State Dept. Success Revealed

In March 2009, the State Department implemented a bold strategy to continuously monitor cyberspace for malicious computer attacks. Chief Information Security Officer John Streufert led the effort.

Part of what Streufert wanted to determine was whether or not he could tailor his security model to the 20 critical security controls, a set of risks that over 100 security experts determined to be the most common and likely security vulnerabilities facing government computer systems. Prior to these controls, the National Institute of Standards and Technology concluded that there were 110 or more ways computer systems could be attacked. Former Energy Department and Air Force CIO John Gilligan changed all that when he brought together a powerful consortium to determine if there was a subset of those 110 risks that was substantially more important based on the damage they could inflict and the likelihood of them occurring. As a result, the 20 critical controls were born.

Streufert opened a 24-hour security help desk to count the number of security incidents occurring on a daily basis. For fiscal 2008, State opened 2104 tickets. By fiscal 2009, the number went up to 3085. Different kinds of attacks occurred, but the most prevalent was malicious code, which rose from 39 percent in 2008 to 70 percent in 2009.

"So we went through the numbers and said 'you know, the people who did the 20 most critical controls are on to something here,'" said Streufert.

Streufert found 1700 unclassified attacks in the 11 months before 2009, so he sent two computer engineers though the list and asked them to test the 20 critical controls theory. The team checked the attacks one by one, and the theory checked out.

"We seemed to be the first organization that actually tested the theory of whether the instincts of the experts was actually true on the ground," Streufert said. "In that respect began a formal program of trying to build a case study implementation in real life of what the 20 most critical controls were. "

The last piece of the puzzle was to do penetration testing to determine if the 20 critical controls were accurate. Penetration testing is done by giving permission to trusted sources to try and break into an organization's computer systems. State did this and found that of the break-ins, 80 percent of those judged to be successful used known vulnerabilities and weaknesses to do their work.

"From these three vantage points we confirmed in our minds that the 20 critical security controls were worth our concentration, and built our approach and long term plans with these critical controls in mind," Streufert added.

When Streufert told me this, it became increasingly clear just how important the 20 critical controls have become. I went through SANS' website, where the controls are hosted and read carefully. One of my jobs at SANS is to figure out how to disseminate information more broadly. I thought there was a huge opportunity with the critical controls. The text was bulky and the information overwhelming. So I dreamed up an online interactive graphic model, and with the help of a developer made the dream become a reality. I knew Streufert's story told in detail would help convey the importance of the controls and the reason for building the interactive. It's a nice resource, and I encourage everyone to check it out.