The fifth Secure South West (SSW5) event was hosted by Plymouth University on 2nd April 2015, and offered seven presentations delivered by experts drawn from industry and academia, plus a panel session. The event was supported by our exhibitors Random Storm Ltd and iStorage UK Ltd.
Presentations/videos (where available) can be found below. PDF copies of slides are made available wherever possible and in most cases a video of the full talk can be accessed from Plymouth University's iTunes U site or our dedicated YouTube channel.
The arrival of Digital Transformation, or "The New Style of IT", has turned the technology world on its head, but how do security strategies and risk management programmes need to adapt to embrace and deliver tangible business benefits in this new world of IT? This presentation looks at some of the fundamental changes that have happened and how organisations can use security to provide true business benefit.
Chris is the Security Strategy and Transformation Practice Leader for HP Enterprise Security in the UK, leading a team of senior consultants who work with companies and organisations across the private sector to develop security strategies and transform their security to the benefit of the business. Chris is also a Security Client Principal specialising in the security of the Retail and Financial Services sectors. In addition, Chris is a member of the ISACA Professional Standards and Career Management Committee (PSCMC) and a member of the Accreditation Committee of the IISP. Since graduating from Plymouth University, Chris has worked at a number of public and private sector organisations, building over 15 years of extensive security experience in industry-leading areas.
Within the information security field, there is a (bewildering) array of qualifications, certificates and letters that individuals can hold and list after their name. As a customer or consumer, it's difficult to understand what these qualifications mean and how they relate to experience, knowledge and the ability to get the job done. Adrian Davis of (ISC)2 will provide an overview of the most common security qualifications held by individuals, the requirements of those certifications and the breadth of subjects covered. Adrian will also tie these certifications to job roles and profiles, to help you as a customer understand what you are buying and how to better specify the knowledge and experience you require.
Adrian heads the Europe, Middle East and Africa (EMEA) team for (ISC)2, the global, not-for-profit leader in educating and certifying information security professionals throughout their careers. His responsibilities include developing and implementing a strategy for the EMEA region, working with the EMEA Advisory Board and supporting the (ISC)2 global vision and mission.
Before joining (ISC)2, Adrian worked for the Information Security Forum, where he led the Leadership and Management group within the Global Team. He was responsible for the delivery of practical business solutions within a commercial setting to the ISF’s global, blue-chip, Membership.
Adrian regularly presents at, and chairs, conferences and contributes articles to the press. He also contributed to the development of ISO/IEC 27014: Governance of information security, and currently acts as a co-editor for ISO/IEC 27036 Information Security in Supplier Relationships, Part 4: Guidelines for security of cloud services.
Mobile devices of all kinds have assumed an increasingly important role for today’s organisations. Whether issued by the business itself, or operating in a BYOD context, it is increasingly likely that our employees are carrying around both the organisation’s data and a means to access its systems. This presentation outlines the resulting threats, to both the devices themselves and the data they hold. The discussion then considers what users consequently need to know about security and privacy, the extent to which they can now find themselves interacting with related features on their devices … and the challenges this can pose.
Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, an Adjunct Professor with Edith Cowan University in Western Australia, and an Honorary Professor with Nelson Mandela Metropolitan University in South Africa. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP) - namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 250 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). He is also the editor-in-chief of Information Management & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).
In the IT security industry, we are at the moment releasing articles about how hackers and researchers find vulnerabilities in, for example, cars, refrigerators, hotels or home alarm systems. All of these things go under the term IoT (Internet of Things), which is one of the most hyped topics in the industry. The only problem with this kind of research is that we cannot really relate to all of it.
I decided to conduct some research which I thought was relevant, trying to identify how easy it would be to hack my own home. What can the attacker actually do if these devices are compromised? Is my home "hackable"? Before I started my research I was pretty sure that my home was pretty secure; I mean, I've been working in the security industry for over 15 years, and I'm quite paranoid when it comes to applying security patches. It turned out I was wrong, and that I had a lot of devices connected to my network.
Just imagine a scenario where you notice that you have been compromised. You do everything that's written in the book to bring it back to normal again: you back up your data, re-install your devices and make sure that the new installation has protection against malicious code and all updates are installed, but then six months later you get compromised again, and all your new data is stolen again. The attacker might have compromised your network storage device and turned it into a backdoor which is undetected and unfixable unless you replace the entire device. This is what I tried to achieve in my research. Several "0day" vulnerabilities were discovered in my devices, which allowed me to obtain unauthorised access to all my files, obtain administrative access on most of the devices and also install backdoors on the devices, transforming them into zombies in botnets. Even some "hidden" features were identified in my DSL router, allowing someone to actually take control over my device. The only question left is, who is that 'someone' and how do they get access to my device?
David is a security evangelist who is currently working as Senior Security Researcher for Kaspersky Lab. He is responsible not only for research but also for technical PR activities in the Nordic and Benelux region, where his tasks often include vulnerability and threat research. He also performs a lot of product and security audits, penetration tests, security research and public speaking engagements around the world. His day-to-day job is about improving awareness of the current and future threats and vulnerabilities to which both consumers and large enterprises are exposed, and fighting cybercrime.
