How to Cope With Intelligence Agency ExploitsProf. Woodward's Tips for Dealing with Security Uncertainties
Intelligence agencies, of course, have a mandate to gather intelligence. Hence it's not surprising that the Equation Group - believed by many to be the U.S. National Security Agency and its Tailored Access Operations team - developed exploits to hack equipment from numerous networking vendors, including Cisco, Fortinet, Juniper and Topsec, says Alan Woodward, a University of Surrey computer science professor (see NSA Pwned Cisco VPNs for 11 Years).
"The bottom line is: intelligence gathering stops wars and it helps governments protect their position, which is what the people of most countries would want, I would think," says Woodward, who's also a cybersecurity adviser to the EU's law enforcement intelligence agency, Europol.
Unfortunately, in the course of that intelligence-gathering mission, intelligence agencies may seek out and develop exploits for the technology that the nation's organizations rely on to secure their data. "If you're buying technology to keep yourself secure and you have your own government apparently undermining it, people are going to sort of throw up their arms and say, 'What's the point?'" Woodward says in an interview with Information Security Media Group.
The point is that enterprises must factor likely intelligence agency efforts into their due diligence and risk assessments every time they evaluate which technology to buy, how and when to patch it and when to get rid of it.
"The big lesson out of all of this is there's no such thing as 100 percent security," Woodward says. "You can guarantee if your own government is doing it somebody else is doing it as well. So ... be prepared for the fact that what you buy may have flaws in it and you've got to do your due diligence - don't just rely totally on going to your local equipment vendor and assuming if they say it's all secure that it is."
In this interview (see link to audio below photo), Woodward also discusses:
- The likelihood that the Equation Group is in fact the NSA;
- How code in equipment can be altered and steps that organizations might take to combat that;
- The implications of the delay between when the Equation Group tools were stolen - apparently in 2013 - and their only having been recently released;
- The tension inherent in having vendors deliver advice about vulnerability severity while regularly urging customers to buy new equipment.
In addition to his role as a visiting professor at the department of computing at University of Surrey, Woodward is a cybersecurity adviser to Europol's European Cybercrime Center, as well as non-executive director at TeenTech, which encourages teenagers to pursue careers in the fields of science, engineering and technology.