NSA’s top hacking boss explains how to protect your network from his attack squads The United States National Security Agency (NSA) is a notoriously secretive organization, but the head of its elite Tailored Access Operations (TAO) hacking team has appeared at Usenix’s Enigma conference to tell the assembled security experts how to make his life difficult. Rob Joyce has spent over a quarter of a century at …
<quote>"use a cloud company you are essentially handing your data over to them and relying on their security, so he warned due diligence is even more important than usual."</quote>
Words that should be beaten into the heads of damagement until they finally """get it""", and then, maybe they will think twice about embracing the cloud.
It is my position that corporate managers and directors who support such idiotic decisions ought to be removed from their position as unfit to hold them, because they clearly can not see the risks those decisions would expose the company to.
I've seen hundreds of systems over the years and wherever I've been, security invariably sucks even in the places where they really know it does suck. So, it's not a non sequitir to state that they'd probably be more secure with someone else handling the data at rest part of the equation or data in transit within the cloud provider.
Data in transit and data at rest still on premises will remain key determiners of exactly how the overall security posture rates up or rates down. A proper provider will help the business to lock down the in transit data as well. Then only the on premises setup will be the only part that sucks.
Security is a process and the number of people that actually can read and apply proper processes is vanishingly small it seems to me. And that's assuming that you have personnel, budget, and executive buy-in. So, if some exec goes all goo-goo eyes over the cloud, then it's time to see where you can take advantage of the situation, if possible, to advance your systems security.
I think there is a strong sense of delusion among corporate IT people that they are better than, say, Amazon, Microsoft or Salesforce at fending off attackers.
With very few exceptions, AWS & Azure are more secure than on-premise machines at 90% of all companies.
"With very few exceptions, AWS & Azure are more secure than on-premise machines at 90% of all companies."
Except that while the THE PATRIOT Act is still in place all your data belong to the USG on request.
No warrant required.
No probable cause required.
Not to mention it increases the magnitude of your vulnerability.
Data hosted locally is potentially compromised by attacks against the company network.
Cloudy data is potentially compromised by attacks against the cloud provider, the company network which can access the data, or the link between the two.
That depends who the attackers are. If you're dealing with regular internet hackers, that may be true. If you're high enough profile to get noticed by nation-state hackers though, then they'll already have their ways of getting into any major cloud service - by means of warrant, threats or hacking - and you can't trust any hardware you don't have physical control over.
Hackers crack your server's authentication. The NSA just strolls over to Microsoft and waves a 'give us your data, tell no-one or you go to jail' letter. Or the FSB might do likewise, and point out that there are billions of dollars to be made in Russia and a company that doesn't cooperate with investigations may not be able to operate in the country. You get the idea.
Identify your threats, choose appropriate countermeasures. Chances are your organisation isn't going to merit the directed attentions of any state intelligence agency, so for the most part you don't have to worry about them - just the standard barrage of opportunistic script kiddies, ransomware, DDoS extortion, hactivists, spammers and all our favourite internet ne’er-do-wells. In which case, Azure or Amazon or some lesser-known cloud may well be more secure than your own team of non-specialists.
Is that if you are going to put your data on a cloud, then you'd better only do so after it's been locally encrypted. And all access should use local encryption/decryption, so that when the inevitable compromise of the cloud provider occurs, all anyone can steal from the cloud provider is encrypted data.
Nearly all big cheeses have gotten where they are simply because they have a massively myopic kick-the-can-down-the-road mentality. It follows that nearly all corporate strategy decisions are made entirely focussing on very short-sighted business reasons with absolutely no concerns about even the most blindingly obvious future problems/costs/risks/consequences.
They only worry about that stuff after it inevitably bites them hard, and for some weird reason even though it was the obvious outcome from an obviously flawed strategy that they came up with, its never perceived as a clear indicator of their incompetence.
"I wonder how many cloud computing deals will be queered by that insight."
Not a single one. Reason? The decision to use cloud is made by managers.
Accountants see the financial and operational benefits (and these are very compelling). The cool kids in technology who see a new shiny toy that they really really want to play with.
So management is under huge pressure by the accountants and the cool kids in technology to move to the cloud. Security people are seen to be panicky (and even more boring than accountants), so will have very little influence on the decision - which will essentially be economic.
“If you really want to protect your network you have to know your network, including all the devices and technology in it,” he said. “In many cases we know networks better than the people who designed and run them.”
This is transferable to all other stuff you want to protect, like buildings, cars, mobile devices, what have you.
My car is in my garage. When not there, either I'm in it, or it's locked.
Why do I need to know how the engine works to ensure that it is protected ?
I agree that it is good to know how the lock functionality works, but it's not like you can tell the garage to install something else if you don't like it.
Flawed car analogy. Better would be you can lock your car in a garage, but you need to make sure the key to the garage hasn't been copied for someone else to use (patching), that there's some kind of surveillance that flags people you don't recognise or people you do recognise acting in ways they don't usually act (intrusion detection) and that you're not handing your key to anyone who rocks up at your house claiming to be the car repairman (spearphishing).
