Today I attended the CrestCon and IISP congress. One of the keynote presentations was by Dr Ian Levy, the technical director of the NCSC (National Cyber Security Centre). This was titled ‘NCSC – WTF’. It was a very interesting and refreshingly forthright talk, so I thought I would share it! He covered a lot of the work and plans of the NCSC along with some of his personal thoughts.
My notes from the presentation are below. I have included various links for ease of reference, and definitely recommend reading the materials they lead to.
National Cyber Security strategy 2016-2021
- Sets out government cyber policy for the next few years – read this!
- Basically – information sharing is not enough, get off your arse and do something about it! (his words 😉 )
- Should be a single government / legal point of contact you go to for anything Cyber.
- A different sort of agency
- Collaborate with the NCSC – Secondments for Cyber experts to work with and help the country’s cyber security
APTs are in the press a lot, however let’s be honest;
- Anatomy of most unprecedented, sophisticated cyber attacks;
- Attacker does a bit of research
- Attacker sends a spear phishing email to an admin
- Admin opens email using admin account, exploiting unpatched stuff
- Attacker does nefarious stuff as admin
- Monitoring does not work
- Attacker takes data or changes data
Most APT is not APT at all. Is the focus correct? APT – less Advanced Persistent Threat – more likely Adequate Pernicious Toe-rag.. (heard this before, not sure who first coined the term..)
XKCD – Security tips cartoon! Highlighting that some security advice is not always the best..
Some general thoughts;
- Admins must not browse the web or use email with admin account – if you still allow this, you should get a new job..
- Have a different, complex password for each system you use – stupid advice!
- NCSC – password security
- (not)Awesome advice – Don’t open an attachment unless you trust the email.. – How do people ‘trust an email’???
- If you own an email domain and don’t use DMARC you should be ashamed..
- NCSC have open sourced their DMARC management solution – could we use this rather than paying for something? They even have a dashboard that will be open source soon.
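As an added illustration of the DMARC point above (my own example, not the NCSC’s tooling), this checks how strongly a domain’s DMARC record actually enforces. The sample records are constructed; a live check would fetch the TXT record at `_dmarc.<domain>`.

```python
# Constructed sample records; live records are the TXT record at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example",
    "strong.example": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s",
    "broken.example": "v=DMARC1; rua=mailto:dmarc@broken.example",
}

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; reject anything that is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    return tags

def assess_dmarc(record):
    """Return (effective_policy, findings); findings is empty for a fully enforcing record."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy is None:
        # RFC 7489 6.6.3: without a valid p= tag receivers fall back to p=none (or ignore it)
        findings.append("missing p= tag: receivers treat the record as p=none at best")
        policy = "none"
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    elif policy != "reject":
        raise ValueError("unknown policy %r" % policy)
    pct = int(tags.get("pct", "100"))
    if policy != "none" and pct < 100:
        findings.append("pct=%d: enforcement applies to only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as your domain")
    return policy, findings

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        policy, findings = assess_dmarc(record)
        print(domain, policy, findings or "OK")
```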
The NCSC is trying to reduce harm by asking nicely – automatically asking ISPs and hosting providers to take down malicious sites.
Recursive DNS is my friend.
- Hosting their own DNS – moving all public sector organisations to using the NCSC DNS – they will automatically not provide details for known bad sites / services, so unless you connect by IP you just won’t get to them
NCSC – Active Cyber Defence programme. This provides a great overview of many of their initiatives and how they hang together;
Read Understanding Uncertainty – ‘Medicine, poison, poison, poison’;
- Great overview of understanding risk and uncertainty, but in context..
- Context is key to ensuring you really understand and focus correctly
Goal for NCSC – From fear to published evidence and analysis
- So you can target your security strategy and spending appropriately!
Keep security advice basic, brief and relevant
E.g. 5 tips for email.. 5 tips for phones etc. something like – encrypt, keep up to date, use a PIN, don’t jailbreak, only install apps from Google Play / the Apple App Store.
‘Hacking back’ / Offensive security – his opinion
- Should be reserved for government, potentially not legal for private firms.
- Must be very organised, concerted effort. Attribution is very hard..
- Any private company doing this is mad, due to potential repercussions.
If you have any questions I’ll try to answer them, but I hope you have found this and the links interesting!