Dr Naranson spoke at a high level about security at scale - mentioning especially the problems DWP face deploying systems at scale and what happens if these go wrong. She gave a few examples, including tackling DDoS at scale (mentioning DWP had suffered 16 large DDoS attempts just last month).
Next, she spoke about how this isn't just a Government issue: Walmart processes 2.5petabytes of data per hour. She went on to say that tackling this huge amount of data is important and the strategy for doing it should be shared in order to help everyone. Finally, she spoke about embracing social media and whilst it is a great tool, it should be monitored to avoid accidental breaches and information disclosures.
Speaker: Emma W from NCSC
Emma introduced the topic stating that for too long we have looked to users as the problems. That they are the ones causing issues and that for too long they have taken the hit.
She went on to say that you can train people as much as you want not to click links or to learn how to “trust email” but some phishes are simple too good. Phishing emails are designed to provoke a response and training happens at a thinking level. When these emails come through you are no longer at a thinking level.
The last thing about phishing was not to punish users for clicking on links because no matter who you are, at some point, you will get phished. Punishment just disgruntles users and makes them less likely to report personal errors when they make them. If you make it easy and reassuring for users to report when they have made mistakes it will improve your security.
The last part from Emma was on Password Guidance (as she is one of the lead authors of the NCSC's password guidance. Opening with “there is no evidence that changing passwords regularly improves security. No evidence.”. She pushed businesses and users to go and read the guidance and adopt it. At the end of the talk there was a really good but short video about security (I will try to find it and post the link).
Speaker: Chris O'B from NCSC
Chris spoke about the work he and NCSC is doing with Stix 2.0 and how using this they are improving the threat intelligence they get and give out. He gave examples of reports that give limited context which makes it hard for sysadmins/network defenders to make an informed decision about a threat.
He went on to talk about many indicators and the example he gave was malware pining 22.214.171.124 ( Google's DNS server). This is common for malware to do to see if it can talk to the internet. On its own this is not malicious and Chris did not recommend using this indicator on its own to determine if traffic was malicious. Instead he added to what is known so far about a threat and if other indicators were seen it could build up a clearer picture to the network defenders about what was happening.
Lastly, Chris spoke about the work the NCSC are doing with their customers where they are generating a list of known bad and if any of this known bad is seen, a sighting object is generated from their customers networks, this feeds back into the threat intelligence platform the NCSC are developing (this is still a work in progress, more on this in the future I think).
Speaker: Katie Moussouris from Luta Security
Katie gave a brief intro on herself and her area of expertise - vulnerability disclosure and bug bounty programs. Katie has helped the US DoD begin their "hack the pentagon" initiative as well as Microsoft and a whole bunch of other people.
Katies main message was about the effectiveness of a bug bounty program. You can't substitute pen testing with a bug bounty and just because you pen test doesn't mean you catch all the bugs _(you should get most)_ and bug bounties don't have to be expensive. Offering hunters swag, unique prizes and prestige. Its not all about cash rewards but they do work too.
When bugs are reported they should be fed back to the pen testing team to see if there is a type of bug they aren't testing for, how can they catch this type of bug next time, etc.
Finally and most importantly she said “You can't bug bounty your way to secure”.
Speaker: Dave Chismon, MWR Infosecurity
Dave began by giving us a run down on typical honeypots. Then benefits of the 3 main types, low interaction, medium interaction and high interaction honey pots. Noting that the simpler the honey pot, the less effective it becomes.
He then went on to talk about strategically setting your honey pots, there isn't much point having some random, non-priv honeypot because that is not what attackers are looking for. Honeypotting file shares, R&D docs/shares and the like will draw attackers in as that is what they typically look for.
Be convincing. Don't have 1 or 2 things in plain site like admin-password-list.txt because its really obvious and depending on who you are defending against it is unlikely they will take the bait.
Using canary tokens and honey tokens in databases is also a good starting point. Thus means if data is dumped you can be notified on the false credentials appearing on pastebin. There were a huge list of other deceptive methods that can be used in networks too which I won't recursively list.
Speaker: Ollie Whitehouse, NCC Group
A flash through time covering the improvement of operating systems, why exploiting them is becoming harder and a comparison between desktop on mobile platforms. Locking down what the user can do and keeping all the nasty kernel stuff total separate. A very technical talk.
I went and played this threat game with Thales, which is designed to teach board-level executives about the importance of cyber security. The game runs as 2 players: a defender and an attacker.
Defender starts with 250 points and the attacker with 125. Each play, you choose a card to deploy or you buy something (you can deploy user training to your organisations/you can buy a SOC). As the types of attack move on the defender can use cards together which boost their effectiveness. For example if you add staff monitoring software and block USB ports this boosts. Similarly an attacker can install a root kit and then propagate any malware. Therefore rootkitting across the defenders estate, maximising damage. Additionally there is an intel feed that has news sites and social media integration so if you deploy a card, an employees social media post relating to it might pop up there, informing the opposition of what you are doing.
There are 12 rounds and the winner is where the most momentum is at the end. We didn't survive all 12 rounds. A fun game to play though!
Speaker: Gavin Rawson from Nominet & Rob G from NCSC
This talk was an intro to the work Nominet is doing along with the NCSC in building a public sector DNS server. The aim of this is to make phishing and malware harder to do against public departments. The Public Sector DNS is funded by the NCSC and scaled for 7.5m users. It'll be free at the point of use.
Nominet is responsible for the .uk domain and has around 170 employees. They have developed a tool called [Turing](https://www.turing.net/) which does DNS traffic analytics. It gives lots of info about traffic and does analytics looking for spam, malware C2 and also can take intelligence inputs from 3rd parties and add it into its knowledge base. E.g. a threat report comes out giving malware c2 IP addresses - these can be automatically learned by Turing to look for in its client's requests and block.
The whole tool is really good and at the end a delegate from Cambridge University asked âThis is great and for the public sector but what about academia?â. Rob, from NCSC, answered saying hopefully this can be extended in the future but didn't want to promise anything or put his foot in it.
Organiser: Royal Holloway
This seminar/workshop was run by Royal Holloway. Round tables of 6 were out and 6 questions were asked to each person. We had to write down the answers to questions which included “How did you get into cyber security?”, “what keeps you in the industry?” and “what will an information security professional look like in 20 years?”
Once we all wrote down our answers or illustrated them there was a discussion at each table. Then each table had to summarise with the goal of identifying what, if anything, we all had in common. The only real commonality found was that we all ended ip in the industry by accident/fell into it. The answers from the workshop are for a study getting carried out by Royal Holloway.
Speaker: Alex Lucas, Amazon Web Services
Alex went over common myths with cloud services.
Myth #1: Sysadmins can do everything - A common one which Alex said that assuming your sys admins leads to problems you cannot see and neither can they.
Myth #2: Your data could be anywhere - Cloud users are worried that data can be anywhere. This can be particularly problematic when reporting to the information commissioner or for organisations whos data can leave the UK or EU. In AWS data is put where users pick, regions are geographically isolated by design, data isn't replicated in other geographical locations unless users explicitly ask it to.
Myth 3: Good crypto is hard in the cloud - Another vague myth where there are many types of crypto: authentication, authorisation, data at rest, data at transit. I didn't manage to get a list of what tools he listed, but there are many.
Myth 4: Monitoring can't be done - Alex asked what are you trying to achieve? There are network logs/cloud trail for API actions/CloudWatch logs all available through AWS and other providers also offer these features. A live demo showed these can be activated at the click of a button.
Speaker: Ioana Boureanu
Speaker: CTO Leidos