Secure South West 10 -awareness-raising and access to expertise

Securious supports Plymouth University Secure South West 10 – 13th February 2018.

The Secure South West 10 event was jointly organised by the University of Plymouth and Plymouth City Council, and is supported by the south west branches of BCS – The Chartered Institute for IT; and the Institute of Information Security Professionals.

Secure South West 10  “is specifically offered for the benefit of organisations in the south west, giving an opportunity for awareness-raising and access to expertise without the need to travel out of the region.”

Will biometrics replace passwords?

The schedule started with  a presentation by Alan Goode from Goode Intellience about whether biometrics would replace passwords.  Goode talked about how the use of biometrics is now seen as a more convenient method to access mobile phones – especially with the small size of touch screens and trying to enter long and complex passwords.

Goode explained that 80% of hacking related breaches are the result of weak or stolen passwords. He also discussed the ability to identify ‘liveness’ so that a live person can be identified rather than a picture or worse (digit that had removed to use for fingerprint!). However, he also highlighted that these type of attacks were target attacks and not scalable.

He also discussed the barriers to the adoption of Biometrics, and some of this being down to a lack of standardisation which the FIDO Alliance are trying to address.

Securing the supply chain – 3rd party collaboration

Anne Sercombe from the  Met Office discussed the benefits of collaboration between 3rd party suppliers and organisations to create a more secure environment. She highlighted that there is always a risk when you allow a third party connection to your environment.  Example incidents historically include

  • Target in 2013 where an external party who serviced their air-conditioning, had access to their network ,
  • TalkTalk (2014 & 2015) where support was outsourced to India and the use of a third party to create their website, and
  • Dominos 2017 where a third party were no longer being used but still had their information.

Sercombe said that obviously compliance certificates such as ISO 27001 and Cyber Essentials are important in this assurance process together with assurance questionnaires, but using Attack Trees (introduced by Bruce Schneider in 1999) proved to be a useful methodology for the Met Office to model threats against computer systems with third party suppliers, as part of a collaborative exercise and then to working together to mitigate the risks that had been identified.

Phishing emails – how easy are they to spot?

Ismini Vasileiou, a lecturer at the University of Plymouth, talked about social engineering, particularly phishing emails. She had us all up out of our seats examining the screens to determine whether example emails were real of fake, and then using voting buttons to communicate our thoughts.  We then also worked together on our tables using example phishing emails to identify the key triggers for spotting phishing emails.

Are passwords dead?

Steven Furnell of the University of Plymouth had to step in to fill in for one of the presenters who had been unable to attend at the last minute. He talked about enhancing passwords, and  despite the long predicted death of passwords, he asked us to confirm that the majority of attendees had either used a password that day or the preceding day.

The main takeaway is that though good advice is to use strong passwords (in excess of eight characters, using upper and lower case, alphanumeric, an additional character, not being a dictionary words and not including personal information) this was not enforced on all websites when creating user accounts. Even if it was, often there was no guidance at the point of creating that password which would help individuals to create stronger passwords. When guidance was in place, the passwords that ere used became significantly better.

Technology – or the way we use it?

Stuart Baker from Securious was one of the panellists discussing “what’s the problem-technology or the way we use it?” followed by Jonathan Burnett from Microsoft who gave a presentation on Security awareness. This was the first Secure South West event Stuart had attended. He said

” Secure South West is a great opportunity to meet both  Cyber Security professionals and students – the panel discussions are a great way to get everyone involved and to share knowledge”

Developing a guide for cyber security

To end the day Andrew Martin, a professor from the University of Oxford, presented project CyBok: Developing and using a guide to the body of knowledge in cyber security. They are working on creating a pathway with academics and professionals gathering a body of knowledge to decide what cyber security actually is – 20 pages on 20 cyber security subjects. This would identify the most important qualities and break this down at each level of knowledge from schools through to professionals.

Secure South West events are free and held bi-annually at the University of Plymouth and are always a highly informative event and well worth attending. Videos of previous presentations are available on the Secure South West website

Read more about Secure South West