“Why don't airplanes have square windows?” was the question posed by Dr Ian Levy, technical director of the National Cyber Security Centre (NCSC), at today's SC Congress London 2017.
The aviation industry resolved to set up whole systems of harm and risk reduction over the ensuing years, and the process of managing those vulnerabilities has produced a massive de-escalation of risk since then. There is little equivalent in the realm of cyber-security, but according to Levy, this is exactly what we must do, and it is what the NCSC has set out as its core mission.
Levy showed the audience a 1972 warning about buffer overflow vulnerabilities, then set it beside the Heartbleed bug, publicly disclosed in 2014, and pointed out that this makes it a 42-year-old vulnerability.
It's clear, Levy added, that “we are not going to fix this problem by getting people to write better code”; instead we have to build systems that are resilient to fault.
The way you talk about things matters, said Levy. The language the security industry speaks is marked by fear, and this is wrong. He has been told off before by the security industry for “saying they peddle witchcraft and magic amulets”, but he vowed to carry on saying it.
Instead of Advanced Persistent Threats (APTs), Levy prefers the term “Adequate Pernicious Toerags”, because many organisations make it so very easy for them: “We don't make them try very hard.”
SQL injection is not acceptable anymore, added Levy.
He said the slack security culture in some organisations is their greatest failing. “If your admins browse the web on an account where they do important things then your security culture is broken,” he said, adding that he would refuse even to work with an organisation that allowed that to happen.
The government is taking steps to fill these gaps. It has already implemented DMARC across gov.uk and, thanks to the efforts of Ed Tucker, at HMRC. The effect was profound: on the first day gov.uk discovered 50,000 attempts to phish using that domain; by the third day, that had dropped to just four.
Levy announced plans to build a public-scale DNS service, which can stop harm at source: “As soon as we see an attack, we can stop it for everyone else,” he said.
All of this, including the recently released national cyber security strategy, is “part of an ecosystem we want to build over the next couple of years”. In five years, Levy concluded, we want to be in a place where, “By default your ISP should protect your data”.