According to Dave Hogue, the technical director of the NSA’s Cybersecurity Threat Operations Center, the technology used to implement cyber attacks evolves over time but the tactics used to carry them out rarely changes. Hogue told the crowd at the CyberUK conference in Manchester, “Every day we’re battling a new cyber-threat, but the more that things change the more that they stay the same.”
Dave Hogue is the technical director of the NSA CTOC, and claims that they have not responded to any ‘zero-day’ cyber attacks in two years.
To illustrate his point, Hague spoke about a US Navy hack in 2012, which caused an estimated $12m of damage, and the 2017 Equifax hack where a known vulnerability was taken advantage of, costing an estimated $600m to date to rectify. “These two stories, five years apart, are discretionally similar in nature,” he said. “We have sophisticated adversaries using unsophisticated means to cause great damage. In fact, I’ll tell you as the overseer of NSA’s operational teams, we have not responded to a zero-day in over 24 months.”
Even as technology evolves and the tools used by both cyber criminals and cyber security professionals change, the tactics employed to carry out cyber attacks remain similar, with criminals targeting widely-known security vulnerabilities and taking advantage of human error.
“Adversaries are getting into networks using non-technical means, taking advantage of hardware and software technologies that are not compliant with the latest offerings, and taking advantage of bad security practices such as solutions that are no longer vendor-supported. There are a lot of outdated things that are making a comeback.”
Many of these cyber attacks are entirely preventable using widely available cyber security advice and solutions, such as application whitelisting, two-factor authentication, role-based access controls and end-user security awareness training. Another point that we frequently see cropping up is how very costly incidents such as last year’s NotPetya mass-ransomware attack could have been prevented had affected companies learned the lessons from WannaCry, a mass-ransomware attack that took place mere months prior.
Hogue has called for a change in the way organisations view cyber security, starting with every person there seeing themselves as part of the solution, “as the adversary goes after everything and everyone to achieve their objectives.”
Hogue also called for more predictive and preventative measures to protect against cyber attacks, something we at Tech Guard regularly mention in our articles. He specifically called for better collaboration within the industry, to build a picture “that involves working across industry, government and academia sectors to have thorough and sustained campaigns that make it costly for the adversary to operate.”
Cyber security has no silver bullets, but must be made up of a thorough and comprehensive framework, combined with cyber security and basic cyber hygiene training for all members of an organisation, be it large or small. Building this ‘human firewall’ can be a crucial element of any cyber security strategy.