Archive for June 2009

CAG Critics

SANS has a course coming up in a few weeks in DC on implementing the Consensus Audit Guidelines. That caused me to take another look at www.sans.org/cag. Looks like they published an updated draft on May 9, 2009. The name seems to have morphed from Consensus Audit Guidelines to 20 Critical Security Controls. What really drew my eye was the “critics” page.
The critics page contains solely glowing praise. Often that praise is from people who wrote the CAG. Maybe I’m taking “critics” too literally, but I am reminded of the movie “critics” who write with the goal of their review being included in the advertising.
There has been plenty of criticism of the CAG.
Richard Bejtlich points out that it doesn’t help keep score and its controls are reactionary. Additionally, its controls map to the already existing 800-53, so it’s redundant if you’re already doing that.
Guerilla CISO comments in LOLCats format. He also says “My initial impression is that CAG controls provide worthwhile recommendations but the framework for implementation needs development.” Even that sort of mild criticism is missing from the SANS CAG Critics page. Then again, in this post he tears into it more thoroughly. (That’s a lot of blog mileage from the CAG. I should take a lesson.)
I’m starting to think the CAG (sorry, now it’s CSC – Critical Security Controls) is like the SANS FBI Top 20. It’s not written for me. It’s written to get in the press. It’s written for people who have no clue where to start. For me, I’m taking away some ideas on how to proactively audit some of the CAG items, but the box is already checked in FISMA for those items, so buying anything new is a tough sell right now.
I’m still going to try to get the company to send me to the 20 Critical Security Controls: Planning, Implementing and Auditing 2009. I just found the SANS CAG Critics page amusing.

iPhone and CIS Secure Config Guide

The Center for Internet Security released a secure configuration benchmark for the iPhone.
SCMag touts this as a good thing “For the first time, enterprises can apply security configuration best practices to Apple iPhones being used by their employees.” I would argue that there are a couple things wrong with this statement.
First, it seems to admit that the iPhone isn’t secure and needs to be locked down. When Microsoft releases a hardening guide, Alan Paller of SANS goes ape and encourages the government to use their buying power to force Microsoft to apply a “secure” configuration prior to shipment. Second, reading the document, I’m not convinced that the CIS config allows enterprises to enforce security best practices.
The first half of the CIS security guidelines are settings for the user to do on their phone. Fine for the individual, but not for an enterprise. The second half focuses on settings in the iPhone Configuration Utility. I’ve never used this utility and I don’t own an iPhone, but it appears that this utility creates a config file you then mail to the user to apply or place on a website. Great way to distribute security policy. Doesn’t seem like a mandatory security policy either. There are a few mentions of ActiveSync, which would enforce policy, but it is not explored enough for my tastes in this document.
Recommendation: Keep firmware up to date.
Doing this requires the installation of iTunes. My skin kind of crawls when someone wants that buggy bloated software installed in a business environment in order to load phone firmware. But hey, at least the user gets to sync their music at the same time. The CIS paper does not report a way that the enterprise could verify the installed versions on each deployed iPhone.
Recommendation: Autolock at 5 minutes.
I wish we could enforce an autolock at five minutes. Ours is a bit longer.
With the Blackberry you can set it to lock when holstered. I don’t believe the iPhone can do that.
If you needed someone to tell you to set a PIN and a password timeout on a device, you probably need someone to tell you to come in out of the rain.
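Since the post's complaint is that the CIS guide hands you a config file with no way to tell whether it actually enforces anything, here is an added example (my code, not the CIS benchmark's or the post's) that audits a configuration profile of the kind the iPhone Configuration Utility emits, a .mobileconfig XML plist, against the two settings discussed above: a required PIN and a five-minute autolock. It also flags a profile the user can simply delete, and writes a corrected copy. The sample profile is constructed; the payload type `com.apple.mobiledevice.passwordpolicy` and the keys `forcePIN`, `maxInactivity` and `PayloadRemovalDisallowed` are taken from Apple's configuration profile format as I understand it, so verify them against Apple's own reference before relying on this.

```python
import plistlib

# Constructed sample in the .mobileconfig (XML plist) format. The payload
# type and key names follow Apple's configuration profile format as
# understood here; the identifiers are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.placeholder</string>
  <key>PayloadRemovalDisallowed</key><false/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>PayloadIdentifier</key><string>example.profile.placeholder.passcode</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>forcePIN</key><true/>
      <key>maxInactivity</key><integer>15</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# A constructed profile that carries no passcode policy at all.
EMPTY_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.placeholder.empty</string>
  <key>PayloadContent</key><array/>
</dict>
</plist>
"""

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"
MAX_AUTOLOCK_MINUTES = 5  # the CIS recommendation discussed in the post


def find_payloads(profile: dict, payload_type: str) -> list:
    """Return every payload dict of the given type inside a profile."""
    return [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == payload_type]


def audit_profile(raw: bytes) -> list:
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    profile = plistlib.loads(raw)
    passcode = find_payloads(profile, PASSCODE_PAYLOAD)
    if not passcode:
        findings.append("no passcode policy payload: PIN and autolock are left to the user")
        return findings
    policy = passcode[0]
    if not policy.get("forcePIN", False):
        findings.append("forcePIN is not set: a PIN is not required")
    inactivity = policy.get("maxInactivity")  # minutes before autolock
    if inactivity is None:
        findings.append("maxInactivity is absent: autolock is left to the user")
    elif inactivity > MAX_AUTOLOCK_MINUTES:
        findings.append(f"maxInactivity is {inactivity} minutes; "
                        f"recommendation is {MAX_AUTOLOCK_MINUTES}")
    # A profile the user can delete is a suggestion, not a policy.
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("PayloadRemovalDisallowed is not set: the user can remove the profile")
    return findings


def harden(raw: bytes) -> bytes:
    """Return a copy of the profile with the settings corrected and removal locked."""
    profile = plistlib.loads(raw)
    payloads = find_payloads(profile, PASSCODE_PAYLOAD)
    if payloads:
        policy = payloads[0]
    else:
        policy = {"PayloadType": PASSCODE_PAYLOAD,
                  "PayloadIdentifier": profile.get("PayloadIdentifier", "placeholder") + ".passcode",
                  "PayloadVersion": 1}
        profile.setdefault("PayloadContent", []).append(policy)
    policy["forcePIN"] = True
    policy["maxInactivity"] = min(policy.get("maxInactivity", MAX_AUTOLOCK_MINUTES),
                                  MAX_AUTOLOCK_MINUTES)
    profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
    print("after hardening:", audit_profile(harden(SAMPLE_PROFILE)))
```

Note what this does and does not give you: it checks the file you are about to mail out, which is the only artifact the utility hands you. It says nothing about whether a given phone ever applied it, so the verification gap the post points out (no way to see installed versions or applied settings per device) is still there unless something like ActiveSync is doing the enforcing.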

Adobe PSIRT Advance Notice of Adobe Acrobat/Reader updates

Adobe’s Product Security Incident Response Team (PSIRT) has announced:

Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts.

I don’t know about you, but I’m suffering some upgrade fatigue. I’m not sure why Adobe thinks it’s helpful to release the update the same day as Microsoft. I imagine some patching products must allow the deployment of Microsoft and third-party updates all at once. The patching product we use does not.

Quicktime 7.6.2

Apple has released Quicktime 7.6.2 to deal with multiple security vulnerabilities. Their writeup is posted here.
Hopefully they also fixed the issue in their MSI file that was preventing installs on a few computers. We extract Quicktime.msi from Apple’s installer in order to avoid having to deploy the Apple Software Updater to our computers.

BEEP

At work, they’ve implemented a lockdown. They’ve enabled the badge readers and locks on doors as you leave the elevator lobby on each floor or come off the stairs. There is some construction work to be done on the 8th floor, so they want to make sure those workers aren’t visiting other floors and helping themselves to cash left unattended in purses.
My office is pretty close to the elevator lobby, so I get a full day of false alarms.
- Door is opened, short beep as the badge is swiped.
- Someone leaves, the seeing eye unlocks the door, it is opened, it swings shut, and beep as the door “bounces”.
- Long beep as some freaking ignoramus pulls on the doors without swiping the badge. If they would release immediately there wouldn’t be an alarm. But no, they keep pulling.
- And then there is the regular security alarm that goes off a couple times a day as well.
I’m thinking of setting up in the conference room to see what these people are doing wrong. It’s not that hard to work a door, people.
And I thought it was annoying hearing the BING for the elevator all day.