NSA’s top hacking boss explains how to protect your network from his attack squads

The United States National Security Agency (NSA) is a notoriously secretive organization, but the head of its elite Tailored Access Operations (TAO) hacking team has appeared at Usenix’s Enigma conference to tell the assembled security experts how to make his life difficult. Rob Joyce has spent over a quarter of a century at …


"use a cloud company you are essentially handing your data over to them and relying on their security, so he warned due diligence is even more important than usual."

I wonder how many cloud computing deals will be queered by that insight.


Not many, I'll wager. The conference was attended by IT guys, not the guys who sign those deals.

Still, it will add to the list of things to take into account when drafting such deals.


Unless you have Windows 10

In which case they go straight to exploiting data.


There is no 'cloud' just someone else's computer.


<quote>"use a cloud company you are essentially handing your data over to them and relying on their security, so he warned due diligence is even more important than usual."</quote>

Words that should be beaten into the heads of damagement until they finally """get it""", and then, maybe they will think twice about embracing the cloud.

It is my position that corporate managers and directors who support such idiotic decisions ought to be removed from their position as unfit to hold them, because they clearly cannot see the risks those decisions would expose the company to.


My guess is many if not most companies would be more secure in the cloud than on-premise.


What's your view on people who use an obvious non sequitur in their decision making?


Truer words have not been spoken

I think there is a strong sense of delusion among corporate IT people that they are better than, say, Amazon, Microsoft or Salesforce at fending off attackers.

With very few exceptions, AWS & Azure are more secure than on-premise machines at 90% of all companies.


What he's really saying about using the cloud

Is that if you are going to put your data on a cloud, then you'd better only do so after it's been locally encrypted. And all access should use local encryption/decryption, so that when the inevitable compromise of the cloud provider occurs, all anyone can steal from the cloud provider is encrypted data.


Nearly all big cheeses have gotten where they are simply because they have a massively myopic kick-the-can-down-the-road mentality. It follows that nearly all corporate strategy decisions are made entirely focussing on very short-sighted business reasons with absolutely no concerns about even the most blindingly obvious future problems/costs/risks/consequences.

They only worry about that stuff after it inevitably bites them hard, and for some weird reason even though it was the obvious outcome from an obviously flawed strategy that they came up with, its never perceived as a clear indicator of their incompetence.


I've seen hundreds of systems over the years and wherever I've been, security invariably sucks, even in the places where they really know it does suck. So, it's not a non sequitur to state that they'd probably be more secure with someone else handling the data at rest part of the equation or data in transit within the cloud provider.

Data in transit and data at rest still on premises will remain key determiners of exactly how the overall security posture rates up or rates down. A proper provider will help the business to lock down the in-transit data as well. Then the on-premises setup will be the only part that sucks.

Security is a process and the number of people that actually can read and apply proper processes is vanishingly small it seems to me. And that's assuming that you have personnel, budget, and executive buy-in. So, if some exec goes all goo-goo eyes over the cloud, then it's time to see where you can take advantage of the situation, if possible, to advance your systems security.


"Words that should be beaten into the heads of damagement until they finally """get it""", and then, maybe they will think twice about embracing the cloud."

I do "get it" thank you (MD - but not a doctor.) Please go easy on the quotation marks - I don't get that.

Anonymous Coward

"I wonder how many cloud computing deals will be queered by that insight."

Not a single one. Reason? The decision to use cloud is made by managers.

Accountants see the financial and operational benefits (and these are very compelling). The cool kids in technology see a new shiny toy that they really, really want to play with.

So management is under huge pressure by the accountants and the cool kids in technology to move to the cloud. Security people are seen to be panicky (and even more boring than accountants), so will have very little influence on the decision - which will essentially be economic.


Re: Truer words have not been spoken

"With very few exceptions, AWS & Azure are more secure than on-premise machines at 90% of all companies."

Except that while the PATRIOT Act is still in place, all your data belong to the USG on request.

No warrant required.

No probable cause required.


Re: Truer words have not been spoken

Not to mention it increases the magnitude of your vulnerability.

Data hosted locally is potentially compromised by attacks against the company network.

