Astonishing, that the list of 20 controls was FOUO/Classified!
Just astonishing!
(This is long, and not really catering to the "sound-bite-minded"...)
I read the first 16 pages, and when I looked at the list 2-3 times, it increasingly seemed reminiscent of what any sysadmin taking Netware System Administration from 1996 might conjure up.
When I was a temp assigned to a Lockheed office in Sunnyvale, I was assigned to work in a "cage" (more of an inventory control room, not a sensitive area like other DOD contractors' "cages"). When not roaming doing installs of Win95, updaing .dot files, or removing the "I love you" crap, or installing or tweaking Resumex, etc., I was in my cage playing with Lotus Approach. I was teaching myself databases, and decided to enhance my inventory of what I was told to inventory. I thus included EVERYTHING that contained an ID, serial number, MAC hardware address, or other form of info that would help my various managers not only monitor costs, but monitor how much junk or obsolete hardware was sitting around, what types the hardware were, to whom they were assigned, how old they were, how many times they'd been looked at or suspected as trouble hardware, what OS version and so on were on what machines, in which rooms, on what tables, and more. All the NICs, hard drives, mice, keyboards, CRTs, modems (only a very few people in that building of around 80 people had a modem, hehehe), and sos on were in my database.
Theoretically, this would form the basis for implementing a secure and robust IT filter system to monitor traffic, employees, entry and exit of information, and more, not just relying on the then-available MS server and domain related monitoring tools. Netware and other tools of the day were in place, too. But, I only did that to maximize my non-programming use of Lotus Approach, learning to create forms, views, charts, reports, and master-detail views to get at relationships between hardware and assignment.
Later, when seting up an Internet Cafe business plan, I did something similar, starting out with the intent to create a receipts tracker in the event I were ever audited, I ended up creating a prototype fraud-sleuthing database. That's just playing around.
I don't see how that list of 20 items would be so useful to obscure. Security through obscurity at the highest of levels - in a security-conscious working group! Those individual items are everything any due-diligence IT manager of even 1999 would pursue, and it would have been casual conversation in those IT trainers we were sent to for something like $99 to $400 per day.
Am I overreacting?
It seems to me that the top users among the commercial entitiess are just trying to avoid spending money. If they all follow the typical topology, layers, protocols, filtering, and other standards, and implement dynamic access controls that tie in with customers and customer's plans, a boatload of attacks could have been prevented over the last 15 years -- or would have spurred the attackers of the time frame to innovate around the 20 measusres/controls. To their credit, though, the ATTBIs and Comcasts of the early 2000 inadvertently helped with security in some limited way: via the use of their "branded" IE browser CDs, they could keystroke or otherwise monitor their customers and detect early signs of malicious or hijack activity, and by manipulating the routers they provided, could deprive the customer of exceeding the 3-count limit of devices.
But, when I figured out their game, and figure they just wanted to extract more money for no work, or to limit me, I my own routers and switches and attached all my test machines on my side of the demarc and defied them to do a damned thing about it. I wasn't increasing bandwith, since I only had two hands and was not using automated process on all 8 or 9 machines, and what happened on my side of the demarc that was not a disruption to the network outside was NONE of THEIR damned business. They also hated that I used Linux, and no IE disk they customized was going to run on my LAN. So, I regularly was on their shitlist and regulary had connectivity issues, invariably being blamed on some drunk driver slamming into a green service box off the freeway. Liars. Or so I think they were being.
But, though that list was "secret" or FOUO for around 2 years doesn't mean that most companies lacked any of their own intelligence to implement the same effects. They probably just didn't want to spend the money.