Before Tuesday it would be safe to say that I was suffering withdrawal symptoms, having not attended a conference since last October when I made it over to IP Expo.
So I was rather keen to get cracking and make my way over to SW6 for 44CON, an event I’d never been to before (the 3-day version sounds overly technical, not to mention expensive, for my tastes).
I had high hopes in advance due to knowing, or at least knowing of, a few of the speakers. And that’s pretty important for me, considering how I had to work until midnight the night before going.
So, up at 04:45 after about 3 hours kip, it was time for my first conference of 2015…
After a long but straightforward trip to West Brompton it was but a short walk to the Ilec Centre, a pretty decent and spacious venue.
After registering I popped into the main hall to see if I could spot anyone I know.
Fortunately I bumped into fellow heavy metal and Slayer fan Quentyn Taylor, then Jerry Gamblin, before catching up with Mo Amin and the now not-so-retired-journalist Dan Raywood.
Let the talks begin…
Quentyn Taylor: Not following the herd – how to make your voice matter in the corporate world
First up was the aforementioned Quentyn Taylor, director of information security at Canon.
His talk began with slides depicting shoals of fish and wildebeest as he explained how security leaders often like to stick together in packs for the sake of protection, but that herd mentality actually carries a risk: it leaves little thinking time and little opportunity to gauge the direction you are heading in.
Taylor went on to talk of cyber war, making the highly valid point that for many, the risks are overplayed and not entirely relevant on a day to day basis.
Referencing a Verizon DBIR 2012 slide which he freely admitted had been pilfered from my boss, Mr Honan, Taylor demonstrated how 96% of attacks were not difficult in nature and that 97% of those could have been avoided with simple controls.
He said that the basics had been forgotten and that simple web attacks were still a concern, as was poor patch management.
The solution, he said, was for security leaders to actually lead.
Referencing the herd analogy, Taylor said wildebeests could be much better informed on migration, for example, if they took a ‘helicopter view’ of the situation at large.
Much better then, he said, for leaders to lead, by both being “in the dance and on the balcony”.
Taylor finished by reiterating how CISOs should lead and be prepared to take risks, highlighting how home security often works for many, not because they have the most secure home in the street but rather because they don’t have the least secure property.
This analogy, he said, indicates that a business with a leader with a good degree of risk appetite could position itself as “no less secure” than its competitors, thereby achieving objectives without “spending too much”.
Dr Jessica Barker: Cyber Myths and Monsters: how to raise awareness and change behaviours
Fear is a common theme running deep within the security community; used by some to encourage sales of their products or adoption of their services.
Thankfully, Dr Jessica Barker was on hand to provide her own take on fear and how it applies to the infosec industry, as she opened by asking whether we use fear too much and in the wrong way?
Fear, as we all know, is a powerful force and I’m sure it does motivate some people, some of the time, but Barker sees it as a potentially destructive force, typically affecting people in one of two ways – it can either totally paralyse the fearful, or lead to them reacting with ambivalence, almost completely rejecting any thought that the given threat could affect them at all.
To make her point, she explained how 46% of those people who clicked on spammy links were not security unaware, or lacking in security training, but rather that they were conscious of what they were doing.
I know from my own experience that such activity quickly causes such users – a word Barker rightfully identifies as being problematic itself as it suggests negative behaviour, such as the use of drugs or prostitution – to have the ‘stupid’ label applied to them.
What’s more, she said, those people would then cop the blame for the problem with technology being touted as the solution.
The answer, Barker said, was to work with people to find the solutions, but not through the use of fear which tended to have a negative impact if used wrongly.
Barker said the blame culture could be traced back through time via some of the timeless classics, including Dracula and Frankenstein.
Take Pandora, for example. Why did she open the box? Was it out of malice? No, said Barker, as she highlighted how the majority of people act out of curiosity of the unknown.
Or how about anti-anti-hero Gollum from Tolkien’s Lord of the Rings. Over the course of the three books (forget the films, the depth of character isn’t there), Gollum is a regular hobbit-like character called Smeagol. As the story progresses, his desire for the ring that ultimately leads to his downfall corrupts his character to the extent that he appears to be beyond redemption. Yet he warms to Frodo and appears to be capable of salvation, until Sam sticks the boot in. And that pretty much seals his fate.
That scenario, Barker said, is indicative of how people mold themselves to expectations, as she added how Rosenthal’s and Jacobson’s “Pygmalion in the classroom” study had revealed how children leveled out in accordance with the amount of expectation placed upon them by their teachers.
That, she said, demonstrated why companies should not see infosec in such a black and white manner, explaining how the expectation of poor behaviour was a self-fulfilling prophecy.
Instead, she said, companies should not “reject ‘good’ in pursuit of great” and that they should “take encouragement from improvement”.
Jerry Gamblin: Presentation and Communication Skills for Security Professionals
The brief for Gamblin’s talk was “How you communicate in meetings, emails, presentations and hallway talks can make the difference between running a successful security program and a struggling one.”
And, to make a point, he jokingly opened by saying that:
- 95% of security communication sucks
- 4% doesn’t suck
- and a mere 1% was great!
