NSA Considers Its Networks Compromised

Orome1 writes "Debora Plunkett, head of the NSA's Information Assurance Directorate, has confirmed what many security experts suspected to be true: no computer network can be considered completely and utterly impenetrable — not even that of the NSA. 'There's no such thing as "secure" any more,' she said to the attendees of a cyber security forum sponsored by the Atlantic and Government Executive media organizations, and confirmed that the NSA works under the assumption that various parts of their systems have already been compromised, and is adjusting its actions accordingly."

Which is the sane thing to assume

[alfredos]

What I can't fathom is that there is still people out there believing that a firewall is all the protection they need. Or that it is a protection they need, even.

Re:Which is the sane thing to assume

[datapharmer]

yeah, I mean who really needs a firewall anyway.... I run my computers unpatched with all the ports open. They are much faster and more reliable that way. None of that antivirus nonsense to deal with and I stay virus free since the botnets duke it out for who gets control. It saves time when shopping online too, as I don't even have to tell the nice people my credit card info - they all already know it! It is especially useful when they send me great offers by email for replica rolex watches and discount prescriptions as I don't even have to search for the best prices!

Re:Which is the sane thing to assume

[B'Trey]

What I can't fathom is that there is still people out there believing that a firewall is all the protection they need. Or that it is a protection they need, even.

A firewall is reasonable protection for most people, just as a dead bolt on the front door is reasonable protection for most homes. If you're the online equivalent of a jewelry store - that is, a high profile target - then obviously you need much more than that.

Re:Which is the sane thing to assume

[_Sprocket_]

You're actually cutting edge. You've out-sourced your personal information security and set up a fully flexible payment schedule to support it. You're clearly executive material and deserve that Rolux you've had your eye on.

Re:Which is the sane thing to assume

[JackOfAllGeeks]

Of course, that's not really all that a modern firewall does.

And this is why the original poster is wrong.

If you're just relying on a Firewall to block access to ports you shouldn't have open anyways, then yeah, you don't need the firewall: just close the ports. But in that scenario, it's really just a misapplication of an otherwise useful security device.

A Firewall can be useful, as you said, to proxy various protocols or block certain outgoing (or unsolicited incoming) traffic. It can also be used if potentially-harmful traffic belongs on the network, but not going to or from certain hosts (ie, remote administration of servers might be desirable, but only from certain hosts).

The point is, yes a Firewall isn't The Solution to all security problems, and it can be misapplied, but that doesn't mean it's not a useful device in the right situation.

Re:Which is the sane thing to assume

[FormOfActionBanana]

If you have on your computer:
  - access to online banking;
  - personal information;
  - spare CPU to do somebody else's processing;
  - spare bandwidth to store or handle someone else's illegal data;
  - company confidential information;
  - etc... ... you are an electronic jewelry store.

NSA

[Demoknight]

Not Secure After-all

Definition of security

[girlintraining]

Security is achievable provided you start with good parameters. Believing your systems are "unhackable" is silly. No physical security is impenetrable, why would electronic security be different? But what you can do is make the cost of breaching that security more than the value of whatever it is being protected. Keep in mind though that what you're protecting also includes access, not just the data itself.

Problem is, in the private sector you have all these companies trying to control the internet, instead of keeping it as a public commons. The net result is that the cost to access it is often the main price consideration, at least in the United States.

Re:Definition of security

[DrgnDancer]

The problem is that the NSA has, or at least it believes it has and other believe it has, information whose value is essentially beyond price. Therefore they feel reasonable expecting that other parties will pay nearly any cost for access. The whole dynamic of "make it more expensive to get than it's worth to have" goes out the window when what it's worth to have is essentially infinite. Then it becomes "protect it as much as possibly can and hope it's enough".

Don't get me wrong, I typically agree with you, and I've posted that very thing quite recently in response to something else recently. It's just that the theory kinda goes out the window when you have bad actors with the resources of an entire nation behind them as your most likely threat vector. Now of course everything that the NSA protects isn't that valuable, and much of it is probably protected with precisely the theory you promote. The rest is just protected with every possible resource they can think of.

So much for the cloud

[T1girl]

The idea of sticking all my data out in cyberspace on somebody else's servers always seemed a little fluffy anyway.

The only secure system...

[ChefInnocent]

Is the one buried a mile under ground in 100' radius of concrete connected to nothing. Preferably in an undisclosed location. Even then, it is only as secure as the guards protecting it.

Re:The only secure system...

[Colourspace]

CVS?? According to you she doesn't even seem to have heard of antivirus, and you want her to use control versioning?

Re:Well

[Abstrackt]

They probably figured it out a long time ago, what they're doing now is admitting it.

Think of systems as prisons

[devleopard]

In other words, no internal trust. You eliminate all assumptions in-house with the requisite sandboxes, minimal privileges, etc. Like prison: no one is your friend, you merely have alliances that can be severed at the moment that trust is no longer needed.

Now for TSA to make the same realization

[ColoradoAuthor]

Complete security is a fleeting deception. What we need is RESILIENCY to cope with the attacks (physical or cyber) which will inevitably occur. Wise people have known that for approximately forever (that's how we got this thing called the Internet, after all).

