Secure South West 2: 25th March 2013

The second Secure South West (SSW2) event was hosted by Plymouth University on the 25th March 2013, and offered eight presentations delivered by experts drawn from industry and academia. The event was supported by our exhibitors Cryptshare and the Stem Group.

Presentations/videos (where available) can be found below. PDF copies of slides are made available wherever possible and in most cases a video of the full talk can be accessed from Plymouth University's iTunes U site or our dedicated YouTube channel.


You are the weakest link...
David Emm (Senior Security Researcher - Kaspersky Lab UK) and Marta Janus (Security Researcher - Kaspersky Lab UK)

Download slides

Humans are typically the weakest link in any security system and the starting-point for many cyber-attacks is to exploit human weaknesses. People are susceptible for a variety of reasons - they may not realise the danger, they may be taken in by the lure of 'something for nothing', or they may cut corners to make their life easier. But all too often, we pay too little attention to the human dimension in corporate security. This presentation will highlight the problem and offer some perspectives on trying to 'patch' human resources in business; and will include a live demo that will highlight the potential technical consequences of 'hacking' humans.

Biography

David Emm holds the position of Senior Security Researcher at Kaspersky Lab, a provider of security and threat management solutions. He has been with Kaspersky Lab since 2004 and worked in the antivirus industry since 1990 in a variety of roles, including that of Senior Technology Consultant with Dr. Solomon's and Systems Engineer and Product Manager at Network Associates.

David has a strong interest in malware, ID theft and the security industry in general and developed the company's Malware Defence Workshop. He is a knowledgeable advisor on all aspects of online security, and a regular presenter at exhibitions and events, frequently providing comment to both broadcast and print media on the latest security threats and how users can stay safe online.

Marta has started to work for Kaspersky Lab in 2009 as a Threat Analyst for the local office and joined the Global Research and Analysis Team in the beginning of 2010. For almost 3 years she was based in Czestochowa, Poland, and responsible for monitoring the local threat landscape. Currently she is based in Oxford, UK, where she works on a position of a Security Researcher. Her main field of interest is malware for non-Windows systems and embedded platforms, including Linux/Unix malware, mobile threats and malware for network devices. Marta graduated in Computer Science at Czestochowa University of Technology. She also holds a master's degree in Archaeology.

David Emm
Marta Janus


Can we escape passwords?
Prof. Steven Furnell (Professor of Information Systems Security - Plymouth University)

Download slides

Prof. Steven Furnell from Plymouth University presents a series of survey findings that illustrate the significant problems that still persist in terms of guidance and usage surrounding passwords. He then goes on to briefly examine some of the possible alternatives that have now started to appear on our devices and online services.

Biography

Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP) - namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 220 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). He is also the editor-in-chief of Information Management & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).

Steven Furnell


Speed Kills: Countering Future Cyber Threats
David Lacey (Consultant and Strategic Adviser - IOActive)

Download slides

Cyber threats are evolving at an accelerating pace. They can sabotage services or compromise data in a fraction of a second. Yet we continue to manage security at the speed of a Presidential election. The truth is that traditional methods of cyber security management are no longer fit for purpose. This presentation will explain where the problem lies and present a fresh perspective on cyber security, with a focus on speed, intelligence and action.

Biography

David Lacey has more than 25 years experience of managing information security in organisations such as the Foreign & Commonwealth Office, Royal Dutch/Shell Group and the Royal Mail Group. David is a keen innovator and has developed many contemporary methods and standards. He was the creator of the text that is now ISO 27002 (it's not his fault!) and the founder of the Jericho Forum. More interestingly, he was a pioneer of computational immunology for fraud detection and is a keen futurist. David is now an independent researcher, writer and director, and the author of the books "Managing the Human Factor for Information Security", "Managing Security in Outsourced and Offshored Environments" and "Business Continuity Management for Small and Medium Sized Companies". David is a visiting senior research fellow of the University of Portsmouth, an honorary fellow of the Jericho Forum, a member of IOActive's Strategic Advisory Board, and a member of the Infosecurity Europe "Hall of Fame". He also writes a popular security blog for Computer Weekly.

David Lacey


Testing our Security Defences
Dr Maria Papadaki (Lecturer in Network Security - Plymouth University)

Download slides

Focal point of this presentation is to examine how penetration testing can help assess the robustness of our security defences. On one hand, it can test for human as well as software vulnerabilities, and it can highlight the business impacts of discovered holes. On the other hand, it carries risks if not done properly; a false sense of security, disrupted operation for production-based systems are a few examples of risks. The benefits and risks of penetration testing will be reviewed, along with an overview of penetration testing practices that span from initial information gathering to post exploitation.

Biography

Dr Maria Papadaki is a lecturer in Network Security, at Plymouth University, UK. Prior to joining academia, she was working as a Security Analyst for Symantec EMEA Managed Security Services (MSS), UK. Her postgraduate academic studies include a PhD in Intrusion Classification and Automated Response (2004), and an MSc in Integrated Services and Intelligent Networks Engineering (2000), University of Plymouth, UK. Her research interests include intrusion prevention detection and response, network security monitoring, incident prioritisation, security usability, and security education. Dr Papadaki is a GIAC Certified Intrusion Analyst (GCIA), GIAC Penetration Tester (GPEN) and is a member of the GIAC Advisory Board, as well as the British Computer Society. Further details can be found at www.cscan.org/mpapadaki.

Maria Papadaki


The Threat landscape and how it can affect your business
Sarb Sembhi (GAWN Director - Consulting Services IncomingThought)

Download slides

This session will provide a brief overview of what is happening in the world that may affect your business in terms of the threat landscape. It will cover the latest developments in: the EU Data Protection Regulations, cyber-attacks, cyber security, malware, cyber risks.