Cloudy data is potentially compromised by attacks against the cloud provider, the company network which can access the data, or the link between the two.


Re: Truer words have not been spoken

That depends who the attackers are. If you're dealing with regular internet hackers, that may be true. If you're high enough profile to get noticed by nation-state hackers though, then they'll already have their ways of getting into any major cloud service - by means of warrant, threats or hacking - and you can't trust any hardware you don't have physical control over.

Hackers crack your server's authentication. The NSA just strolls over to Microsoft and waves a 'give us your data, tell no-one or you go to jail' letter. Or the FSB might do likewise, and point out that there are billions of dollars to be made in Russia and a company that doesn't cooperate with investigations may not be able to operate in the country. You get the idea.

Identify your threats, choose appropriate countermeasures. Chances are your organisation isn't going to merit the directed attentions of any state intelligence agency, so for the most part you don't have to worry about them - just the standard barrage of opportunistic script kiddies, ransomware, DDoS extortion, hacktivists, spammers and all our favourite internet ne’er-do-wells. In which case, Azure or Amazon or some lesser-known cloud may well be more secure than your own team of non-specialists.


Just a PR friendly, long winded way to say:

"Hello gentlemen. All your base are belong to us."


Re: Just a PR friendly, long winded way to say:

More like, "When we want your base, it's ours. Until then, we appreciate you building and maintaining it for us."


Re: Just a PR friendly, long winded way to say:

You know what you saying.


Re: Just a PR friendly, long winded way to say:

You have no chance to survive make your time.


“If you really want to protect your network you have to know your network, including all the devices and technology in it,” he said. “In many cases we know networks better than the people who designed and run them.”

This is transferable to all other stuff you want to protect, like buildings, cars, mobile devices, what have you.


My car is in my garage. When not there, either I'm in it, or it's locked.

Why do I need to know how the engine works to ensure that it is protected ?

I agree that it is good to know how the lock functionality works, but it's not like you can tell the garage to install something else if you don't like it.


Flawed car analogy. Better would be you can lock your car in a garage, but you need to make sure the key to the garage hasn't been copied for someone else to use (patching), that there's some kind of surveillance that flags people you don't recognise or people you do recognise acting in ways they don't usually act (intrusion detection) and that you're not handing your key to anyone who rocks up at your house claiming to be the car repairman (spearphishing).


Why do I need to know how the engine works to ensure that it is protected ?

If you drive a 1963 Aston Martin, you have nothing to worry about. But if you have a 2016 model year vehicle with all the whizbang connectivity, there's a good chance that your car can be hacked remotely (assuming you didn't line your garage with cyclone fencing and aluminium siding).

It's the attack vectors that require attention, not most mechanical bits like the engine or tires. So that means you have to study the vehicle's weaknesses and design to address those.

In your case, best not to worry about it and head to the pub for a pint.


Re: Flawed car analogy.

I am reminded of a tale a reformed car thief once told me. While he was still in the business he had a friend who repeatedly robbed a gated mansion. It seems the owner was wont to park his unlocked car in the driveway, thinking the gate actually deterred entrance to the property. So his friend would hop the gate, get into the car, and then use the garage door opener to enter the house. At which time he could leisurely loot as much as he wanted from the house. And as the car also had the gate remote, his buddy with the loot car could easily enter.

These things are frequently far simpler than the convoluted ways we construct for thieves to carry on their work.

Oh, about a month after he told me that story he demonstrated a HUGE problem with the physical security in our building. All the entrances on all the floors had magnetic locks. Of course the primary entrance had nice fancy glass doors to impress prospective clients. With a half inch gap between them. So he took a yard stick and used a piece of scotch tape to attach a page sized piece of paper to it. He proceeded to stick the yardstick through the gap and wave the piece of paper on the inside of the door. This set off the internal motion detector which was conveniently installed for easy exit. Voila! Unlocked door, in walks the malcontent.


Re: Flawed car analogy.

I'm generally surprised when I see a facility that isn't vulnerable to the yardstick attack.


What wasn't said

“In many cases we know networks better than the people who designed and run them.”

