Defending Against Government Intrusions
Steps to Take in Post-Snowden Era
Government intelligence agencies' information security offensive capabilities may far outstrip businesses' collective defenses, but organizations can still tap a variety of techniques to defend themselves against many types of intrusions.
That was the opening message delivered at the "Defense Post-Snowden" roundtable Oct. 17 at the Black Hat Europe conference in Amsterdam, which was moderated by conference founder Jeff Moss.
Moss asked his audience to share the technological and organizational changes they've made since former U.S. National Security Agency contractor Edward Snowden's leaks became public. The information stolen by Snowden, which continues to be leaked, has highlighted the numerous ways in which the NSA can physically subvert computing equipment as well as remotely hack into targets, using a vast arsenal of customized physical "implants" and malware, among other techniques.
"We can assume if NSA is doing it then probably other intelligence agencies around the world are doing it too," said Moss, formerly the chief security officer for the Internet Corporation for Assigned Names and Numbers, or ICANN, and now a nonresident senior fellow at think tank Atlantic Council's Cyber Statecraft Initiative. "A lot of organized crime groups learn a lot from them too."
Based on the ensuing discussion, here are some of the top takeaways for anyone charged with defending networks in the post-Snowden era:
Get top executives involved. Snowden's leaks have focused senior management attention on the state of their business's information security defenses. "We in security may have had a clue, but now it's the more senior executives that are listening to the lessons a little more," said one attendee who works for a cloud services firm. He said his business has been encrypting more data as well as increasing its monitoring of network traffic to watch for signs of attack.
Guard the supply chain. The NSA reportedly has the ability to intercept computer equipment shipments, divert them to a bugging facility, and then return them to be delivered to the intended recipients. But knowing about this capability and guarding against it are two different matters, Moss said, although one potential solution is to only buy anonymously. "The first thing that comes to mind is, don't let them know you're buying anything, which seems really irrational," he said. But such an approach creates logistical challenges for enterprises. "You can't go to CompUSA to buy all of your servers," he said.
Travel with less. Attendees singled out China as being on a short list of countries to which their employees are only allowed to take a simple device that contains, at best, little more than a Web browser, which they can use to surf the Internet and access e-mail. "We physically destroy it, when it comes back from China," one attendee said. A Switzerland-based attendee, however, said that his executives have begun rethinking the types of information they keep on their primary laptop as well. "We can't simply destroy all devices when they come back from the U.S. or France or China," he said.
Record everything. For defending against any attacker - not just the NSA - organizations need good logs, so they can tell if they've been hacked. Moss noted: "When I was at ICANN ... I used one-way fiber caps [captures], and I recorded everything, ... and if I ever got suspicious, I had these one-way logs," meaning that while an attacker could have attempted to jam the logs with data, they couldn't access or erase them. "That's a very after-the-fact mechanism but it's one strategy people are using."
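The one-way taps Moss describes keep a copy of the logs where an intruder on the monitored network cannot reach them. The added example below (not from the article or from anyone quoted in it) shows a software analog of the same idea: an append-only log in which every record is chained to the previous one by a SHA-256 hash, with only the latest chain head stored somewhere the logging host cannot write to. An attacker who edits or deletes a stored line breaks the chain; an attacker who rewrites the whole chain to hide the edit still cannot make it match the head held off-host. The class names, the sample log lines and the off-host head store are all constructed for illustration.

```python
"""Tamper-evident, append-only log (constructed example).

Each record stores (line, hash) where hash = SHA-256(previous_hash + "\n" + line).
The current head hash is meant to be copied off-host after every append; the
verifier below compares the stored chain against that off-host head.
"""
import hashlib
from typing import List, Tuple

GENESIS = "0" * 64  # placeholder "previous hash" for the first record

Record = Tuple[str, str]  # (log line, hash of this record)


def _link(prev_hash: str, line: str) -> str:
    """Hash that binds a log line to everything recorded before it."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


class ChainedLog:
    """Append-only log; records are never rewritten, only appended."""

    def __init__(self) -> None:
        self.records: List[Record] = []

    def append(self, line: str) -> str:
        prev = self.records[-1][1] if self.records else GENESIS
        h = _link(prev, line)
        self.records.append((line, h))
        return h  # the new head: copy this to the off-host store

    def head(self) -> str:
        return self.records[-1][1] if self.records else GENESIS


def verify(records: List[Record], expected_head: str) -> Tuple[bool, int]:
    """Check a stored chain against the off-host head.

    Returns (True, -1) if intact. Otherwise (False, i) where i is the index of
    the first record whose hash does not chain correctly, or len(records) if
    every record chains but the final hash differs from the off-host head
    (records deleted from the tail, or the whole chain rewritten).
    """
    prev = GENESIS
    for i, (line, h) in enumerate(records):
        if _link(prev, line) != h:
            return False, i
        prev = h
    if prev != expected_head:
        return False, len(records)
    return True, -1


# Constructed sample log lines standing in for captured traffic records.
SAMPLE_LINES = [
    "2014-10-17T09:00:01Z conn 10.0.0.5:52110 -> 10.0.0.20:22 accepted",
    "2014-10-17T09:00:07Z auth user=admin src=10.0.0.5 result=failure",
    "2014-10-17T09:00:09Z auth user=admin src=10.0.0.5 result=success",
    "2014-10-17T09:00:15Z exec user=admin cmd=/bin/sh",
]


def build_log(lines: List[str]) -> ChainedLog:
    log = ChainedLog()
    for line in lines:
        log.append(line)
    return log


def scenario_edit_one_line() -> Tuple[bool, int]:
    """Attacker edits the failed-login record in place."""
    log = build_log(SAMPLE_LINES)
    offhost_head = log.head()
    tampered = list(log.records)
    line, h = tampered[1]
    tampered[1] = (line.replace("failure", "success"), h)
    return verify(tampered, offhost_head)


def scenario_truncate_tail() -> Tuple[bool, int]:
    """Attacker deletes the most recent record."""
    log = build_log(SAMPLE_LINES)
    return verify(log.records[:-1], log.head())


def scenario_rewrite_chain() -> Tuple[bool, int]:
    """Attacker edits a line and recomputes every later hash to hide it."""
    log = build_log(SAMPLE_LINES)
    offhost_head = log.head()
    forged = build_log([SAMPLE_LINES[0], "2014-10-17T09:00:07Z (scrubbed)"] + SAMPLE_LINES[2:])
    return verify(forged.records, offhost_head)


if __name__ == "__main__":
    log = build_log(SAMPLE_LINES)
    print("intact:", verify(log.records, log.head()))
    print("edited line:", scenario_edit_one_line())
    print("truncated:", scenario_truncate_tail())
    print("rewritten chain:", scenario_rewrite_chain())
```

The chain on its own only proves internal consistency; the detection value comes from the head hash living where the logging host cannot alter it, which is the role the one-way copy plays in Moss's setup. Like that copy, this is an after-the-fact mechanism: it tells you the record was altered, not that the intrusion was stopped.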
Adopt open source. If domestic manufacturers must comply with their government's demands, the same likely isn't true of the globally dispersed development teams behind some of today's top open source software, Moss said. That's one reason why he adopts open-source options, whenever possible. "It's really hard to serve a national security letter on a distributed development team all over the world," he said.
Simplify. Attendees agreed that one of the best approaches for securing any environment is to disable as many services as possible. "Simplify radically; don't have 59 plug-ins on your WordPress site, just have one," Moss said. But turning off as many services as possible can lead to complaints because, for example, disabling SSL leaves some Internet Explorer 6 users unable to connect to a site. "That's a big issue we saw with the POODLE vulnerability, that backwards compatibility can really compromise security," one attendee said, referring to the recently discovered SSL vulnerability. "But if your visitors use IE6, you don't want them to connect."