
NSA Net Wargames

A recent NSA exercise in net security - Security agency war game tries to teach Net defense | CNET News.com - has come up with a set of recommendations that might look a little familiar. They should have asked me - these are CompSec 101.

Aside from a streamlined network architecture, MacTaggart and his NSA colleagues offered three other rules of thumb:

• Follow a "deny by default" policy--that is, allow network users to access only the ports and services they truly need. "If you don't know that you need it, turn it off," said Pablo Breuer, who led the NSA's "red team" of hackers. "If someone comes screaming to you, ask them to prove they need the service."

• Remove all services, software and user accounts that aren't necessary to run a particular server. They "can be disabled, but it's better to go an extra step and have (them) completely removed," MacTaggart said.

• Plan for disasters. "No matter how well-designed the network is," MacTaggart said, "there's going to be some sort of security incident, an outage, a hard-drive failure."

At least they tried to simulate a "real world" situation:
In hopes of simulating a real-world situation, the attackers made a point of using the most publicly known exploits during the competition. They also took advantage of common mistakes like the use of weak passwords or the same passwords on multiple systems, and targeted security holes in Microsoft Windows that have readily available patches.
Again there are the same problems with these kinds of simulations that I found in the recent simulated cyber attack - no people - and, as any IT security analyst knows, people are the weakest link in any IT chain.

Where were the Social Engineering attacks?

They would have been impossible to run - suppose team A phoned up team B and said "hey, this is your ISP and we are checking for problems - what is your ID? hmmm ... we have a problem here - do you have your password handy?" - would they have fallen for it?

Very unlikely - because they knew they were doing an exercise.

Simulations like this can never replicate the human factor and the application of Murphy's Law - the "fog of war" that all military planners have to cope with.

So what did we learn from this simulation exercise? A bunch of stuff that I recommended back in 2000 when I wrote Complete Hacker's Handbook:

1) Deny by default:
... start by excluding everything and add what you need. Remember that it is far easier to lock things down really tightly, and then loosen the bits that need loosening, than it is to make everything loose and then lock down the bits you don't trust.

2) Remove all unused services and software
Turn off all services that are not being used ... remove completely any software that is not in use on the machine.

3) Plan for disaster
If .. your entire building is wiped out overnight you must have a business continuity plan that includes IT disaster recovery .. (this) plan .. needs to be documented and checked every year to make sure it works.
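Rules 1 and 2 are easy to state and easy to let slip: a "deny by default" box is only as good as the last time somebody compared what is actually listening against what is supposed to be. The script below is an added example of that check, not code from the original post, the book, or the NSA exercise. It parses the output of `ss -Hlntu` on Linux (the sample output is constructed for this example) and reports every listener that is not on an explicit allowlist, following the "if you don't know that you need it, turn it off" rule. The allowlist of SSH and HTTPS is an assumed policy for a web host; the `ss` invocation in `live_listeners()` is the only part that touches a real system.

```python
"""Deny-by-default audit of listening services (added example).

Compares what a Linux host is actually listening on (as reported by
`ss -Hlntu`) against an explicit allowlist. Anything not on the list is
reported: bound to all interfaces means "stop it and remove it";
bound to loopback means "remove the package if nobody needs it".
"""
import re
import subprocess
from ipaddress import ip_address

# Assumed policy for a web host: only SSH and HTTPS may be exposed.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Constructed sample of `ss -Hlntu` output (Netid State Recv-Q Send-Q
# Local:Port Peer:Port). Not captured from a real machine.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443         0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:21          0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:161         0.0.0.0:*
tcp   LISTEN 0      128             [::]:22             [::]:*
"""

# proto, state, recv-q, send-q, local address, local port
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(ss_output):
    """Return (proto, local_addr, port) tuples from `ss -Hlntu` text."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unexpected line; ignore rather than guess
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        found.append((proto, addr.strip("[]"), port))
    return found


def is_loopback(addr):
    """True for 127.0.0.0/8 and ::1. '*', 0.0.0.0 and :: mean every interface."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False  # ss prints '*' for "all interfaces" on some versions


def audit(listeners, allowed=ALLOWED):
    """Deny by default: every listener not explicitly allowed is reported."""
    exposed, local_only = [], []
    for proto, addr, port in listeners:
        if (proto, port) in allowed:
            continue
        (local_only if is_loopback(addr) else exposed).append((proto, addr, port))
    return {"exposed": exposed, "local_only": local_only}


def live_listeners():
    """Audit the current host (Linux with iproute2). Not used by the sample run."""
    out = subprocess.run(["ss", "-Hlntu"], capture_output=True,
                         text=True, check=True).stdout
    return parse_listeners(out)


if __name__ == "__main__":
    report = audit(parse_listeners(SAMPLE_SS_OUTPUT))
    for proto, addr, port in report["exposed"]:
        print(f"DENY:   {proto}/{port} on {addr} is not on the allowlist - stop it and remove it")
    for proto, addr, port in report["local_only"]:
        print(f"REVIEW: {proto}/{port} bound to loopback {addr} - remove the package if unused")
    if not report["exposed"] and not report["local_only"]:
        print("OK: nothing listening beyond the allowlist")
```

On the sample data this flags FTP (tcp/21) and SNMP (udp/161) as exposed and the MySQL listener on loopback for review; the IPv6 SSH socket passes because the allowlist is keyed on protocol and port, not address. Run it from cron against `live_listeners()` and the report doubles as the evidence that the "deny by default" policy is still in force, which is exactly the thing these exercises found people had not been doing.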

What I want to know is why it took so long for the NSA to come to these conclusions when they could have bought a copy of my book and learned it six years ago.

If it takes the NSA six years to catch up with what was accepted wisdom six years ago, what chance have they of catching hackers or fending off a full-scale information warfare cyber-attack?

Enquiring minds want to know ...
