Ransomware Webinar with NCSC: How to minimise and mitigate attacks
AoC Events Team
17:48
Welcome everyone
AoC Events Team
18:36
Please put your questions for our speakers here
Dan Jackson
25:12
Will the slide deck be available for download after the presentation?
david corke
25:25
Hi Dan, yes they will
AoC Events Team
31:05
We will email the presentation slides along with a recording of the session this afternoon.
david corke
31:56
Please do ask questions as we go if you have them
Kate Dawson
34:34
How does Ryuk affect backups?
James Grasham
35:58
Is it becoming more common recently for attackers to give data back?
Guy Baxter
37:31
You called out a single AD domain as a potential issue. MS best practice states that enterprises which are spanned across multiple locations and regions across the world should use a single forest multi-domain model. This implies that national orgs (or smaller, such as colleges) should use a single forest, single domain setup. Are you advising against this?
Steve Cant
42:05
Are there any recommendations for tools to help with detection of Trickbot?
Guy Baxter
42:48
What do you class as decent anti-virus? System Centre Endpoint Protection?
Guy Baxter
43:48
Noted. Re-phrased then, have you seen breaches where System Centre Endpoint Protection has not been effective?
Daniel Walker
44:15
What specific antivirus features are desirable? Heuristics, for example?
Shah Ali
45:38
Hi David, apologies I have to leave. Look forward to receiving the slides and video recording. Very interesting discussions... Regards, Shah
Dave Birks
46:25
With RDP infrastructures knocked up quickly by Colleges in response to lockdown are you seeing RDP servers presented directly to the internet or are threat actors getting to RDP servers through RDP proxies and gateways? Possibly unpatched?
Hannah H
47:01
Here’s a link to our (NCSC) guidance on anti-virus products: https://www.ncsc.gov.uk/collection/mobile-device-guidance/antivirus-and-other-security-software
James Grasham
47:26
What do you recommend as best practice as opposed to RDP? Is it preferable to use SSL VPN/Direct Access etc?
Mark Heaton
50:25
How vulnerable is VMware Horizon as opposed to RDP?
Dan Jackson
51:26
Is it OK to use RDP if you have it restricted to specific IP addresses and have two factor authentication?
Ian Meaton
51:27
Are we allowed to brute force our own su passwords?
Mark Heaton
51:30
Thanks Harry,
Graham Harrison
51:39
Do NCSC offer a service to audit a college's RDP and related systems to come up with a threat assessment and improvement plan?
Dan Jackson
52:12
@Graham Harrison or even just Cyber Essentials as a whole
Dave Birks
52:35
JISC can also help with that
Graham Harrison
52:50
We have CE+ but I do not believe that genuinely checks for the weaknesses
John Chapman
52:59
@Graham Harrison - Jisc can help with audits and assessment
david corke
53:01
Jisc also run pen test services
Paul Warren
53:03
Have any attacks used the same tools some of us use to support our endpoints like TeamViewer, Remote PC to name a few?
Dave Birks
53:34
JISC Pen test services are very thorough. Well worth the money
Chris Tooze
53:53
Have been wondering whether tape backups are worth continuing - might put up with them for a while longer...
Austen Lowe
54:45
To be clear, is the RDP protocol the risk element for this or the overall software solution from Microsoft such as its RD Gateway and RemoteApp portal? We use remote apps via HTTPS using a proper certificate, is this mode safer?
Hannah H
54:49
Here’s the article that Harry just referenced: https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world
Mark Heaton
54:52
If Horizon destroys the machine at logoff, will that remove the agents, making spread more difficult?
Dave Gartside
54:56
Have any of the ransomware attacks targeted cloud-based backups?
Jon Whattam - Linkage Trust
55:21
If funding agreements prohibit paying a ransom, how would this extend to a 3rd party, for example, who are used as an outsource IT / storage / backup of data, i.e. in the event that they were infected (and then they chose to pay a ransom)?
Austen Lowe
56:01
Understood, thanks.
Dan Jackson
01:00:06
Re password choice, are you still recommending complex passwords with symbols etc. or do you now support the "Correct Horse Battery Staple" style concept?
Hannah H
01:00:21
Sure thing :-)
Hannah H
01:00:58
For starters: https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0
Austen Lowe
01:01:21
That's the same argument I had with an audit (password expiration)
Hannah H
01:01:38
I will mention ‘MailCheck’ in a moment: a service that is relatively newly available for colleges.
