Guidelines to standardize network security controls

Recommendations will include shifting resources from certifying and accrediting systems to fixing known vulnerabilities in an effort to better secure federal networks.

Computer security professionals plan to release guidelines in the next six months instructing agencies to first fix vulnerabilities in federal networks that hackers are known to exploit most frequently -- a move that represents a significant change from current federal security policy.

The recommendation will be part of the Consensus Audit Guidelines, which will provide agencies a list of controls to stop or quickly recover from known attacks, as well as examples of real-world attacks, to educate agencies about the potential risk of not securing systems. The guidelines are being developed by top security analysts from industry and government, including the Defense, Energy and Homeland Security departments, the National Security Agency and the Government Accountability Office.

One of the recommendations is to concentrate on fixing the vulnerabilities that are most often exploited by hackers who want to gain access to federal systems. This move, security analysts say, will provide the most improvement in information security. "Let's figure out what are the vulnerabilities being exploited and fix those first," said John Gilligan, president of IT consulting firm Gilligan Group and former chief information officer at the Air Force. "There should be a focus in the investment on what delivers the greatest payout." He spoke on a panel at the Security 2008 conference in Washington, sponsored by 1105 Government Information Group.

The guidelines enable a "defense that is informed by the offense," said Alan Paller, director of research at the SANS Institute, a nonprofit cybersecurity research group based in Bethesda, Md. "Everything is important. But you need to address the known bads first, then move on to the hypothetical."

The strategy of focusing on known vulnerabilities was used to develop what eventually became the Federal Desktop Core Configuration, which all agencies must follow for computers running the Microsoft XP and Vista operating systems. To create the configuration, NSA conducted briefings with the Air Force on the attack patterns hackers used against the service's systems and found that 80 percent of the attacks were the result of incorrectly configured commercial off-the-shelf software. Defense established standard security controls for Microsoft operating systems to fix the holes, and OMB later adopted the settings governmentwide in the desktop configuration.

The consensus guidelines essentially will apply to networks the same process that was used to develop the desktop configuration.

Fixing known vulnerabilities marks a significant change in federal security policy. The consensus guidelines will recommend agencies shift resources to implement and measure the effectiveness of the new controls -- including using automated tools -- and away from the certification and accreditation process required under the 2002 Federal Information Security Management Act.

The legislation requires agencies to identify and inventory IT systems, determine the sensitivity of information stored on systems, find holes that allow hackers access and deploy security controls. But many argue that agencies spend much of their IT budgets complying with the law, leaving little to pay for security practices that provide better results.

"FISMA's intention was good, but unfortunately, it's taken on a life of its own in how it's been implemented," Gilligan said. "The threats are increasing dramatically, and we need more focus. Right now, a good FISMA grade doesn't mean you are secure because FISMA is measuring artifacts."

Gilligan said the legislation was successful in directing more attention to information security, but it has been unsatisfactory in guarding networks from attacks. FISMA has had mixed results in providing security guidance to agencies and encouraging additional cybersecurity investments, he added.

"We're as vulnerable or more vulnerable than ever, and often we think we're better off than we actually are," Gilligan said.

The National Institute of Standards and Technology has published guidelines for implementing information security, but Gilligan said the recommendations are difficult to follow because they are too complex. The NIST risk framework, for example, includes more than 1,200 pages. "The reality is that it takes little talent to come in and find flaws," he said. "It's a target-rich environment."

Gilligan expects the Consensus Audit Guidelines to be available for public comment within six months. Once finalized, he hopes OMB will consider using them to measure how well FISMA has been implemented in agencies.