maxkabakov - Fotolia

Government to name and shame departments failing to secure email

The NCSC is piloting various cyber security intiatives with government departments such as Dmarc and other email security measures, and plans to name and shame those which fail to comply

Government departments that fail to implement adequate cyber security measures are to be named and shamed by the UK's new National Cyber Security Centre (NCSC).

As part of its active defence programme, the NCSC has mandated that all government bodies should implement the domain-based message authentication, reporting and conformance (Dmarc) protocol for all email traffic to detect malicious emails spoofing their domains, along with other security measures.

The NCSC hopes to have all departments running the Dmarc protocol as soon as possible to eliminate malicious emails that appear to come from government.

The Dmarc protocol builds on the widely deployed sender policy framework (SPF) and DomainKeys Identified Mail (DKIM) protocols to authenticate email senders and identify fraudulent emails, adding a reporting function that allows senders and receivers to improve and monitor protection of the domain from fraudulent email.

In this way, the NCSC plans to sinkhole emails that appear to come from legitimate government bodies but are, in fact, being sent by attackers in an attempt to lure recipients to malicious websites that steal credentials or trick recipients into clicking on links that install malware.

The NCSC plans to incentivise government domain owners to implement Dmarc and other email security measures such as encryption and password protection by setting up a dashboard of red, amber and green indicators based on the level of email security in each government domain.

“In six months the dashboard goes public as an incentive for government departments to take action or face being named and shamed,” said Ian Levy, technical director of the NCSC.

“And once this has been done across government, I am going to go around every industry sector that has a high public impact and encourage them to do the same, offering them the use of our centralised reporting capability,” he told a CW500 Security Club meeting in London.

This centralised system, said Levy, processes all the Dmarc reports and automates responses such as sinkholing the fraudulent emails and alerting government domain owners about spoofing activity.

“In the first six weeks of running the system, we closed 50 open email relays. It is all automated so we can have effect on this stuff at scale,” he said.

Levy said rolling out Dmarc across all 3,258 government domains is a key element of the NCSC’s active defence programme, because fraudulent emails that trick people into downloading malware are typically the first step in a cyber attack campaign.

Dmarc is one way public and private sector organisations can make it more difficult to spoof an email by enabling domain owners to take control over who can send emails using that domain.

“It is not a difficult thing to do. Dmarc is a well understood internet protocol, yet few organisations are doing it,” said Levy.

“Governments tend to tell organisations what they should be doing without following the same guidelines, but one of the key principles of the NCSC is that everything we want others to do, we are going to do ourselves,” he said.

Using Dmarc to reduce the risk of breaches and cyber attacks

In a recent trial, the NCSC set a Dmarc record on the top-level domain to identify any email sent from instead of @[department]

On the first day, there were around 50,000 spoofed email messages being sent from [email protected], and a similar number on the second day.

By the third day, the sender had noticed that none of the spoofed email sent on the previous two days was getting any response, so they switched tactics to test four different spoofed email addresses

On the fourth day, the sender once again sent around 50,000 messages that were all sinkholed, and since then, the number of spoof emails using has fallen to zero, said Levy.

Using Dmarc at scale works by changing the ROI for attackers, he said, and when spoofing fails to yield any return, the attackers go somewhere else that is not as well defended.

Another key element of the NCSC’s active defence programme is what Levy described as “automated takedown work” to eliminating brand phishing against government brands such as HMRC anywhere in the world, any phishing that is hosted physically in the UK, and web-injected malware that is hosted physically in the UK.

“Before we started our campaign against brand phishing, the average lifetime of fraudulent websites [that appear to be government websites] was 46 hours, but that has been reduced to less than two hours, which means there is a far less chance of people clicking links to it while it is still live,” he said.

Any brand phishing physically hosted in the UK has gone from 26 hours to less than one, and the web inject malware being served out of the UK has gone from 530 hours to 19, which shows you can have a big effect on this stuff,” said Levy.

“The NCSC will publish all this data – real data about cyber security – so you can really understand the threat rather than the hyperbole,” he said.

Patrick Peterson, founder and executive chairman of Agari, an email security firm and a founding member of Dmarc, said email is the number one entry point for data breaches, and the use of Dmarc for all .gov email domains will greatly reduce the risk of breaches and cyber attacks.

