Daily Archives: February 3, 2016

Big Banks Increase Cybersecurity Investment to Stop Data Breaches

A recent article in Forbes Magazine reports that big banks including Bank of America and J.P. Morgan Chase are pulling out all the stops when it comes to their cybersecurity budgets. According to the article, B of A CEO Brian Moynihan has declared that cybersecurity is the only area of his company that has no budget constraints whatsoever. Another financial giant, J.P. Morgan, reportedly doubled its budget in 2015 from $250 million to $500 million.

The increased investment in cybersecurity should come as no surprise. As Infosecurity Magazine reported last year, the financial services industry is 300 times more likely to be the target of a data breach than any other sector. In another study, insurance company Lloyds of London found that cyber-attacks can cost organizations as much as $400 billion a year.

Putting more focus and dollars into data security is a wise move. However, improving security posture depends as much on what you invest in as on how much you spend. Like all industries, financial services is facing an increasing number of threat vectors and security challenges, including dependence on cloud-enabled services, an explosion of mobile devices in the workplace, and BYOD, to name a few. These vulnerabilities are being exploited by increasingly sophisticated and connected criminal hacker syndicates and nation-state attackers bent on thwarting whatever security solutions are put in their way. One only has to survey the high-profile data breaches of 2015 to realize that throwing more money at blocking threats from gaining entry won’t necessarily solve the problem.

The answer is not to abandon critical preventive measures such as AV/heuristic indexes, sandboxing and IPS. These are important technologies that have a place in a sound cybersecurity strategy. But organizations need to consider adding technology that can protect the network after evasive malware bypasses those defenses, but before they have to call in the disaster recovery team to assess their losses. One way to accomplish this is to add traffic anomaly detection: technology that continuously monitors all outbound network traffic to detect anomalous behavior and contain suspicious data transfers before an active infection is discovered. Such technology can augment preventive measures like sandboxing, but it requires that banks and other organizations first accept that no security tool exists that can stop 100% of malware. Even with unlimited budgets, stronger cybersecurity readiness can’t begin without that acceptance.

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 2


This is the second entry in a two-part series covering the NSA’s chief hacker’s recent talk at a security conference. Rob Joyce, the head of the Tailored Access Operations program put in place by the NSA to conduct cyberespionage operations on foes and allies alike, briefly revealed how state-sponsored hackers infiltrate their targets’ networks, often successfully.

Rob Joyce quickly ran through a list of to-dos for those who are looking to make his job harder. He could be forgiven for cutting short this particular portion of his talk.

Speaking candidly, the NSA hacker-in-chief explained that special access privileges to critical systems ought to be restricted to a select few. This inherently makes the NSA’s task more difficult, as the number of worthwhile targets is lowered. Furthermore, he nodded toward segmenting networks and vital information and data. Such a move makes it harder for hackers to gain access to what they’re looking for.

The NSA employee also recommends patching systems regularly. Application whitelisting is also important for trust. Hardcoded passwords are a strict no-no and ought to be removed. So too should legacy protocols that aren’t updated and are still functional. More specifically, protocols that transmit passwords in the clear, should be curbed.

Joyce also pointed to roadblocks that make his job significantly harder. One such roadblock is an “out-of-band network tap.” This is a device that continually monitors network activity and maintains logs that can record anomalous activity. When these logs are reviewed regularly by a system administrator, the game is up.
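The two defensive ideas raised on this page, outbound traffic anomaly detection (from the banking post above) and reviewing out-of-band tap logs for legacy cleartext protocols and odd behavior (this section), can be sketched as a small log-review script. This is an added example, not code from either article; the flow records, the host names and the port-to-protocol mapping are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records, not real traffic:
# (day, source host, destination IP, destination port, bytes sent outbound)
SAMPLE_FLOWS = [
    ("2016-02-01", "ws-101", "203.0.113.10", 443, 100_000),
    ("2016-02-02", "ws-101", "203.0.113.10", 443, 120_000),
    ("2016-02-03", "ws-101", "203.0.113.10", 443, 110_000),
    ("2016-02-04", "ws-101", "198.51.100.7", 443, 5_000_000),  # sudden large transfer
    ("2016-02-01", "ws-102", "203.0.113.10", 443, 80_000),
    ("2016-02-02", "ws-102", "203.0.113.10", 443, 90_000),
    ("2016-02-03", "ws-102", "203.0.113.10", 443, 85_000),
    ("2016-02-04", "ws-102", "192.0.2.20", 23, 88_000),  # telnet: password in the clear
]

# Assumed mapping of legacy ports to protocols that send credentials unencrypted.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 110: "pop3", 143: "imap"}


def cleartext_protocol_flows(flows):
    """Return (host, destination, protocol) for every flow on a cleartext legacy port."""
    return [(src, dst, CLEARTEXT_PORTS[port])
            for _, src, dst, port, _ in flows if port in CLEARTEXT_PORTS]


def outbound_volume_anomalies(flows, sigmas=3.0, min_baseline_days=2):
    """Flag hosts whose latest-day outbound volume exceeds mean + sigmas * stdev of earlier days."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes sent
    for day, src, _, _, nbytes in flows:
        daily[src][day] += nbytes
    anomalies = []
    for host, per_day in daily.items():
        days = sorted(per_day)
        baseline = [per_day[d] for d in days[:-1]]
        if len(baseline) < min_baseline_days:
            continue  # not enough history to judge this host
        latest = per_day[days[-1]]
        limit = mean(baseline) + sigmas * pstdev(baseline)
        if latest > limit:
            anomalies.append((host, days[-1], latest, round(limit)))
    return anomalies


if __name__ == "__main__":
    for hit in cleartext_protocol_flows(SAMPLE_FLOWS):
        print("cleartext protocol in use:", hit)
    for hit in outbound_volume_anomalies(SAMPLE_FLOWS):
        print("outbound volume anomaly:", hit)
```

On the constructed data, ws-102 is flagged for a telnet session and ws-101 for a day of outbound volume far above its own baseline; in practice the baseline window and sigma threshold would be tuned per environment.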

Another insight revealed by Joyce goes against the popular opinion about how state-sponsored hackers at the NSA or other agencies around the world operate. He claimed that the NSA does not rely on zero-day exploits, not extensively anyway. He says the NSA doesn’t look heavily at zero-days, simply because it doesn’t have to.

“[With] any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days,” he says.

“There’s so many more vectors that are easier, less risky and quite often more productive than going down that route.”

NSA Chief Hacker Reveals How He Can Be Kept Away – Part 1


The National Security Agency’s hacking chief reveals insights and tips to block the world’s best hackers.

Here’s how NSA’s hacker-in-chief Rob Joyce began a recent security conference talk in San Francisco.

I will admit it is very strange to be in that position up here on a stage in front of a group of people. It’s not something often done.

My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard.

As the head of NSA’s Tailored Access Operations, the team tasked by the government with infiltrating the computer systems and networks of foreign adversaries and allies alike, even Joyce made light of the awkward situation. He was in a room packed with security professionals, journalists and academics, telling them exactly how they could keep state hackers like him away from their computers and networks.

The NSA Trap

The NSA isn’t one to look for the login credentials of a targeted firm or organization’s management. Instead, the agency looks for the credentials of network and system administrators, those with high levels of network access and privileges. The NSA, as reported by Wired, also seeks out hardcoded passwords embedded in software. Similarly, the agency sniffs for passwords transmitted by legacy protocols. Basically, it goes after the entire sphere in which it detects a vulnerability, and none of those vulnerabilities goes unnoticed by the agency.

Joyce said:

Don’t assume a crack is too small to be noticed, or too small to be exploited.

If users ran penetration tests of their network and infrastructure to see 97 devices pass the test while three failed, Joyce claimed that those three seemingly harmless vulnerabilities are the ones that the NSA or other state-sponsored attackers will see as sweet spots.

“We need that first crack, that first seam,” explained Joyce, noting that every single vulnerability matters. “And we’re going to look and look and look for that esoteric kind of edge case to break open and crack in.”

If a user is approached by a vendor to open the network, however briefly, to fix a concern remotely, Joyce advises against it. Such a situation is just one of the many opportunities that nation-state hackers are looking for as vulnerabilities, he added.

Surprisingly, Joyce also pointed to personal devices such as laptops used by office employees and running the gaming platform Steam as a favorite attack target of the NSA. When the employee’s kids load Steam games onto the laptops and the laptops subsequently connect to the organization’s network, an attack vector is opened.

Basically, the NSA and state-sponsored spies and hackers in general are well equipped to get into a user’s network, simply because they know more about the network than most users do.

“We put the time in … to know [that network] better than the people who designed it and the people who are securing it,” he stated. “You know the technologies you intended to use in that network. We know the technologies that are actually in use in that network. Subtle difference. You’d be surprised about the things that are running on a network vs. the things that you think are supposed to be there.”