Ian Levy: It's broke, let's fix it.
Ian Levy: It's broke, let's fix it.

We have the tools in place to make email and the internet significantly more secure, but organisations aren't using them – leaving all of us much more vulnerable than we need to be.

That was the damning theme of Ian Levy's keynote speech at the CRESTCon & IISP Congress 2017, held yesterday in London. It was a speech laced with criticism of everyone from internet service providers to government for the sad state of online security.

Levy is the technical director at the National Cyber Security Centre (NCSC) and is well known for his outspoken comments about cyber-security, but as he delivers more speeches to the professional community, he seems to be warming to his theme and hitting the points with ever increasing vigour.

If he had been pulling his punches in the past, he wasn't doing so any longer.

One of Levy's bete noirs is the way that the border gateway protocol (BGP) is implemented which allows distributed denial of service (DDoS) attacks to take place using computers on UK domains.

“DDoS is not an axiomatic requirement of an internet,” he told the audience of about 200 cyber-security professionals. “It happens because ISPs allow it to happen, and the reason is BGP, generally speaking.”

Attempts to layer security on top of BGP with RPKI and S-BGP don't work because “in the end you are trusting something that you don't necessarily trust”.

A case in point that illustrates the weakness of BGP was uncovered in March 2015 by Doug Madory, director of internet analysis at Dyn. He discovered that Ukraine's Vega telecom announced a bad route that resulted in requests for the UK Atomic Weapons Establishment and the Royal Mail to be routed through the Ukraine. Another victim was a Lockheed Martin VPN connection.

Levy was at pains to say the redirection was an ‘accident' but it underscores the fragility of the global internet routing system which is still based on trust.

“Let's re-engineer the BGP peering and transit relationship so that hijacks don't happen,” Levy said, adding that would be possible at the same time to make it impossible for hackers to do trivial source spoofing and prevent UK systems from being used in DDoS attacks.

If the UK can do this, he said, “It means I can publish the plan, prove it, generate data, publish a standard and go to every other internet exchange in the world and say, ‘hey guys, you should do the same'.”

The UK can have a disproportionate impact on the rest of the world by showing the way, he said, and for those countries that don't follow along, his solution would be simple – ridicule them.

“If they don't [take our advice], we are going to point and laugh [at them],” he said.

The NCSC has also done a significant amount of work on DMARC, the domain-based message authentication, reporting and conformance email-validation system designed to detect and prevent email spoofing.

When implemented recently by HMRC, DMARC reduced the number of phishing emails being sent out – purporting to be from HMRC enticing users to click on a link to receive a “tax refund” – from tens of thousands of emails a day to zero.

Unfortunately, DMARC is not widely implemented and Levy said that one of the worst offenders has been BT, which breaks the sender policy framework (SPF) which in turns breaks DMARC. Fortunately, the NCSC has discussed the problem with BT which is working to fix the problem, he said.

Government guinea pigs

As we have seen, part of the NCSC's strategy for raising standards across the web is to start with central government sites and then, having proved the concept, make the advice public and push it out to local government and commercial providers.

The NCSC has developed Webcheck, an online tool to find and fix common security issues affecting government digital services. Currently in alpha trials with 60 government websites, Levy revealed that it has identified five critical vulnerabilities including one in a popular web front end, the name of which he wouldn't disclose. But, he said, he is particularly proud of the discovery because “it's really quite dumb”.

However, there is a far bigger problem at local level, with the plethora of .gov.uk domains registered by local authorities. Levy said they are currently trying to assess how many there are but currently reckon the number is greater than 22,000.

Many of these sites are being attacked and defaced on a regular basis which is evidenced by the number that are listed on the Zone-H.org website. A full-text search on .gov.uk reveals that there are over 1000 sites which have been attacked, in many cases being defaced by activists promoting political messages.

“I want it to be harder to deface, ‘pwn', whatever, gov.uk websites. It someone is going after a government service to pull data or defraud it, Webcheck isn't going to help – that's other stuff, pentesting included – but to gently raise the bar, Webcheck is there.”

To be clear, though, he considers Webcheck to be a basic service compared to some of the commercial services available. “We are not trying to rebuild NESSUS or anything else. Webcheck is for dumb stuff,” he said. “But we are still finding stuff, and then we get professionals to do proper vulnerability checks.”

Pentesting

Webcheck may be moving in the right direction, as far as Levy is concerned, but not every government service is having the desired effect.

Turning his attention to the CHECK pentesting service, which he is generally a fan of, he said it still needs to be developed because it is having unanticipated effects, driving “weird behaviour” among system administrators.

Pentesting provides a security snapshot which is both its strength and weakness. While it is good at finding unexpected vulnerabilities, in some cases, savvy sys admins are turning off problematic services when they know a pentester is coming to avoid a negative report. “That tells me that pentesting is not having the outcome that I want,” he said.

How to fix it? “My vision for CHECK is that I don't want reports, I want an XML blob. I want to be able to reason about the security state and pentests give me useful data to be able to do that but reports don't. Give me an XML blob that I can ingest and automatically reason about the state of it – that would be really cool,” he said.

The NCSC is currently reviewing CHECK with a particular focus on finding out what government departments want from pentesting. The results of its work will be published as a consultation document in May or June.

Gathering data about the patch status of every government service – including servers, desktops and infrastructure – to see how far out of date they are would also be a positive step, he said, especially if the data were published. But rather than publish the data by department, what about publishing it by service integrator who runs the system on behalf of the government department?

It was a comment that drew a nervous laugh from the audience of system administrators and service providers.

“Let's have the data to start having a conversation about the contracts because in my experience it's the contracts that are broken,” he said, adding: “Point and laugh works brilliantly if you can do it at scale.”

Risk assessment

A theme running through Levy's public speeches is the need to base decisions on data to help people make informed decisions about the risks facing them and the organisations they work for. “I want to have data, evidence, that we can publish that will help people make better decisions in their lives, so we can protect the majority of people, the majority of the time from the majority of harm,” he said.

Most organisations won't be targeted by a nation state attack, he said, adding that if they were to be targeted, most organisations wouldn't stand a chance against a well resourced national intelligence service anyway.

To that end, NCSC is developing a series of guidance documents aimed at the very small organisations such as schools which often lack the personnel trained in how to operate and maintain their systems.

“The majority of people in this country are harmed by cyber-crime. They are harmed by ransomware. Let's fix that,” he said. “That's what the strategy is about. Go from fear – from the things that are currently peddled as security solutions which are generated solely by fear – to published evidence and analysis so you can target your investment in the right way, and let's do that on a national scale. That's what I'm at the NCSC to do.”