Rob Joyce, Chief, Tailored Access Operations, National Security Agency(NSA) presents on defending against nation states and criminals. Joyce provides a number of tips useful for defending against advisories. Some points from his presentation enumerated.
- “0-days not necessary”, persistence and exploration will get you in, continuous defensive work required
- Top intrusion vectors: email, web site, removable media
- Use software improvements, automatic/rapid patching and anti-exploitation features
- Use secure host [and software] baselines
- Training, NSA trains and teaches exploitation. Are you actively teaching defense?
- Monitoring, if you were hacked how would you know? You can’t fix a problem you don’t know exists. Incident response plans necessary.
- Trust, don’t allow untrusted devices within the trusted perimeter. Home computer with Steam installed brought into the corporate[trusted] environment.
- Discriminate between nation state and criminal intruders. Nation states select targets and persistent in their efforts. Criminals are opportunistic, catch the weak gazelle.
- Specific tips: 2FA makes stealing credentials challenging, limited account privileges and super user access, dynamic privileges based on location, network segmentation, no passwords in scripts, defend pass the hash, block sites on neutral or bad reputation.
The talk provided few surprises and was more of a reaffirmation for keeping tidy systems – an incredible challenge in practical application. While simple, Joyce’s advice is difficult to apply at scale. Other advice, creates a computing environment some users consider unfriendly. In the end there are no silver bullets or quick fixes. Be vigilant, keep tidy systems, and invest in your staff through education.