The guidelines have been developed with knowledge of the actual attacks that have compromised systems, in order to construct effective defences.
This is not a replacement for other guidelines (e.g. the NIST Security Guidelines), but a complement to help CIOs and CISOs identify their top priorities. The CAG has been developed with the support of NSA, US-CERT, DoD, DoE, GAO and many Federal CIOs and CISOs. A cross-reference to the NIST 800-53 Rev 3 controls has also been provided.
Below is a summary of the 20 controls. You can find the Guidelines here.
1. Inventory of Authorized and Unauthorized Hardware
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
4. Secure Configurations of Network Devices Such as Firewalls and Routers
5. Boundary Defense
6. Maintenance and Analysis of Complete Security Audit Logs
7. Application Software Security
8. Controlled Use of Administrative Privileges
9. Controlled Access Based On Need to Know
10. Continuous Vulnerability Testing and Remediation
11. Dormant Account Monitoring and Control
12. Anti-Malware Defenses
13. Limitation and Control of Ports, Protocols and Services
14. Wireless Device Control
15. Data Leakage Protection
Additional Critical Controls (not directly supported by automated measurement and validation):
16. Secure Network Engineering
17. Red Team Exercises
18. Incident Response Capability
19. Data Recovery Capability
20. Security Skills Assessment and Training to Fill Gaps
3 comments:
Good post.
However, is there any PDF on the SANS website? I see that we should crawl the web to read all the "controls". This is an annoying thing.
Unfortunately the document is still in draft, which should be the reason why it is only available on the web. I am sure it will be published as a PDF too once it is finalized.
good post and good blog,
If you can, keep it updated.
But you are a member of AIIC!!!
regards
mattia Siciliano
mattia.siciliano@gmail.com