Ransomware Webinar with NCSC: How to minimise and mitigate attacks

17:48
Welcome everyone

18:36
Please put your questions for our speakers here

25:12
Will the slide deck be available for download after the presentation?

25:25
Hi Dan, yes they will

31:05
We will email the presentation slides along with a recording of the session this afternoon.

31:56
Please do ask questions as we go if you have them

34:34
How does Ryuk affect backups?

35:58
Is it becoming more common recently for attackers to give data back?

37:31
You called out a single AD domain as a potential issue. MS best practice states that enterprises which are spanned across multiple locations and regions across the world should use a single forest multi-domain model. This implies that national orgs (or smaller, such as colleges) should use a single forest, single domain setup. Are you advising against this?

42:05
Are there any recommendations for tools to help with detection of Trickbot?

42:48
What do you class as decent anti-virus? System Centre Endpoint Protection?

43:48
Noted. Re-phrased then, have you seen breaches where System Centre Endpoint Protection has not been effective?

44:15
What specific antivirus features are desirable? Heuristics, for example?

45:38
Hi David, apologies I have to leave. Look forward to receiving the slides and video recording. Very interesting discussions... Regards, Shah

46:25
With RDP infrastructures knocked up quickly by colleges in response to lockdown, are you seeing RDP servers presented directly to the internet or are threat actors getting to RDP servers through RDP proxies and gateways? Possibly unpatched?

47:01
Here’s a link to our (NCSC) guidance on anti-virus products: https://www.ncsc.gov.uk/collection/mobile-device-guidance/antivirus-and-other-security-software

47:26
What do you recommend as best practice as opposed to RDP? Is it preferable to use SSL VPN/Direct Access etc?

50:25
How vulnerable is VMware Horizon as opposed to RDP?

51:26
Is it OK to use RDP if you have it restricted to specific IP addresses and have two factor authentication?

51:27
Are we allowed to brute force our own su passwords?

51:30
Thanks Harry,

51:39
Do NCSC offer a service to audit a college's RDP and related systems to come up with a threat assessment and improvement plan?

52:12
@Graham Harrison or even just Cyber Essentials as a whole

52:35
JISC can also help with that

52:50
We have CE+ but I do not believe that genuinely checks for the weaknesses

52:59
@Graham Harrison - Jisc can help with audits and assessment

53:01
Jisc also run pen test services

53:03
Have any attacks used the same tools some of us use to support our endpoints like TeamViewer, Remote PC to name a few?

53:34
JISC Pen test services are very thorough. Well worth the money

53:53
Have been wondering whether tape backups are worth continuing - might put up with them for a while longer...

54:45
To be clear, is the RDP protocol the risk element for this or the overall software solution from Microsoft such as its RD Gateway and RemoteApp portal? We use remote apps via HTTPS using a proper certificate, is this mode safer?

54:49
Here’s the article that Harry just referenced: https://www.ncsc.gov.uk/blog-post/offline-backups-in-an-online-world

54:52
If Horizon destroys the machine at logoff, will that remove the agents, making spread more difficult?

54:56
Have any of the ransomware attacks targeted cloud-based backups?

55:21
If funding agreements prohibit paying a ransom, how would this extend to a 3rd party, for example, who are used as an outsourced IT / storage / backup of data, i.e. in the event that they were infected (and then they chose to pay a ransom)?

56:01
understood, thanks.

01:00:06
re password choice, are you still recommending complex passwords with symbols etc or do you now support the "Correct Horse Battery Staple" style concept?

01:00:21
Sure thing :-)

01:00:58
For starters: https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

01:01:21
that's the same argument I had with an audit (password expiration)

01:01:38
I will mention ‘MailCheck’ in a moment: a service that is relatively newly available for colleges.

01:03:25
For more info on MailCheck and how NCSC can help colleges see this guest blog: https://cybersecurity.jiscinvolve.org/wp/2020/08/10/hitting-dmarc-phishing-emails-can-easily-spoof-university-and-college-domains-dmarc-and-ncsc-mail-check-are-here-to-help/

01:03:35
Are there any easily available/reusable training resources at NCSC ... that are not for *senior* people?

01:03:38
Is funding set to rise for schools and colleges to help with the fight to mitigate attacks? Either for onsite staffing or to pay for external services.

01:04:12
Roger, we are pushing for this

01:06:05
We rely on the expertise of JISC, good to hear that you have strong links.

01:06:31
I echo Roger's comments. FE are not funded as well as Schools and Universities, and simply cannot afford to employ staff with a sole focus on security, which large organisations are able to afford

01:07:02
Do we have any stats on how many educational institutions have been hit by ransomware?

01:08:05
Thank you … that has been very informative

01:08:48
When will you be updating your NCSC Top Tips for Staff free learning module - the current module is clunky, not responsive and can't be integrated into an LMS.

01:10:03
Guy, I would agree, it crashes on our LMS. I was told this would be fixed, any update on its progress?

01:10:04
Hi Guy: this too is being updated! I hadn’t realised there were problems integrating it into LMS’s: experience on this seems to be variable.

01:10:41
We've integrated it into our LMS (Moodle); it works, but crashes a lot, and seems to have problems with certain browsers

01:10:43
Here is our blog launching ‘top tips for staff’ online learning package: https://www.ncsc.gov.uk/blog-post/ncsc-cyber-security-training-for-staff-now-available

01:10:53
Hannah - when will it be available? I keep getting told "soon". Now is not soon enough.

01:10:56
I have another webinar starting at 11am so I'm going to have to leave, thanks to all the presenters for a very informative and insightful webinar and I look forward to receiving copies of the slide deck & links by email later

01:11:00
We are working on implementing LME. Hopefully that can help us in early detection

01:11:36
Also, in terms of David’s comments on insurance, we are also working with the major insurers on cyber insurance more broadly and I have fed in this observation. We’re working on it!!

01:12:21
as above, thanks to all the presenters. very informative and useful. Have to go to another meeting now. Graham

01:12:35
And some broad guidelines on cyber insurance we published last month: https://www.ncsc.gov.uk/guidance/cyber-insurance-guidance

01:13:27
Thanks for an informative session. Need to join another meeting now.

01:14:29
Early Warning Service hasn’t yet been launched to colleges but, again, it’s coming!

01:14:56
Can you send details on how to sign up to the early warning alerts?

01:15:27
How do we subscribe to the early warning?

01:15:28
Sign up to Early Warning at https://earlywarning.service.ncsc.gov.uk/?referrer=aoc2209

01:15:34
Please can the slides be distributed? Thx for a gr8 session

01:15:57
And yet another link from me: the ‘Planning your response’ module from the board toolkit: https://www.ncsc.gov.uk/collection/board-toolkit/planning-your-response-to-cyber-incidents

01:16:12
I'm in charge of the Early Warning service - it is in Alpha at the moment but I'm happy for people to sign up (it's the updated version of our older CNR service if any of you were aware of that)

01:16:20
Slides and recording will be circulated this afternoon, thanks

01:16:57
I can also encourage people to check out our IM guidance at: https://www.ncsc.gov.uk/collection/incident-management

01:17:28
Thank you.

01:17:29
To contact Janet CSIRT please email irt@csirt.ja.net or call 0300 999 2340.

01:17:30
Thanks so much for hosting, David and all @AoC!

01:17:30
Thanks