Gaining attention for advocating a practical shift in how IT leaders think about security, the Consensus Audit Guidelines offer 20 controls to measure and monitor IT-system and network security. Though worries about increased cost often accompany any notion of improving security, John Gilligan, a consultant who developed the guidelines, says he implemented a subset of the controls when he was the Air Force CIO (from 2001 to 2005) and saved money on IT and risk management. Gilligan's recommendations include:
1) Know your network. Inventory all devices on your network with an asset recovery tool. Record network addresses, machine names, the purpose of each device and person responsible for it. Encrypt this information. Likewise, devise an encrypted list of software authorized to run on your network. Periodically test your software inventory tool by deploying new software to see when it's detected. Note the delay; that's a vulnerable time.
2) Test and verify. Document and test security settings on system images before deploying laptops, workstations and servers. Sample systems once a month to see that settings are correct. Store master images on secured servers or offline machines.
3) Seize control. At network connection points, implement filters to allow use of only those ports and protocols with a documented business need. Use two-factor authentication and encrypted sessions on all network devices. Require people logging in remotely to use two-factor authentication, too.
4) Be suspicious. Set audit logs to record dates, time stamps and source and destination addresses for each piece of software. Devise profiles of common activity and tune logs to look for anomalies. Deploy firewalls to look for common Web attacks. Test source code for malware and backdoors before deploying.
5) Watch your back. Run vulnerability scans at least weekly (preferably daily). Compare sequential scans to ensure previous problems were addressed. Install critical patches within a week. Report daily on locked-out and disabled accounts, as well as accounts with passwords set to never expire or with passwords exceeding maximum age. Get explanations for these accounts. Check machines daily and push out updates for malware protection.
For more details about these and the rest of the guidelines as well as an explanation of how attackers exploit the lack of each control, visit www.gilligangroupinc.com.