Skip to content
Naked Security Naked Security

NSA reveals how it beats 0-days

Exploits and vulnerabilities are weaponized against us 24 hours after release, says technical director.

In the ongoing cat-and-mouse game between nation states and attackers, anyone with something to protect has less time than ever to shore up their defenses.
At this week’s RSA conference in San Francisco, Dave Hogue, technical director of the US National Security Agency (NSA), reviewed the organization’s best practices for defense – one of which is to “harden to best practices,” as the NSA often sees attacks against their systems within 24 hours of a new vulnerability being disclosed or discovered in the wild.

Within 24 hours I would say now, whenever an exploit or a vulnerability is released, it’s weaponized and used against us.

This gives the NSA defensive team a very short patching window, especially compared to average patching windows in the private sector, which can measure in weeks or months, certainly not days or hours. Hogue said in his RSA panel that phishing attacks and unpatched systems still account for the majority of attacks that they encounter at the NSA. Understandably, this is why the NSA says keeping their systems as updated as possible, as quickly as possible is “one of the best defense practices.”

This discipline has paid off for the NSA, as Hogue says they have not had any intrusions via a 0-day exploit in the last 24 months. So, while the bad news may be that attackers are moving faster than ever – or at least the ones targeting the NSA are – the good news is that attackers mostly still rely on their old tricks, simply because they’re easier to deploy and usually work.
In fact, the vast majority of the incidents that the NSA deals with aren’t the latest and greatest in APTs or cutting-edge 0-days – 93% of all security incidents in the last year at the NSA were found to be entirely preventable using best practices they already advocated. Attackers are depending on governments and organizations to lapse in the tried-and-true basic principles so they can rely on tried-and-true basic methods, and they don’t have to burn their best (and often more difficult to use) secrets and methods.
For all the headlines that the latest named vulnerability might get, the chances of being hit by this kind of threat are still lower than a phishing email or ransomware causing trouble.


Actually, I’m hoping the NSA systems do get infiltrated since they are in violation of the constitution. There aren’t “bad guys” in this topic since the fbi, NSA, DHS etc are also bad guys violating the liberties of Americans.


You guys wishing the NSA get infiltrated is just stupid. It’s like me wishing your mother gets hit by a car and the rest of your family is robbed.


Mike, Mothers give and nurture life. NSA violates laws, creates illegal weapons, leaked them to criminals (or so we’re told) who used them in some of the of the worst malware attacks yet, then blames them on other countries governments.
The NSA and Mothers have noting in common.


There’s a take-away here that i feel like there’s too little emphasis on…
Everyone, all the way up to the NSA but also all the way down to you and that little forum you host for a games server you run, or the locked down (you think) device hosting your marketing people’s ad content is vulnerable no matter what you do.
Engaging and teaching your end users is the most important step you can take. If you don’t know how to use a carrot to get them involved, “you will lose all your data without a business case to the value of £10,000 if you get yourself infected” makes a mighty effective stick (it WILL make your IT on-site the enemy of the users who need their help the most, so use wisely).
I suspect the NSA are using a stick.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!