“This includes targeted email attacks such as business email compromise and spear phishing, which target governmental staff by impersonating senior officials, and phishing attacks that target members of the public by spoofing the .gov brand,” he told Computer Weekly.

DNS filtering by default

Levy also mentioned the widely reported DNS filtering initiative the NCSC is spearheading, but said the NCSC was not trying to build a “great firewall of Britain” as reported by the Financial Times, despite the fact that NCSC chief Ciaran Martin did not use the phrase in detailing the initiative in a speech at the Billington Cyber Security Summit in Washington DC on 13 September 2016.

“We are not building that. Nobody is daft enough to suggest GCHQ through the NCSC should run DNS for the UK. What we are doing is building a big DNS for government, for the public sector, that public sector organisations will all use,” he said. 

“This means we can take all the data we have just talked about and feed it into this system, and say if anybody tries to click these [malicious] links, do not let them go there, sinkhole it, and if any malware tries to talk to its command and control domains, block it,” added Levy.

He said that while it is not possible to change the habits of the UK population, it is possible to mitigate the impact of citizens’ behaviour through base technology.

“The NCSC is working with UK ISPs [internet service providers] to ask them to change their view about whether it is okay for users to be sent unknowingly to sites that are going to harm them. I don’t think it is. I think they have a community responsibility to protect people who cannot protect themselves,” he said.

The NCSC would like ISPs to filter DNS by default, said Levy, and while users will be able to opt out by default if they want, if they get a phishing email that has got through all the other defences and they click the link, they are protected from harm by being prevented from reaching any malicious content.

Levy said the NCSC is also piloting the use of 10 questions for a company chairman or the chairman of the audit committee to ask the CIO, such as, “Do your admins use the same machine or account to browse the web and receive email as they do for their admin stuff?”

“And more importantly, we are providing the cheat sheet answers because they are going to try and blind you with science,” he said.

Make sense of cyber security threats and risks

Levy urged information security professionals and companies to be honest about cyber security threats and risks to avoid ending up with a fear response that is illogical.

“TalkTalk originally described its breach as a sophisticated cyber attack, but it was a structured query language (SQL) injection attack, supposedly by a 15-year-old, and when the vulnerability is older than the perpetrator, you can’t call it advanced,” he said.

Levy said these and other initiatives in the active cyber defence programme will be detailed in the new national cyber security strategy that is due to be published before the end of 2016.

He called on all UK business owners to collaborate with the NCSC: “Together, we can fundamentally change the return on investment of cyber attack against the UK and send the attackers somewhere else.”

Finally, Levy said that while there will still be a “top secret bit”, the NCSC is intended to be an open organisation that provides a single point of contact with government for businesses and critical national infrastructure operators for anything to do with cyber security.

“We want to give advice that works for a big company down to a charity and a hairdresser in Cheltenham. We want to be able to give people services that will protect them if they choose to use them at all of those different scales. We want to give people technology advice and risk advice that makes sense to them.

“A lot of existing guidance is written by techies for techies, but cyber security is not a technical problem, it is a business problem, and we plan to recodify everything we are doing in business language to provide good advice on topics such cyber threats, security design and incident response,” he said.

“Defending against everyday cyber threats has to be a collaborative effort, where everyone shares responsibility and does their part, rather than looking to the government to fix the problem”
Gordon Morison, Intel Security

Gordon Morison, director of government relations at Intel Security, said the formation of the NCSC is an “immensely positive” move by the UK government, and commended the NCSC for its leadership through the Dmarc and DNS filtering initiatives, but he challenged UK business to do its part.

“Bringing all the cyber-related agencies together will enable a more coherent, focused and co-ordinated approach and provide a single point of contact for help and advice, but UK businesses should not expect to be spoon fed, and should instead make an effort to engage with the NCSC, look at the guidance it publishes, and implement recommended best practices in cyber security,” he told Computer Weekly.

Morison said Intel Security, which already works with the government on things like the Cyber Essentials Scheme, will engage with UK customers to raise awareness about the NCSC and its function, as well as contributing cyber threat reports to the NCSC.

“We will be talking about the NCSC and directing people to it to encourage them to take heed of the guidance that is available. Whether they are a small, medium or large company, defending against everyday cyber threats has to be a collaborative effort, where everyone shares responsibility and does their part, rather than looking to the government to fix the problem,” he concluded.

Read more on Hackers and cybercrime prevention