Biography

Sarb is the Chair of the ISACA Government & Regulatory Advisory Sub-Committee for Europe and Africa (region 3), and a Past-President of the London Chapter of ISACA. His paid role is as Director of Consulting Services at Incoming Thought, having been a Senior Consultant and Researcher. He is also the Faculty Head of Security Convergence for www.InfoSecSkills.com.

Sarb has a background in the public Sector as a Management Consultant, before entering the software development field as a programmer analyst and then project manager. It was as a development project manager that Sarb came into the Security field. Since his accidental entry into security Sarb has experience in all aspects of security, as practitioner, and as a contributor to the industry (through research and standards). Sarb's research includes "vulnerabilities of network CCTV systems", "data integrity attacks" and "cyber threats". Sarb is a regular speaker at Information Security Conferences around the world, including RSA Europe, HITB, BCS, ISACA, ASIS, IPSec, IFSec. Sarb is the founder of the International Secure System Development Conference, which will be going into its 3rd year.

Memberships and roles: Chair of ISACA Region 3 Government and Regulatory Advisory Sub-Committee, and member of the ISACA International GRA Committee; member of the ISACA Cloud Computing Task Force; and is a Past-President of ISACA London Chapter); Founder and first Chair of the Security Advisory Group of ISACA London Chapter; a member of InfoSecurity Magazine Editorial Board; a member of ISSA UK Advisory Board; member of the iGRC Advisory Group; Eurim; and an individual member of the Parliamentary IT Committee (now PICTFOR).

Sarb was recently voted 32nd in the IFSEC 40 most influential people in security and fire.

Sarb Sembhi


On the Internet, Nobody Knows You're a Dog
Paul Simmonds (CEO - The Global Identity Foundation)
Co-editor, Cloud Security Alliance "Guidance" v3.0
Co-founder & board of Management - Jericho Forum

Download slides

The famous cartoon is celebrating it's 20th birthday, yet it's more true today than ever before, and we (the security industry) still have not addressed the problem. The goal of one, single, strong identity that is also privacy enhancing may seem like a fanciful dream, but the solution to beating the cyber-criminals lies in BYOiD and leveraging the identity and attributes of all the components in the transaction chain to make good risk-based decisions.

This session will provide some background to the issue, why the Global Identity Foundation has been formed and what it aims to achieve.

Biography

Paul is a co-founder and board member of the Jericho Forum and security consultant. Until recently he was the global CISO of AstraZeneca and prior to that the global CISO of ICI. Paul's varied career has included Electronic Countermeasures, Theatre & TV Lighting, designing North Sea Oil control systems, network management for JET (Nuclear Fusion Research) and setting up a number of commercial radio stations. Prior to his time at ICI he was Head of Information Security with a high security European web hosting company and before that spent seven years with Motorola, as global information security manager. He’s been awarded "Chief Security Officer of the year" at the SC Magazine Awards, awarded "Best Security Implementation" at the 2006 SC Awards and twice listed as one of Network World's "most powerful people in networking". In addition to the Jericho Forum, Paul sits on the advisory board of a number of leading-edge computing companies, as well as the Executive Advisory Board of ISSA UK. Paul is also one of the three global editors of the CSA (Cloud Security Alliance) Version 3 guidance document. Paul has a degree in Electronic Engineering and a City & Guilds in Radio Communication. He also is a British Canoe Union Level 3 Kayak Coach. His linked-in profile is: http://uk.linkedin.com/in/psimmonds and occasionally tweets as @simmonds_paul.

Paul Simmonds


Cyber, Schmyber - The Relevance of Principles
Andrea Simmons (Global Head of Policy & Risk Governance - HP Enterprise Services)

Download slides

The presenter contends that worshipping at the foot of all things "cyber" (or indeed "cloud") is proving to be a distraction that is taking us off course from succeeding at our necessary information security endeavours - from building security in across both the software design landscape and the infrastructure architecture, to ensuring board level understanding. There is less of a "cyber skills crisis" and more of an "understanding crisis". This presentation will seek to cut through the cyber-waffle and bring us back to the basics in a strongly impassioned plea. "cyber" requires a full and detailed understanding of the basics; basics that still hold true as first principles and must be learned in the same way as learning that Tuesday follows Monday, or "30 days hath September, April, June and November"...

Biography

Andrea is an experienced professional expert delivering high level, strategic consultancy relating to compliance with information management/risk/security/governance/assurance legislation, regulation and standards. Accomplished presenter, writer, trainer, delivery and implementation one-woman whirlwind!


With everything connected, how will it ever be secured?
Christopher Smith (Vice President of Marketing – Green Hills Software)

Our world continues to experience an exponential growth of network-connected electronic systems. We rely and trust them for commerce, critical infrastructure, and life-critical functions, but we should not forget that these systems are also an attractive target for determined attackers. Everything from medical equipment, power plants, cars and smartphones, all are connected to the Internet. Can we really secure all this? It is possible! This presentation will include a demonstration of latest technology.

Biography

Christopher Smith is Vice President of Marketing for Green Hills Software. Green Hills hold the most safety and security certifications and the best track record for solving embedded problems since 1982. Christopher has over 25 years experience in the engineering, sales and marketing of embedded and real-time systems and software. He has been with Green Hills since 1998 and directs the company marketing strategy and communications across Aerospace and Defence, Automotive, Consumer, Industrial, Medical, Mobile, Networking, Telecom and Wireless. He is also Vice President of Marketing in EMEA for INTEGRITY Global Security, providing EAL6+ High Robustness security to the Enterprise.

Christopher Smith
Sorry, no video available.