Friday, April 03, 2009

SANS Consensus Audit Guidelines (Draft 1.0)

On Feb 23, 2009 SANS published the first draft of the Consensus Audit Guidelines (CAG). As stated in the press release, the CAG comprises 20 controls, 15 of which can be measured automatically and 5 of which cannot.

The 20 Critical Controls, the first 15 of which are subject to automated measurement and validation (AMV):
  1. Inventory of Authorized and Unauthorized Hardware
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software For Which Such Configurations Are Available
  4. Secure Configurations of Network Devices Such as Firewalls And Routers
  5. Boundary Defense
  6. Maintenance and Analysis of Complete Security Audit Logs
  7. Application Software Security ***
  8. Controlled Use of Administrative Privileges
  9. Controlled Access Based On Need to Know
  10. Continuous Vulnerability Testing and Remediation
  11. Dormant Account Monitoring and Control
  12. Anti-Malware Defenses
  13. Limitation and Control of Ports, Protocols and Services
  14. Wireless Device Control
  15. Data Leakage Protection
  16. Secure Network Engineering (not AMV)
  17. Red Team Exercises (not AMV)
  18. Incident Response Capability (not AMV)
  19. Assured Data Back-Ups (not AMV)
  20. Security Skills Assessment and Training to Fill Gaps (not AMV)
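As an added illustration of what "automated measurement and validation" looks like in practice for controls 1 and 2 (this is example code written for this post, not code from the post or from SANS), the Python script below reconciles an asset register against what an automated scan observed and reports unauthorized hardware, authorized hardware that was not seen, and software that is either not on the allowlist or at an unapproved version. The MAC addresses, host names, package names and versions are all constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data (hypothetical): what the asset register says is
# authorized, and what an automated discovery scan actually observed.
AUTHORIZED_HARDWARE = {            # MAC address -> registered host name
    "00:11:22:33:44:01": "srv-web-01",
    "00:11:22:33:44:02": "srv-db-01",
    "00:11:22:33:44:03": "wks-finance-07",
}
AUTHORIZED_SOFTWARE = {            # package -> set of approved versions
    "openssh-server": {"7.4p1", "8.0p1"},
    "nginx": {"1.14.0"},
    "postgresql": {"11.5"},
}
OBSERVED_HARDWARE = {              # what the network scan found
    "00:11:22:33:44:01": "srv-web-01",
    "00:11:22:33:44:02": "srv-db-01",
    "00:11:22:33:44:99": "unknown-laptop",   # not in the register
}
OBSERVED_SOFTWARE = {              # host -> {package: installed version}
    "srv-web-01": {"openssh-server": "7.4p1", "nginx": "1.14.0", "netcat": "1.10"},
    "srv-db-01": {"openssh-server": "6.6p1", "postgresql": "11.5"},
}


@dataclass
class InventoryFindings:
    """Result of one automated inventory validation run."""
    unauthorized_hardware: list = field(default_factory=list)  # (mac, name)
    missing_hardware: list = field(default_factory=list)       # (mac, name)
    unauthorized_software: list = field(default_factory=list)  # (host, pkg, ver, reason)

    def passed(self) -> bool:
        """The control is satisfied only when every list is empty."""
        return not (self.unauthorized_hardware
                    or self.missing_hardware
                    or self.unauthorized_software)


def reconcile_hardware(authorized, observed):
    """Control 1: devices seen but not registered, and registered but not seen."""
    unauthorized = sorted((mac, name) for mac, name in observed.items()
                          if mac not in authorized)
    missing = sorted((mac, name) for mac, name in authorized.items()
                     if mac not in observed)
    return unauthorized, missing


def reconcile_software(allowlist, observed_by_host):
    """Control 2: installed packages that are not allowlisted or not at an approved version."""
    findings = []
    for host in sorted(observed_by_host):
        for pkg, ver in sorted(observed_by_host[host].items()):
            if pkg not in allowlist:
                findings.append((host, pkg, ver, "package not on allowlist"))
            elif ver not in allowlist[pkg]:
                findings.append((host, pkg, ver, "version not approved"))
    return findings


def run_inventory_checks(auth_hw=AUTHORIZED_HARDWARE, obs_hw=OBSERVED_HARDWARE,
                         auth_sw=AUTHORIZED_SOFTWARE, obs_sw=OBSERVED_SOFTWARE):
    """Run both reconciliations and bundle the findings."""
    unauthorized, missing = reconcile_hardware(auth_hw, obs_hw)
    return InventoryFindings(
        unauthorized_hardware=unauthorized,
        missing_hardware=missing,
        unauthorized_software=reconcile_software(auth_sw, obs_sw),
    )


def format_report(findings: InventoryFindings) -> str:
    """Render findings as plain text suitable for a ticket or a cron mail."""
    lines = [f"Inventory validation: {'PASS' if findings.passed() else 'FAIL'}"]
    for mac, name in findings.unauthorized_hardware:
        lines.append(f"  unauthorized hardware: {mac} ({name})")
    for mac, name in findings.missing_hardware:
        lines.append(f"  registered but not observed: {mac} ({name})")
    for host, pkg, ver, reason in findings.unauthorized_software:
        lines.append(f"  {host}: {pkg} {ver} - {reason}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_inventory_checks()))
```

Run unattended on a schedule, the script gives each control a binary pass/fail plus the specific deviations, which is exactly what the "automated measurement and validation" label promises; a red team exercise or an incident response capability has no equivalent reconciliation that a script can perform, which is why those controls sit outside the AMV group.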
Two points I would like to make here:
  • When your only tool is a hammer (For*ify), you tend to see every problem as a nail. Hey dude, *** is only 1/20 of the entire infosec picture.
  • Red Team Exercises are not automated measurement and validation.