Security manager James Gosnold was at the recent ISSA Chapter event, held at the HMS President, and he reports back for IT Security Guru.
The opening keynote was given by Tony Neate, the CEO of Get Safe Online (GSO), who gave out real and pragmatic advice for a better, more secure online experience for the general public. I thought the resource looked particularly useful for protecting children from the pitfalls and threats on the internet and older users from fraud. Several family members of mine in the latter category have been targeted recently, and repeatedly.
Neate, an ex-policeman, did say “things aren’t that bad, there is too much scaremongering.” An example of the sensationalism around the cyber threat was when the story about the GameOver Zeus Trojan broke and a two-week timebomb was proclaimed; the traffic generated by members of the public wanting more detail knocked the GSO site offline for a time.
Neate said he had been frustrated by Facebook’s apparent lack of interest in educating children; Facebook responded that the minimum age criterion of 13 years old is an effective enough control! There is a Get Safe Online week running from the 20th to 24th October, and I hope more businesses get involved.
The ISSA Dragon’s Den ran in two parts and offered vendors a strictly enforced ten-minute slot to pitch their wares. Ken Munro from Pen Test Partners chose not to do so directly and instead imparted – at high speed – some general observations and advice. Ken strongly recommends that businesses now look into cyber liability insurance policies, and compared going without one to driving a car without insurance.
I particularly liked Ken’s concept of a ‘HoneyNet’ as a preventative/detective measure: set up a number of fake but realistic-looking profiles on social networks, purporting to be employees of your organisation, and then closely monitor them to understand if they (and therefore your business) are being targeted. Getting the marketing department to manage the profiles and use them to promote the business was also something you could see working effectively.
Also, Core Security gave a general overview of the Core Impact suite and solutions. Lieberman Software offers a Privileged Access Management (PAM) platform which supports most enterprise technologies and is built on the concept that actual credentials for systems are never known (by the user/admin). If I were in the market for a tool to solve my PAM issue I would definitely contact them.
Rapid 7 (best known for acquiring Metasploit in 2009) gave a fairly standard presentation, often quoting the Verizon report, although I was particularly taken with the statistic that, with all the talk of highly advanced cyber warfare tactics, “77 per cent of breaches are from unsophisticated sources”.
I did think the Rapid 7 ‘User Insight’ product looked useful, and I wondered if it is one of the technologies underpinning the recent activity I’ve witnessed from large online entities, where they alert users based on logins (successful or otherwise) from geographically dispersed locations in a short space of time.
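The alerting on logins from geographically dispersed locations in a short space of time that is described above is commonly called impossible-travel detection. The following is an added illustration, not code from the article, from Rapid 7 or from any product: it runs a minimal detector over constructed sample events, and the coordinates, the 100 km jitter floor and the 900 km/h airliner speed ceiling are all assumptions.

```python
import math
from datetime import datetime

# Constructed sample login events: (user, UTC timestamp, latitude, longitude, success).
# These values are made up for illustration; they are not data from the article.
SAMPLE_LOGINS = [
    ("alice", "2014-10-01T08:00:00", 51.5074, -0.1278, True),   # London
    ("alice", "2014-10-01T08:45:00", 40.7128, -74.0060, False), # New York, failed attempt
    ("alice", "2014-10-01T09:10:00", 40.7128, -74.0060, True),  # New York, succeeded
    ("bob",   "2014-10-01T09:00:00", 51.5074, -0.1278, True),   # London
    ("bob",   "2014-10-01T13:30:00", 48.8566, 2.3522, True),    # Paris, plausible by train
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=100.0):
    """Return (user, previous_ts, current_ts, distance_km, speed_kmh) for each pair of
    consecutive logins by one user that would require travel faster than max_speed_kmh.
    Failed attempts are included deliberately: a failed login from a distant location
    is exactly the signal this kind of alert is meant to surface to the user."""
    alerts = []
    last = {}  # user -> (timestamp, lat, lon) of that user's previous login
    for user, ts, lat, lon, _ok in sorted(events, key=lambda e: (e[0], e[1])):
        now = datetime.fromisoformat(ts)
        if user in last:
            prev_ts, plat, plon = last[user]
            dist = haversine_km(plat, plon, lat, lon)
            hours = (now - prev_ts).total_seconds() / 3600.0
            # Same-second logins would divide by zero; treat them as infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            # min_distance_km absorbs GeoIP jitter so nearby cities do not alert.
            if dist > min_distance_km and speed > max_speed_kmh:
                alerts.append((user, prev_ts.isoformat(), ts, round(dist, 1), round(speed, 1)))
        last[user] = (now, lat, lon)
    return alerts
```

Running it on the sample flags only Alice's London to New York pair (about 5,570 km in 45 minutes); Bob's London to Paris trip is within the speed ceiling and stays quiet.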
The first afternoon keynote saw Professor Angela Sasse take to the stage to give her thought-provoking view on the current state of security awareness. Professor Sasse is running research funded by GCHQ, which is concerned that security decisions are being taken without being based on facts and hard data/evidence.
The research demonstrated that:
- People have too much policy/compliance to take on board.
- They spend too much time on activities not related to their core job.
- People actually have a threshold for that; Sasse felt security should be no more than three per cent of someone’s workload – and that includes logging in!
- Many organisations have staff who spend three weeks a year simply logging in. This was a revelation to many CEOs and CISOs exposed to the research.
- Non-compliance with security policy is rarely a result of complete disregard for the rules, and users often create shadow security practices (such as password-protecting documents).
Sasse feels there are too many campaigns which all fail to tell users exactly what they need to do, as opposed to perpetual repetition of policy. The 2014 ISF report demonstrated that most organisations don’t measure the effect of security awareness campaigns, and those that do observe no discernible improvement, the conclusion being “it’s just noise”. Awareness needs to be better targeted: 90 per cent of human behaviour is habitual, so we need to change habits by:
- Connecting desired behaviour to core values; streamlined (and targeted) communication is key to this.
- Targeting habits one by one.
- Enforcing and being seen to enforce.
- People follow others – leadership must be involved.
- “No fault” reporting by users of difficulties following security policy: set up a helpline or mailbox where users can explain why they can’t follow a security requirement.
Sasse believes we need better collaboration across industry sectors so that a clear set of rules can be created that we can all follow. Sasse discussed the image of security and how it needs to be more pro-social and positive, and finished by saying that email phishing as a service is a “waste of time” and “will simply hack your users off”.
The second part of the Dragon’s Den kicked off with Palo Alto presenting on their Next Generation Firewall technology, the concept being that it doesn’t rely on straightforward port numbers but identifies traffic based on other characteristics.
GroundLabs introduced their three data discovery products, focused on card, data and enterprise reconnaissance. There are other data discovery products in the marketplace, but from the ten minutes I saw no reason to discount this one if I were working on such a solution.
ITC Secure Networking promoted their managed security monitoring service by explaining a simple five-step architecture, all based on ArcSight. They integrate dynamic threat feeds from Threat Stream and Digital Shadows.
Qualys used their ten minutes to explain how they have evolved from a plain old vulnerability scanning operation to a more effective “continuous monitoring” service. They are offering a free trial of QualysGuard through to November.
The next presentation was from Campbell Murray, Technical Director of Encription. He discussed the cyber skills gap, especially in the area of penetration testing. The two most interesting soundbites I captured were that a study (with NCC) showed there is only an extra cost of 11 per cent to produce secure code, and that he did not feel agile development is a friend of security.
Finally, a panel session on “Snowden: The global impact” was made up of Tim Grieveson (G4S CIO and CISO), Dai Davies (lawyer), Drew Perry (CEO of Tiberium) and Peter Warren (a BBC journalist).
Grieveson thinks that we still have a long way to go and that the board “knows security is an issue but doesn’t know what to do with it”.
Davies explained how the NSA didn’t break any laws because the US constitution explicitly protects US citizens, not other countries. Drew Perry felt that the youth of today have “already given up their privacy” when they signed up for all of the various social networks and simply “don’t care”.
Warren said that interest in encryption has increased a great deal as a consequence of the Snowden revelations, which also served to highlight the power of technology. Warren also feels there is a business for privacy, so it’s win/win for the security industry.
Finally, he said that the language we use in cyber security is “impenetrable and not plain English”, but I’m not sure I agree with that. Just the other day I was explaining deep packet inspection and private/public key technology to my mother and she smiled nicely.