All I Need to Know about Cyber Security, I Learned in an NSA Pamphlet for Securing Home Networks

Do you remember a list called All I Really Need to Know I Learned in Kindergarten? No? It’s a list of basic things that children are taught, which can guide them throughout life. It’s pretty old but was very popular in its day. Thinking about this led me to ask: would lessons from a pamphlet for securing home networks have prevented some recent mega breaches? No way? Think again.

I was at the RSA Conference USA 2015 expo, and picked up a couple of pamphlets from the booth of the National Security Agency’s Information Assurance Directorate (IAD). It’s a nice little booklet, full of stuff you want to share with your friends and family. Most people attending the conference would say: “Nice, but this is all kids' stuff. We’re pros and we need to go 10 steps beyond! I want sophisticated threat intelligence systems, I want the latest devices, etc.” Fair enough, and I would have agreed.

Later on, I went to a conference session titled The Sophisticated Attack Myth: Hiding Unsophisticated Security Programs by Ira Winkler of Secure Mentem and Araceli Treu Gomes of Dell Secureworks. (Great talk, by the way.) The topic was whether the so-called sophisticated epic breaches at places like Sony Pictures, Target, and CENTCOM (to be fair, CENTCOM only had its Twitter and YouTube feeds pwned) were indeed sophisticated, or if they were just the results of bad security.

My curiosity was piqued: would the IAD’s suggestions for regular families have helped these organizations? So my two questions are:

  1. Would the basic home network security behavior recommended in the pamphlets have prevented these widely publicized breaches?
  2. Does the IAD's brochure live up to its vision of “Confidence in Cyberspace” and the mission of “Protect Information and Outmaneuver Cyber Adversaries”?

The answers are (1) Yes and (2) Yes.

These are simple things that you ought to do at home, which some professionals have neglected. Now, I’m not saying that the pros were totally ignorant—they were probably chasing many alerts and lots of false positives. But still, it was surprising that some basics were ignored. Here are a few items that the IAD recommends, and whether the well-publicized victims heeded them.

  • Change passwords every 60 days. The breached organizations suffered from admin passwords that were not changed periodically. Some passwords were even hard coded into malware! Duh!
  • Keep security suites updated at all times. One of the victims was attacked by well-known malware. If they had kept their detection systems up to date, it would have at least raised an alarm. Danger! Danger!
  • Open attachments from trusted senders only. One well-known breach started with a phishing message. Lesson: stop and think before clicking.
  • Avoid intermingling content (i.e., home vs. work content on one login). The breach victims suffered from improper network segmentation, which is the same problem of mixing zones at a larger scale.
  • Use two-factor authentication. A major bank acknowledged that a recent hack resulted from not using multi-factor authentication.

You get the idea. Simple tools and behaviors can go a long way toward securing the most professionally managed environments from mega breaches.

So does the IAD live up to its mission? Yes, its suggestions are useful for everyone—ranging from grandmothers to money center banks.

The title of my blog post is an exaggeration, since these hints are not all you need to know. They are necessary but not sufficient conditions for securing your systems.

Do you still need to put in something like a Fortinet or Palo Alto firewall, Cisco Advanced Malware Protection, or a Blue Coat proxy? Yes, enterprises can’t ignore those. Do you want to monitor networks using Lancope or ExtraHop systems? They give you the visibility you need. But you can’t ignore the basics either. Do endpoint protection products from companies like Symantec or Intel Security/McAfee apply to both homes and enterprises? Yes, they do.

If you want to learn more about the IAD guidelines, visit their site for their "Best Practices for Securing a Home Network" or watch their instructional video. I also recommend a site called “STOP. THINK. CONNECT.”, a campaign developed by the Anti-Phishing Working Group (APWG) and the National Cyber Security Alliance (NCSA). The content is easy to read and navigate. Even more useful guidance is available at https://www.nsa.gov/ia/mitigation_guidance.

By the way, the IAD video is quite thorough and is accompanied by calm jazz music. Some specifics are a bit out of date (Windows Vista? Hello?) but the core lessons are all still valid. The bad guys in the video are using Ubuntu Linux and drinking bottled beverages in a dark room, so it must be real :)

Takeaway: what's good enough for amateurs is sometimes good enough for pros.
