LogBlog


Get Ready! New Cybersecurity Standard For American Businesses.

By Dominique Levin
VP Marketing and Strategy

The Cybersecurity Act proposes to give the President the capability to “shut down the Internet”. While this got a lot of public attention (and outrage), the more significant part of the Act is the effort to create a “minimum bar” for security in a broad range of industries, including the Federal Government and “critical infrastructure” such as telecommunications, energy, financial services, transportation and healthcare. Such a new security standard could have even greater consequences than the already widely adopted Payment Card Industry Data Security Standard (PCI DSS). This post examines what the cybersecurity standard could look like and what it would mean for American business.

The Cybersecurity Act would require the National Institute of Standards and Technology to develop cybersecurity standards for government, contractors and operators of the systems that control the nation's critical infrastructure. A newly created acquisitions board would certify that products the federal government purchased meet security standards, and regional cybersecurity centers would be set up to support small- and medium-size businesses complying with the standards.

From the draft act:

SEC. 6. NIST STANDARDS DEVELOPMENT AND COMPLIANCE.

(a) IN GENERAL- Within 1 year after the date of enactment of this Act, the National Institute of Standards and Technology shall establish measurable and auditable cybersecurity standards for all Federal Government, government contractor, or grantee critical infrastructure information systems and networks in the following areas:

(2) SECURITY CONTROLS- The Institute shall establish standards for continuously measuring the effectiveness of a prioritized set of security controls that are known to block or mitigate known attacks.

Other areas for research and standards development by NIST include security metrics, software security and software configuration.

"The market has failed by definition and thus public policy is necessitated," said Tom Kellermann, vice president of security awareness at Core Security Technologies and former senior data risk management specialist for the World Bank treasury security team. "Hopefully, the private sector will comprehend that legislation like this creates long-term comparative advantage for American industry and subsequent technological sustainability."

A complementary bill is also circulating: the ICE (Information and Communications Enhancement) Act replaces the 2008 Federal Information Security Management Act, a rewrite of the 2002 law that the Senate never voted on. Presumably the ICE Act will not only take guidance from the current National Institute of Standards and Technology standards, but also look to a list of “Top 20 Security Controls”.

Many in the security industry believe that so far NIST has been too focused on security configuration rather than on controls that truly prevent attacks. Alan Paller, director of research at the SANS Institute, and other security professionals argue that the approach is little more than a paper-pushing exercise and doesn't secure systems from known threats. Instead, the SANS Institute is pushing (and appears to be getting some traction with) its own “Consensus Audit Guidelines”: a list of twenty relatively inexpensive controls every business should implement to prevent attacks.

Twenty Most Important Controls and Metrics for Effective Cyber Defense and Continuous FISMA Compliance

The SANS Institute

http://www.sans.org/cag/print.php

The bills "could do more to improve cybersecurity than any action in the last decade," said Jim Lewis, director and senior fellow for the technology and public policy program at the Center for Strategic and International Studies.

"This looks like the game-changer -- or at least the conversation-changer," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Its reach is far greater than any cyber bill I have ever seen, extending deep into corporate America."

Having a government-endorsed “minimum bar” for security that applies to a broad range of industries would definitely be a positive for the security industry and for American businesses. The bill could make it a lot easier for business executives to get approval for investments in security. Additionally, security is only as strong as the weakest link in the chain, so any initiative that raises the bar across the board is a good thing.

Posted May 05, 2009
