With a reported 17,000 people flocking to Europe's largest security conference this week, there is no doubt that the industry is expanding rapidly. Here, you'll find hundreds of vendors, a variety of workshops and a range of sessions for professionals in the field, no matter what their level. From technical insights to business risks, the event is a great opportunity not only for networking but also for learning from renowned security experts. Below is a short summary of some of the key moments of Infosecurity Europe day one, along with some very cool visualizations of the talks created by our graphic recording artist Chrissy Marshall.
Building Cyber Security for Tomorrow
Speaker: Ciaran Martin, Director General for Cyber Security at GCHQ
As the opening keynote, there was a lot of interest around this subject – in particular, the recent discussions around GCHQ and privacy. Ciaran kicked off his talk by comparing GCHQ to the Disney film Monsters, Inc., with GCHQ's role in security being to provide "The Top Scares." He made the point that it wasn't long ago that people were talking about what was going to happen, whereas now we're talking about what is actually happening on a daily basis. From that, Ciaran outlined the three main motives for attacks as money, power and propaganda. He went on to note that there are many different types of hackers, ranging from small-time hackers who aim to take a small amount of money and hardly get noticed, to more daring hackers who risk more for larger, more significant amounts. It was also striking to see that the cost of a breach for SMBs has more than doubled in recent times, with the average breach now costing between £65,000 and £100,000 – simply terrifying statistics for any small business owner. To help reduce the risk, three resources were discussed:
- 10 Steps to Cyber Security – a basic guide offering practical steps that organizations can take to improve the security of their networks and the information carried on them.
- Cyber Essentials – a new Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats.
- Common Cyber Attacks: Reducing The Impact (PDF) – a report produced by CESG with CERT-UK covering the threat landscape, vulnerabilities, the structure of a 'typical' cyber attack and case studies.
From the last report, it was highlighted that two words were selected carefully: common and reduce. You can't protect everything – there are too many attacks – so you must prioritize the most important assets and reduce your vulnerabilities.
Dear Executives, Parlez-Vous Security?
Speakers: Brian Honan (@BrianHonan), Dwayne Melancon (@ThatDwayne), and Thom Langford (@ThomLangford)
This panel tackled the ever-popular subject of how security and business can be aligned. Thom Langford started the discussion by talking about how important it is for security folks to understand the business itself. He asked:
"If you don’t understand the business plan, how can you focus on what areas are deemed the biggest risk?"
For example, if your organization is subject to an acquisition in six months, you'll find that an insider threat from disgruntled employees could be a risk – so efforts to focus on these threats should be made. But how do you present that to an audience that may not understand, or even care, what you are saying? Panelists stressed that it's vital to understand the business objectives and know the audience you are pitching to. One point Dwayne Melancon, Tripwire CTO, raised was:
"How can we bridge the gap between technical and non-technical folks?"
Lots of interesting points were made: lose the technical jargon (business executives don't want to hear about an APT), use analogies, and find an area of interest that helps them understand and care about what you're saying. Brian Honan gave interesting insight into how to make non-techie executives interested in what we're saying. He explained that even if you report to the company that you've blocked a certain percentage of spam per month, your security budget may still be lowered because the business executives may say, "OK, that's great – but that doesn't help us reduce our expenditure." Instead, he suggested a helpful formula that WILL interest them:
The average time taken to identify spam x the number of total spam emails sent = The cost to the business.
This number shows how security can align with business objectives while improving productivity. Typically, not many executives outside of IT really think about security until there is actually an issue. However, panelists stressed that the place of security in corporate culture needs to change: instead of just being reactive, it needs to start being proactive. Security should be part of a constant dialogue, rather than something discussed only when there is a breach or another incident. Melancon closed the session with some valuable advice: "Be risk centric, don't focus on everything – look at the areas that are of most value to the business and target those first."
Smart Home Invasion
Speaker: Craig Young (@CraigTweets)
You may be concerned about the rise in the number of connected devices in our homes, but the general public doesn't really understand how critical this could be now, and even more so in the future. As with any regular burglary, criminals are highly motivated to do whatever it takes to get what they need. Craig explained that home hubs can now make it easier for burglars to enter your home, and can also give them information about when people are at home and when they are not. This can lead to criminals tracking your every move and then planning a more stealthy attack when they know you're out. Craig started off by talking about three of Amazon's top-selling "Smart Home Hubs" and then ventured into the technical pros and cons of each device. In describing their potential vulnerabilities, Craig showed the audience how a Vera hub could be exploited and then discussed the severity of the issues. What was clear is that no matter how much is at stake with current and future vulnerabilities, the overriding factor for vendors is customer satisfaction and experience. If it's too complex to configure smart home devices, organizations seem to believe that their customers will move elsewhere, so they rely on convenience rather than shipping a secure device. As the "Internet of Things" moves forward, Craig made it clear that it's vital that organizations work with security professionals to ensure that new devices are safe and secure from the moment they are created. Stay tuned for more conference highlights this week!
If you're at #infosecurity15, visit us at Booth D20 for a chance to enter our drone giveaways! You can also pick up a free, customized "cyber warrior" T-shirt and get "caricaturised" by a talented local artist. Lastly, don't miss our happy hour on Wednesday, June 3, from 3:30 PM to close!