GCHQ's National Cyber Security Centre opens for business following delays

Sarastro

LE
Kit Reviewer
Book Reviewer
#41
At the risk of being beaten to death with my own keyboard - why is Cyber under the remit of HM Forces - I would have thought one of the intelligence agencies would have been better positioned to conduct this.
It isn't. Neither is the NCSC.

But all organisations have a responsibility towards their own defensive measures (CND or IT Security in old money). So HM Forces, the MOD etc each and collectively have their own bits of CND capability, and have done for at least 4 decades or more.
 

A2_Matelot

LE
Book Reviewer
#43
From what is available openly, it is primarily a policy and advice shop, not an operational centre...
"If you’re browsing this website, you might be wondering how the new National Cyber Security Centre (NCSC) will actually help everyone in the UK? Of course, the NCSC is working to protect UK government information and services, our armed forces and the critical national infrastructure - such as our energy and water supplies. But the NCSC is also here to help make the UK the safest place for everyone to live and do business online, whether you run a small business or charity, look after the IT systems in a local school, or simply want to make sure your home IT is less vulnerable to malware and online crime.

How will that work in practice? Well, we want to make it easy for people and organisations to understand how to protect their information and IT from cyber attacks, in the same way as they understand how to protect themselves and their property from other kinds of crime. If you understand what’s important and the options available, you can make the choices that are right for you. Just as you might protect an old bike differently to your new car, or decide where and when your kids are allowed to go out alone, there’s no single right answer. We can’t tell you what to do in every situation - but we want to make it easier for you to take some sensible steps to make yourself safer.

Part of this is about advice and information, and helping communities share their knowledge. Here on the NCSC website, we show where to get expert help you can trust, such as cyberaware and getsafeonline.org. These government-backed services have the latest easy-to-follow advice and can even answer your specific questions via social media. For organisations and businesses, the Cyber-security Information Sharing Platform (CiSP) lets you join with people in similar circumstances to discuss common threats and strategies, and the Cyber Essentials scheme gives you the tools to implement - and demonstrate - good ‘cyber hygiene’.

But the NCSC will also be working behind the scenes to improve the underpinning technologies we all rely on. This might involve working with service providers to take action to reduce the known scamming and phishing emails in circulation, or encouraging IT providers to make their products more secure before you buy them. This will mean you can spend less time worrying about whether your systems are protected, and more time getting on with the other important things in your life. And it will mean that overall, our economy - and the UK as a whole - becomes more resilient to cyber attack."

Read Ian's blog, Active Cyber Defence - tackling cyber attacks on the UK - NCSC Site, where he openly comments on how NCSC will "Go looking for badness and take it down".
 
#45
Thanks all

I did suspect I was asking dumb questions - rest assured I can be taught.



Is this the correct time to ask if Cyber is taken seriously down south and is there a crack RAF team on 24hr standby to ensure the Argies can't remotely forge a flight plan for 50 B747 loads of Commandos?
 

Sarastro

LE
Kit Reviewer
Book Reviewer
#46
Read Ian's blog, Active Cyber Defence - tackling cyber attacks on the UK - NCSC Site, where he openly comments on how NCSC will "Go looking for badness and take it down".
Interesting blog, anyway. I thought he was saying something massively controversial but possibly true about DNS filtering, then I re-read it and realised he was saying the opposite.

Also, this:

However, there are certain services and groups of users who are so high risk that we think that service differentiation based on software age is appropriate. We haven't got to exactly what this means yet, but as a hypothetical example tax accountants may not be able to submit new returns on their customers’ behalf if they consistently use out of date software. Yes, we've thought about the attacker just using new software - there's some simple stuff that can be done to make this a sensible response.
Sounds perfectly reasonable in theory, but is hugely problematic in practice, and I don't see how they are going to solve it to anyone's satisfaction without a lot of reasonable objection from users. The paranoid-but-often-correct part of me also thinks it would be very easy to include, say, users of certain outdated FTP, P2P and I2P protocols into that mix...
 

Wordsmith

LE
Book Reviewer
#47
I'm not sure how putting it in bold changes the fact the words are talking, primarily, about policy and advice...
Ultimately cyber security depends on the people that implement it and how savvy the users are. Both can be outstandingly dumb.

Earlier this week I emailed a certain local council suggesting it might not be the brightest of ideas to have its recent penetration test results accessible from the internet. (Somehow Google had managed to index the document). Answer came there none.

A lot of organisations can't even get the basics right. They have the classic user name enumeration/weak password policy/no account lockout combination on their website. Something that can be exploited by even the dumbest hacker.

Cross site scripting is rife, with XML External Entity (XXE) attacks coming up on the rails. Clear text data transmission is another favourite, as is publicly exposing admin interfaces and not having effective AV software.

The problem is cyber security is seen as an overhead by most commercial companies - and they tend to spend as little as they can get away with. Your average script kiddie or casual hacker may not bother with a lot of the websites. If the companies are significant enough, a state sponsored hacker might.

Wordsmith
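The "user name enumeration / no account lockout" combination Wordsmith describes, shown as a vulnerable login handler beside a hardened one. This is an added illustration, not code from the thread or from any NCSC material; the user store, the PBKDF2 work factor and the lockout parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # PBKDF2 work factor, kept low for the demo; tune upward in production

def _hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(password: str) -> tuple:
    salt = os.urandom(16)
    return salt, _hash(salt, password)

# Constructed user store for the demonstration: username -> (salt, password hash).
USERS = {"alice": make_user("correct horse battery staple")}

def login_vulnerable(users: dict, username: str, password: str) -> str:
    """The 'classic' combination from the post: distinct error messages reveal which
    usernames exist, and nothing counts failed attempts."""
    if username not in users:
        return "unknown user"
    salt, digest = users[username]
    if not hmac.compare_digest(_hash(salt, password), digest):
        return "wrong password"
    return "ok"

class Authenticator:
    """Hardened form: one generic error for every failure, the same hashing cost whether
    or not the username exists, and a per-username lockout after repeated failures."""
    def __init__(self, users: dict, max_attempts: int = 5, lockout_seconds: int = 900):
        self.users = users
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}                # username -> (failure count, time of last failure)
        self.dummy_salt = os.urandom(16)  # used for unknown usernames so timing matches
    def login(self, username: str, password: str, now: float = None) -> str:
        now = time.time() if now is None else now
        count, last = self.failures.get(username, (0, 0.0))
        if count >= self.max_attempts:
            if now - last < self.lockout_seconds:
                return "locked"          # applies to unknown names too, so it leaks nothing
            count = 0                    # lockout window has expired
        salt, digest = self.users.get(username, (self.dummy_salt, b""))
        if hmac.compare_digest(_hash(salt, password), digest):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, now)
        return "invalid credentials"
```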
 

rampant

LE
Kit Reviewer
Book Reviewer
#48
Thanks all

I did suspect I was asking dumb questions - rest assured I can be taught.



Is this the correct time to ask if Cyber is taken seriously down south and is there a crack RAF team on 24hr standby to ensure the Argies can't remotely forge a flight plan for 50 B747 loads of Commandos?
If asking dumb questions was a crime, most of us on this site would have been banged up for life a long time ago.

Cyber is not really my field, are we still utilising Tiger Teams and "outside contractors"?
 

Sarastro

LE
Kit Reviewer
Book Reviewer
#49
@Wordsmith

Completely agree. Even the supposed professionals are astonishingly bad at times. A while ago I was running some training in, for want of a better description, vulnerability assessment. As a final exercise we used the host organisation (high level professional organisation) as a target. Students with a few days' training managed, within a couple of hours, using just the public-facing website as a start point, to correctly identify: a discreet physical location; two undisclosed attached organisations, including positive proof of a link; a whole mess of accessible unlisted sub-domains, including a couple on which a secret web portal was hosted, and managed to log in using predictable default passwords. The same web portal login box also yielded a huge long error message with lots of useful info (including database key strings), without even using a SQL injection.

At which point, I stopped the exercise, and started writing an email headed "URGENT:".

I would also say, a great example of the depth of problems is:

They have the classic user name enumeration/weak password policy
Part of the reason for that is that the standard industry recommendations, including those taught on CISP, are wrong. This XKCD panel explains why perfectly:



The problem is also that most "IT Security professionals" or people who are trained in this stuff are basically not competent, for example the relatively simple calculations of the cryptography behind the above are way beyond them, and they don't actually understand how password cracking works. Observationally, this is because the vast majority of them are ex-20th century security professionals of some kind (military, plod, whatever) who realised they had to retrain, and did so in a system that rewards box-ticking over understanding, competence or expertise. So you have a load of old fudders who have gotten their CISP or other tick in the box, but know about as much as Jon Snow. As a result, companies think they are implementing good practice, when in fact they are making bad and ineffective rules that simply haven't caught up to reality, because reality - in this area - moves too fast.

This is broadly going to be the weakness behind the centralised, NCSC approach to national cybersecurity. Yes, it will improve the low-hanging fruit, and that will have an impact. The high-level stuff is already broadly taken care of. But it is going to have real difficulty changing the fact that the middle ground of security problems are really caused by organisational culture issues with change, personnel and responsiveness, and a centralised push-driven approach to solving those simply won't work, as it hasn't worked so far.
 

A2_Matelot

LE
Book Reviewer
#50
I'm not sure how putting it in bold changes the fact the words are talking, primarily, about policy and advice...
Because "working behind the scenes to improve the underpinning technologies" and "Go looking for badness and take it down" are indicative of action, not just policy and advice.
 
#52
"If you’re browsing this website, you might be wondering how the new National Cyber Security Centre (NCSC) will actually help everyone in the UK? Of course, the NCSC is working to protect UK government information and services, our armed forces and the critical national infrastructure - such as our energy and water supplies. But the NCSC is also here to help make the UK the safest place for everyone to live and do business online, whether you run a small business or charity, look after the IT systems in a local school, or simply want to make sure your home IT is less vulnerable to malware and online crime.

How will that work in practice? Well, we want to make it easy for people and organisations to understand how to protect their information and IT from cyber attacks, in the same way as they understand how to protect themselves and their property from other kinds of crime. If you understand what’s important and the options available, you can make the choices that are right for you. Just as you might protect an old bike differently to your new car, or decide where and when your kids are allowed to go out alone, there’s no single right answer.

But the NCSC will also be working behind the scenes to improve the underpinning technologies we all rely on. This might involve working with service providers to take action to reduce the known scamming and phishing emails in circulation, or encouraging IT providers to make their products more secure before you buy them. This will mean you can spend less time worrying about whether your systems are protected, and more time getting on with the other important things in your life. And it will mean that overall, our economy - and the UK as a whole - becomes more resilient to cyber attack."
So what happened when the NHS was taken down in May?
 
#53
The problem is also that most "IT Security professionals" or people who are trained in this stuff are basically not competent, for example the relatively simple calculations of the cryptography behind the above are way beyond them, and they don't actually understand how password cracking works.
Don't forget the other two XKCD strips relevant to the subject at hand, mentioned in threads long gone by... specifically regarding compromise by other means...

Protective security top-tips

ICT Acquisition - a tale of woe
 

Wordsmith

LE
Book Reviewer
#56
This is broadly going to be the weakness behind the centralised, NCSC approach to national cybersecurity. Yes, it will improve the low-hanging fruit, and that will have an impact. The high-level stuff is already broadly taken care of. But it is going to have real difficulty changing the fact that the middle ground of security problems are really caused by organisational culture issues with change, personnel and responsiveness, and a centralised push-driven approach to solving those simply won't work, as it hasn't worked so far.
The answer is indeed complex and will have to be multi faceted.

I've always been taken with Bruce Schneier's suggestion that software companies should be made legally liable for faults in their software, much like car companies are responsible for selling a product that has been safely designed and put together. At present a software company can put out a product with glaring security holes and not be legally liable if the end user gets breached because of it. Make the software company legally liable and maybe they'd make their software a bit more secure.

Ship the software with a strong default configuration and require the company installing it to keep a risk register if they relax that default configuration and so on. Even better, hard code in requirements so you can't configure the software below certain minimum standards - for example all passwords must be a minimum of 8 characters long, have a mixture of upper case letters, lower case letters, numbers, special characters and can't use any of (say) 500 common dictionary words as a base for the password.

It'll take a holistic approach like the above to make some form of impact on the problem.

Wordsmith
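The entropy arithmetic behind the XKCD panel Sarastro refers to in #49, run against the complexity rules Wordsmith proposes in #56. This is an added example, not from the thread: the word list is a constructed stand-in for the "500 common dictionary words", the substitution table is an assumption, and the bit budget for the structured password is the comic's own estimate.

```python
import math
import string

# Constructed stand-in for the post's "500 common dictionary words"; a real deployment
# would load a proper list (or a breached-password list) instead of these seven.
COMMON_WORDS = {"password", "welcome", "football", "letmein", "dragon", "monkey", "qwerty"}

# Undo the usual letter-to-symbol substitutions so "P@ssw0rd" is seen as "password".
_UNLEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                         "@": "a", "$": "s", "!": "i"})

def base_word(pw: str) -> str:
    """Lower-case, undo substitutions, then keep only letters to expose the base word."""
    return "".join(ch for ch in pw.lower().translate(_UNLEET) if ch.isalpha())

def meets_complexity_policy(pw: str) -> bool:
    """The rule set proposed in the thread: at least 8 characters, all four character
    classes, and not built on a common dictionary word (substring match, deliberately greedy)."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    )
    base = base_word(pw)
    return len(pw) >= 8 and all(classes) and not any(w in base for w in COMMON_WORDS)

def structured_password_bits() -> int:
    """The comic's budget for a 'Tr0ub4dor&3'-style password: uncommon base word (16 bits),
    capitalisation (1), common substitutions (3), appended numeral (3), punctuation (4),
    and which of the two comes last (1)."""
    return 16 + 1 + 3 + 3 + 4 + 1

def passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Entropy of n words drawn uniformly at random from a dictionary: n * log2(size)."""
    return n_words * math.log2(dictionary_size)

def crack_time(bits: float, guesses_per_second: float) -> float:
    """Seconds to exhaust the whole search space at a given guessing rate."""
    return 2 ** bits / guesses_per_second

def compare(rate: float = 1000) -> dict:
    """Per candidate: (passes policy?, entropy bits, seconds to exhaust at `rate` guesses/s)."""
    out = {}
    for pw, bits in (("Tr0ub4dor&3", structured_password_bits()),
                     ("correcthorsebatterystaple", passphrase_bits(4, 2048))):
        out[pw] = (meets_complexity_policy(pw), bits, crack_time(bits, rate))
    return out
```

At 1000 guesses a second the 28-bit string is exhausted in about three days and the 44-bit passphrase in about 550 years, yet the complexity rules accept the former and reject the latter.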
 
#59
The answer is indeed complex and will have to be multi faceted.

I've always been taken with Bruce Schneier's suggestion that software companies should be made legally liable for faults in their software, much like car companies are responsible for selling a product that has been safely designed and put together. At present a software company can put out a product with glaring security holes and not be legally liable if the end user gets breached because of it. Make the software company legally liable and maybe they'd make their software a bit more secure.

Ship the software with a strong default configuration and require the company installing it to keep a risk register if they relax that default configuration and so on. Even better, hard code in requirements so you can't configure the software below certain minimum standards - for example all passwords must be a minimum of 8 characters long, have a mixture of upper case letters, lower case letters, numbers, special characters and can't use any of (say) 500 common dictionary words as a base for the password.

It'll take a holistic approach like the above to make some form of impact on the problem.

Wordsmith
When you say software companies, are you referring to all companies or just the big players like Microsoft etc.?

I ask as I constantly hear about problems with apps and software where the client has specified things have to work a certain way that then lead to completely predictable problems.
 
#60
I would say it's a lot more to do with drone security. Shows such as 24 etc. depict an enemy that could take over a drone remotely; while the thought of this would be a terrifying prospect, how would they be able to regain control in a quick manner to avert disaster?