I am reminded of a tale a reformed car thief once told me. While he was still in the business he had a friend who repeatedly robbed a gated mansion. It seems the owner was want to park his unlocked car in the driveway thinking the gate actually deterred entrance to the property. So his friend would hop the gate, get into the car, and then use the garage door opener to enter the house. At which time he could leisurely loot as much as he wanted from the house. And as the car also had the gate remote, his buddy with the loot car could easily enter.
These things are frequently far simpler than the convoluted ways we construct for thieves to carry on their work.
Oh, about a month after he told me that story he demonstrated a HUGE problem with the physical security in our building. All the entrances on all the floor had magnetic locks. Of course the primary entrance had nice fancy glass doors to impress prospective clients. With a half inch gap between them. So he took a yard stick and used a piece of scotch tape to attach a page sized piece of paper to it. He proceeded to stick the yardstick through the gap and wave the piece of paper on the inside of the door. This set of the internal motion detector which was conveniently installed for easy exit. Voila! Unlocked door, in walks the malcontent.
I read a news story years ago - during some court case, two blokes wearing brown overalls came in, and the judge asked them what was going on. They replied they was here to service the grandfather clock in the corner, so he let them take it away as quick as possible so he could get on with the trial.
That was it - the clock was never seen again.
Why do I need to know how the engine works to ensure that it is protected ?
If you drive a 1963 Aston Martin, you have nothing to worry about. But if you have 2016 model year vehicle with all the whizbang connectivity, there's a good chance that your car can be hacked remotely (assuming you didn't line your garage with cyclone fencing and aluminium siding).
It's the attack vectors that require attention, not most mechanical bits like the engine or tires. So that means you have to study the vehicles weaknesses and design to address those.
In your case, best not to worry about it and head to the pub for a pint.
“In many cases we know networks better than the people who designed and run them.”
This is probably true of most "good" hackers. To use an analogy, the poacher knows the reserve better than the warden if he wants to stay out of jail(neck unstretched, fingers, etc..)
He actually sounds like one of my compsec instructors. Low hanging fruit gets plucked first.
Makes you feel all fuzzy to know they're using standard hacking methodology, doesn't it?
"Zero days are overrated" I imagine massive clusters, unlimited cycles and OEM backdoors are too. Lots of time, huge budget, never see a jail card, where do I apply?
A lot of what he said is simply good advice, and he is the sort of person who should know that. Sadly a lot of organisations simply don't take security seriously, including a good many gov departments handling sensitive data, hospitals, etc. I know from my own small work area (hence AC) that we are not "best practice" in terms of:
- automated patching (for some control machines that is too risky, so they get done manually every so often one at a time and tested before critical events)
- non-supported OS (laziness, or odd bit of software that won't work on newer version)
- risky devices not segmented on network (e.g. printers and stuff with web servers in them, not updated EVER by the supplier)
- various other minor things like file permissions rather lax to make life easy, etc.
However, to address all of this properly is a major re-design of our systems and lots and lots of testing and debugging to follow. so given the low value of our data and lack of money and resources (hey, we work to gov grants!) its just going to happen...
He is offering good advice. Doesn't matter though as advice is mainly ignored by way of 'It'll never happen to us' being the most common justification.
I'm consulting for a company at the moment and offered them such advice that was about to largely be ignored. Then I get a phonecall of how they have been compromised by a popular ransomware and I have to resist the urge to say 'told you so' :)
Hopefully this scare will make them take note.
AC obviously :)
<quote>'m consulting for a company at the moment and offered them such advice that was about to largely be ignored. Then I get a phonecall of how they have been compromised by a popular ransomware and I have to resist the urge to say 'told you so' :)</quote>
You DID triple your rate, didn't you???? (assuming you went out and cleaned things up)
Kudos to him for making the appearance and answering questions. I'm sure he didn't share all he knew, but who would in his position? Personally I would agree that whitelisting devices is the way to go. Currently where I work, anyone can plug anything in and get an IP. Vendors and visitors are in and out all day and conference rooms abound with wired LAN connections. Not that it would necessarily be that hard to spoof a MAC address, but it would be a good start, though admittedly a headache for our WAN team to deal with.
802.1x? Corporately-owned devices get on the internal network; anything else (assuming a location where visitors are allowed) goes to the guest network. (Of course, if you don't already have appropriate physical security controls on your wiring closets, you've got bigger problems to take care of first.)
802.1x has been around for a very long time (in relative tech time), as have many other technologies (anti-spoofing filters, IDS/IPS/DLP, firewalls, anti-malware, automatic security update patching etc..) that would improve security dramatically *if* deployed correctly, and monitored rather than just purchased as some sort of magic talisman,which is then left either not configured or poorly tuned, resulting in it then either not working or routinely ignored for being 'too noisy'.
Which sadly from what I have seen to be the 'normal' in far too many places.
Good security is more about attitude and culture than tech IMO.
(Also overly restrictive security that gets in the way of people doing their jobs, makes people do silly things, sometimes creating vulnerabilities!)
