Joyce heads up the NSA's Tailored Access Operations (TAO) team, the group charged with breaking into the systems of the United States' foreign adversaries - and occasionally, its friends too.
The TAO has actually existed for some time, but came to light during Edward Snowden's leaks in 2013. Joyce himself has been with the NSA for over 25 years, though he has only headed the TAO since April of the same year Snowden made headlines.
Joyce was understandably tight-lipped on the inner workings of the TAO, but he did shine a light on how the NSA breaks into systems. The key to success is the virtual key to the server - namely, credentials such as username and password. No, not the credentials of the CEO or MD, but those of the sysadmin. Yes, the NSA hunts sysadmins. Such people have the network access and privileges that can reveal all a company's data.
Joyce was explicit: the NSA actively seeks credentials which are hardcoded in software, or passwords transmitted in cleartext. This is another reason to hate websites which send you "password reminder" emails that divulge your password. Not only does this mean they store your password in plaintext (not encrypted) on their end, but now they are broadcasting it to anybody snooping in on your email.
Joyce went on to say that no crack is too small to be noticed or exploited. If you perform a penetration test of your network and maybe 97 things pass but three obscure things don't, you cannot actually relax and sit back. It is those three small things which the NSA, and attackers from other nations, will work on.
Even temporary cracks, Joyce revealed, are targets for the NSA. You open up firewall access for a support vendor for the weekend and the NSA will jump right in there, having been passively testing your systems periodically for such a weakness.
BYOD, the buzzword that electronic retailers love to throw around, is a boon to the NSA. Insecure personal devices are being brought into companies, connecting to WiFi behind the corporate firewall, exposing the company to potential risks. Even QR codes can be a trap.
The NSA will target tech you may not even normally think of, such as your heating and cooling systems and other aspects of building infrastructure.
Joyce stated "spies have little trouble getting into your network because they know better than you what's on it."
Perhaps a novel sideline business for the NSA would be to sell documentation to companies. I know when I've gone into a new business and had to figure all this out myself it would be super-handy if I could just phone the NSA and buy their report!
Joking aside, Joyce gave practical tips for those who want to keep hackers out. You know the drill; these are not new. However, they are also not necessarily enforced, and that's the problem.
Limit access privileges to only those who need them.
Segment networks and important data.
Implement application whitelisting.
Don't hardcode passwords.
Don't transmit passwords in plaintext.
However, the biggest way of keeping the hackers out, Joyce said, is to monitor and log network activity and then have a smart sysadmin who actually reviews the info and pays attention. Do you have this person on your payroll?
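Two of the tips above, "Don't hardcode passwords" and "Don't transmit passwords in plaintext", can be checked mechanically before code or configuration ships. The following is an added example, not something from Joyce's talk: a small Python check that flags quoted secrets assigned to password-like keys and credentials embedded in URLs, separating cleartext schemes from encrypted ones. The key names, scheme list, hostnames and sample values are all assumptions constructed for illustration.

```python
import re

# Key names that usually hold a secret (assumed list; extend for your codebase).
SECRET_KEY = r"(?:pass(?:word|wd)|pwd|secret|api[_-]?key|token)"
# key = "literal" or key: 'literal' with a non-empty quoted value.
ASSIGN = re.compile(
    rf"""\b[\w.-]*{SECRET_KEY}[\w.-]*\s*[:=]\s*(["'])(?P<val>[^"']+)\1""", re.I)
# scheme://user:password@host
URL_CRED = re.compile(
    r"\b(?P<scheme>[a-z][a-z0-9+.-]*)://[^\s/:@]+:(?P<pw>[^\s/@]+)@", re.I)
# Values that point at an environment variable or secret store, not the secret.
INDIRECT = re.compile(r"^\$\{?\w+\}?$|^\{\{.*\}\}$|^%\w+%$")
# Schemes that carry credentials unencrypted by default (assumed list).
CLEARTEXT_SCHEMES = {"http", "ftp", "telnet", "ldap", "smtp", "imap", "pop3"}

# Constructed sample configuration; none of these values are real.
SAMPLE = '''\
db_password = "Tr0ub4dor&3"
db_password = "${DB_PASSWORD}"
backup_target = "ftp://backup:hunter2@files.example.internal/nightly"
api_base = "https://svc:s3cr3t@api.example.internal/v1"
metrics = "http://metrics.example.internal:9100/scrape"
smtp_pwd: 'mail-relay-1'
'''

def scan(text):
    """Return (line_no, kind) findings for hardcoded or cleartext-bound secrets."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED.finditer(line):
            if INDIRECT.match(m.group("pw")):
                continue  # password is injected at deploy time, not stored here
            cleartext = m.group("scheme").lower() in CLEARTEXT_SCHEMES
            findings.append((no, "cleartext-credential-url" if cleartext
                             else "hardcoded-credential-url"))
        for m in ASSIGN.finditer(line):
            if not INDIRECT.match(m.group("val")):
                findings.append((no, "hardcoded-secret"))
    return findings

if __name__ == "__main__":
    for no, kind in scan(SAMPLE):
        print(f"line {no}: {kind}")
```

A port number after the host, as in the metrics line, is not mistaken for a password because the pattern requires an "@" straight after it.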