My second day at Infosec had a much earlier start, attending some breakfast talks. Add to that the fact I now had to walk to the station and the alarm going off at six was not welcome! On the whole though there were some great talks today. Apologies this has gone up late.
I started my day at a breakfast talk hosted by WhiteSource given by Graham Cluley. Graham warned us not to lose sleep over those grand piano security risks (it's possible, but unlikely, that a grand piano will fall from the sky and kill you) and instead concentrate on the more likely threats. Those included loss of data (confidentiality issues, e.g. breaches) and loss of access to data (availability issues, including ransomware). A nation state hack was considered a grand piano although working in local government that's probably more likely for me than some others in the room - the NCSC has explicitly warned local governments about it.
Graham was followed by @ethomson (Ed Thomson) from Microsoft. Ed spoke about their secure development practices, how their red team (ethical hacker) exercises worked and gave a fantastic quote:
Defenders think in lists. Attackers think in graphs. So long as this is true, attackers win. (John Lambert, MSTIC)
To my mind this links in to what was said on the keynote stage yesterday: don't get blinded by compliance. Having a set of tick boxes is fine but that doesn't make you secure. Meanwhile, attackers work out the flow through a system, and how they can divert / subvert it.
Interestingly I think in graphs (spider diagrams to be precise).
The final breakfast talk was given by WhiteSource. My biggest take away from that was even if an open source library (e.g. jQuery) is found to be vulnerable, your project may not be using the vulnerable component and thus can't be exploited with it: prioritise.
Next I headed to geek street where Scott Helme did a talk on his research into "the world's most secure email communication device" by Nomx. Scott was asked, by the BBC, to show just how secure the unit was and the summary was "not very". This was all responsibly disclosed to Nomx last year and they've denied there's any problems ever since. I recommend looking at Scott's research here. Nomx continually refer to Scott as "blogger", rather than ever naming him, and this gave rise to the best quote of the conference so far:
That's multi award winning blogger, bitches.
My final talk of the day was a keynote presentation by Troy Hunt. Troy explained how old tricks are still working when it comes to attacking organisations and shared the alarming statistic that only 2% of the top websites were using free tools like a content security policy (CSP) to help protect against attacks. It seems to be an overarching theme of this conference that buying a shiny box isn't the panacea for all your security problems. It's something we've known for a while but it's nice to hear it said, especially at a vendor based conference.
A CSP would have protected organisations against the cryptominer injection into the BrowseAloud accessibility extension that affected a number of government sites.
Day three is just about to begin. Three keynote talks today, should be good.