Tuesday, February 24, 2009

Consensus Audit Guidelines (CAG) draft 1.0 released

A small revolution is going on almost silently in US: SANS published the first version of "Consensus Audit Guidelines" (CAG) a set of 20 recommendations to better protect federal Systems. SANS is open to receive comments till March 25 2009.

The guidelines have been developed with knowledge of actual attacks that have compromised systems in order to construct effective defence.

This is not a replacement for other guidelines (i.e. NIST Security Guidelines), but a complement to help CIOs and CISOs to identify their top priorities. The CAG has been developed with the support of NSA, US-Cert, DoD, DoE, GAO and many Federal CIOs and CISOs. Also, a reference to NIST 800-53 Rev 3 Controls has been provided.

Below a summary of the 20 controls. You find the Guidelines here.

  1. Inventory of Authorized and Unauthorized Hardware.

  2. Inventory of Authorized and Unauthorized Software.

  3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers.

  4. Secure Configurations of Network Devices Such as Firewalls and Routers.

  5. Boundary Defense

  6. Maintenance and Analysis of Complete Security Audit Logs

  7. Application Software Security

  8. Controlled Use of Administrative Privileges

  9. Controlled Access Based On Need to Know

  10. Continuous Vulnerability Testing and Remediation

  11. Dormant Account Monitoring and Control

  12. Anti-Malware Defenses

  13. Limitation and Control of Ports, Protocols and Services

  14. Wireless Device Control

  15. Data Leakage Protection

Additional Critical Controls (not directly supported by automated measurement and validation):

  1. Secure Network Engineering

  2. Red Team Exercises

  3. Incident Response Capability

  4. Data Recovery Capability

  5. Security Skills Assessment and Training to Fill Gaps


Anonymous said...

Good post.

However, is there any pdf on SANS website. I see that we should crawl web to read all "controls". This is annonying thing.

A. Rigoni said...

Unfortunately the document is still in draft, that should be the reason why it is only available on the web. I am sure it will be published in pdf too once it will be finalized.

Mattia said...

good post and good blog,

good post and good blog,

If you can Keep updated.

But you are memeber AIIC!!!

mattia Siciliano