He then went on to offer various tips for those security practitioners who wished to improve their communications and exert additional influence when liaising with the board.
Beyond a quick mention of body language – would you say “no” to Jerry if he gave you the look below? – and how standing face to face was infinitely preferable to trying to communicate sideways, he gave us a number of slides that outlined his version of CISSP:
- C – be clear
- I – be informative
- S – keep it simple
- S – stay succinct
- P – be passionate
Beyond that, he made the quite valid point that talking isn’t always the key to good communication that some think – we can, and often do, say too much in fact.
Gamblin suggests that the attention span of the average executive, much like everyone else, is actually quite short, highlighting a study from MIT which suggested that only the first 3 lines of an email garner any real attention – food for thought there, eh?
Then, as he moved onto presentation skills, he made a point I’m sure will resonate with all of you who have attended higher education – that lectures are a far from ideal medium for transferring knowledge and, in his opinion, are effective for little more than reinforcing a lecturer’s standing as an authority on their chosen subject.
Instead, Gamblin suggested shorter, more direct communication was the way to go, highlighting mediums such as the TED talks where speaking time is quite limited, as well as shorter talks at conferences where attendees were likely to have an attention span in the range of 30-40 minutes tops.
Gamblin then ended with a suggestion that encompasses far more than just the communication aspects of working within the infosec field – find a mentor.
Dai Davis: Legal drivers for cyber security
Last year at the Security Bloggers Meet-up John Leyden introduced me to Dai, bigging him up as an authority on cyber law and such a description from one of the industry’s finest was sufficient motivation to catch Dai in action at 44CON.
In all honesty I can’t remember much about the talk though – my lack of sleep was catching up with me by this point and, coming as it did straight after lunch, the timing was not great for me.
Dai is an engaging and knowledgeable speaker, no doubt, and I wish I had been more alert rather than, quite literally, nodding off at this time of day.
I do remember him talking about how much an individual would have to hand over to prosecute a company that had mistakenly let their data enter the public domain – about £50-70k – and how the ICO have thus far initiated very few investigations or prosecutions, possibly due to a lack of time and money.
There was also a reference to The Hitchhiker’s Guide To The Galaxy – cool – and how the planet Earth went from being rated harmless to mostly harmless over the course of the books – much like the effectiveness of the Data Protection Act.
Next time I listen to Dai I definitely need to prepare with some Red Bull or something though – I’m sure I missed a lot of other useful information this time around.
Ian Maxted: Law Enforcement and Technology, how is the future looking?
Next up was Ian Maxted, a security professional who has now entered the field of law enforcement.
His talk began with some statistics that highlight just how much data is now available online:
- YouTube is acquiring 100,000 hours of new video every day
- Twitter is seeing users post 88,000 tweets per minute
- Facebook posts receive 1.2m likes per second
The rate at which new content is added to the web, he said, means that 90% of all the data in existence was created in the last 2 years alone.
As for the topic of crime, the above slide makes it quite clear just how many people are suffering at the hands of online ne’er-do-wells, suggesting that about one third of all the adults in the UK were victims of such activity last year.
Unsurprising, to those in the security industry at least, was the fact that 20% of victims had taken no action whatsoever to protect themselves, along with the fact that the cost of cybercrime he quoted was a mere £800m.
As for the future of online policing, Maxted made the very valid point that law enforcement was very good at siloing information but not at sharing it, a stance he says needs to change in order to better address the challenges faced by modern police forces and other organisations.
Interestingly, Maxted offered the forward-thinking view that law enforcement needs industry help –
We need to share nationally with what works and what doesn’t. We welcome sensible discussions to move things forward, because you can’t do it on our own. If you can help, with any advice, please tell me. We do care.
– but could only achieve such an aim by reconsidering its approach to the sharing of data, whilst offering the industry itself a return on its investment.
But it’s not only better links with industry that are required – Maxted also pointed out something we likely already know – better education is also required, both among members of the constabulary who maybe don’t have the required level of knowledge in the field, and between law enforcement and the populace at large.
Kevin Williams: The current picture (literally) of European Cyber Crime
Erm… yeah… so there was a break between talks and I found myself having a good chat with Mo Amin and then someone said “free bar” and any thought of attending the last talk of the day went out of the window.
I’m sure Kevin’s efforts were appreciated by all but, for me, the whisky won out.
It’s a wrap
Overall, I had a great day – the conference was well run, the talks were all highly informative and well delivered and the company was excellent (I’m not even going to try to mention everyone I met, save for Sam, a consultant originally from Belfast, with whom I had an excellent chat about women in infosec, as well as her own experiences of social engineering – a topic I’ve been thoroughly interested in since hearing Jenny Radcliffe at the RANT Conference last year).
Would I go again? Yes, definitely, it was well worth the price of admission, and would have been even better if I’d had time to attend the after-party.
So now it’s time for patience as I count down the days until the next conference – or three – on my calendar: June will see me at InfoSecurity, BSidesLondon and RSA London.
See you there?