CrestCon and IISP congress – Dr Ian Levy presentation

Today I attended the CrestCon and IISP congress.  One of the keynote presentations was by Dr Ian Levy the technical director of the NCSC (National Cyber Security Centre).  This was titled ‘NCSC – WTF’.  It was a very interesting and refreshingly forthright talk, so I thought I would share it!  He covered a lot of the work and plans of the NCSC along with some of his personal thoughts.

My notes from the presentation are below, I have included various links for ease of reference, and definitely recommend reading the materials they lead to.

National Cyber Security Strategy 2016-2021

    • Basically – information sharing is not enough, get off your arse and do something about it! (his words 😉 )

NCSC;

  • Should be the single government / legal point of contact you go to for anything cyber.
  • A different sort of agency
    • Collaborate with the NCSC – Secondments for Cyber experts to work with and help the country’s cyber security


APTs are in the press a lot, however let's be honest;

    • Anatomy of most unprecedented, sophisticated cyber attacks;
      • Attacker does a bit of research
      • Attacker sends a spear phishing email to an admin
      • Admin opens email using admin account, exploiting unpatched stuff
      • Attacker does nefarious stuff as admin
      • Monitoring does not work
      • Attacker takes data or changes data
      • Profit

Most APT is not APT at all.  Is the focus correct? APT – less Advanced Persistent Threat – more likely Adequate Pernicious Toe-rag.. (heard this before, not sure who first coined the term..)


XKCD – Security tips cartoon!  Highlighting that some security advice is not always the best..

Some general thoughts;

    • Admins must not browse the web or use email with admin account – if you still allow this, you should get a new job..
    • Have a different, complex password for each system you use – stupid advice!
    • (not)Awesome advice – Don’t open an attachment unless you trust the email.. – How do people ‘trust an email’???
      • If you own an email domain and don’t use DMARC you should be ashamed..
      • NCSC have open sourced their DMARC management solution – could we use this rather than paying for something?  They even have a dashboard that will be open source soon.
      • https://www.ncsc.gov.uk/blog-post/open-sourcing-mailcheck
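The point above is that publishing a DMARC record is not the same as enforcing one. As an added example (not code from the post, and not NCSC's Mail Check), here is a small Python check that parses a domain's DMARC TXT record and reports whether it is missing, monitor-only (p=none), partially applied, or actually enforcing; the domain names and records it uses are constructed samples.

```python
# Added example, not from the post or NCSC's Mail Check: assess DMARC records.
# Constructed sample records, as they would be published at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "enforcing.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing.example; pct=100",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:reports@monitor-only.example",
    "broken.example": "v=DMARC1; p=quarantine; pct=abc",
    "no-dmarc.example": None,  # no _dmarc TXT record published at all
}

def parse_dmarc(record):
    """Split a DMARC record into lowercase tag -> value pairs.
    Returns None unless it carries the mandatory v=DMARC1 and p= tags."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None  # malformed tag: treat the whole record as unusable
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags

def assess_dmarc(record):
    """Return (status, reason); 'enforcing' means p=quarantine/reject on all failing mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing", "no valid DMARC record (v=DMARC1 with a p= tag) published")
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("invalid", f"unknown policy p={policy}")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        return ("invalid", f"pct must be an integer 0-100, got {pct!r}")
    if policy == "none":
        return ("monitor-only", "p=none: reports only, spoofed mail is still delivered")
    if int(pct) < 100:
        return ("partial", f"p={policy} applied to only {pct}% of failing mail")
    if "rua" not in tags:
        return ("enforcing-blind", f"p={policy} but no rua= address, so no aggregate reports")
    return ("enforcing", f"p={policy} on all failing mail, reports to {tags['rua']}")

def assess_all(records=SAMPLE_RECORDS):
    """Map each domain to its DMARC status, e.g. when auditing a list of owned domains."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}
```

In practice the record would come from a TXT lookup of `_dmarc.<domain>` rather than the embedded samples.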


The NCSC is trying to reduce harm by asking nicely – automatically asking ISPs and hosting providers to take down malicious sites


Recursive DNS is my friend.

    • Hosting their own DNS – moving all public sector organisations to using the NCSC DNS – it will automatically not resolve known bad sites / services, so unless you connect by IP you just won't get to them


NCSC – Active Cyber Defence programme.  This provides a great overview of many of their initiatives and how they hang together;

https://www.ncsc.gov.uk/blog-post/active-cyber-defence-tackling-cyber-attacks-uk


Read Understanding Uncertainty – ‘Medicine, poison, poison, poison’;


Goal for NCSC – From fear to published evidence and analysis

    • So you can target your security strategy and spending appropriately!


Keep security advice basic, brief and relevant

E.g. 5 tips for email, 5 tips for phones etc. Something like: encrypt, keep up to date, use a PIN, don't jailbreak, only install apps from Google Play / the Apple App Store.


‘Hacking back’ / Offensive security – his opinion

    • Should be reserved for government, potentially not legal for private firms.
    • Must be very organised, concerted effort.  Attribution is very hard..
    • Any private company doing this is mad, due to potential repercussions.

If you have any questions I’ll try to answer them, but I hope you have found this and the links interesting!

K