John Chapman
01:03:25
For more info on MailCheck and how NCSC can help colleges see this guest blog: https://cybersecurity.jiscinvolve.org/wp/2020/08/10/hitting-dmarc-phishing-emails-can-easily-spoof-university-and-college-domains-dmarc-and-ncsc-mail-check-are-here-to-help/
Kate Dawson
01:03:35
Are there any easily available/reusable training resources at NCSC that are not for *senior* people?
Roger Laurenti
01:03:38
Is funding set to rise for schools and colleges to help with the fight to mitigate attacks, either for onsite staffing or to pay for external services?
david corke
01:04:12
Roger, we are pushing for this
Joe Yeadon
01:06:05
We rely on the expertise of JISC, good to hear that you have strong links.
Steve Cant
01:06:31
I echo Roger's comments. FE are not funded as well as Schools and Universities, and simply cannot afford to employ staff with a sole focus on security, which large organisations are able to afford.
Graham Harrison
01:07:02
Do we have any stats on how many educational institutions have been hit by ransomware?
Steve Cant
01:08:05
Thank you … that has been very informative
Guy Baxter
01:08:48
When will you be updating your NCSC Top Tips for Staff free learning module? The current module is clunky, not responsive and can't be integrated into an LMS.
Paul Knee
01:10:03
Guy, I would agree, it crashes on our LMS. I was told this would be fixed, any update on its progress?
Hannah H
01:10:04
Hi Guy: this too is being updated! I hadn’t realised there were problems integrating it into LMSs: experience on this seems to be variable.
Paul Knee
01:10:41
We've integrated it into our LMS (Moodle). It works, but crashes a lot, and seems to have problems with certain browsers.
Hannah H
01:10:43
Here is our blog launching ‘top tips for staff’ online learning package: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available
Guy Baxter
01:10:53
Hannah - when will it be available? I keep getting told "soon". Now is not soon enough.
Dan Jackson
01:10:56
I have another webinar starting at 11am so I'm going to have to leave. Thanks to all the presenters for a very informative and insightful webinar, and I look forward to receiving copies of the slide deck & links by email later.
Anicet Fopa Tchoffo
01:11:00
We are working on implementing LME. Hopefully that can help us in early detection.
Hannah H
01:11:36
Also, in terms of David’s comments on insurance, we are also working with the major insurers on cyber insurance more broadly and I have fed in this observation. We’re working on it!!
Graham Quint
01:12:21
As above, thanks to all the presenters. Very informative and useful. Have to go to another meeting now. Graham
Hannah H
01:12:35
And some broad guidelines on cyber insurance we published last month: https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance
Jonathan Wilkinson
01:13:27
Thanks for an informative session. Need to join another meeting now.
Hannah H
01:14:29
Early Warning Service hasn’t yet been launched to colleges but, again, it’s coming!
Simon Powell
01:14:56
Can you send details on how to sign up to the early warning alerts?
Anicet Fopa Tchoffo
01:15:27
How do we subscribe to the early warning?
Harry W (NCSC)
01:15:28
Sign up to Early Warning at https://earlywarning.service.ncsc.gov.uk/?referrer=aoc2209
Graham Harrison
01:15:34
Please can the slides be distributed? Thx for a gr8 session
Hannah H
01:15:57
And yet another link from me: the ‘Planning your response’ module from the board toolkit: https://www.ncsc.gov.uk/collection/board-toolkit/planning-your-response-to-cyber-incidents
Harry W (NCSC)
01:16:12
I'm in charge of the Early Warning service - it is in Alpha at the moment but I'm happy for people to sign up (it's the updated version of our older CNR service if any of you were aware of that)
AoC Events Team
01:16:20
Slides and recording will be circulated this afternoon, thanks
Harry W (NCSC)
01:16:57
I can also encourage people to check out our IM guidance at: https://www.ncsc.gov.uk/collection/incident-management
Paul Warren
01:17:28
Thank you.
John Chapman
01:17:29
To contact Janet CSIRT please email irt@csirt.ja.net or call 0300 999 2340.
Hannah H
01:17:30
Thanks so much for hosting, David and all @AoC!
Matthew Higgs
01:17:30
Thanks