Secure South West 6: 9th February 2016

The sixth Secure South West (SSW6) event was hosted by Plymouth University on 9th February 2016 and offered six presentations delivered by experts drawn from industry and academia, plus a panel session. The event was sponsored by Securious Limited.

Presentations/videos (where available) can be found below. PDF copies of slides are made available wherever possible and in most cases a video of the full talk can be accessed from Plymouth University's iTunes U site or our dedicated YouTube channel.


We would like to thank our SSW6 sponsor Securious Limited without whom we would not have been able to run this event.

Securious Limited

Securious is a cyber security consultancy based in Devon. We provide end-to-end security consultancy solutions, including gap analysis and workshops for PCI DSS and ISO 27001, together with penetration testing and Cyber Essentials compliance, to keep you, your business and your private data safer online.
We are the first company in the South West to qualify as a certification body for the Government's Cyber Essentials programme. This means we can help companies in the region, and country-wide, take essential steps to protect themselves against cyber threats.


Data Protection - Past, present and future
Robert Bond (Charles Russell Speechlys LLP)

Download slides

In this presentation, leading legal expert Robert Bond will review the global data protection frameworks and look at the future challenges for managing data protection compliance.

Biography

Robert Bond is a Partner and Notary Public at Charles Russell Speechlys LLP and a Certified Compliance & Ethics Professional. He is a legal expert and author in the fields of e-commerce, computer games, media and publishing, data protection, information security and cyber risks. Robert is listed in Legal 500 for Data Protection, where he is described as "astounding", and in Band 1 for Data Protection in Chambers UK 2015, where clients describe him as "a brilliant lecturer, a meticulous lawyer" and state he "is a great expert who can give off-the-cuff advice". "Everyone gravitates towards him. A very good communicator and very generous with his time."

He is named in the National Law Journal's list of 50 Governance Risk & Compliance Trailblazers, listed in the top 10 in "Who's Who of Information Technology Lawyers 2014", in "Best Lawyers in UK" and in "Who's Who of Telecommunications Media & Technology 2015", and has specialised in data protection and information security law since 1983. He is Chairman of the Governance Board of the Data Protection Network, a member of the UN Global Pulse Privacy Advisory Group, on the Big Data and Analytics Council of Tech UK, on the Advisory Board of the Data Protection Academy of Malaysia, a non-Exec Director of the Data Protection Jobs Board, an Ambassador for Privacy by Design and on the Advisory Panel of the College of Law for their Legal Network TV. He is a Liveryman of Stationers and also City of London Solicitors, a Fellow of the Institute of Advanced Legal Studies, a Companion of the British Computer Society and an Honorary Member of the Institute of Export. Robert is author of "Negotiating Software Contracts" (5th Edition, 2013, Bloomsbury Professional), "Software Contracts" (Tottel) and "Negotiating International Software Licenses and Data Transfer Agreements" (Sweet & Maxwell), and is legal editor of "IT Policies & Procedures" (WoltersKluwer).



Practical exploitation
Paul Dowland (Plymouth University)

Download slides

This talk will examine common exploitation techniques, discussing the underlying vulnerability in each case as well as providing a practical demonstration of system compromise. The talk will consider recent high-profile incidents as well as historic examples of exploitation. The live demo nature of this talk will show that while some attacks may be technically simple, they often go wrong (sometimes with unexpected side-effects). The attacks will be demonstrated in a virtualised environment using freely available tools.

Biography

Dr Paul Dowland is a member of the Centre for Security, Communications & Network Research and the Associate Head (Computing) within the School of Computing, Electronics and Mathematics at Plymouth University. His interests include network and system security, user authentication, security education, and learner/learning analytics. Dr Dowland is the secretary to the International Federation for Information Processing (IFIP) working group 11.1 (Information Security Management) and a Fellow of the BCS. He is the author of over 50 papers in refereed international journals and conference proceedings, edited 26 books and co-authored "E-Mail Security: A Pocket Guide" (2010). Further details can be found at the CSCAN website. Paul can also be followed on Twitter (@pdowland).



What the consultant doesn't tell the customer...
Henrik Kiertzner

Download slides

What the consultant doesn't tell the customer...

...unless he's pragmatic and independent.

The world of information security is littered with acronyms, buzzwords, magic products and ‘silver bullets’, all certified to eliminate all threats, mitigate risk to near zero and give your users a whole new world of security.

The reality is that the information security space is chaotic, the threats are constantly evolving and the responses to those threats are frantically playing catch-up. We are still seeing major information security incidents occurring, painfully and with much accompanying publicity, and many operators and enterprises are wondering whether they are obtaining real value for money from the significant investments they are making in information security.