I worked as a security consultant for 25 years and performed some security duties for the 10 years before that. There is nothing in his talk that is unknown, there is nothing that should come as a surprise or a revelation. But in that 35 years I can count on 1 finger the number of companies, huge, large or small, or the number of government agencies, State local or federal, that actually do much about any of it. "Tell me what product to install and run." is the usual comment. We are insecure not because we lack the technology but because management is unwilling to demand & pay for the hard work of creating a secure environment.
The 'tell me the product' is caused by a mindset that values things more than people. The ultimate truth behind all this is that you need skilled, knowledgeable and motivated people minding the store but having them around implies that the corporation has to 'share' with those people. The prevailing attitude is usually that people are expensive stop-gaps that you keep around because you haven't found the right box to replace them with. Yet.
The 'tell me the product' is caused by a mindset that values things more than people.
And just look at how many of those claim to be "Agile".
The very first element of the Agile Manifesto reads:
Through this work we have come to value:Individuals and interactions over processes and tools
Vic.
To repeat my suggested explanation for Microsoft issuing registry entry fixes for Win 10 issues, only to we types who know how to find them in the 1st place: yes, essentially this guy is just saying what we already know. He isn't saying it to the masses any more than Microsoft are explaining how to stop certain unwanted behaviours to them. In both cases the explanation is more likely to be to put us off our guard?
It makes you wonder about the groups that have people like the NSA come in to do evaluations on their security. If they told you that "Hey, This and this are a problem and oh by the way we accessed all this from this exploit." Wouldn't that be a big sign that oh we might need to fund the upgrades and updates to fix this?
AC for obvious reasons
No, but only because of experience.
About a decade ago the IT department I was working in was so fucked, the CEO of the company ordered the CTO to hold a retreat where the entire IT department was free to speak their mind. And things were so bad they actually did. After airing a fair lot of dirty laundry the CTO made an unprecedented gesture. He actually opened the floor to the entire IT staff to plan the next set of upgrades. Mostly it was the networking team, as was appropriate. So they all sat down in a big meeting, discussed all of the things they'd like to do, and proposed what the next step for the organization would be. There were several projects, an upgrade to the current version of Exchange server to replace the aging 95 version we were running, a proposal for a secure wireless system, some server replacements, a new core switch to replace the used one that was purchased four years before when we moved into the building, and building out a new high end SAN.
After discussion and looking at the budget everyone (including the Exchange guy and you know how much THEY hate to pass on upgrades) agreed that although it would require the entire budget for only one project, the SAN should be the next project. So they wrote it all up including the options to do everything but the SAN. The one project they absolutely didn't want to do was the secure wireless. So they handed it to one of the junior techs and said "price this out gold plated so it gets rejected" which he happily did. The first project that was approved? Yep, the gold plated wireless proposal. The project that was scrapped without much discussion? The SAN. Yes, it did get built about two years later.
Of course he could also have said that IT managers should not allow any system using Windows to allow anyone to logon as 'Administrator' or as 'root' in Linux.
Router login passwords often set at default make it easy to gain entry, 'Firewall' settings too.
Sensible advice about external devices such as mobile phones,digital cameras, memory cards of any kind.
Perhaps the most hazardous security risk is that which is using the keyboard or other input device.
Sometimes a 'keylogger' installed by IT can be useful to log activity,system,event or app logs are a two way sword,okay for logging,but not so when sending such logs through the network to servers.
This post has been deleted by its author
I've worked on very confidential projects where the main software tools used are all cloud based with no other secure versions available for use on airgaps, thankfully these projects were not at the competition stage whereby UK companies bidding against US companies would have to worry about economic espionage. However, if they were, regardless of any kind of special relationship what possible guarantees would a non US company have that their intellectual copyright is secure in these circumstances? Especially as the the software providers no longer offer non cloud based versions of the software. When working at a smaller scale, in what way could a UK based startup for instance sign an NDA for a client?
If the US were really, really interested they would rifle through the filing cabinets etc in your office, during office hours (or maybe the lunch break).
As mentioned earlier, what the nice man from from the NSA was doing was asking us to make life a bit more difficult for their competitors. Seems churlish to refuse.
"As for the NSA’s own collection of zero-day exploits, Joyce said that in fact the agency had very few and each new one was discovered was evaluated by an outside committee to see when software manufacturers should be informed to build a patch. The NSA doesn’t have the final decision on this, he claimed."
Have I read this correctly ?
The NSA is just the finder and yet another outside alphabet agency makes a decision ?
Home land security ?
Big business ?
They whom then decide whether to patch or exploit...
Tin foil was never really the best material to make a hat with.
Luckily my lead lined technicolor dream coat will keep me safe from the back door.
> Step one : Stop listening to NSA tips on how to stop the NSA from spying on you.
I really dislike using analogies, but I am going to use one: if I, or any other competent boxer, tell you¹ I'm going to give you a left hook to the liver, I tell you in detail how to defend against the attack, and then I do exactly what I said I was going to do, you still have no chance of stopping the hit no matter how much I warned you about it. Why? Because I've got the conditioning, practice, and skill, and all you've got is a bit of information.
However, if some random punk decides to attack you, that bit of information I've given you may come in handy after all.
So no, do not discount what he says just because he's good enough at it that he can afford to reveal some of his tricks.
¹ Assuming you are not a competent boxer yourself.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
