got a lot of energy behind this … and all in 12 weeks,” Paller said.
The US State Department said the controls would provide daily “authoritive data on the readiness of computers to withstand attack” and elimate “massive financial waste associated with thick audit reports that are out-of-date long before they are published”.
It boasted that in its first year, the risk score for hundreds of thousands of computers dropped by nearly 90 per cent.
The department was also able to get 90 percent of systems patched within 10 days of the emergence of new threats (left), while other agencies not using the controls patched between 20 and 65 percent of systems over several months.
It tested some 12,000 attacks it fielded and found details of only 7 percent could not be explained by the controls.
The department established that system admininstrators “have about 20 minutes a day to fix things”, Paller said. Administrators in the department assess security priorities daily, rather than weekly or monthly, which has contributed to the massive risk reduction.
Much of the recent success of the control list was thanks to its creator, the late National Security Agency (NSA) engineer Paul Bartock.
Bartock, described as one of the top security engineers in the US, created a band of high-profile cyber security chiefs within US government agencies, critical infrastructure and banks and began to develop the controls about three years ago.
Paller decribed Bartock as “one of the top security engineers in the United States” and said Bartock had seen the adoption of the controls by British and US agencies before he died aged 58 late last month.
Bartock was the technical director of the NSA's red and blue teams which serve as penetration testers for the US Government.
Paller said that prior to Bartock's control list, agencies had produced “hundreds of thousands” of controls which were overly complex and inevitably dumped.