The fourth Secure South West (SSW4) event was hosted by Plymouth University on the 10th July 2014, and offered seven presentations delivered by experts drawn from industry and academia, and, a panel session. The event was supported by our exhibitors MetaCompliance, Random Storm Ltd; Stem Group; and, Superfast Business Service.
Presentations/videos (where available) can be found below. PDF copies of slides are made available wherever possible and in most cases a video of the full talk can be accessed from Plymouth University's iTunes U site or our dedicated YouTube channel.
This presentation will look some of the problems with current Authentication solutions, discussing why security keeps making the news and why most of us do not like logging in. The presentation will draw from Geoff's experience as the Co-Founder of PixelPin and his journey to bring a new authentication technology to market.
Geoff has over 20 years of experience of leading the development of complex real time systems and 5 years working in Thales managing the business development for cyber security. Before setting up PixelPin he led the successful business capture activities for a US network security company into a pan government opportunity. PixelPin was set up in July 2012, starting in the Wayra accelerator, funded by Telefonica, and recently completed 3 months in the Accenture led FinTech Innovation Lab supported by 12 banks in Canary Wharf. Geoff is a Fellow of the British Computer Society and has spoken at Warwick University and Tech events in Bath and London.
The Internet reaches in almost every aspect of modern life. We live in an era where malicious code can even be used to create cyber-weapons and we have seen a string of highly-sophisticated cyber-weapons since Stuxnet. It's easy to imagine that such attacks - aimed at 'critical infrastructure' installations - have little relevance for ordinary businesses. But *any* organisation can become a victim. For one thing, all businesses hold data that could be of value to cybercriminals. For another, they can also be used as a 'stepping-stone' to reach other companies. Finally, even if an organisation is not in the direct firing line, it could become 'collateral damage' if it isn't adequately protected. This presentation will outline the cyber-weapons we've seen so far and highlight the implications for ordinary businesses.
David Emm holds the position of Senior Security Researcher at Kaspersky Lab, a provider of security and threat management solutions. He has been with Kaspersky Lab since 2004 and worked in the antivirus industry since 1990 in a variety of roles, including that of Senior Technology Consultant with Dr. Solomon's and Systems Engineer and Product Manager at Network Associates.
David has a strong interest in malware, ID theft and the security industry in general and developed the company's Malware Defence Workshop. He is a knowledgeable advisor on all aspects of online security, and a regular presenter at exhibitions and events, frequently providing comment to both broadcast and print media on the latest security threats and how users can stay safe online.
The exploitation of vulnerable systems represents a significant attack vector for both intruders and malicious code. However, in spite of this, many organisations remain open to attack through not applying patches and security updates. The presentation examines the challenge posed by vulnerability management, and the overheads that it can incur even if organisations wish to take a responsible stance. Consideration is also given to cases in which they heighten their own exposure by continuing to use vulnerable technologies that cannot be adequately secured.
Prof. Steven Furnell is the head of the Centre for Security, Communications & Network Research at Plymouth University in the United Kingdom, and an Adjunct Professor with Edith Cowan University in Western Australia. His interests include security management and culture, computer crime, user authentication, and security usability. Prof. Furnell is active within three working groups of the International Federation for Information Processing (IFIP) - namely Information Security Management, Information Security Education, and Human Aspects of Information Security & Assurance. He is the author of over 220 papers in refereed international journals and conference proceedings, as well as books including Cybercrime: Vandalizing the Information Society (2001) and Computer Insecurity: Risking the System (2005). He is also the editor-in-chief of Information Management & Computer Security, and the co-chair of the Human Aspects of Information Security & Assurance (HAISA) symposium. Further details can be found at the CSCAN website, with a variety of security podcasts also available. Steve can also be followed on Twitter (@smfurnell).
Intel of the last years shows a drastic advancement of attacks on companies. Attacks on systems connected to the Internet are standard and are automated to a high degree. Well-known examples, like the attack on RSA Security LLC or on Target Brands Inc., show that client-side exploits provide the first step into a company's network in recent attacks. Besides describing those attacks in theory, the talk will also cover a practical demonstration on how attackers from the Internet can compromise an internal machine and use it to further advance in the network until domain administrator rights are achieved.
