A couple of spooky surprises…

Henry Harrison

I’m spending an increasing amount of time talking to people about the UK National Cyber Security Centre (NCSC) guidance published earlier this year on “Safely Importing Data” (https://ncsc.gov.uk/guidance/pattern-safely-importing-data). There are a couple of rather surprising things about it.

Firstly, the fact that it’s available on the web at all. Back in the old days there was CESG. According to Wikipedia, CESG (the Communications Electronic Security Group) was merged into GCHQ in 1969, having previously been the separate Communications Electronic Security Department. CESG was the defensive arm of GCHQ and its remit was to protect the security of UK government systems, and in particular the high-security systems used for the government’s most sensitive information. CESG used to publish quite a lot of guidance – but overwhelmingly that guidance was restricted to government readers.

In 2016, the UK government created the National Cyber Security Centre (NCSC). It’s also part of GCHQ, but it absorbed the old CESG activities as well as various other cyber defence activities around UK government. In contrast to CESG, NCSC has a remit to protect the cyber security of the UK as a whole – not just government systems. As a result, NCSC is starting to make available much more widely the sort of guidance which was previously restricted to government readers – indeed, since nobody has yet worked out a way to communicate to UK citizens alone, the guidance is now available to the whole world via the web.

The second surprising thing is how readable the guidance is. For anyone who has a background in government security, this is somewhat unexpected! But I guess it goes together with the extended NCSC remit – there’s no point making guidance available to everyone if it’s written in the sort of language that can only be interpreted by the traditional government security community. I really encourage you to read it.

But the main reason you should read it is that the pattern it describes introduces a couple of concepts that to date really haven’t been mainstream in the commercial cyber security world.

The first of those is the concept of data transformation as a security measure. With complex content, detecting and stopping bad things is increasingly difficult. So the transformation approach is to take that complex content and transform it to a much simpler format where it’s much easier to verify the security. Of course, we might then transform it back again afterwards.

The second new concept is the idea of “flow control”. Those with some electronics background will spot that the symbol for flow control in the NCSC guidance is a diode – and for many years the high-security world has been an extensive user of “data diode” technologies. The basic concept here is that you enforce a unidirectional flow of data, and that this can play a useful role in frustrating a potential attacker (they can send you malware, but since they can’t get any response back again – not even a TCP ACK! – that malware has to work perfectly first time, without any sort of feedback loop). Of course, you shouldn’t rely only on flow control – you need to combine it with transformation and verification as per the broader pattern, so that any malware fails the verification stage.
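The transform-then-verify idea combined with a one-way flow, as an added example that is not taken from the NCSC guidance or from Garrison. The JSON input, the three-line simple format, the sample data and all function names are assumptions made for illustration.

```python
import json
import re

FIELDS = ("name", "email", "note")
# Assumed simple format (not from the NCSC guidance): three fixed ASCII lines.
SIMPLE_RE = re.compile(
    rb"name=[A-Za-z .'-]{1,64}\n"
    rb"email=[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9.-]{1,64}\n"
    rb"note=[A-Za-z0-9 .,!?'-]{0,200}\n"
)

def transform(complex_doc: bytes) -> bytes:
    """Source side: reduce complex JSON to the simple format.
    Only the known string fields are copied; everything else is discarded."""
    doc = json.loads(complex_doc)
    if not isinstance(doc, dict):
        doc = {}
    lines = []
    for field in FIELDS:
        value = doc.get(field, "")
        lines.append(f"{field}={value if isinstance(value, str) else ''}\n")
    return "".join(lines).encode("utf-8", errors="replace")

def verify(simple: bytes) -> bool:
    """Destination side: accept only a message matching the whole grammar."""
    return SIMPLE_RE.fullmatch(simple) is not None

def import_record(simple: bytes):
    """Destination side: verify, then transform back to a structured record.
    A failing message is dropped and nothing is returned to the sender."""
    if not verify(simple):
        return None
    record = {}
    for line in simple.decode("ascii").splitlines():
        key, _, value = line.partition("=")
        record[key] = value
    return record

# Constructed sample inputs (not real data).
GOOD = b'{"name": "Alice Example", "email": "alice@example.org", "note": "Figures attached.", "attachment": {"type": "ole", "data": "AAAA"}}'
BAD = b'{"name": "Bob\\nnote=injected", "email": "bob@example.org", "note": "hi"}'

if __name__ == "__main__":
    print(import_record(transform(GOOD)))  # structured record, attachment gone
    print(import_record(transform(BAD)))   # dropped
```

The verifier only has to understand the simple format, so its grammar fits in one anchored expression; the complex parser stays on the source side of the one-way link.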

The whole pattern maps very well to the way that we do things here at Garrison, although of course a practical implementation can be a little more involved than the basic pattern – for example, we have various interleaved transformation, validation and flow control stages that mean we get an even greater level of fault tolerance and robustness to attack.

I reckon there’s a good chance we’ll see further “surprising” bits of guidance in this sort of area published by NCSC over the coming months. Keep your eyes peeled!