In an address in January at Usenix Enigma 2016, 25-year National Security Agency veteran and “professional hacker” Rob Joyce* pointed out that cybercriminals have the time, patience and skill to understand their victims’ networks far better than organizational leadership—or even IT staff—does. Speaking to IT professionals, academics and others, he said, “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network.”
Joyce’s goal was to share strategies that would minimize the odds of network intrusion by his team of professional NSA hackers—and, for that matter, any hackers. In doing that, he explained these individuals’ approaches, saying, “We will learn the security functionality of the devices inside that network. We’ll study them, understand them, and find the vulnerabilities. We’ve got people who understand the security technologies and they’ll bring that expertise at a very, very deep level . . . It’s minute attention to detail inside that security layer.”
Joyce’s warning resounded across the room then, and it has taken on even greater importance now, as the “Internet of Things” (IoT) moves more firmly into the spotlight. IoT devices, which interact directly and automatically with other machines without human intervention or knowledge, can streamline low-level activities such as measuring, alerting, monitoring and more, but they are also ripe for exploitation. Here’s just one example.
In June 2016, researchers discovered that more than 25,000 Internet-connected CCTV (closed-circuit television) cameras around the globe had been hacked and turned into a botnet (a network of infected, Internet-connected computing devices) to launch website attacks. The combined network capability of the cameras was so great that the botnet could execute 50,000 website requests per second. At that rate, it was undoubtedly able to execute a denial-of-service attack on even the most ardently protected website.
As IoT devices multiply—“wearables” alone have doubled in adoption since 2014—many of them are slipping onto corporate networks as well. For example, personnel who wear IoT “activity trackers” may keep them synchronized via Bluetooth with smartphones or laptops running on the corporate network, providing a direct access pipeline. For firms that manage “smart” devices such as alarms or cameras over their network, the danger is compounded.
In 2016, IT networking organization Spiceworks released a study that found 90 percent of IT pros believe IoT devices are major security and privacy concerns, with increased network entry points topping the list. Even so, many had yet to address the threat effectively.
When organizational leaders are not certain which devices—and what technologies and hardware—are running on their network, they are placing themselves at an extreme disadvantage. Hackers have nothing to lose and a lot to gain by penetrating a network. For business owners, the reverse is true.
As we will discuss in future blogs, securing networks to minimize risk is a long-term, multi-faceted effort, but it is one that organizations must undertake.
*Rob Joyce began serving as the Chief of the National Security Agency’s Tailored Access Operations (TAO) organization in April 2013. As the Chief of TAO, Rob leads an NSA-driven effort to provide tools and expertise in computer network exploitation for harvesting foreign intelligence. We will be providing helpful excerpts from his presentation throughout the year.