3 basic steps to thwart most cyberattacks, courtesy of NSA
Three key practices can help systems withstand about 80 percent of commonly-known attack mechanisms, according to an estimate from the National Security Agency.
Computer systems with proper security and network controls should be able to withstand about 80 percent of known cyberattacks, according to a senior National Security Agency official.
There are common steps that people could take to bolster computer security and make it more difficult for would-be-hackers to gain access, Richard Schaeffer Jr., the NSA’s information assurance director, told the Senate Judiciary Committee’s Terrorism and Homeland Security Subcommittee today. He identified three measures in particular as being especially effective.
“We believe that if one institutes best practices, proper configurations [and] good network monitoring that a system ought to be able to withstand about 80 percent of the commonly known attack mechanisms against systems today,” Schaeffer said in his testimony. “You can actually harden your network environment to raise the bar such that the adversary has to resort to much, much more sophisticated means, thereby raising the risk of detection."
Schaeffer said NSA works directly and indirectly with vendors to develop and distribute configuration guidance for software and hardware. Since 2005, NSA has worked with Microsoft, the U.S. military, the National Institute of Standards and Technology, the Homeland Security Department, and the Defense Information Systems Agency to establish consensus on common security configurations for Microsoft operating systems, he said.
For example, Schaeffer said the announcement by Microsoft of the release of Windows 7 was quickly followed by the release of the security configuration guide for the operating system. He said that NSA, in partnership with Microsoft and parts of the Defense Department, was able to enhance Microsoft’s operating system security guide without hampering a user’s ability to do everyday tasks.
“All this was done in coordination with the product release, not months or years later during the product lifecycle,” he said in prepared remarks.