This is probably true of most "good" hackers. To use an analogy, the poacher knows the reserve better than the warden if he wants to stay out of jail (neck unstretched, fingers, etc.).

He actually sounds like one of my compsec instructors. Low hanging fruit gets plucked first.

Makes you feel all fuzzy to know they're using standard hacking methodology, doesn't it?

"Zero days are overrated" I imagine massive clusters, unlimited cycles and OEM backdoors are too. Lots of time, huge budget, never see a jail card, where do I apply?


Re: Flawed car analogy.

I read a news story years ago - during some court case, two blokes wearing brown overalls came in, and the judge asked them what was going on. They replied they were here to service the grandfather clock in the corner, so he let them take it away as quick as possible so he could get on with the trial.

That was it - the clock was never seen again.

Anonymous Coward

Sound advice

A lot of what he said is simply good advice, and he is the sort of person who should know that. Sadly a lot of organisations simply don't take security seriously, including a good many gov departments handling sensitive data, hospitals, etc. I know from my own small work area (hence AC) that we are not "best practice" in terms of:

- automated patching (for some control machines that is too risky, so they get done manually every so often one at a time and tested before critical events)

- non-supported OS (laziness, or odd bit of software that won't work on newer version)

- risky devices not segmented on network (e.g. printers and stuff with web servers in them, not updated EVER by the supplier)

- various other minor things like file permissions rather lax to make life easy, etc.

However, to address all of this properly is a major re-design of our systems and lots and lots of testing and debugging to follow. So given the low value of our data and lack of money and resources (hey, we work to gov grants!) it's just going to happen...


Re: Sound advice

I'm taking this a bit further. His advice is solid. I believe that. But there's enough people who will say "he's from NSA and lying" and then promptly do the opposite.

Anonymous Coward

Solid advice

He is offering good advice. Doesn't matter though as advice is mainly ignored by way of 'It'll never happen to us' being the most common justification.

I'm consulting for a company at the moment and offered them such advice that was about to largely be ignored. Then I get a phone call of how they have been compromised by a popular ransomware and I have to resist the urge to say 'told you so' :)

Hopefully this scare will make them take note.

AC obviously :)


Re: Solid advice

<quote>I'm consulting for a company at the moment and offered them such advice that was about to largely be ignored. Then I get a phonecall of how they have been compromised by a popular ransomware and I have to resist the urge to say 'told you so' :)</quote>

You DID triple your rate, didn't you???? (assuming you went out and cleaned things up)


Kudos

Kudos to him for making the appearance and answering questions. I'm sure he didn't share all he knew, but who would in his position? Personally I would agree that whitelisting devices is the way to go. Currently where I work, anyone can plug anything in and get an IP. Vendors and visitors are in and out all day and conference rooms abound with wired LAN connections. Not that it would necessarily be that hard to spoof a MAC address, but it would be a good start, though admittedly a headache for our WAN team to deal with.


Re: Kudos

802.1x? Corporately-owned devices get on the internal network; anything else (assuming a location where visitors are allowed) goes to the guest network. (Of course, if you don't already have appropriate physical security controls on your wiring closets, you've got bigger problems to take care of first.)


Re: Kudos

802.1x has been around for a very long time (in relative tech time), as have many other technologies (anti-spoofing filters, IDS/IPS/DLP, firewalls, anti-malware, automatic security update patching etc.) that would improve security dramatically *if* deployed correctly, and monitored rather than just purchased as some sort of magic talisman, which is then left either not configured or poorly tuned, resulting in it then either not working or routinely ignored for being 'too noisy'.

Which sadly from what I have seen to be the 'normal' in far too many places.

Good security is more about attitude and culture than tech IMO.

(Also overly restrictive security that gets in the way of people doing their jobs, makes people do silly things, sometimes creating vulnerabilities!)


Is he making his own job harder...

... or does he know that at the end of the day much of this stuff comes down to the time and money an organisation is prepared to devote to IT security, which is not going to change?

Still, I'd rather have him out there saying this stuff.


