When one thinks of the National Security Agency, the popular (and arguably not entirely undeserved) stereotypical image is of high-tech analysts listening to intercepted phone calls from overseas, trying to decipher whether the animated conversation is actually pointing to a terror plot.
Less known is that for the last six years, the NSA has held a type of computer-intrusion contest among government bureaus to war-game security vulnerabilities. Now, for the first time, the super-secret agency is sharing the results with enterprise IT directors.
First, a bit on the project. The exercise, which took place in April of this year, pitted students from the five U.S. military academies and the U.S. Air Force’s postgraduate technology school against “bad guys” portrayed by NSA technicians.
Each team was assigned tainted network software, and had two weeks to find misconfigurations and vulnerabilities. Operating in conjunction with this endeavor, the NSA “bad guys” were tasked with breaking into these networks.
Following the exercise, NSA participant Rigo MacTaggart issued three points of advice for IT security. Summarized in a CNET article on the endeavor, the best practice suggestions are to:
• Follow a “deny by default” policy: that is, allow network users to access only the ports and services they truly need. “If you don’t know that you need it, turn it off,” said Pablo Breuer, who led the NSA’s “red team” of hackers. “If someone comes screaming to you, ask them to prove they need the service.”
• Remove all services, software and user accounts that aren’t necessary to run a particular server. They “can be disabled, but it’s better to go an extra step and have (them) completely removed,” MacTaggart said.
• Plan for disasters. “No matter how well-designed the network is,” MacTaggart said, “there’s going to be some sort of security incident, an outage, a hard-drive failure.”