Government IT Security Leaders Further Embrace Penetration Testing With Release of Consensus Audit Guidelines (CAG)

Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for proactive enterprise security testing, is proud to recognize and endorse the efforts of leading government and private sector cyber-security experts in releasing a final version of the Consensus Audit Guidelines (CAG). These procedures are a set of twenty IT security controls that the group has recommended for adoption across all U.S. government agencies.

“CAG can be viewed as a template against which government agencies will have their IT security processes as well as systems measured and validated against for many years to come,” said Michael Montecillo, principal analyst at Enterprise Management Associates. “Having penetration testing called out specifically as a critical control highlights the need for public and private agencies to regularly conduct full penetration tests.”

What is CAG?

Developed by a consortium of influential U.S. government agencies and their private sector partners – including the Department of Defense, Department of Energy, FBI and US-CERT, along with NIST and SANS Institute, among many others – the CAG aims to help organizations prioritize critical IT security concerns and identify tools that can help improve their overall standing by “focusing on critical issues and low-hanging fruit.”

The CAG is also noteworthy in that it has already been used by NIST as a basis for the recently revamped version of its Special Document 800-53 – the guidelines used by security auditors conducting FISMA compliance reviews. In addition, the CAG deliberately parallels many of the recommendations laid out in the U.S. Information and Communications Enhancement (ICE) Act, a bill currently under review by Congress as a replacement and update to FISMA.

“Hopefully incidents such as the Heartland data breach have ushered in a paradigm shift in corporate America, one in which security managers begin to refine their risk assessments to include cyber,” said Tom Kellermann, VP Security Awareness, Core Security. “The CAG represents the most proactive baseline to date to assess cyber risk.”

How does CORE IMPACT address the CAG?

The introduction to the CAG guidelines specifically cites the need for cyber-security controls that are tacitly proactive and can “inform defense” of actual attacks that have compromised systems, or those that could transpire to do so.

The CAG also submits that the controls it recommends should be “automated where possible, and periodically or continuously measured using automated measurement techniques where feasible.” Among the listed CAG controls are several that specifically call for agencies to adopt proactive penetration testing and Red Team assessment exercises – along with a number of other guidelines in which such tests can play an integral role.

Critical Control 17

CAG Control 17 recommends that organizations increase their commitment to Penetration Tests and Red Team Exercises:

“Organizations should conduct regular penetration tests to identify vulnerabilities and attack vectors that can be used to exploit enterprise systems successfully. Penetration testing should occur from outside the network perimeter (i.e., the Internet or wireless frequencies around an organization) as well as from within its boundaries (i.e., on the internal network) to simulate both outsider and insider attacks.” (Excerpt)

CORE IMPACT Pro can directly address CAG Control 17 by:

  • Providing organizations with the ability to perform ongoing penetration testing of Web applications, network systems, endpoints and email users, and to simulate both external and internal attacks.
  • Automating many of the time-consuming tasks involved in manual penetration testing and reporting, and allowing testers to add, expand and/or customize onboard exploit code via an extensible Python interface.
  • Proving weaknesses, possible violations and potential improvements required in many of the other Critical Control areas, including validation of vulnerability scans.

Further information on additional CAG controls that CORE IMPACT Pro and automated penetration testing can help government organizations address is available from Core Security.

About Core Security Technologies

Core Security Technologies is the leader in comprehensive penetration testing software solutions that IT executives rely on to expose vulnerabilities, measure operational risk and assure security effectiveness. The company’s CORE IMPACT product family offers a comprehensive approach to assessing the security of network systems, endpoint systems, email users and web applications against complex threats. All CORE IMPACT security testing solutions are backed by trusted vulnerability research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Based in Boston, Mass. and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980.