Some security gems from around April 2015.

Last Week Tonight with John Oliver: Government Surveillance (HBO)

Application Security Meme

CNBC: Execs We’re Not Responsible for Cybersecurity, “…executives like CEOs and CIOs, and even board members — didn’t feel personally responsible for cybersecurity or protecting the customer data…” (Twitter: @ArigatoDamato)

Video: Execs We’re Not Responsible for Cybersecurity

Laws and regulations have not kept pace with the growth of Internet technologies.  Policy makers have communicated no clear expectations to the software industry or to the users of these services.  Executives have responsibility for protecting customer data, but enforcement remains selective.  In the most egregious incidents, top C-level execs have been terminated for poor cybersecurity (e.g., Target).

Rob Joyce, Chief, Tailored Access Operations, National Security Agency (NSA), presents on defending against nation states and criminals.  Joyce provides a number of tips useful for defending against adversaries.  Some points from his presentation are enumerated below.

  • “0-days not necessary”: persistence and exploration will get an attacker in, so continuous defensive work is required
  • Top intrusion vectors: email, web sites, removable media
  • Use software improvements, automatic/rapid patching and anti-exploitation features
  • Use secure host (and software) baselines
  • Training: NSA trains and teaches exploitation.  Are you actively teaching defense?
  • Monitoring: if you were hacked, how would you know?  You can’t fix a problem you don’t know exists.  Incident response plans are necessary.
  • Trust: don’t allow untrusted devices within the trusted perimeter, e.g., a home computer with Steam installed brought into the corporate (trusted) environment.
  • Discriminate between nation state and criminal intruders.  Nation states select targets and are persistent in their efforts.  Criminals are opportunistic and catch the weak gazelle.
  • Specific tips: 2FA makes stealing credentials challenging; limit account privileges and super user access; dynamic privileges based on location; network segmentation; no passwords in scripts; defend against pass-the-hash; block sites with neutral or bad reputation.

The talk provided few surprises and was more of a reaffirmation of keeping tidy systems – an incredible challenge in practical application.  While simple, Joyce’s advice is difficult to apply at scale.  Other advice creates a computing environment some users consider unfriendly.  In the end there are no silver bullets or quick fixes.  Be vigilant, keep tidy systems, and invest in your staff through education.