Learning from NSA

This is the first in a series of two blogs. Check back tomorrow for part 2!

Believe it or not, some of the best hackers in the world work for our own government. Not only do government entities like the NSA have some of the best talent working for them, but they are also supplied with nearly infinite resources and face no threat of going to prison for trying to exploit vulnerabilities in some of the most secure networks in the world. This is why, when Rob Joyce, the NSA Chief of Tailored Access Operations (TAO), talks about things you can do to stop nation-state intruders from gaining access to your network, you should listen.

In order to protect your network, you must really know your network

Hackers are often successful at intruding into a network simply because they know the network better than the people who set up and secured it in the first place. Protecting your network involves thinking like someone who plans to attack it. You know the soft underbelly of your network; you know the projects you failed to implement or that were poorly implemented; you know how you can bypass your security to get the job done... You should absolutely believe your attackers know these things as well.

Rob Joyce offered quite a few suggestions during his 35-minute presentation which will make it harder for his elite team of hackers to gain access to your environment. In today’s blog, we’ll review the first 5 of 10 of Rob Joyce’s tips. Tomorrow we’ll review the remaining 5. We’ll also review some best-practice guidance on how to make these tips real in your environment.

1. Limit access to privileged accounts

There are two schools of thought when it comes to limiting access to privileged accounts. The approaches can be done independently or in conjunction with one another.
  • Implement a least privilege strategy so users are granted only the rights needed to carry out the duties of their role. Any least privilege solution should be bound by a policy which dictates who can do what, where they can do it, and when and under what conditions said things can be done.
  • Leverage a password management solution to properly secure access to privileged accounts. This allows for automatic credential rotation and delegated access. It can also act as a bastion or jump host to grant access to systems in segmented areas of your network.
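As an added illustration (not code from the original post or from any product it mentions), here is a small deny-by-default policy check in Python that encodes the four dimensions a least privilege policy must cover: who, what, where, and when/under what conditions. The users, roles, hosts, actions and time windows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet

# Constructed for this example: a privileged action request carries
# who is asking, what they want to do, where, and when.
@dataclass(frozen=True)
class Request:
    user: str
    action: str
    host: str
    when: datetime

@dataclass(frozen=True)
class Rule:
    roles: FrozenSet[str]        # who
    actions: FrozenSet[str]      # what
    hosts: FrozenSet[str]        # where
    start_hour: int = 0          # when: allowed window, hours [start, end)
    end_hour: int = 24
    require_ticket: bool = False # under what conditions

# Sample role assignments (constructed).
ROLE_OF = {"alice": {"dba"}, "bob": {"helpdesk"}}

# Sample policy (constructed): DBAs may touch the prod DB host only in
# business hours and only with a change ticket; helpdesk may reset
# passwords on the directory host at any time.
RULES = [
    Rule(frozenset({"dba"}), frozenset({"restart-db", "read-logs"}),
         frozenset({"db-prod-01"}), 8, 18, True),
    Rule(frozenset({"helpdesk"}), frozenset({"reset-password"}),
         frozenset({"ad-01"})),
]

def is_allowed(req: Request, has_ticket: bool, rules=RULES) -> bool:
    """Deny by default; allow only when one rule matches every dimension."""
    for rule in rules:
        if not (ROLE_OF.get(req.user, set()) & rule.roles):
            continue                                   # wrong who
        if req.action not in rule.actions or req.host not in rule.hosts:
            continue                                   # wrong what/where
        if not (rule.start_hour <= req.when.hour < rule.end_hour):
            continue                                   # wrong when
        if rule.require_ticket and not has_ticket:
            continue                                   # condition unmet
        return True
    return False
```

Every request that is not explicitly covered by a rule, including those from unknown users, is refused, which is the behaviour a least privilege policy should default to.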
2. Segment networks

Implement VLANs or other secure network segmentation strategies for resources that are considered high-value targets and need secure interaction with other high-value resources. The goal is to place strict controls around where communication originates, where it goes, traffic analysis, and which ports and protocols are permitted. Undertaking this project requires companies to create bastion hosts or jump hosts to permit admins to move from the corporate network to the secured segments. This makes it more difficult for attackers to access these high-value resources.

3. Patch systems

99.9% of the exploited vulnerabilities in 2014 cited in the 2015 Verizon Data Breach Investigations Report were known vulnerabilities made public in prior years. Patching is about discovering, prioritizing and remediating. Anyone tasked with vulnerability management will say it is not feasible to patch EVERYTHING. However, we can still patch, or implement available mitigation techniques where patching is not possible. The goal should be to reduce the time you remain vulnerable.

4. Application whitelisting

Controlling which applications are permitted to launch greatly reduces the attack options of would-be hackers. This functionality should, at a minimum, be performed on servers and other critical machines. Servers typically run fewer applications than desktops, which makes this project easier.

5. Remove hard-coded passwords

Removing hard-coded passwords is a by-product of implementing a password management solution. All enterprise solutions provide options to remove passwords from scripts and applications and replace them with secure retrieval from a password manager.

Limiting access to privileged accounts, and enforcing good network, system and password hygiene, represent only a few of the suggestions for adapting your defense to the NSA. Check back tomorrow for more best practices.