CmdR Scotsoft2020 is over, but for those who couldn’t make it on the day my key take-aways from the cyber sessions are captured below. All sessions were recorded, so they are available for viewing in your own time – one of the advantages of a digital event! This was our first virtual conference and, with 1200 delegates and almost 40 speakers from around the world, we were delighted with the engagement and the feedback we have received.
Rik Ferguson, Global VP, Security Research, Trend Micro, was the keynote speaker who kicked off the day after Kate Forbes, MSP, opened the conference and welcomed everyone. Rik gave a really interesting and insightful talk exploring the use and importance of data to both business and criminal organisations, classifying data as volunteered, observed and inferred. He talked us through the value and price of data to criminals and how readily available data is to those willing to pay for it: data is constantly being mined, sold and re-sold.
Rik also explored how the increase in data volume through IoT, smart cities and the recent mass move to home working will make the use of AI and machine learning to manage that data even more key, stressing that the pandemic has accelerated data usage before we as a society were ready, i.e. before we had the tools to manage such high volumes of data. Rik emphasised the need to focus on tool sets and technology to help fill the skills gap, as well as continuing to attract people to the industry. AI and machine learning will be key to staying on top of data triage.
Mark Goodwin, Security Researcher, Hardenize, talked about how to secure your tools by breaking them! Looking at your system from an adversarial standpoint opens your mind to how a criminal will seek to exploit and attack your software. Mark explored this from the angles of intent, perspective and knowledge. Cyber criminals gather any information that can help them breach the tool and the system, and do not care how it is meant to be used, so they come at it with a completely different intent and perspective. They also have a particular skill set and knowledge of how best to attack software; they are experts in that field, whereas not all developers will be. Mark encouraged everyone to become experienced and knowledgeable in the tool sets criminals use, so that systems and tools can be built and configured with those in mind.
Chris Yule, Director of Threat Research Capability, Secureworks, gave us real insight into the world of ransomware and how criminal organisations approach this attack type: through careful planning, defined processes and patience over many months! He demonstrated just how professional cyber-criminal organisations now are, and explained how long criminals may be on your network, gathering intelligence, data and access before they strike. Chris recognised the challenges of patching, but highlighted how key it is to minimising exposure to breaches.
Alyssa Miller, hacker and security advocate, talked about the importance of DevSecOps teams focusing on threat intelligence. She discussed the history of DevOps and security coming together as DevSecOps, but stressed that there is more work to be done to get this set up correctly across the business. CI/CD needs to include continuous improvement as well as continuous integration and deployment. Threat monitoring is often forgotten in DevSecOps processes, but it need not be; the approach to it just needs to change to fit the pipeline. Alyssa added that 85% of surveyed companies said they knowingly deploy software with bugs, the main reason being increased pressure to deploy early. Alyssa stressed the importance of using language your business understands: instead of the STRIDE framework, talk about theft, fraud, interrupted business and so on.
Matt Summers, VP of Engagement Management & R&D – Security Testing at Aon’s Cyber Solutions, explained how complex encryption really is, with so many decisions needed to select the right design for your application: as an example, 15 algorithms, 12 modes and 7 padding types to choose from, not to mention which random number generator to select. You need to ensure the use case, application type and compliance considerations are all factored into the selection and design.
His tips on how to avoid mistakes included understanding best practice, using approved libraries that you trust, and getting an independent check when testing (not relying solely on automated tools). He ended with a request to avoid unnecessary overhyping by marketing teams, which is a red flag when it comes to encryption: do not refer to it as being unbreakable or military grade encryption.
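To make those algorithm, mode, padding and RNG choices concrete, here is an added example of my own (not code from Matt’s talk or from Aon) in Go, showing the weak setting beside the sound one: raw AES applied block by block (ECB mode), which leaks whenever two plaintext blocks are equal, next to AES-256-GCM from the Go standard library, an AEAD mode that needs no padding decision, authenticates the data, and takes its nonce from the operating system CSPRNG via crypto/rand. The key, the `ACCOUNT=…` sample record and the `record-id` associated data are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ecbEncrypt applies raw AES to each block of a block-aligned input (ECB mode).
// This is the WEAK choice: ECB has no IV, so equal plaintext blocks map to
// equal ciphertext blocks and the ciphertext leaks the structure of the data.
func ecbEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, errors.New("ecb: plaintext must be a multiple of the block size")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// ecbLeaksRepetition reports whether the ECB ciphertext reveals that the first
// two plaintext blocks were identical (true whenever they are).
func ecbLeaksRepetition(key, plaintext []byte) (bool, error) {
	ct, err := ecbEncrypt(key, plaintext)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct[:aes.BlockSize], ct[aes.BlockSize:2*aes.BlockSize]), nil
}

// sealGCM is the SOUND choice: AES-256-GCM. As an AEAD it needs no padding,
// authenticates ciphertext and associated data, and its 96-bit nonce comes
// from crypto/rand (the OS CSPRNG), never from math/rand or a fixed value.
// Output layout: nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("gcm: key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any change to nonce, ciphertext, tag or AAD makes
// Open fail, the integrity property that ECB (or CBC without a MAC) lacks.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("gcm: ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// newKey draws a 256-bit key from the OS CSPRNG.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: a record whose first two 16-byte blocks are identical.
	repeated := bytes.Repeat([]byte("ACCOUNT=0000001;"), 2)
	leaks, _ := ecbLeaksRepetition(key, repeated)
	fmt.Println("ECB reveals repeated block:", leaks)

	aad := []byte("record-id:42")
	sealed, _ := sealGCM(key, repeated, aad)
	pt, err := openGCM(key, sealed, aad)
	fmt.Println("GCM round trip ok:", err == nil && bytes.Equal(pt, repeated))

	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the tag
	_, err = openGCM(key, sealed, aad)
	fmt.Println("GCM detects tampering:", err != nil)
}
```

The caveat a reviewer would raise on the sound half: GCM is only as good as nonce uniqueness, so a random 96-bit nonce is fine for a bounded number of messages under one key (rotate keys well before the 2^32-message mark) but catastrophic if a nonce is ever reused, and nothing here stops a caller from passing a 16-byte key to the ECB helper, which is exactly the kind of silent downgrade an independent review rather than an automated scan tends to catch.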
All of these sessions are available to view, so if you missed any you can still go and watch them in your own time – enjoy!