I worked as a security consultant for 25 years and performed some security duties for the 10 years before that. There is nothing in his talk that is unknown, there is nothing that should come as a surprise or a revelation. But in that 35 years I can count on 1 finger the number of companies, huge, large or small, or the number of government agencies, State local or federal, that actually do much about any of it. "Tell me what product to install and run." is the usual comment. We are insecure not because we lack the technology but because management is unwilling to demand & pay for the hard work of creating a secure environment.


And that is exactly why 'cloud' services like Salesforce & AWS are way more secure than on-premise for the vast majority of companies.


Re: Netminder

The 'tell me the product' is caused by a mindset that values things more than people. The ultimate truth behind all this is that you need skilled, knowledgeable and motivated people minding the store but having them around implies that the corporation has to 'share' with those people. The prevailing attitude is usually that people are expensive stop-gaps that you keep around because you haven't found the right box to replace them with. Yet.

Vic

Re: Netminder

The 'tell me the product' is caused by a mindset that values things more than people.

And just look at how many of those claim to be "Agile".

The very first element of the Agile Manifesto reads:

Through this work we have come to value:

Individuals and interactions over processes and tools

Vic.

Anonymous Coward

More cynical

To repeat my suggested explanation for Microsoft issuing registry entry fixes for Win 10 issues, only to us types who know how to find them in the 1st place: yes, essentially this guy is just saying what we already know. He isn't saying it to the masses any more than Microsoft are explaining how to stop certain unwanted behaviours to them. In both cases the explanation is more likely to be to put us off our guard?


Nice of 'em to get so SOCIAL...

...rather than just ENGINEERING...

Anonymous Coward

Wouldn't you think?

It makes you wonder about the groups that have people like the NSA come in to do evaluations on their security. If they told you that "Hey, This and this are a problem and oh by the way we accessed all this from this exploit." Wouldn't that be a big sign that oh we might need to fund the upgrades and updates to fix this?

AC for obvious reasons


Re: Wouldn't you think?

No, but only because of experience.

About a decade ago the IT department I was working in was so fucked, the CEO of the company ordered the CTO to hold a retreat where the entire IT department was free to speak their mind. And things were so bad they actually did. After airing a fair lot of dirty laundry the CTO made an unprecedented gesture. He actually opened the floor to the entire IT staff to plan the next set of upgrades. Mostly it was the networking team, as was appropriate. So they all sat down in a big meeting, discussed all of the things they'd like to do, and proposed what the next step for the organization would be. There were several projects, an upgrade to the current version of Exchange server to replace the aging 95 version we were running, a proposal for a secure wireless system, some server replacements, a new core switch to replace the used one that was purchased four years before when we moved into the building, and building out a new high end SAN.

After discussion and looking at the budget everyone (including the Exchange guy and you know how much THEY hate to pass on upgrades) agreed that although it would require the entire budget for only one project, the SAN should be the next project. So they wrote it all up including the options to do everything but the SAN. The one project they absolutely didn't want to do was the secure wireless. So they handed it to one of the junior techs and said "price this out gold plated so it gets rejected" which he happily did. The first project that was approved? Yep, the gold plated wireless proposal. The project that was scrapped without much discussion? The SAN. Yes, it did get built about two years later.


Of course he could also have said that IT managers should not allow any system using Windows to allow anyone to log on as 'Administrator', or as 'root' in Linux.

Router login passwords often set at default make it easy to gain entry, 'Firewall' settings too.

Sensible advice about external devices such as mobile phones, digital cameras, memory cards of any kind.

Perhaps the most hazardous security risk is that which is using the keyboard or other input device.

Sometimes a 'keylogger' installed by IT can be useful to log activity; system, event or app logs are a two-way sword, okay for logging, but not so when sending such logs through the network to servers.


IN OTHER NEWS

Wolf advises sheep on security.


Re: IN OTHER NEWS

Well he doesn’t want the other wolves to eat them!


QR Code

he displayed a QR code for attendees to scan for more information, joking that who’d really trust something like that from the NSA.

The first thing I thought when I saw the image was, "Who would scan that?"


Re: QR Code

Me, because my phone tells me what it contains and gives me options instead of just automatically executing. Didn't seem to get a good enough picture to decode though.

Cue folks saying "that you know" in 3, 2...

