British, US Govts tackle infosec framework

By on
British, US Govts tackle infosec framework

Dormant critical control list enjoys three-month adoption rush.

Large public agencies and private organisations in the US and Britain have standardised on a information security framework that claims to drop measurable risk by 90 percent.

The US Department of Homeland Security (DHS) and the British Centre for the Protection of National Infrastructure are among those that have adopted the framework in the past three months.

The framework, dubbed the 20 Critical Controls, was developed by the National Security Agency (NSA) and a consortium of private sector organisations.

It established a baseline of high-priority ‘technical’ information security measures and controls that are used to improve an organisation's security posture.

The framework was led by four controls that were created last year by the Defence Signals Directorate (DSD) under its Strategies to Mitigate Targeted Cyber Intrusions guide.

Organisations implementing those four controls alone could reduce the incidence of targeted intrusions by 85 percent, according to DSD tests.

 
 
20 Critical Controls (click to enlarge)

The British and US organisations using the framework have begun sourcing tools to automate the controls.

Once this was completed, the framework was expected to be pushed out across US government agencies.

This would be in line with tougher FISMA laws that will force US Federal agencies to report IT security postures using automated tools by September 30.

The controls were expected to gain traction, too, in Britain's private sector after London Police signed on to the framework. The police service could push the framework as part of its function as an advisor to businesses on security best practice.

The nation's largest energy provider, Consumer Energy, had also adopted the framework in what is seen as a test case for other businesses.

The DSD said it had seen a “significant improvement in ICT security across government” due to security awareness “coupled with concerted efforts by government agencies to implement the top four” controls.

“Nevertheless, securing large networks is a complex issue which requires an ongoing effort, both in user education and system improvements,” it said.

Slow starter

The 20 Critical Controls framework has existed for around three years but only the US State Department had adopted the work before November last year.

SANS Institute research director Alan Paller said the rush to adopt the standard was a sign it could quickly spread across state and private sector industries, starting with the DSD recommendations.

“You've got a lot of energy behind this … and all in 12 weeks,” Paller said.

The US State Department said the controls would provide daily “authoritive data on the readiness of computers to withstand attack” and elimate “massive financial waste associated with thick audit reports that are out-of-date long before they are published”.

It boasted that in its first year, the risk score for hundreds of thousands of computers dropped by nearly 90 per cent.

The department was also able to get 90 percent of systems patched within 10 days of the emergence of new threats (left), while other agencies not using the controls patched between 20 and 65 percent of systems over several months.

It tested some 12,000 attacks it fielded and found details of only 7 percent could not be explained by the controls.

The department established that system admininstrators “have about 20 minutes a day to fix things”, Paller said. Administrators in the department assess security priorities daily, rather than weekly or monthly, which has contributed to the massive risk reduction.

Trail blazer

Much of the recent success of the control list was thanks to its creator, the late National Security Agency (NSA) engineer Paul Bartock.

Bartock, described as one of the top security engineers in the US, created a band of high-profile cyber security chiefs within US government agencies, critical infrastructure and banks and began to develop the controls about three years ago.

Paller decribed Bartock as “one of the top security engineers in the United States” and said Bartock had seen the adoption of the controls by British and US agencies before he died aged 58 late last month.

Bartock was the technical director of the NSA's red and blue teams which serve as penetration testers for the US Government.

Paller said that prior to Bartock's control list, agencies had produced “hundreds of thousands” of controls which were overly complex and inevitably dumped.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
frameworknsapatchingrisksans institutesecurity

Sponsored Whitepapers

Responding To Industry Trends And Our 5m+ Users
Responding To Industry Trends And Our 5m+ Users
The Future of Digital Identity in Government
The Future of Digital Identity in Government
Secure Public Services for Every Australian
Secure Public Services for Every Australian
7½ Questions for Aged Care's Digital Decisions
7½ Questions for Aged Care's Digital Decisions
Creating the Sustainable IT Department
Creating the Sustainable IT Department

Most Read Articles

Australia appoints first cyber security coordinator

Australia appoints first cyber security coordinator
Apple rushes out patches for exploited zero day bugs

Apple rushes out patches for exploited zero day bugs
Perpetual 'extended outage' caused by security incident at third-party

Perpetual 'extended outage' caused by security incident at third-party
Exploit emerges for Cisco VPN client vulnerability

Exploit emerges for Cisco VPN client vulnerability

Digital Nation

Health tech startup Kismet raises $4m in pre-seed funding
Health tech startup Kismet raises $4m in pre-seed funding
More than half of loyalty members concerned about their data
More than half of loyalty members concerned about their data
DeepAI founder on the risks of artificial intelligence
DeepAI founder on the risks of artificial intelligence
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
COVER STORY: The opportunities and risks of cybersecurity insurance in Australia
How eBay uses interaction analytics to improve CX
How eBay uses interaction analytics to improve CX

Log In

  |  Forgot your password?