Many consultants provide professional services as part of a larger transaction involving the delivery of hardware, software or outsourced security services. They will offer good advice, but it is necessarily offered through the filter of the associated products and services they represent.

The reality is that proper security is messy and complicated and depends on getting the details right. There are no silver bullets and, however much money is spent, time must still be spent integrating and tuning the various components which go into sensible, risk-managed, affordable security architectures: ones which are effective but do not impact operations or legitimate use of the systems they protect.

Henrik Kiertzner, a pragmatic and independent consultant with no corporate affiliation, will describe and discuss the vital components of just such a sensible security architecture and the metrics which can be used both to justify an investment and qualify its value once made.

Biography

Henrik Kiertzner, after a long career in the British Army during which he served worldwide largely on intelligence duties, has been, variously, IT Director of an international engineering firm and, for the last 15 years, a security and risk consultant in both the physical and cyber realms. He is a Member of the IET and a Chartered Fellow of the British Computer Society.



The 800lb Gorilla meets the Elephant in the room – why compliance needs to give security the respect it deserves
Giles Letheren (Delt Operations Director, Delt Shared Services Ltd) and James Stubbs (Business Development Manager, Babcock MSS)

Download slides

Babcock International Group recently took itself from nearly the bottom of the MOD's league table of cyber-aware/capable suppliers to the top in less than 18 months, and is now using this learning to help others. Delt Shared Services Ltd provides IT services to over 6500 public sector users at 200 sites throughout the South West. Recognising that compliance with cyber security directives is only half the story, it has recently formed a partnership with Babcock Managed Security Services to enable best-in-class security monitoring and analysis across its estate. This presentation will tell the story of the changes in the threat landscape that led to the development of a SOC, which needed a dedicated cyber analysis team, which led to the development of a company and a subsequent partnership with Delt.

Biography (Giles Letheren)

Husband, father, magician, hypnotist, race car driver, IT guy and shared services evangelist, Giles Letheren is Operations Director for Delt Shared Services, the innovative partnership between Local Government and the NHS. His career, which began in the entertainment industry (and arguably never left it), has been split evenly between the US and the UK, including radio, live television, theatre, IT and nuclear submarines. As a speaker he has presented at OracleWorld in San Francisco, the Institute of Directors in London and a very sleazy club behind the British Consulate in Atlanta.

Biography (James Stubbs)

James Stubbs has over 15 years' experience in the IT, communications and broadcasting industries. Working with leading broadcasters, James enabled emerging technologies to deliver higher quality content faster, with increased reliability and assurance. Moving into the IT space, James developed a passion for solving business challenges through understanding the problem and evangelising technical solutions across all business levels. As the cyber challenge broadened to cover all businesses and operations, James focussed his expertise on cyber security solutions, and is currently working in business development for Babcock MSS, a specialist Managed Security Service Provider (MSSP) defending government, CPNI and other high-end businesses from the cyber threat.



Can we insure against cyber security disaster?
Jeremy Ward (Business Development Manager for Security Consulting Services, HP Enterprise Security Services)

Download slides

When the cyber security function deals with risk, management and mitigation are the first option, and risk transfer is often neglected. However, there are signs that transferring risk through cyber insurance may be the "next big thing" for the insurance industry. This talk will look at the advantages (and disadvantages) of cyber risk insurance, and what it might mean for cyber security in future.

Biography

In May 2011, Jeremy Ward took on the role of business development manager for security consulting services for HP Enterprise Security Services.

Jeremy is responsible for ensuring that innovative and customer-centred services are developed, delivering strategic and governance, risk and compliance services, especially those concerned with business-driven information security risk management, including security operations services.

Before he took on his new role, Jeremy was responsible for running his own consultancy business, with contracts that delivered information security risk management solutions to banks, telecommunications companies and governments. He also delivered contracts for the European Network and Information Security Agency (ENISA) on emerging and future risks and on national risk management for EU countries.

Before that, Jeremy worked as service development director for Symantec, responsible for process development and as internal security auditor for Symantec Security Operations Centres (SOCs). He was also responsible for thought leadership in information security risk management and the development of new services to solve information security risk management issues for customers, working with many large enterprise customers globally. He developed the Symantec IT Risk Management Report and was principal subject matter expert on IT risk management.

Prior to that, Jeremy was at the UK Government Cabinet Office, where he was involved in writing 'Encryption and Law Enforcement' and 'e-commerce@its.best.uk', which set the agenda for the development of information age policies in the UK government. He then helped set up the Office of the e-Envoy, which was given responsibility by the Prime Minister for driving forward those policies.

Before working at the Cabinet Office, Jeremy was at the UK Ministry of Defence, specializing in security-related matters and managing major IT and telecommunications projects.