David has about 15 years of experience working in the IT security field. This has given him the opportunity to work in many interesting areas, such as vulnerability and threat management, customer experience, penetration testing, development and fighting cybercrime.
Sorry, no video available.
We all know by now what one of the biggest information security flaws currently hitting the field is, and we also know (begrudgingly) that it can't just be patched, fixed and monitored: that flaw is the threat that our own employees present to us.
This presentation will focus on taking our weakest link from an information security point of view, our employees, and making them our frontline, stalwart defenders against the current dangers we face within the information security industry, effectively bringing our human firewall up to par with the rest of our systems.
We will discuss how we can go about filling in the gaps in people's knowledge, and why those gaps exist in the first place: is it lack of interest, or lack of information presented to them in an engaging, informative manner? We will also tackle exactly what we can do to change people's perception of information security, as well as the behaviours surrounding it.
Melanie Oldham is MD of Bob’s Business. With a business background gained in hotel management, event management, project management and IT, she now heads up a cybersecurity training company that challenges employee behaviours, helping businesses to develop a secure culture that minimises vulnerability and risk.
This presentation will look at some aspects of threat intelligence (security industry buzzword of 2014!), discussing both its importance and its hype. We will start by defining threat intelligence and its types, sources and use cases, as well as some current challenges. Then, an overview of threat intelligence feeds, tools and platforms will be presented, focusing mostly on open source solutions. The presentation will finish with a discussion of trends, and more specifically of security automation and threat information sharing using the STIX and TAXII standards.
Andreas Sfakianakis is a Threat Intelligence Consultant and works for ECS, an IT consultancy and services company for enterprise clients. In the past, Andreas has worked for the Foundation for Research and Technology Hellas (FORTH), the European Commission and the European Union's Network and Information Security Agency (ENISA). His publication track record includes reports and academic papers on the cyber threat landscape, e-banking authentication, CERT training and web censorship.
Andreas has a strong interest in incident response, threat management and threat intelligence. He is also working on security automation and threat information sharing through standardisation (namely STIX and TAXII). His Twitter handle is @asfakian.
Why is cyber security so difficult? Why can’t the IT team just make our systems secure? Why doesn't the government protect us from cyber crime? Mike StJohn-Green will demystify a topic that is too often shrouded in secrecy, obscured by abbreviations and characterised by 'Fear, Uncertainty and Doubt'. For example, what is the real significance of stories like Shellshock and Heartbleed? What are the trends we should be anticipating over the next few years? Hear Mike tackle these questions, put your own questions, and find out what you should be doing about this topical and increasingly important issue.
Mike is well-known within the cyber security community as a subject matter expert, speaker and conference chairman. He is working with a range of clients on reviews and audits of information security and its governance. He has also developed advice on securing information in the supply chain and written pragmatic policy and guidance on improving cyber security. Mike retired from the UK government after more than 30 years working for GCHQ where latterly he ran the information security policy teams who set the rules for the UK government. Mike was also Deputy Director in the Cabinet Office’s cyber security team.
To quote from a survey once conducted by Information Security magazine, one of the biggest hurdles for organisations to overcome in addressing security is the problem of "unalert, uninterested, lax, ignorant, uncaring end users". This panel session considers the challenge of getting staff on board with the security message, and adopting the behaviours it expects as a result. From simply raising awareness, through to embedding a true security culture, the panel will share thoughts and experiences of tackling the issue and the techniques likely to deliver the best results.
Moderator: Steven Furnell (Plymouth University)
Panel: John Finch (Plymouth City Council), Nigel Jackson (Plymouth University), Melanie Oldham (Bob's Business)
John Finch, Information Governance Manager, Plymouth City Council
John Finch is the Information Governance Manager for Plymouth City Council, responsible for data protection, security policy development and management, managing the Information Asset Register, managing security incidents, providing security advice for the Council and its partners, and providing security awareness education for senior management.
Previously John spent 7 years in a technical security role as IT Security Manager for Plymouth City Council, managing the compliance of the Council network and responding to technical breaches.
John has chaired several regional security forums, including the SW WARP and the Devon Information Security Partnership, and was a conference speaker at the National Information Security Conference in 2008 and 2010. He was involved in the delivery of the IA guidelines for the Public Services Network published by the Cabinet Office.
John is a current CISSP, and undertook an IT master's degree at Plymouth University in 2001, with a thesis on approaches to establishing an IT security culture.
Nigel Jackson (Plymouth University)
Dr Nigel Jackson is Reader in Persuasion and Communication. After a number of years in political lobbying, public relations and marketing, Nigel's research interest is now in how organisations can bring about desired behavioural change in their internal and external stakeholders. He has particularly concentrated on how the Internet can be used as a persuasive tool.
Melanie Oldham (Bob's Business)
Melanie Oldham is MD of Bob's Business. With a business background gained in hotel management, event management, project management and IT, she now heads up a cybersecurity training company that challenges employee behaviours, helping businesses to develop a secure culture that minimises vulnerability and risk.