The NSA's infosec tips won't stop you from being hacked

Earlier this month, the NSA’s cyber security wing released its best practice guide to defending against ‘destructive malware’ - presumably with one eye on the beleaguered Sony bosses who continue to deal with the fallout from the company’s high profile hack.

The report (PDF) focuses on cost-effective countermeasures that can be easily established in your organisation to make life more difficult for the average attacker.

Starting with controls such as segregation of networks, protection and restriction of the use of administrative privileges, and whitelisting authorised application execution on your systems, the tips aim to circumvent the damage cyber bad guys can do.

But is the NSA's new fact sheet just wishful thinking from the US spy agency? Would any of this information have stopped something like the Sony attack from happening?

I have scoured the content of the document in search of anything new. I didn't find it.

None of this is groundbreaking advice (and none of it should be new to the security team at Sony).

The NSA best practice controls will already be familiar to anyone following our own Australian Signals Directorate (ASD) guidelines on attack mitigation strategies, including its highly regarded ‘Top 4 Strategies to Mitigate Targeted Cyber Intrusions’ - a mandatory requirement for government departments adhering to the Protective Security Policy Framework (PSPF).

Whitelisting, reduction of administrative privileges and a comprehensive approach to patching feature heavily in the ASD’s top four. Its top 35 adds even more defensive measures that can be implemented to protect your organisation. 

Nearly all of the mitigations listed in the NSA document - such as the use of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) and subscribing to cloud-based reputation services - are also covered in the ASD documentation.

As a result I was rather disappointed with this latest effort from the NSA. Realistically, the only valuable advice in this document is a warning for organisations to prepare for the worst.

The real issue here is that absolute security is impossible. Unlike many aspects of IT, where user-focused outcomes are delivered, security is not about gaining absolutes; instead it’s about risk management, probabilities and likelihoods.

A defensive stance is not about being impenetrable. It is about being stronger than your competitors. If your defences are better than the next business, they will be the one most likely to get done over.

The situation is no different to the house on the street with the high gates and the obvious alarm. It is the place next door where none of these countermeasures are apparent that gets burgled.

That said, if the criminals want someone specific from your house, they will probe deeper, conduct more surveillance, work up the social engineering angle and build a targeted attack.

And these sorts of attacks are much harder to mitigate than the random drive-by malware hacks the NSA paper is really focusing on.

So how could the NSA advice have been more helpful to the business community?

A good incident response and recovery plan pays dividends should you fall foul of a targeted attack. Consider staging some war games to test your security team’s ability to react under stress, and check that all your processes stack up and deliver the outcomes you expect.

At the end of the day, we are all potential targets. It’s so easy (and cheap) to commission custom attacks from the cyber crime syndicates in Russia, China or Brazil. All it takes is one disgruntled employee, greedy competitor or offended foreign government to put that target on your back.

I'd wager the NSA's money would have been better spent on a media campaign that helps raise general public awareness, rather than regurgitating the same old stuff that cyber security teams already know only too well.