Jeremy has been heavily involved in information security policy formulation with bodies such as the Confederation of British Industry (CBI) and the OECD. He helped to draft the OECD's Guidelines on Information Security, published in August 2002, as well as the ISO 27005 information security risk management standard. He is an ENISA registered expert and has been chairman of the ENISA Risk Assessment and Management Working Group and is a member of the ENISA Working Group on the Economics of Security. He has also been a member of the Steering Committee of the UK Government's Cyber Security Knowledge Transfer Network.

Jeremy is a qualified IT project manager and lead auditor for ISO 27001. He was responsible for achieving ISO 27001 certification for Symantec's Security Operating Centres in the UK, USA, Germany and Australia. He has also consulted on ISO 27001 compliance for a number of large organizations internationally.



A look into the payment card industry (PCI) - how to gain and maintain compliance
Peter Woodward (Chief Information Officer, Securious Limited)

Download slides

A talk on what PCI DSS means to SMEs and large corporations. As a Qualified Security Assessor, Pete will discuss some of his experiences gained through working with large retailers as well as smaller merchants, to help you understand and get to grips with the latest PCI DSS standard.
I will demonstrate that it isn't all plain sailing...

Biography

Pete Woodward is the founder and Chief Information Officer at Securious Limited. He is a security expert and has a wealth of knowledge around cyber security, system architecture and networks.

Pete comes from a military background, and has worked on security projects in the public and private sectors for organisations including Devon and Cornwall Police, the Met Office, Capita, BP, HP and some of the UK's largest retailers.

Pete’s experience is backed up with leading security and network accreditations, such as CISSP, CEH, RSA Security, CCNP, CCDP, and IPv6, along with TOGAF v9 certification.

He is also a PCI DSS Qualified Security Assessor, and works on many compliance projects.

Pete cemented his passion for cyber security and founded the South West Cyber Security Cluster with the vision to establish a ‘Centre for Cyber Excellence’ in the South West.



PANEL: Breaching our own security: Can we keep a secret anymore?

It is fair to say that many people perceive security to be synonymous with concepts such as secrecy and confidentiality. This being the case, it is equally fair to say that we seem to find ourselves progressively less able to maintain it, thanks to the way that technology has enabled and encouraged data sharing.

This panel session explores the impacts of our modern online behaviours, with themes including:

  • How has the Internet in general, and social media in particular, changed the culture of information sharing?
  • What do modern attitudes towards confidentiality and privacy mean for corporate data security?
  • Assuming we have a problem, what steps can be taken to address it?

Moderator

Steven Furnell (Professor of Information Systems Security, Plymouth University)

Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, an Adjunct Professor with Edith Cowan University in Western Australia, and an Honorary Professor with Nelson Mandela Metropolitan University in South Africa. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP), namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 250 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). He is also the editor-in-chief of Information Management & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).

Panelists

Paul Ferrier (Enterprise Security Architect, Plymouth University)

Paul Ferrier is the Enterprise Security Architect at Plymouth University, responsible for information security policy development and the management of security incidents and investigations, and for providing advice and guidance to University projects, researchers and staff across the organisation.

Paul is currently qualified as a Payment Card Industry approved Internal Security Assessor for the University.

Paul completed both an HND and a degree at Plymouth University, graduating in 2002, and has been working with the University since 2003, predominantly focussed on the development of enterprise-wide Identity and Access Management between 2005 and 2012 before moving into the Strategy and Architecture Team.

John Finch (Information Governance Manager, Plymouth City Council)

John Finch is the Information Governance Manager for Plymouth City Council, responsible for data protection, security policy development and management, managing the Information Asset Register, managing security incidents, providing security advice for the Council and partners, and providing security awareness education for senior management.

Previously John spent 7 years in a technical security role as IT Security Manager for Plymouth City Council, managing the compliance of the Council network and handling technical breaches.

John has been chair of several regional security forums, including the SW WARP and the Devon Information Security Partnership, and was a speaker at the National Information Security Conference in 2008 and 2010. He was involved with the delivery of the IA guidelines for the Public Services Network delivered by the Cabinet Office.

John is a current CISSP, and undertook an IT master's degree at Plymouth University in 2001, with a thesis on approaches to establishing an IT security culture.

Ram Herkanaidu

Ram is an independent IT Security and Education specialist. Currently, he is working to promote digital literacy and security awareness amongst young people in Thailand, and pursuing PhD research aligned to this activity.

Previously he worked for Kaspersky Lab for 13 years in various technical roles and rose to become Education Manager, where he helped organise Kaspersky's CyberSecurity student conferences and undertook projects engaging schools and universities. With his security researcher hat on, he also has extensive experience as a media spokesperson and conference speaker.

Jeremy Ward (Business Development Manager for Security Consulting Services, HP Enterprise Security Services)

Biography can be found above.