With security experts and research organizations announcing that it is impossible to completely defend against cyberattacks, many business leaders may be wondering: will we ever reach a point where the threat of a security breach isn’t ever-present? Will businesses ever be safe again?
While no one has a crystal ball, most analyses have found that the threat of cybercrime is not going away as long as organizations and individuals use the Internet. With the advance of “the Internet of Things,” where devices can connect to the Internet and to each other without human intervention, it’s likely going to get worse before it gets better. Nevertheless, that doesn’t mean experts are not working around the clock to explore and develop ways to beat cybercriminals at their own game.
A “Hacker” Takes the Podium
At a recent security conference presentation, National Security Agency (NSA) “Hacker in Chief” Rob Joyce used his session to explain to a group of security professionals and academics how they might keep hackers out of computer systems.
Joyce is head of the NSA’s Tailored Access Operations (TAO)—the elite government hacking team that conducts nation state anti-espionage cyber operations. His advice was too lengthy to cover here in its entirety, but we can share 10 of his key points.
- Well-run networks make a hacker’s job hard.
- Don’t assume any crack is too small to be found and, if found, exploited.
- Network boundaries are becoming amorphous, but you still have to know what is in your trusted zone. You know the technologies that you intended to use in your network; hackers know the technologies that are actually in use on your network.
- Most attacks come through one of three vectors: email, malicious websites, and removable media (e.g., thumb drives).
- Do not rely on users to make the right choices. Is your architecture designed to defend itself when your users make bad choices?
- Don’t have a “gooey center.” Segment the network and high-value assets. Whitelist key applications.
- Monitoring inside the network is just as important as edge security. If you don’t know what “normal” activity is, how will you recognize activities that are meant to harm you?
- Unencrypted traffic is an extreme vulnerability.
- Work under the assumption that you are already compromised.
- Red team your network; have outside penetration testers challenge your defenses.
Everyone Is a Target
Joyce’s overall gist was this: No matter how well you think you know your network, hackers know it better. Only through continual persistence and never assuming anything can you reduce the chances of becoming a victim. If you are interested, you can view the presentation here. Most organizational leaders will benefit even more from asking a security expert to explain the situation in greater depth.
Even as you are reading this, the US Secretary of Defense is advocating for Silicon Valley innovators to host a cyber “war game” to help plan the response to future cyberattacks, per at least one report. Mechanisms like this will continue to help us define the dangers, but only organizational leaders themselves, with the help of their IT partners, can address them.