I spent most of the final day of Infosec 2018 in talks. This post is going up later than planned as I've now processed what I saw / heard and, frankly, I'm no longer quite so tired.

I'll be honest, I found day three a bit of an anticlimax. Day 2 had some fantastic talks but these didn't really stack up the same. I actually walked out of one talk, and I don't like doing that, as it didn't meet expectations at all. I think the problem with the final talks and panel sessions is that they didn't particularly match their titles. That and I think speakers were feeling a lack of energy as the buzz was finishing.

Overarching themes

It struck me that the need for user training and awareness was commented on several times, with presenters highlighting that you can't just buy a shiny box to fix the problem or risk. An important message for those on the board too:

Information security isn't an IT problem, it's a business issue.

In other words, don't just assume IT will fix the problem. You need to be thinking about information security from the board level down. I often see our clients miss this critical point and, at the end of the day, the risk to their data, reputation and bank balance is significantly greater than the risks to me.

Following on from the shiny box comment, it's important for businesses to note they're missing out on some key, free, protections they can employ. I commented on Content Security Policies (CSP) following Troy Hunt's presentation. A key statistic from that talk:

Only 2% of the top sites are using a Content Security Policy

If you want to know more about CSPs, I recommend a look at Scott Helme's introduction to CSP. He's also put together a handy cheat sheet. Clearly organisations will want to test before deploying a CSP (there's a report only header that allows you to do that) but it's worth the time and effort. It'll also help with PCI DSS as it's now considered a failure if HTTP security headers, including a CSP, are missing.

Summary

It was a good conference and I certainly consider it was worth attending. My initial concerns about using scantily clad women to attract people to a company's stand seem to now, mostly, be resolved. One company had two ladies in red cocktail dresses, handing out chocolate and fake diamonds. Didn't see what their product was as I was headed off to a talk at the time.

Clearly, as a vendor based conference there were many stands fighting for attention. What I don't remember from years ago were all the talks being given at each stand. For the most part that worked and it was nice to see respect among the vendors fitting their talks in around each other.

I wouldn't necessarily attend every year but I do think it's worth sometime from an organisation's security team popping along, seeing what's out there and getting into some talks / workshops.

On the subject of workshops, I completely forgot about those. As I was planning my trip programme somewhat last minute so it was too late to book. Something noted for next time.