The following is a review of the day by
The cluster were lucky enough to attend the Cyber Security Europe Event hosted by ‘Agenci’, our 4.30 meeting would tag on to the tail end of the event. For a full line up of the speakers please click here.
The event opened with an anonymous style video message, a little out there – but intended to welcome the guests with an overview of cyber crime. Agenci CEO Stuart Barker opened the day with his two children performing a ‘MindHack’:
Think of a country beginning with D, take the second letter of that country, think of an animal beginning with that letter and think of a colour of that animal.
So if you thought of a grey elephant from Denmark, your brain was on the right track for the event.
After a brief intro of hacking the gibson and excerpts from the film wargames and clips of thermonuclear war gave a broader overview of the event. Talking of his history of all things cyber and the way he learnt the game, focussing on ancient languages such as pascal.
Speakers throughout the day were briefed on 10 commandments of the day, mainly revolving around this not being a sales event!
Stuart is a big part of the CiSP platform and actively tries to promote this essential service (link here)
He passionately spoke about cyber crime and touched upon the TalkTalk hack and how they are now a Get Safe Online member – something of a necessity by all means.
Stuart’s talk led onto an overview of IoT and how internet connected devices have gone from 1 IoT device per person on the planet, to a now 6 devices per person! All of which can be hacked apparently.
It wasn’t all scare stories though and many tips followed the talk, mainly revolving around education, not clicking the links and making sure things are setup correctly and tested. Stuart isn’t a public speaker by all means but his passion for cyber carries him through, he is eager to share the good things government organisations are doing to help.
I’ve personally had the pleasure of knowing Tarun for quite a while, he is one of the most committed CISO’s I know. Continually sharing and raising awareness of attacks, methods of defence. He is currently leading Findel in the fight against all things cyber.
His talk was nicely statistics based! This is always nice to see. Social Engineering scored highly on his agenda in defence focus. Covering employee negligence and how we can use DLP to fight this. It was more than user analytics though he advised companies to incorporate a full strategy focussing on the data it’s self – where is the data, locate it, analyse it.
Who is the owner of it, who is responsible, who has access to it, what are they doing with it
Phil talked about how digital law can influence how a company operates.
Should we report data breaches? There is apparently no requirement to report a data breach to the ICO. I personally beg to differ but it is interesting to hear this stance from a lawyer who specialises in data legality.
Andy Gambles – ServerTastic
Andy’s talk was about phishing. Starting with the way phishers operate and some classic typo domains ‘p.aypal.info’ and UTF-8 character encoding in URL’s – some great on the ball information.
You don’t often hear people talk of the downsides of HTTPS but Andy’s talk again hit the nail on the head, it’s nice to hear a talk from a person obviously competent with his chosen trade.
SSL means encryption – not legitimacy! EV means legitimacy!
Andy follows this with interesting stories and real life cases of complex spear phishing attempts. Tesla’s OWA hack, Loosing an iPhone and ending up getting phished and more.
Andy can be found at @AndyGambles on Twitter and I personally suggest you do!
By the end of his talk, after covering the WIFI Jasager/Karma attacks most people were reaching for the WiFi setting on their phones.
Dr Dionysios Demetis
Dr Dionysios Demetis is a Lecturer at the Business School of the University of Hull in the United Kingdom. He is also an Adjunct Professor for Henley-Putnam University in the United States (where most academic staff come from the CIA, U.S. Secret Service, FBI, NSA, and all branches of US military). His talk was absolutely amazing.
He touched upon some funny points, using humor in general, his talk flowed extremely well and the internet of things i’ve never seen more scarily covered. Internet enabled mattresses that report on all kind of analytics! Fridges that were compromised and used for a botnet. He has a site (and a book) that is probably worth a look in and if it’s half as informative and entertaining as his talk then it should be worth a look in.
She helped some people using Twitter and change.org, demonstrating the power of social media and how it can change people day to day lives.
Jenny’s talk was of course about the human side of security, she’s known as the ‘human hacker’.
The talk opened with famous instances of social engineering. Jacintha Saldanha the nurse who famously put the call through to Kate Middleton from the Australian radio station – an event that ended badly. The point was that social engineering effects people directly.
Covering topics from her past in social engineering, Jenny details how recon would aid an attack. She doesn’t stop at recon though, she uses traditional OSINT to find an exploit weaknesses in staff members. Knowing Jen personally for many years has been a pleasure and her client commissioned escapades beggar belief.
She asks companies to focus on this. Drop the blame culture, get the people onside and work with employees.
Ask employees to talk about social engineering. Get them to look for it – even if that means hanging up the phone sometimes, refusing entry to that smartly dressed person and saying no!
Your people are your key to not get hacked.
D.I. Geoff Halpin
Geoff is a Detective Inspector with the NPCC North East Regional Policing team with extensive experience investigating serious organised cybercrime while leading the Yorkshire & Humber Regional Cybercrime Unit.
His talk on ‘How to rob a bank’ is designed to make people think differently.
Taking three people to the stage he actually outlines the stages:
Find the weak spot
Find inside help
Get out… Cash out!
Melanie Oldham – Bob’s Business
Melanie has a background in events, IT and project management but she’s always had a vested interest in information security. As founder of Bob’s Business Ltd, she has gained 10 years experience in the industry and has become a reputable and well respected force within the industry.
Bob’s Business provide Information Security e-Learning and Phishing Services. The products was developed to demystify the world subject of information security, often thought of as an inaccessible and dry subject. The use of animation and humour is key to the approach and is proven to change employee behaviours and instill a secure culture.
Melanie’s top ten don’ts of cyber security comes on the back of her 10 years in the industry and she urges to people to connect with their corporations security. It was refreshing to see such passion and openness surrounding talking about aspects of security.
Panel: Melanie Oldham, Stuart Hyde, Gary Hibbard, Geoff Halpin
Q1 – Why is the public sector so far behind?
Melanie – They are actually engaging currently, doesnt feel they are.
Geoff – They are slowly turning, they have they own teams now.
Q2 – ISO:27001 and Cyber Essentials, does it prepare a company for GDPR?
Gary – The current data protection act actually states you implement a framework, eg ISO 27001.
Melanie – Has found Cyber Essentials very beneficial, not just for business.
Q3 – Do I pay a ransom?
Geoff – Personally thinks you should treat each case on a case by case basis.
Q4 – Whats the best way to protect against worms?
Gary – Prevention!
Mel – Think about it before it happens.
Q5 – How is Cyber Crime reported?
Geoff – Not as good as it could be, the police are starting to change this. Acknowledges the need for people to report crime.
Q6 – If I store a document on a ‘cloud’ platform is safer?
Gary – Cloud services specialise in security, you might not do! Files are only as strong as people resiliance to social engineering.
The original article in full can be found here: https://ycsc.org.uk/index.php/2016/10/18/cyber-security-europe/