The eleventh Secure South West (SSW11) event was hosted by the University of Plymouth on 24th October 2018 and offered six presentations delivered by experts drawn from industry and academia, followed by a panel session. The event was sponsored by Securious Limited and by the south west branches of BCS, The Chartered Institute for IT, and the Institute of Information Security Professionals.
Targeted attacks are now an established part of the threat landscape. Some of them are very sophisticated. However, they typically start by manipulating human psychology to establish a foothold in the target organisation. This presentation will outline some of the tricks they use, what we should do to reduce the chances of becoming the means by which a targeted attacker infiltrates our organisations and some thoughts on developing a corporate security culture.
David Emm is Senior Security Researcher at Kaspersky Lab, a provider of security and threat management solutions. David joined Kaspersky Lab in 2004. He is a member of the company's Global Research and Analysis Team and has worked in the anti-malware industry since 1990 in a variety of roles, including that of Senior Technology Consultant at Dr Solomon's Software, and Systems Engineer and Product Manager at McAfee. In his current role, David regularly delivers presentations on malware and other IT security threats at exhibitions and events, highlighting what organisations and consumers can do to stay safe online. He also provides comment to broadcast and print media on the ever-changing cyber-security and threat landscape. David has a strong interest in malware, ID theft and the human aspects of security, and is a knowledgeable advisor on all aspects of online security. David is regularly mentioned in national print press as a cyber-security expert and has a wealth of experience in being filmed for such programmes as Good Morning Britain and BBC News.
The synopsis of content was: NCSC was established in 2016 to help make the UK the best place to live and do business online. Every day we see stories in the news of data breaches and cyber attacks. What is NCSC doing to help prevent them and reduce the impact when they occur?
Chris has worked in Cyber Security for nearly 30 years in a variety of roles, all of which have involved building new capabilities to help organisations protect themselves. As Deputy Director for Cyber Skills and Growth, he is charged with developing the National Cyber Security Centre's research, skills, and innovation expertise, to nurture the UK's cyber security capability.
The Cyber Security Breaches Survey is an Official Statistic and comprises an annual quantitative and qualitative survey of UK businesses and charities which in 2018 covered: awareness of and attitudes towards cyber security, approaches to cyber security, the nature and impact (including estimated costs) of cyber security breaches, and differences by size, sector and location. The findings from the latest Cyber Security Breaches Survey help UK businesses and charities to understand the nature and significance of the cyber security threats they face, and what others are doing to stay secure. The survey also supports the Government in shaping future policy in this area.
Kelly Finnerty is a Senior Research Executive in the Employment, Welfare and Skills team within the Ipsos MORI Social Research Institute with five years’ experience in quantitative and qualitative social research. She has project managed several large quantitative and qualitative studies for government clients including HMRC, DWP, the Home Office and DCMS and is currently managing the Cyber Security Breaches Survey on behalf of DCMS as part of the National Cyber Security Programme.
Eva Ignatuschtschenko is leading on behaviour change policy in the Cyber Security Incentives and Regulation Team at the UK Government Department for Digital, Culture, Media and Sport. Her work focuses on how individuals and organisations can be incentivised to take action to improve their cyber security posture. She previously advised on cyber security and cyber harm at the University of Oxford’s Global Cyber Security Capacity Centre, after working on cybercrime, emerging crimes and organised crime at the United Nations Office on Drugs and Crime (UNODC). In her roles in international organisations, academia and government, Eva has worked on a variety of issues, with a focus on the links between cyber risk, digital government, crime and emerging technologies.
This talk will consider the developing prospects for organisations invested in cyber security activity, following the latest update(s) of the UK data protection regulatory framework. This involves not only the increased responsibilities and duties which the General Data Protection Regulation (GDPR) of the EU has put into place, but also the latest instalment of UK Data Protection laws, enacted this year in the form of the Data Protection Act 2018.
It could be debated to what extent the GDPR expectations introduce anything fundamentally new compared with what was already there under the previous regime, at least as far as general standards of good practice are concerned. Still, the Regulation provides for expansive legal interpretations of elements casually present in online activity that were not considered before and that relevant organisations ought to be alert to. At the same time, the Data Protection Act 2018 frames the more particular national setup, giving more detail but also pointing to the UK’s data protection future beyond Brexit.
Dr Nicholas Gervassis joined the University of Plymouth in 2013 as Lecturer in Law at the School of Law, Criminology and Government. His research interests cover Information Technology Law, Digital Rights, Intellectual Property Law and Corporate Social Responsibility. His current work focusses on informatisation and the ways in which regulation seeks to balance social and economic forces, as information and knowledge, human-based and vital to human development, become transferable objects on the market.
It's funny how the world turns. I started off in security working for a bank. The model there was very much build it, break it, fix it, with our Operational Security team aligning with platform and application support teams to build the projects the business wanted. Very soon after I joined it became clear that, despite our best efforts (and we were scanning our systems nightly for new vulnerabilities even 15 years ago), sometimes things go wrong and you need logs. As a result, we kicked off a project to implement mandatory access control and auditing across our entire estate. The lessons we learnt then are still being learnt by other organisations today. Notably, in the intervening period of time, having become a security consultant, I lost count of the number of times I tried to encourage organisations for whom we were doing technical assurance work (over 50% of Security Advisory engagements in EMEAR 2017) that they needed logging and auditing, and that they needed it to monitor their business systems and data. Sometimes they listened, but many times they did not. This talk is a summary of my thoughts on this thorny topic.
