A great deal has been said about the NSA’s abilities to sneak into corporate networks. Now the agency’s hacker chief says how to protect your network.
At the Usenix Enigma security conference in San Francisco, Rob Joyce, whom Wired (which reported on the event) half-jokingly called the NSA's hacker-in-chief, took the stage to describe how to keep his team, and other hackers and governments, out of corporate networks. Joyce heads the NSA's Tailored Access Operations (TAO) team, which devises the hacking tactics used to get past cyber defenses.
The TAO team first became public knowledge through the documents leaked by Edward Snowden in 2013. While Joyce did not, and could not, go into much detail about TAO or other NSA teams and projects, he did say a little about the tactics they use. The people most targeted within a company are not the CEOs and other top managers. Instead, the attackers focus on obtaining the credentials of the people who (should) know the network best: its administrators. With those privileged accounts in hand, the attackers can move through the entire network with ease.
This may seem counterintuitive, since network admins are supposed to know the social engineering tricks, use strong passwords and take every precaution to keep their accounts secure. But even the best security is not foolproof, and admin accounts generate so much legitimate activity that spotting something unusual among it can take time.
The NSA also looks for passwords hardcoded in software, and for passwords sent over old, legacy protocols that either do not encrypt them at all or protect them weakly. Given how many companies still use dated protocols, and that several severe vulnerabilities have been found in OpenSSL and other supposed "safe havens", this is an avenue other attackers often pursue as well.
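The two things in the paragraph above, secrets baked into code or config and logins carried over cleartext protocols, are exactly what a repository and config scan should surface before an attacker finds them. The script below is an added example written for this page, not code from Joyce, the NSA or Coursedot. The file contents it scans are constructed samples, the credential-name patterns and the list of cleartext protocols are this example's own assumptions, and the report masks each value so the findings file does not itself become a copy of the secrets.

```python
import re

# Constructed sample files (not from any real project). Each shows a case
# the paragraph above warns about: a secret baked into code or config, a
# login embedded in a URL, or a service driven over a protocol that sends
# the credential in the clear. The README line is there as a near-miss that
# must NOT be reported.
SAMPLE_FILES = {
    "app/settings.py": 'DB_PASSWORD = "Summer2015!"\n'
                       'API_TOKEN = os.environ.get("API_TOKEN")\n'
                       'DEBUG = False\n',
    "scripts/backup.sh": 'ftp -n backup.internal <<EOF\nuser backup hunter2\nEOF\n',
    "deploy/inventory.ini": 'db01 ansible_user=root ansible_ssh_pass=toor\n',
    "lib/client.py": 'URL = "http://svc:s3cr3t@api.internal/v1"\n',
    "docs/README.md": 'Set the password via the PASSWORD environment variable.\n',
}

# A credential-looking identifier assigned a literal value (key=value, key: value).
# The name list is an assumption of this example; extend it for your code base.
CRED_ASSIGN = re.compile(
    r'(?i)(\w*(?:password|passwd|pass|pwd|secret|token|api_?key)\w*)'
    r'\s*[:=]\s*["\']?([^\s"\']+)'
)
# Values that are references or placeholders rather than real secrets.
PLACEHOLDER = re.compile(r'(?i)^(\$|os\.environ|getenv|<[^>]*>$|change ?me$|xxx+$|\*+$)')
# user:password@ embedded in a URL; group 1 is the scheme, so "http" is reported too.
CRED_IN_URL = re.compile(r'(?i)\b(https?|ftp)://([^\s/:@"\']+):([^\s/@"\']+)@')
# Legacy protocols that put the login on the wire in clear: as a command or a scheme.
CLEARTEXT_CMD = re.compile(r'^\s*(ftp|telnet|rsh|rlogin)\b')
CLEARTEXT_SCHEME = re.compile(r'(?i)\b(ftp|telnet)://')


def mask(secret):
    """Keep only a hint of the value so the report itself does not leak it."""
    return secret[:2] + "***"


def scan_text(path, text):
    """Return a list of findings (dicts) for one file's contents."""
    findings = []

    def add(lineno, kind, detail):
        findings.append({"path": path, "line": lineno, "kind": kind, "detail": detail})

    for lineno, line in enumerate(text.splitlines(), 1):
        m = CRED_ASSIGN.search(line)
        if m and not PLACEHOLDER.match(m.group(2)):
            add(lineno, "hardcoded-credential", f"{m.group(1)} = {mask(m.group(2))}")

        m = CRED_IN_URL.search(line)
        if m:
            add(lineno, "credential-in-url", f"user {m.group(2)} over {m.group(1).lower()}")

        m = CLEARTEXT_CMD.match(line) or CLEARTEXT_SCHEME.search(line)
        if m:
            add(lineno, "cleartext-protocol", m.group(1).lower())
    return findings


def scan_files(files):
    """Scan a {path: contents} mapping; in practice the mapping is walked from a repo."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['path']}:{f['line']}: {f['kind']}: {f['detail']}")
```

Run against the samples, the scan reports the password in settings.py, the ftp command in the backup script, the Ansible SSH password in the inventory and the user:password@ login in the client URL, while the environment-variable reference and the README sentence are left alone. Regex scanning is a first pass, not a proof of absence; treat every hit as a credential to rotate, not merely a line to delete.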
“Don’t assume a crack is too small to be noticed, or too small to be exploited. If you do a penetration test of your network and 97 things pass the test but three esoteric things fail, don’t think they don’t matter. Those are the ones the NSA, and other nation-state attackers will seize on. We need that first crack, that first seam. And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in”, he said.
This includes zero-day vulnerabilities (flaws unknown to the vendor, for which no patch yet exists), which the NSA and other attackers do exploit, although they are not a high priority. “With any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”
Joyce also said never to open your network to vendor access, even temporarily, for support for example, because attackers wait for exactly such openings. It may cost more, but the vendor should troubleshoot the problem on-site within the network rather than remotely. Another common way in is through employees’ personal devices, used in the office without having been properly secured by the network admins. Even heating and cooling systems and similar equipment are not safe; they too can provide a path into the corporate network.
Joyce noted that access privileges for core systems should be limited, that networks should be segmented, and the same goes for important data. Networks should use device and application whitelisting, and everything should be patched regularly. He also added that the NSA really, really hates devices that monitor and log network activity, and sysadmins who then actually read those logs.
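Reading the logs is what turns the earlier point about admin credentials into something a defender can act on: the accounts attackers want most are the ones whose logins deserve the closest review. The script below is an added example for this page, not code from Joyce, the NSA or Coursedot. It parses OpenSSH authentication lines (the log lines themselves are constructed) and applies an assumed policy: which accounts count as privileged, which jump hosts each may log in from, that privileged logins must use keys rather than passwords, and how many failures from one source before a success is suspicious. All of those values are this example's own assumptions.

```python
import re
from collections import defaultdict

# Assumed policy (hypothetical values for this example): privileged accounts,
# the only sources each may log in from, and the failure count that makes a
# following success suspicious.
PRIVILEGED = {"ops-admin", "root"}
ALLOWED_SOURCES = {"ops-admin": {"10.0.5.12"}, "root": set()}
FAIL_THRESHOLD = 3

# Constructed OpenSSH auth log lines (not from a real system). A normal admin
# login from the jump host, an ordinary user, then three password failures
# from an outside address followed by a success on the admin account.
SAMPLE_LOG = """\
Jan 27 08:12:01 bastion sshd[2231]: Accepted publickey for ops-admin from 10.0.5.12 port 51022 ssh2
Jan 27 08:13:40 bastion sshd[2240]: Accepted publickey for dev-alice from 10.0.7.33 port 50110 ssh2
Jan 27 22:41:02 bastion sshd[3107]: Failed password for ops-admin from 203.0.113.7 port 40212 ssh2
Jan 27 22:41:05 bastion sshd[3107]: Failed password for ops-admin from 203.0.113.7 port 40212 ssh2
Jan 27 22:41:09 bastion sshd[3107]: Failed password for ops-admin from 203.0.113.7 port 40212 ssh2
Jan 27 22:41:15 bastion sshd[3110]: Accepted password for ops-admin from 203.0.113.7 port 40230 ssh2
Jan 27 23:02:44 bastion sshd[3150]: Failed password for invalid user admin from 198.51.100.9 port 3344 ssh2
Jan 27 23:05:10 bastion sshd[3161]: Accepted publickey for dev-alice from 10.0.7.33 port 50188 ssh2
"""

# Matches the "Accepted <method> for <user>" / "Failed <method> for [invalid user] <user>"
# lines sshd writes at the default log level.
LINE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: '
    r'(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<src>\S+) port \d+'
)


def parse(log):
    """Yield one dict per sshd authentication line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groupdict()


def review(log):
    """Return alerts for successful privileged logins that break the policy above."""
    alerts = []
    failures = defaultdict(int)  # (user, source) -> failed attempts before a success
    for ev in parse(log):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            continue
        if ev["user"] not in PRIVILEGED:
            failures.pop(key, None)
            continue
        reasons = []
        if ev["src"] not in ALLOWED_SOURCES.get(ev["user"], set()):
            reasons.append(f"source {ev['src']} not in allow list")
        if ev["method"] != "publickey":
            reasons.append(f"authenticated by {ev['method']} instead of a key")
        if failures[key] >= FAIL_THRESHOLD:
            reasons.append(f"success after {failures[key]} failed attempts")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "src": ev["src"],
                           "reasons": reasons})
        failures.pop(key, None)
    return alerts


if __name__ == "__main__":
    for a in review(SAMPLE_LOG):
        print(f"{a['ts']} {a['user']} from {a['src']}: " + "; ".join(a["reasons"]))
```

On the sample, the morning key-based login from the jump host passes silently and the developer's logins are ignored, while the late-evening password login for ops-admin is reported with all three reasons at once. The useful property is that each reason is independently meaningful: a single key login from a new address, with no failures before it, still produces an alert, which is the case where an admin's stolen key rather than a guessed password is in play.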
In the end, a good administrator stands at the front of a well-guarded network. It takes a lot of knowledge to stay on top of everything that is going on. The Coursedot IT training marketplace can help you find the courses that teach you the software and let you work with it with ease.
Image credit: Flickr (CC) / Alexandre Dulaunoy