Securious sponsored Secure South West 13 last week – an event held specifically for the benefit of organisations based in the South West that attracts delegates from private and public sector organisations, who present and discuss a range of security topics relevant to the current market. The event is jointly organised by the University of Plymouth and Plymouth City Council, and is supported by the south west branches of BCS – The Chartered Institute for IT; the Chartered Institute of Information Security and Securious.
This year’s speakers included:
- Dan Raywood – Infosecurity Magazine
- Michael Dieroff – BIT (Bluescreen IT)
- Amanda Finch – Chartered Institute of Information Security
- Steven Furnell – University of Plymouth
- Vic Harkness – F-Secure
- Jeremy Ward – Security Consultant
- Nathan Clarke – University of Plymouth
- Neil Glasson – Cornwall Council
- Annette Sercombe – Met Office
Dan Raywood started the event with his presentation ‘State of Cybersecurity Report – Extended Play’, where he compared the results of his 2018 and 2019 surveys to discover what people currently working in Cyber Security feel is driving the industry. He found a varied response among the 60 researchers, CEOs, practitioners and analysts surveyed, with 31 distinct trends being listed, the top five of which were:
- Product problems: “We are sitting on a mountain of old technology,” stated one respondent. The inefficiency of legacy technology was the number one reported challenge.
- The Human Factor: Areas of concern included breaches, the skills shortage and social engineering.
- Compliance: A significant number of organisations reported struggling to keep up with compliance with numerous standards and regulations, including PCI DSS, GDPR, PSD2, ISO27001 and CCPA, to name a few.
- Company and Board Engagement: Pinning down the responsibility for Cyber Security to a nominated person is creating difficulties in many organisations, with many Board Members not fully understanding the language of cyber threats.
- Automation – AI and Machine Learning: The benefit that AI and machine learning could deliver to an organisation is balanced by an equal amount of fear, and Dan urged that the focus for the next generation of cyber people should be to develop careers which embrace working alongside AI.
Next to take the stage was Michael Dieroff, who delivered a compelling presentation examining the rising capability within cybercrime and the fact that, at the extreme, even rogue nations will attack small businesses in a supply chain to reach government targets. The variety of threats and scams can represent significant challenges to SMEs, which have little budget or skills available to address them. In 2019, a Cyber Security Consultant needs to be proficient in all of the following:
- Familiarity with the huge number of programming languages
- GDPR – responsibility for people’s data
- Policing against adversaries – criminal gangs – organised crime
- Nation state risk – nations hacking nations
- Social Engineering
- Law – compliance
Michael further reported that this year has shown a serious movement in the pyramid of crime, with scams now presenting the number one threat. Alarmingly, the average age of a hacker is just 17 years – skilled youngsters are being lured to ‘commit the hack’ by the offer of a relatively small reward compared to the worth of the overall prize. The cyber gangs that recruit these youngsters are not the ones who risk a conviction and a criminal record.
During the panel question time, Annette Sercombe highlighted the opportunities for youngsters to engage with Bug-Bounty Schemes to encourage them down the ‘White Hat’ path.
Michael urged that collaboration is critical in fighting cybercrime – we must share what scams are out there and ensure our systems are patched. He also recommended that we run Social Engineering Tests… “the 3 Ps”:
- Private – direct engagement to extract information, i.e. face to face or by telephone.
- Professional – i.e. create a fake Facebook account and join staff groups, then ask ‘colleagues’ for critical information.
- Political – look for posts made on social media by employees; it is likely that someone making a political post would be drawn into a discussion with someone who seemed to oppose their ideas.
Having a strong password is widely accepted as the first step to protecting our devices and accounts, and Steve Furnell delivered a presentation on ‘Password Meters – Inaccurate advice offered inconsistently?’ He stated that despite the promises that passwords will soon become a thing of the past, they remain the dominant form of user authentication “and we continue to use them, badly”. He was interested in the credibility of Password Meters designed to assist us in selecting a strong password, but after conducting an experiment with 16 Password Meters he discovered that, often, weak passwords were rated as acceptable while better choices were dismissed as very weak. For example, Password1! is a notoriously bad password choice, yet because it has upper and lower-case letters, a number and a special character it meets the criteria set by many Password Meters and earns a medium to good rating.
His study suggested that Password Meters may often be undermining good security choices by giving misleading information, and found that a password consisting of three random words would offer the strongest option and could take centuries to crack.
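To illustrate the inversion Steve Furnell describes, here is an added example (not from his study or from any of the 16 meters tested) that puts a naive character-class meter beside a meter that estimates how many guesses an attacker actually needs. The word list, dictionary sizes, rating thresholds and the three-word sample passphrase are all constructed assumptions.

```python
import math
import re

# Constructed stand-ins: a real meter would consult a breach/dictionary list of
# millions of entries; the size constants model the length of the attacker's lists.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "summer"}
ASSUMED_DICTIONARY_SIZE = 10_000   # words an attacker tries first (assumption)
ASSUMED_WORDLIST_SIZE = 7776       # diceware-style list for random-word passphrases
TAIL_SYMBOLS = 20                  # digits plus a few popular punctuation marks

RATINGS = ["very weak", "weak", "medium", "good", "strong"]


def class_count_meter(pw: str) -> str:
    """Naive meter: one point per character class present, one more for length >= 8."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    score = sum(bool(re.search(c, pw)) for c in classes) + (len(pw) >= 8)
    return RATINGS[max(score - 1, 0)]


def guess_bits(pw: str) -> float:
    """Estimate log2(guesses) under three attacker strategies and keep the cheapest."""
    if not pw:
        return 0.0
    estimates = []
    # Strategy 1: a dictionary word, optionally capitalised, with a short digit/symbol tail.
    m = re.fullmatch(r"([A-Za-z]+)([0-9!@#$%^&*]{0,3})", pw)
    if m and m.group(1).lower() in COMMON_WORDS:
        estimates.append(math.log2(ASSUMED_DICTIONARY_SIZE) + 1   # +1 bit: capital or not
                         + len(m.group(2)) * math.log2(TAIL_SYMBOLS))
    # Strategy 2: a passphrase of whole words drawn from a known word list.
    words = re.split(r"[\s\-]+", pw.strip())
    if len(words) >= 2 and all(w.isalpha() for w in words):
        estimates.append(len(words) * math.log2(ASSUMED_WORDLIST_SIZE))
    # Strategy 3: brute force over only the character classes actually used.
    charset = sum(n for pat, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"\d", 10),
                                   (r"[^A-Za-z0-9]", 33)) if re.search(pat, pw))
    estimates.append(len(pw) * math.log2(charset))
    return min(estimates)


def informed_meter(pw: str) -> str:
    """Rate by estimated guess count; the cut-offs are assumed, not from the study."""
    thresholds = (20, 28, 35, 45)
    return RATINGS[sum(guess_bits(pw) >= t for t in thresholds)]


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery"):   # constructed samples
        print(f"{pw!r}: class-count={class_count_meter(pw)}, "
              f"guess-informed={informed_meter(pw)} ({guess_bits(pw):.1f} bits)")
```

The class-count meter rates Password1! above the three-word passphrase; the guess-informed meter reverses that order, which is the behaviour the study found the real meters getting wrong.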
Amanda Finch (CIISec) shared the significant step of being awarded Royal Charter status and what it means for the organisation and the industry, bringing a need to adapt to their new status and obligations in raising standards in the Cyber Security Profession.
Echoing the points of previous speakers regarding the broad skill set required by today’s Cyber Security professionals, Amanda described how very frequently organisations seek one person to cover it all. CIISec is working on creating better career pathways to recognise skills through multiple certifications. However, she acknowledged this is not always a simple thing to do, as some important skills, such as social intelligence and communication, are learnt and developed over time.
Amanda rounded up her presentation by discussing the CyBOK (Cyber Security Body of Knowledge) project, an extensive exercise involving the mapping and analysis of the relevant top-level knowledge areas to create a comprehensive go-to resource for Cyber Security Professionals.
The penultimate speaker was Vic Harkness, who discussed different ways of disguising our faces in order to avoid facial recognition by CCTV cameras. Her concern stems from the growing number of innocent people who find themselves on ‘watched’ lists due to false positive errors.
Her recommendations ranged from having unusual hairstyles that confuse the ‘plain forehead’ that facial recognition software looks for, to wearing glasses with inbuilt UV lights, painting black blocks onto your face or wearing a mask.
Vic shared an amusing story of a gentleman who is selling masks of his own face in the hope that we will all walk around looking like him!
Jeremy Ward provided the final discussion on ‘Organisational Politics – Where cyber security theory meets operational reality’. He discussed the ways in which cyber security professionals fail to engage effectively with management, leading to bad resourcing decisions and a lack of adequate support for cyber security.
After such a thought-provoking and positive event, this was a poignant note on which to end.
About Secure South West
These events, held bi-annually, are specifically offered for the benefit of organisations in the south west, giving an opportunity for awareness-raising and access to expertise without the need to travel out of the region. The programme includes presentations and discussion addressing a range of security topics relevant to the current market. These are delivered by representatives from leading companies in the IT security industry, alongside recognised academic experts from the University of Plymouth.