THE US NSA (National Security Agency) has admitted that it builds systems on the assumption that they're broken because "there's no such thing as 'secure' any more".
The US agency charged with protecting classified material made the startling admission that its computer networks are fallible. In fact, the agency went one further and said it operates on the assumption that it has already been hacked.
The head of the NSA's Information Assurance Directorate, Debora Plunkett, made the statement just days after the US started scratching its head trying to come up with some sort of extradition case against Wikileaks founder Julian Assange. Wikileaks has published a massive trove of classified US material that has embarrassed the US government.
"The most sophisticated adversaries are going to go unnoticed on our networks," she said at a cyber security forum.
Which is strange, given that Assange got most of his information in the time-honoured fashion of journalism, from a source. No hacking, no malware and no bespoke code to extract information from the NSA. Just person A giving person B information he had that the government C didn't want person B telling the world plus dog.
However, Plunkett added, "We have to build our systems on the assumption that adversaries will get in."
We can infer from Plunkett's statements that she wanted to put the NSA in a good light, that it has prepared for every possible contingency and is flexible enough to deal with any threat.
"We have to, again, assume that all the components of our system are not safe, and make sure we're adjusting accordingly," Plunkett continued.
But all that has done is demonstrate that the world's most powerful nation assumes that it has vulnerabilities in its information security defences. That is probably a very realistic assumption. µ
I've been up on so-called computer security methods since the '80s. For someone as experienced as myself there are simply 2 types of system: Easy and Hassle. The best security admins will kick up as many hurdles as they can, adding as much hassle in the way of the prize. Unfortunately, like any chain, it is only as secure as the weakest link. As with the recent Wikileaks, the weak link again was a human element. Whether it be a person using an insecure password, someone who talks too much, or someone daft enough to place that mystery USB drive they found in the parking lot into their work PC, people will always be the #1 security risk and there's no firewall for that.
Despite the article's dissenting attitude towards the NSA, from an information security perspective, Plunkett has some very wise words. In this modern age, it is incredibly hard to make your network 'impenetrable' while providing any kind of service. By planning your entire security infrastructure around the assumption that people will break in, you can place sensitive data in more secure locations that are not easily accessed from the general network. Publicly 'admitting' your infrastructure is insecure might not be the best way to announce it, but it is true.
Despite the entire Wikileaks issue, this is a wise and accurate statement from the spooks that know digital security the best, the NSA.
Even on separate networks, which they do use for extremely top secret stuff, if you know where it is or you work there you can find a way to get the information. There's always a way; if someone wants it enough, they're going to get it.
If your internal network has no contact with your "public" network, how can one be hacked? That is, you work on workstation A, you surf pr0n on workstation B; A is on router 1, B is on router 2 - connected to the net. In a configuration like that you should be safe.... unless you physically go somewhere where you can access the "protected" network.
At least, that's what we do on mainframes.....