Tim Brown joined Cisco as part of their acquisition of Portcullis for whom he worked for almost 12 years. He is equally happy performing white box assessments with access to source code or where necessary diving into proprietary binaries and protocols using reverse engineering methodologies. Tim has contributed to a number of Cisco’s bespoke methodologies covering subjects as diverse as secure development, host hardening, risk and compliance, ERP and SCADA. In 2016-2017, Tim looked at targets as varied as Active Directory, z/OS mainframes, power stations, cars, banking middleware and enterprise SAP Landscapes.
Outside of the customer-driven realm of information assurance, Tim is also a prolific researcher with papers on UNIX, KDE, Vista and web application security to his name. Tim is credited with almost 150 vulnerability advisories covering both kernel and userland, remote and local. Tim particularly likes to bug hunt enterprise UNIX solutions.
Taking examples of 3 recent breaches, Pete Woodward will explain how these occurred, the steps that the organisations should have had in place to prevent this type of breach, and the typical post-breach process. He will also explain the common misconceptions that organisations have around being PCI DSS compliant and the confusion that is commonplace around this. Pete Woodward is an experienced PCI QSA and has experience of working post-breach to help companies put the correct controls in place to meet the mandatory compliance standards of the PCI council.
Pete Woodward is a co-founder of Securious, a Cyber Security Compliance Company based in the Science Park in Exeter. He has a wealth of knowledge around cyber security, system architecture and networks. Pete is a CISSP and a Payment Card Industry (PCI) Qualified Security Assessor (QSA). He works with organisations to help them achieve PCI DSS compliance and assesses them against the PCI Data Security Standard. Pete comes from a military background, and has worked on security projects in the public and private sectors for organisations including Devon and Cornwall Police, Met Office, Capita, BP, HP and some of the UK's largest retailers. He co-founded the South West Cyber Security Cluster, a not-for-profit collaboration working with the police to raise awareness in the region around current Cyber Security threats, and with the vision of establishing a ‘Centre for Cyber Excellence’ in the South West.
The requirements and sanctions introduced by GDPR have the laudable aim of increasing organisations’ responsibilities for dealing with cyber security, and of holding them accountable for negligence that leads to breaches. Moreover, the requirement to notify and disclose details means that more incidents are now open to public scrutiny.
However, while many organisations have used GDPR as a spur to improve their security, it is fair to say that many are still on the journey. As such, we will likely see a growth of reported incidents, with the obligation to disclose them having arrived before the security is mature enough to prevent them.
With this in mind, it is worth considering the possible side effects of increased reporting. By shining a light on more breaches having occurred, do we risk harming confidence and trust in technology and the businesses that use it? This panel discussion reflects upon how mandatory disclosure, and the increased media focus, is potentially impacting upon end-user trust. How do we get the public to trust technologies that may now be looking ever more vulnerable?
Steven Furnell (Professor of IT Security, Plymouth University)
Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, an Adjunct Professor with Edith Cowan University in Western Australia, and an Honorary Professor with Nelson Mandela University in South Africa. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is the current chair of Technical Committee 11 (Information Security and Privacy) within the International Federation for Information Processing (IFIP), and a Board member and Fellow of the Institute of Information Security Professionals (IISP). He is the author of over 300 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society, and Computer Insecurity: Risking the System. He is also the editor-in-chief of Information & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).
John Finch (Information Governance Manager, Plymouth City Council)
John Finch is the Information Governance Manager for Plymouth City Council, responsible for data protection, security policy development and management, managing the Information Asset Register, managing security incidents, providing security advice for the Council and partners, and providing security awareness education for senior management. John is a current CISSP, and undertook an IT master's degree at Plymouth University in 2001, with a thesis on approaches to establishing IT security culture.
Maria Papadaki (Associate Professor of Cyber Security, University of Plymouth)
Maria Papadaki is an Associate Professor of Cyber Security at the University of Plymouth. Her research interests include insider threats, incident response, maritime cyber security, security assessment, social engineering, security usability, and security education. Her research outputs include 24 journal and 31 conference papers. Dr Papadaki is active in a variety of professional bodies, and is a Fellow of the Higher Education Academy and a Member of the BCS, IISP, ISACA and the GIAC Advisory Board. Maria has held GCIA, GPEN and CEH professional certifications. Further details can be found at www.cscan.org/papadaki/
Chris Wills (CARIS Research Ltd)
Chris Wills is a Director of CARIS Research Ltd, an IT research consultancy based in Fowey, Cornwall. Prior to CARIS, he worked as the Director of an Information Systems research centre at Kingston University, London. Educated at the universities of Oxford and Brunel, Chris has managed and undertaken IS and computing research and consultancy projects on behalf of a range of organisations, including the UK’s Defence Evaluation Research Agency, the UK’s MOD Tri Services, the UK Police Service, the Health Service, the UK’s Department for Transport, the UITP and the Mass Transit Railway Corporation of Hong Kong. Chris is a systems analyst and designer with more than 30 years’ experience in the formulation of user requirements and in the design of socio-technical systems. His specialist areas of interest include software process in safety-critical systems and threat and risk assessment in ITC systems, and it is in these areas of computing systems that he has undertaken work for the Royal Navy, scoping the design of naval command and control systems. He has worked for the security services, both in the preparation for and during the London Olympics. Currently, Chris’s company CARIS Research is undertaking work in the field of cyber security as a partner in the CS-Aware project (a €4.7 million Horizon 2020 Cyber Security project funded by the EU). His company’s role in the project is that of leading the systems and dependency analysis of the pilot use-cases in the project, the cities of Rome and Larissa. Chris is a Freeman of the City of London and a Liveryman of the City of London’s Worshipful Company of Information Technologists. In 2011, he was awarded the Finnish Signals Cross and Clasp.