After the WikiLeaks dump: Do nothing
You heard it here first. Don’t do a damn thing in response to the WikiLeaks dump that you’re not already doing. Don’t sit still, be vigilant, keep your eye on the targets. Because this isn’t news.
What? Not news?!?
No. Between the three-letter agencies, if they want you, they have you. They’ll find a way. It’s a matter of time. But they’re largely ahead of the ne’er-do-wells. You should expect this.
If hardware and device makers gasp that their stuff is crackable, it’s only time to snicker. Nothing is foolproof because 1) fools are so ingenious and 2) with a big enough hammer you can crack anything. Even you. You are not impregnable. It’s a matter of degree, and of whether you can detect the breach quickly.
I’m a small test facility. I’m reasonably diligent. I’ve been cracked. It took trying. And it was my mistake. They ate my HTTP, mail, and another server I had. It wasn’t something simple—a fact that leaves me with a little dignity, but not much. I’m supposed to be good at this. No one is perfect, but you can be very good for at least a while.
It’s the same time-honored song in four-part harmony that goes like this:
Automate and verify your patches and fixes
Before the CIA makes your routers their bitches.
Make sure your iPhones and Androids aren’t rooted
Or your encryption methods will be mooted.
Close those freaking ports in your storm
Or they’ll be breached, and you’ll be forlorn.
Because if they want you, they’ll find a way
It’s not ransomware you’ll have to pay.
But you’ll fight this battle again, on another day.
If you’re not using incredibly rough encryption all over
In this game of spook-walling poker,
Rest assured that the joker
Is no toker.
Security best practices
So, what were you doing before the WikiLeaks revelation that prevented penetration? You tested for penetration by actual professionals who delight in cracking stuff for money. You read your logs. You watched the behavior of your infrastructure to look for anomalous connections. You kept up your patch/fix/update mix at the top of your list. You educated your users. You watched their phones like a hawk for unauthorized apps and rooting behavior.
You encrypted the valuable stuff with draconian keys and air-gapped the key server, using the tightest chain of authorities you could reasonably muster. You were diligent about your business partners. You made your DevOps people prove the sanity of their infrastructure—chapter-and-verse—and you knew their credentials and trustworthiness.
You kept up to date with all of your major vendors’ tech bulletins. Did I mention you looked at the logs?
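"Read your logs" and "watch for anomalous connections" are the two practices above that are cheapest to automate, so here is an added example of what that looks like in code. It is my illustration, not the author's code or any Network World tooling: it assumes a constructed key=value connection-log format (not any vendor's real syntax), builds a baseline of which (destination, port) pairs each host normally talks to from a known-good day, and then flags review-day connections that are new for that host or that use a port outside a hypothetical outbound allowlist. The sample lines, hosts and ports are all made up.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simple key=value format (not any specific
# vendor's syntax). The first block is a known-good baseline day; the second
# is the day under review. The one malformed line checks the parser is robust.
BASELINE_LOG = """\
2017-03-08T09:00:01 src=10.0.1.20 dst=10.0.2.5 dport=443 proto=tcp
2017-03-08T09:00:07 src=10.0.1.20 dst=10.0.2.5 dport=443 proto=tcp
2017-03-08T09:01:12 src=10.0.1.21 dst=10.0.2.9 dport=25 proto=tcp
2017-03-08T09:02:40 src=10.0.1.20 dst=10.0.2.9 dport=25 proto=tcp
"""

REVIEW_LOG = """\
2017-03-09T09:00:03 src=10.0.1.20 dst=10.0.2.5 dport=443 proto=tcp
2017-03-09T09:00:09 src=10.0.1.21 dst=10.0.2.9 dport=25 proto=tcp
2017-03-09T02:13:55 src=10.0.1.20 dst=203.0.113.77 dport=4444 proto=tcp
2017-03-09T02:14:02 src=10.0.1.20 dst=203.0.113.77 dport=4444 proto=tcp
2017-03-09T10:30:00 src=10.0.1.21 dst=10.0.2.5 dport=443 proto=tcp
garbage line that should not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Hypothetical outbound allowlist: ports this site expects its servers to
# reach. Anything else is worth a look even if a baseline never existed.
ALLOWED_PORTS = {25, 53, 80, 443}


def parse_lines(text):
    """Yield one dict per well-formed log line; silently skip junk."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def build_baseline(text):
    """Map each source host to the set of (dst, dport) pairs it normally uses."""
    baseline = defaultdict(set)
    for rec in parse_lines(text):
        baseline[rec["src"]].add((rec["dst"], rec["dport"]))
    return baseline


def find_anomalies(baseline, text, allowed_ports=ALLOWED_PORTS):
    """Return every review-period connection that deserves a human's eyes."""
    anomalies = []
    for rec in parse_lines(text):
        reasons = []
        if (rec["dst"], rec["dport"]) not in baseline.get(rec["src"], set()):
            reasons.append("new destination/port for this host")
        if rec["dport"] not in allowed_ports:
            reasons.append("port not in outbound allowlist")
        if reasons:
            anomalies.append({**rec, "reasons": reasons})
    return anomalies


def summarize(anomalies):
    """Collapse repeated hits into one entry per (src, dst, dport) with a count."""
    summary = {}
    for a in anomalies:
        key = (a["src"], a["dst"], a["dport"])
        entry = summary.setdefault(
            key, {"count": 0, "first_seen": a["ts"], "reasons": a["reasons"]}
        )
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], a["ts"])
    return summary


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for key, info in summarize(find_anomalies(base, REVIEW_LOG)).items():
        src, dst, dport = key
        print(f"{src} -> {dst}:{dport} x{info['count']} "
              f"(first {info['first_seen']}): {', '.join(info['reasons'])}")
```

The point of the baseline is that "anomalous" has to mean something relative to your own traffic, not a generic signature list; the allowlist catches what a baseline cannot, such as a port you never expected any host to use. In practice you would feed a week of real exports into `build_baseline` and run `find_anomalies` on each new day, then read the summary rather than the raw hits.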
And more lurks inside of your infrastructure. QA and regression testing seem sometimes to be a thing of the past, but they’re still valid data processing best practices. Remember data processing? Remember best practices?
You’re doing these, right?
Nothing to see here. Move along.