#infosec19 at Olympia from the balcony - awesome quantity of cyber!
This huge 3-day exhibition/trade show is organised yearly by Infosecurity Group/Reed Exhibitions and is where to go if you want to hear keynotes from top people in infosec and visit technology stands from Akamai Technologies (edge security platform) to Yubico (USB security keys for multi-factor authentication).
Why would we be interested? 1/ Cyber security is everyone's business. 2/ We translate technical patents, often covering aspects of computing and network design. 3/ Every aspect of life is moving online, and data security is a vital part of this.
I went on the closing day, Thursday, and attended talks by Ciaran Martin, CEO of the NCSC (the UK government's cyber security centre and part of GCHQ); Chief Constable Goodman of Derbyshire Police, NPCC Lead for Cyber; and, last but not least, Troy Hunt, security researcher and creator of the Have I Been Pwned data breach notification service. I also visited an unreal number of trade stands.
These are the main points I took away from the talks:
Initially, after its inception in 2016, NCSC advice focused on the "fear factor", but it found that this tended to lead to businesses calling in "experts" and feeling that cyber security was all too scary and difficult, and something beyond their understanding. Now the decision has been taken to pivot advice towards businesses taking responsibility for what they can do, while letting government agencies such as the NCSC deal with, for example, major criminal and nation-state actors. The area easiest to improve is cyber security in businesses. No business, however big or small, can assume that it won't be affected, as the "accidental" impact of WannaCry and NotPetya showed: many businesses were affected without being specifically targeted. Analysis of 1,600 cyber security incidents has led to the conclusion that the attacks are often fairly simple, using low-level techniques and well-known malware that exploits known weaknesses, especially in out-of-date software. This means that straightforward measures such as using complex passwords, two-factor authentication, guarding against phishing attacks and making sure that software has the latest patches are worthwhile. Cyber risk is just another business risk that needs to be managed, but to do this, managers must ensure that they have some understanding of this risk.
Most police forces now have a unit - albeit usually small - dealing with cyber crime, and these units have increasing expertise. Many businesses are reluctant to report cyber crime incidents, as they don't think the police will be able to help, or they are afraid officers will report them to the ICO. This isn't the case: the police can and will help, with as little disruption to the business as possible, and although they may encourage businesses to report themselves, they won't report them to the ICO. The message was: please alert the police to cyber crime incidents; it will help them to help us.
Troy was inducted into the Infosecurity Hall of Fame 2019 at the exhibition for his outstanding work as a security researcher and as creator and curator of Have I Been Pwned. His talk was entitled "Rise of the Breaches". Data breaches keep occurring relentlessly - recent incidents involve the Internet of Things: cars, watches, and kids' soft toys, in one case leaking a database of children's and parents' information, including children's audio recordings. Credential stuffing - where attackers use huge lists of breached usernames and passwords to try to log into accounts - is only successful because humans keep reusing passwords. We need to do passwords differently, getting away from mandated complexity and mandated rotation and towards unique strong passwords with password managers and multi-factor authentication.
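To make the credential-stuffing point above concrete from the defender's side, here is an added example (not code from the post or from Have I Been Pwned) that scans constructed web-app login log lines and flags source addresses whose attempts are spread across many different usernames and mostly fail, which is what a breached-list replay looks like; the log format, the thresholds and the sample addresses are all assumptions.

```python
"""Added example (not from the post): flag credential-stuffing patterns in
web-app login logs. Log format and thresholds are constructed assumptions."""
from collections import defaultdict
import re

# Constructed sample lines: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2019-06-06T10:00:01Z 203.0.113.7 alice FAIL
2019-06-06T10:00:02Z 203.0.113.7 bob FAIL
2019-06-06T10:00:02Z 203.0.113.7 carol FAIL
2019-06-06T10:00:03Z 203.0.113.7 dave OK
2019-06-06T10:00:04Z 203.0.113.7 erin FAIL
2019-06-06T10:00:05Z 203.0.113.7 frank FAIL
2019-06-06T10:00:09Z 198.51.100.2 alice FAIL
2019-06-06T10:00:15Z 198.51.100.2 alice FAIL
2019-06-06T10:00:21Z 198.51.100.2 alice OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse(log_text):
    """Yield (ip, user, succeeded) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, ip, user, outcome = m.groups()
            yield ip, user, outcome == "OK"

def stuffing_sources(log_text, min_attempts=5, min_users=4, max_success_rate=0.5):
    """Return {ip: stats} for sources whose login attempts are spread across
    many distinct usernames and mostly fail. One user failing repeatedly from
    one IP (a forgotten password) is deliberately not flagged."""
    attempts, successes = defaultdict(int), defaultdict(int)
    users, hits = defaultdict(set), defaultdict(set)
    for ip, user, ok in parse(log_text):
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            successes[ip] += 1
            hits[ip].add(user)  # accounts the burst got into: likely reused passwords
    flagged = {}
    for ip, n in attempts.items():
        rate = successes[ip] / n
        if n >= min_attempts and len(users[ip]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {"attempts": n, "distinct_users": len(users[ip]),
                           "success_rate": round(rate, 2), "likely_reused": sorted(hits[ip])}
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(SAMPLE_LOG))
```

The `likely_reused` list is the actionable output: accounts that a stuffing burst logged into successfully are the ones to force a password reset and MFA enrolment on.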
Troy demonstrating the CloudPets data breach.
Photos: Anne Hargreaves, Priory Translations