“Every day we’re battling a new cyber-threat, but the more that things change the more that they stay the same.”
Speaking at the CyberUK conference in Manchester, Dave Hogue, technical director of the NSA’s Cybersecurity Threat Operations Center (NCTOC), talked about a hack of the US Navy in 2012 that caused over $12m of damage and led to a network being taken down twice. In 2017, hackers used a known vulnerability to hit Equifax, and it has cost over $600m to fix so far.
“These two stories, five years apart, are discretionally similar in nature,” he said. “We have sophisticated adversaries using unsophisticated means to cause great damage. In fact, I’ll tell you as the overseer of NSA’s operational teams, we have not responded to a zero-day in over 24 months.
“Adversaries are getting into networks using non-technical means, taking advantage of hardware and software technologies that are not compliant with the latest offerings, and taking advantage of bad security practices such as solutions that are no longer vendor-supported.”
Hogue said that advice and solutions are widely available, such as application whitelisting, two-factor authentication and role-based access controls. “There are a lot of outdated things that are making a comeback,” he said. “How can we get a better focus that the security industry is not conveying? Are we making progress? Probably not.”
Hogue called for a change in the paradigm, which he said starts with everyone seeing themselves as part of operations, “as the adversary goes after everything and everyone to achieve their objectives.”
He said that the second part is to be more predictive and preventative, and to build layers of defenses to defeat common layers of attack. This includes better collaboration and working to build a picture “that involves working across industry, government and academia sectors to have thorough and sustained campaigns that make it costly for the adversary to operate.”