CrestCon and IISP congress – Dr Ian Levy presentation

Today I attended the CrestCon and IISP congress.  One of the keynote presentations was by Dr Ian Levy the technical director of the NCSC (National Cyber Security Centre).  This was titled ‘NCSC – WTF’.  It was a very interesting and refreshingly forthright talk, so I thought I would share it!  He covered a lot of the work and plans of the NCSC along with some of his personal thoughts.

My notes from the presentation are below. I have included various links for ease of reference, and I definitely recommend reading the materials they lead to.

National Cyber Security strategy 2016-2021

    • Basically – information sharing is not enough, get off your arse and do something about it! (his words 😉 )

NCSC;

  • Should be the single government / legal point of contact you go to for anything cyber.
  • A different sort of agency
    • Collaborate with the NCSC – Secondments for Cyber experts to work with and help the country’s cyber security

 

APTs are in the press a lot; however, let's be honest;

    • Anatomy of most unprecedented, sophisticated cyber attacks;
      • Attacker does a bit of research
      • Attacker sends a spear phishing email to an admin
      • Admin opens email using admin account, exploiting unpatched stuff
      • Attacker does nefarious stuff as admin
      • Monitoring does not work
      • Attacker takes data or changes data
      • Profit

Most APT is not APT at all.  Is the focus correct? APT – less Advanced Persistent Threat – more likely Adequate Pernicious Toe-rag.. (heard this before, not sure who first coined the term..)

 

XKCD – Security tips cartoon!  Highlighting that some security advice is not always the best..

Some general thoughts;

    • Admins must not browse the web or use email with admin account – if you still allow this, you should get a new job..
    • Have a different, complex password for each system you use – stupid advice!
    • (not)Awesome advice – Don’t open an attachment unless you trust the email.. – How do people ‘trust an email’???
      • If you own an email domain and don’t use DMARC you should be ashamed..
      • NCSC have open sourced their DMARC management solution – could we use this rather than paying for something?  They even have a dashboard that will be open source soon.
      • https://www.ncsc.gov.uk/blog-post/open-sourcing-mailcheck
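The DMARC point above is easy to check for your own domains. The Python below is an added example (not from the talk and not the NCSC Mail Check code): it parses a DMARC TXT record and classifies how much protection it actually gives, since a record with p=none only monitors. The domains and records are constructed; a real check would first fetch the TXT record at _dmarc.<domain>.

```python
# Added example (not NCSC code): parse a DMARC TXT record (RFC 7489 tag=value
# syntax) and classify the protection it gives. Records below are constructed;
# a live check would fetch the TXT record at _dmarc.<domain> first.

SAMPLE_RECORDS = {                         # made-up domains, constructed records
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "strict.example": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:agg@strict.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example": "p=reject; v=DMARC1",   # v tag must come first
    "absent.example": None,                   # no _dmarc TXT record at all
}


def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a usable
    DMARC record (v=DMARC1 must be the first tag and p is mandatory)."""
    if not txt:
        return None
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for part in parts:
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if "p" in tags else None


def assess_dmarc(txt):
    """Summarise what receivers do with mail that fails DMARC for this domain:
    'missing-or-invalid', 'monitor-only', '<p>-partial(<pct>%)' or '<p>-enforced'."""
    tags = parse_dmarc(txt)
    if tags is None or tags["p"].lower() not in ("none", "quarantine", "reject"):
        return "missing-or-invalid"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                               # RFC default if pct is malformed
    if policy == "none":
        return "monitor-only"                   # spoofed mail still delivered
    return f"{policy}-partial({pct}%)" if pct < 100 else f"{policy}-enforced"


def has_reporting(txt):
    """True if the record requests aggregate (rua) reports, which is how an
    owner learns who is spoofing the domain before moving past p=none."""
    tags = parse_dmarc(txt)
    return bool(tags and tags.get("rua"))
```

A domain that comes back as monitor-only without rua is the worst of both worlds: nothing is blocked and nobody is told about the spoofing.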

 

The NCSC is trying to reduce harm by asking nicely – automatically asking ISPs and hosting providers to take down malicious sites.

 

Recursive DNS is my friend.

    • Hosting their own DNS – moving all public sector organisations to using the NCSC DNS – it will automatically not resolve known bad sites / services, so unless you connect by IP you just won't get to them.

 

NCSC – Active Cyber Defence programme.  This provides a great overview of many of their initiatives and how they hang together;

https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk

 

Read Understanding Uncertainty – ‘Medicine, poison, poison, poison’;

 

Goal for NCSC – From fear to published evidence and analysis

    • So you can target your security strategy and spending appropriately!

 

Keep security advice basic, brief and relevant

E.g. 5 tips for email, 5 tips for phones etc. Something like – encrypt, keep up to date, use a PIN, don’t jailbreak, only install apps from Google Play / the Apple store.

 

‘Hacking back’ / Offensive security – his opinion

    • Should be reserved for government, potentially not legal for private firms.
    • Must be very organised, concerted effort.  Attribution is very hard..
    • Any private company doing this is mad, due to potential repercussions.

If you have any questions I’ll try to answer them, but I hope you have found this and the links interesting!

K

13 Security Myths Busted.. My thoughts.

I was recently sent a link to an article covering what were described as ’13 security myths – busted’ and asked my opinion.  As it was fairly light and interesting, I thought I would share the article and my thoughts;

The original article can be found here;

http://www.networkworld.com/slideshow/86918/13-of-the-biggest-security-myths-busted.html?source=NWWNLE_nlt_afterdark_2013-02-21

Have a read of the myths and why they think they are myths, read my thoughts below, and it would be great to hear your thoughts.

1. AV – Possibly not super efficient, but I think still necessary – they kind of mix apples and oranges with the targeted attack comment, as it is not designed for that, but it still prevents the vast majority of malware and general attacks.  Possibly in an environment where literally no one runs with admin privileges and there is strong whitelisting you could do without AV, but generally I’d say it is still relevant and required.

2. This one is hard to know as there is so much FUD around.  It is clear that in many circumstances (Stuxnet etc., Chinese APT, US government espionage etc.) governments are investing huge sums of money and employing extremely bright people to attack and defend in cyber land.  I suspect much will never be known as the NSA / MI6 / <insert secret government money pit here> are by definition very secretive.  Remember all the speculation around the NSA’s ability to crack encryption in the past..

3. Totally agree – just look at most businesses and the trouble they have getting control of authentication via AD / IAM.  However, many are moving in the right direction, so maybe soon we’ll have everything in IAM and / or AD..

4. I think this one proves itself incorrect in the text – Risk management is needed, you just need to work on understanding your adversaries and the actual risks you face, which includes understanding their motivations and the value they place on your data and IP.

5. This I totally agree with.  I have already highlighted I don’t really like the fact we as an industry use the term ‘best practice’ all over our standards and policy documents etc. – who defines what it is? Is it best in any specific environment with its support skill sets and technology stack etc.?

6. Half agree they are a fact of life, however you can have effective responses and strategies around privilege control and application controls etc. to massively mitigate the risks these pose.

7. I can’t comment on this one, but most national infrastructures are inadequately protected and tend to rely on old legacy systems for many of their functions, so this is probably true in the UK for much supporting infrastructure as well.

8. Completely agree with this.  Compliance is a useful checklist, but compliance with standards should be a by-product of good secure design and processes, not something we strive for as a product in itself.  It provides a driver but is very much the wrong focus if you want to be secure rather than compliant.

9. Agree – CISO may own security policy and strategy etc., but security is everyone’s problem and everyone should be accountable for performing their duties with security and security policies in mind.  I’m a big fan of security awareness training as a regular thing to help educate people and keep security at the forefront of the way we do business.

10. Likely has been true, in the same way as Mac / Linux are ‘safer’ than Windows, as it has not been the focus of as much malicious attention and has not been carrying as much functionality and valuable data.  This is rapidly shifting though as we rely more and more on mobile devices for everything from banking to shopping to actual business.  So I think this one is rapidly if not already becoming a myth.

11. Agree – you can likely never be 100% secure if you want to have a life or business online.  I think it was an American who coined ‘eternal vigilance is the price of freedom’.  We should work to be secure, but freedom both individually and as a business is too important and hard won to give up.  Obviously some personal freedoms to do whatever you want with corporate devices have to be given up, but I think my point stands as a general concept.  As the guy in the article says (and I do above), work to understand your adversaries, their motivations and tools.

12. Agree with this one also – continuous monitoring, trending and learning are key to understanding and preventing, or at least capturing, today’s advanced long-term threats such as APTs.

13. I agree with this final one as well, and have actually blogged about this before.  We live in an ‘assume you have been or will be breached’ world.  Put the detective measures and controls in place to ensure you rapidly detect and minimise the damage from any breach.  Read last year’s Verizon data breach report..

It would be great to hear your thoughts on this light article.

K