Duh

[PPH]

Any good security policy assumes that, if the system has not already been penetrated, it will be soon. There must be procedures for detecting intrusions, repairing weaknesses and plugging holes, and compartmentalizing data so as to minimize damage once a part of the system has been breached. And there needs to be ongoing R&D into the various techniques the enemy could use to break into systems and applicable countermeasures.

What scares me is that the NSA is "adjusting its actions accordingly". They should have been thinking this way from day zero.

Re:Open source government?

[mangu]

So to me this raises a fundamental philosophical question: why keep secrets at all, as a government?

Because we need the military to protect us. You wouldn't want an enemy country to know all about the military operations in your country. And before you propose to completely eliminate the military, remember 1939.
 

Good for them

[mewsenews]

If you've played around with any rootkits you know how devious an attacker can be with your system. If you read about the Gawker story, they had a couple signals that their systems were compromised but nothing catastrophic had happened so they carried on their merry way.

This is how most businesses are approaching IT security: if it ain't broke, don't fix it.

It almost takes a govt organization to sit down and say "wait a minute, we could be hacked and not even know it". Especially a very, very high profile target like the NSA. They're facing legions of hackers funded by foreign governments. This isn't the dawn of the Internet anymore, it has to be taken seriously.

Re:Well

They didn't say their networks are compromised. To be on the safe side, they just assume they are.

Levels of security

[formfeed]

Many large organizations still operate under the bad internet vs. good intranet principle.

What considering "the assumption that various parts of their systems have already been compromised" means is that you go away from that model.

There can be multiple levels, walls between various areas, zones according to task, etc. And the auditing system can be much more complex than a firewall.

Think of something like the "unusual activity" trigger software for your credit card. Low ranking security person reading a low level cable? -fine. Reading 10000 cables in one hour? very unusual.

The NSA know their stuff, I see this talk not as someone admitting that they are compromised, but as someone talking shop.

What?

[natehoy]

What? You mean there's another option?

Any network administrator worth half their income should always consider their LAN to be compromised. That's why you use secure transfer protocols to transfer any data containing any sensitive information between company systems. That's why you have active network monitors that turn off network ports when they encounter an unknown MAC address. That's why you don't allow anonymous logins to your active directory, and you strictly control access to everything by at least department.

Security is done in layers. Firewalls can and will be breached. If it is, your goal is to slow the attacker down until you can detect the breach and close it. Honeypot servers, data encryption, network segmentation, network resource security, all of these things are vital.

Re:Well

[Captain+Splendid]

'Hope for the best, assume the worst' should be the mantra for everyone working in any kind of security. Glad to see the NSA living up to that.

I wonder, though, if the prominence of Wikileaks had anything to do with this, and I don't mean specifically, as in they anticipate a lot of NSA-related document drops in the near future, but more generally, as in the landscape has changed and Wikileaks is a signifier.

Re:Open source government?

[DrgnDancer]

Well you see it's like this... As a former soldier I'd have been a bit miffed to be say, escorting a convoy, only to discover that bad people with guns knew my route, numbers of troops, and level of armament. It really ruins your day when bad people show up in precisely the right place with way more troops and guns than you have. Especially if they set up explosives. That takes things to whole new level of "ruined day". And before you comment on my simplistic view of "bad people", please understand that my overall opinion of you shifts dramatically toward "bad" when you start shooting at me. As far as I am concerned anyone who shoots at me is by definition a "bad person", no matter what their initial motivation may have been.

Manufacturing is key

[J4]

The fact that we outsource chip fabrication ought to be a clue as to why they can't pretend any more.
OT: It's even money that every piece of military hardware with computers has an illicit kill switch embedded in it.

Game over USA.

Re:Open source government?

[wjousts]

Do you really think the bad guys don't know these things?

Suspecting it and actually confirming it for them with an official US government document are two separate things. And you still haven't given a reason why it should be released.

Security

[theamarand]

It always makes sense to operate based on the assumption that you may already be compromised. If you take a look at your data, and you think that impenetrable firewall is going to keep people from accessing it, you're delusional. Security, or lack thereof, is measured in time. If what you're securing is important, the question is not can this information be accessed but how long until it can be accessed. Compartmentalization is an important part of any security plan. Finding ways of keeping people out is something the security field has been working on for ages. Have different passwords for everything. Change passwords regularly. Audit data accesses. Watch for suspicious behavior. Keep off-site backup of data and forensics information. Create different subnets and VLANs to segregate traffic. Train all employees in basic security measures. Ensure that no employees are above security - no backdoors, everything audited. I'd say the most important thing to recognize, though, is exactly what they said: unless a resource is sitting in a heavily-guarded Faraday-cage, inside a vault, turned off, and not connected to anything else, it can not be considered 100% secure. Everything else is risk management.

Re:Well

[afabbro]

They didn't say their networks are compromised. To be on the safe side, they just assume they are.

Yep it's a RIAA/MPAA model. Assume guilt until proven otherwise, in this case compromised until proven otherwise. Makes you wonder what the NSA is really good for.

Wow...you've leaped from a national security organization adopting a policy of extreme care to a comparison with the recording industry lawsuits. Do you have some sort of associative-compulsive disorder or are you really stating there is any relationship between the two? Or are you just bitter?

Re:Well

[Stargoat]

Iran thought that, but sneakernets are capable of transmitting viruses behind airwalls.