Thomas Hackner is managing director of HACKNER Security Intelligence GmbH, an independent security consultancy company for high demands in security assessments. HACKNER Security Intelligence is known for high-quality assessments and customer-oriented design of security checks and trainings. Ongoing research and development together with their experience from real-life penetration tests give HACKNER Security Intelligence GmbH the possibility to correctly rate and assess current threats and attack techniques. Besides, Thomas Hackner is teaching "Advanced Penetration Testing" and "Physical Security" at the University of Applied Sciences in Hagenberg, Upper Austria and gains his experience from a wide range of penetration tests in different sectors, like energy, manufacturing, critical infrastructure and IT services.
Technological solutions alone cannot protect an organization's critical information assets. Businesses need information security staff with appropriate skills, behaviours and qualification who can give them a leading edge by providing the highest standard of security for their stakeholders and organizational information assets.
But in this hyper connected world, there is no single skill & behaviour that will keep them secure but rather information security requires multiple interrelated skills & behaviours, and each one is potentially influenced by different factors.
During session we will be addressing importance of skills, behaviours and certification, the difference that it can make to effective security management, and the ways in which businesses might identify the certifications that are most appropriate to their needs.
Rehan Haque has over 13 years of hands-on experience in IT including IT Management, Software Engineering, Information Assurance, IT Security and regulatory Compliance. He is currently working as Control & Compliance Manager at BP within Group Finance function. Prior to BP, he held a variety of IT Risk, Information Security and IT Auditing positions including roles in engineering, education and professional services sectors. He earned MSc degree in Distributed Information Systems from Brunel University and has CISA, CRISC, CISM, ABCP and ISO27001 Lead Implementer certifications on his profile.
He is currently serving ISACA International on their Student & Academic Subcommittee and ISACA London Chapter as Academic Relations & Research Director. He is also assisting UK Govt. in developing apprenticeships and CPD frameworks as part of the Cyber Security Skills Strategy.
This presentation will provide an overview of the Government's Cyber Security strategy; the cyber threat; and, introduce the findings from the recent Information Security Breaches Survey (ISBS) 2014 before looking at the Government's approach to working in partnership with industry.
Orla is an Assistant Director of Cyber Security at the Department for Business, Innovation and Skills, where she is responsible for sector-based partnerships with the private sector. Prior to this, she has held a number of roles across government, including at Border Force, the Intelligence and Security Committee and the Better Regulation Executive.
Sorry, no video available.
For decades now, research into Information Security – and particularly research into Cyber Crime and Cyber Security has focused on computers and computing. Hardware, software, data communications and mobile communications have all been critical components of this research. However, it is tragic to think that for a very long time, the human aspects of Cyber Security and Information Security (i.e. InfoSec) have been overlooked. Very little contemplation leads us to realise that the best passwords on the most sophisticated software on the most high-tech computing facilities become useless when the password is written on a sticky note and placed on the monitor for easy access, or told to anyone who asks for it. The most expensive firewall on well-protected servers can do nothing when an executive clicks on a link in an email that states that the government requires certain information "immediately, or else". We humans – that is, what we think, what we know, what we do, how we do it and why we do it – are perhaps the key to the "silver bullet" of increasing and maintaining an acceptable level of information security within your organisation. Or maybe not!
Dr Malcolm Pattinson is a Research Fellow in the Business School of The University of Adelaide and an independent Information Security Consultant. He has been lecturing and researching in the area of information security for more than 20 years. His current research focuses on the human aspects of information security and he is widely published in this area. He has been an active member of the Adelaide Chapter of ISACA for more than 15 years and has the certifications CISA, CISM and CGEIT. He is also a Member IFIP TC-11 Working Group 11.12, Human Aspects of Information Security & Assurance (HAISA).
Does security expect too much of those expected to use it? How easily do users learn what is expected of them? What can be done to make things better? These and other questions are considered in this panel discussion.
Moderator: Steven Furnell
Panel: Geoff Anderson, Andy Barker, Paul Dowland and Ram Herkanaidu