3 basic steps to thwart most cyberattacks, courtesy of NSA

Best practices, proper configurations and network monitoring can enable systems to withstand 80 percent of attacks

Schaeffer's big three

National Security Agency information assurance director Richard Schaeffer says these three basic steps will enable your agency to withstand 80 percent of known cyberattacks:

  1. Implementing best security practices
  2. Proper network configurations
  3. Strong network monitoring

Computer systems with proper security and network controls should be able to withstand about 80 percent of known cyberattacks, according to a senior National Security Agency official.

There are common steps that people could take to bolster computer security and make it more difficult for would-be-hackers to gain access, Richard Schaeffer Jr., the NSA’s information assurance director, told the Senate Judiciary Committee’s Terrorism and Homeland Security Subcommittee today. He identified three measures in particular as being especially effective.

“We believe that if one institutes best practices, proper configurations [and] good network monitoring that a system ought to be able to withstand about 80 percent of the commonly known attack mechanisms against systems today,” Schaeffer said in his testimony. “You can actually harden your network environment to raise the bar such that the adversary has to resort to much, much more sophisticated means, thereby raising the risk of detection.”

Schaeffer said NSA works directly and indirectly with vendors to develop and distribute configuration guidance for software and hardware. Since 2005, NSA has worked with Microsoft, the U.S. military, the National Institute of Standards and Technology, the Homeland Security Department, and the Defense Information Systems Agency to establish consensus on common security configurations for Microsoft operating systems, he said.

For example, Schaeffer said the announcement by Microsoft of the release of Windows 7 was quickly followed by the release of the security configuration guide for the operating system. He said that NSA, in partnership with Microsoft and parts of the Defense Department, was able to enhance Microsoft’s operating system security guide without hampering a user’s ability to do everyday tasks.

“All this was done in coordination with the product release, not months or years later during the product lifecycle,” he said in prepared remarks.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Reader Comments

Mon, Nov 23, 2009

Or to put it another way - "Ladies and gentlemen, please fasten your seat belts and put your seat backs in the upright position. The pilot is pleased to announce that we have an 80% chance of a successful landing today." Please - this is not a model for true cybersecurity - it's still reactive. What is needed is intelligence - in real-time - about the motivations of attackers, their tools, and capabilities.

Thu, Nov 19, 2009

What a load of MALARKEY. Give it a break. The best thing for security is to take the final decision-making authority away from the Senior leaders and DAAs who let people do what they want for the sake of a promotion.

Thu, Nov 19, 2009 Smithwill

Actually, it is that simple if you remove all the techno-geekery and haaakerfogg. Security practices don't require Nth degree Ninja degrees or "special moves." It's truly about defining one's goals, process and controls and then verifying everything falls within these parameters. Sure, there are literally millions and millions of threat conditions and flaws that can compromise a system, network or data. By contrast, there are 30 to 100 parameters that "should" be found on the network. The administrator's only advantage against the bad guys is "KNOWING WHAT SHOULD BE ON THE NETWORK." Armed with this knowledge it's a helluva lot easier to pick the hairs out of your pizza rather than chugging all the Infosec beer and slamming the pizza in one gulp.
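The article's "proper configurations" plus "network monitoring" and the comment above's "knowing what should be on the network" describe the same defensive idea: write down the small set of things that are supposed to exist, then continuously compare observations against that list. The following is an added illustration of that baseline check, not code from the article, NSA or the commenter; the hosts, ports, service names and the observed lines are all constructed sample data, and the input format (one `host port proto` triple per line, as one might extract from a scan or flow logs) is an assumption.

```python
"""Network baseline check: flag anything observed that is not in the
allow-list of expected services, and anything expected that was not seen.
Added example; every host, port and service below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str  # "tcp" or "udp"


# Constructed baseline: the handful of things that SHOULD be on the network,
# mapped to a human-readable label for reporting.
EXPECTED = {
    Service("10.0.0.10", 443, "tcp"): "web-frontend",
    Service("10.0.0.11", 5432, "tcp"): "postgres",
    Service("10.0.0.12", 53, "udp"): "dns",
    Service("10.0.0.12", 53, "tcp"): "dns",
}

# Constructed observation, in the assumed "host port proto" line format.
OBSERVED_LINES = """\
# host port proto
10.0.0.10 443 tcp
10.0.0.10 22 tcp
10.0.0.11 5432 tcp
10.0.0.12 53 udp
10.0.0.37 3389 tcp
"""


def parse_observed(text):
    """Parse 'host port proto' lines into a set of Service entries."""
    seen = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, proto = line.split()
        seen.add(Service(host, int(port), proto.lower()))
    return seen


def compare(expected, observed):
    """Return (unexpected, missing): services present but not in the baseline,
    and baseline entries not seen (a service that is down, or a gap in what
    the monitoring actually covers). Both lists are sorted for stable output."""
    baseline = set(expected)
    order = lambda s: (s.host, s.port, s.proto)
    unexpected = sorted(observed - baseline, key=order)
    missing = sorted(baseline - observed, key=order)
    return unexpected, missing


def report(expected, observed_text):
    """Produce one line per deviation from the baseline."""
    unexpected, missing = compare(expected, parse_observed(observed_text))
    lines = []
    known_hosts = {s.host for s in expected}
    for s in unexpected:
        # A new port on a known host and an entirely unknown host are both
        # deviations, but they usually deserve different follow-up.
        kind = ("unexpected service on known host" if s.host in known_hosts
                else "unknown host")
        lines.append(f"ALERT {kind}: {s.host}:{s.port}/{s.proto}")
    for s in missing:
        lines.append(f"WARN expected service not seen: "
                     f"{s.host}:{s.port}/{s.proto} ({expected[s]})")
    return lines


if __name__ == "__main__":
    for line in report(EXPECTED, OBSERVED_LINES):
        print(line)
```

Run against the constructed data, the check reports an unexpected SSH listener on the web host, an unknown host exposing 3389, and that the expected TCP DNS service was not observed. The point is the shape of the control rather than the specific values: the allow-list is short enough to review by hand, and everything outside it becomes an alert rather than something that has to be recognised as hostile on its own merits.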

Thu, Nov 19, 2009

Ben, Thanks for the effort on this article.

Thu, Nov 19, 2009

Did I miss something? It seems like after all this hard work and so many professional minds collaborating, that foresight would have taken hold. I didn't read where they applied their knowledge and implemented their theory so that the standard default configuration for Windows 7 would reflect "Best security practices, Proper network configurations, and Strong network monitoring." If the goal is to secure the network why not secure it for those COTS type of "plug and play" consumers?
