Day two consisted of talks rather than workshops, although I had issues attending some of the talks I was after (one was packed, the other had its previous talk overrun). I managed to get to a number of talks that were still useful though, as well as catching up with my Rapid7 contact and reseller - both very nice guys. Today's talks were not as in-depth as the workshops yesterday, and often had more of a sales pitch to them.
Keynote: Workplace Culture - Developing and Sustaining High Performance in a Complex World
Today's keynote speaker was former table tennis player Matthew Syed, again not talking about the domain of cyber security particularly but instead talking to us about fixed vs growth mindsets. Matthew was a very engaging speaker, although we were a tough crowd.
Becoming complacent is a problem for organisations, particularly if they're at the top of their game. Along with complacency often comes a fixed mindset, and it's in this position that organisations start to stifle innovation. Think "we've always done it that way". Due to a lack of willingness to change, fixed mindset thinkers often tune out or disregard other ideas or criticism without considering how such comments could help improve a product / solution.
Those with a growth mindset, on the other hand, are better at self evaluation, identifying their gaps and then dealing with them. The process acknowledges that one person cannot know everything.
Diversity is also important, but not simply based on demographics (age, race, religion, etc.). Cognitive diversity is needed too: bringing together people who don't necessarily think the same way but whose thinking is related. You can also gain the benefit of tacit (lived experience) knowledge by ensuring teams have a diverse make-up.
Make sure diversity is not reduced to a tick box exercise!
Adopting compliance as a specific strategy to future proof business operations
I wasn't expecting to be attending this session, but had held it in reserve. This was a ten minute, quick fire presentation. My favourite quote from this was:
Compliance will not give you good security, but good security will give you compliance
Our speaker highlighted how security and compliance complemented each other, and reminded us that security was an ongoing programme. I was also introduced to the Sherwood Applied Business Security Architecture which I need to do some more reading about when I get back to the office.
Measuring What Matters: Where To Start With Cyber KPIs
The key takeaway from this session was the fact that the business needs effective metrics, not more metrics. Our speaker suggested starting with just four metrics, reporting on them for three months, and then reviewing if they're the right metrics or if they should be removed or others added. We were reminded that "just because you can measure something, it doesn't mean you should" - what are you hoping to gain from the metric?
Part of the reporting process is to start by identifying what you want to track, and then determining what data you have to allow you to do that. Start by considering your existing tools, rather than buying a new tool to generate more metrics.
Remember - metrics help you with your journey, they don't give you the answers necessarily. Metrics are helpful for reducing complex situations down to simpler statistics.
Are You Sure Your Active Directory is as Secure as it Needs to Be?
After discussing some of the attack chain, this talk focused on a product that addressed the problem of Active Directory security. It was mentioned that some companies had the same Active Directory for almost 25 years (AD was introduced in Windows Server 2000), which was mind-boggling to me - I'd never thought about that. The oldest ADs I've worked on dated back to 2003. Interestingly there was no mention of tools for Azure AD.
A typical attack starts by spying on AD to discover users, servers and computers before then stealing credentials. Due to the increase in computing power since AD debuted, stealing credentials now takes seconds rather than hours.
Once credentials have been obtained, attackers log in and then look to steal data, sabotage systems, or commit further crimes.
As usual, it's important to know what systems and accounts your organisation has and take steps to protect them as necessary.
Managing the Current Demands of a Cyber Workforce Whilst Looking to Secure the Workforce of the Future
This was an interesting panel session that looked at the future workforce. We were reminded that it's very easy to get caught in today's problems, but we need to consider the problems of the future too. In particular, recruitment. This has implications for the education sector, as a number of graduates get their degree but have little experience beyond knowing how to use tools. Often they are lacking the fundamentals (yesterday's keynote speaker commented on how important those were). As information security practitioners, we need to help the further and higher education sectors to ensure the next generation of professionals are adequately prepared.
Let's also not forget that not everyone in security is a graduate, and may have entered the industry via another route.
Unsurprisingly, the topic of working environment came up quickly. Younger workers particularly are generally very keen to work from home, or in a hybrid arrangement with a few days in the office. This can be for a whole host of reasons, from work / life balance to environmental, and employers have seen candidates turn down roles that were like-for-like except for the working location.
Working with remote teams was also highlighted, with the advice being to ensure your remote workers have the same social benefits as those in the same place. Celebrating national donut day (our speaker said he made that up) by having donuts in the office? Make sure you send your remote workers donuts too. When onboarding a remote new starter, it's important to take time to make them feel a full part of the team too.
Importantly, give the next generation a voice. Listen to their suggestions, work with them, and mentor them.
Battle-Ready: Innovations in Modern Cybersecurity Tactics
Another vendor based talk, but this one started with an interesting, albeit concerning, statistic in relation to cloud apps - 93% of businesses have rogue cloud apps in use. This is where an employee signs up to use a cloud application that's not approved for use (sometimes also called "shadow IT") which can put the company's data at risk.
Amongst other things, we were reminded to ensure basic IT hygiene was in place, as this can often help prevent a number of issues. There was also a discussion on the use of AI (really machine learning, a distinction the speaker and I seem to be equally passionate about) and deep fakes. We were reminded that as much as "AI" could be used to help attackers, it could also be used by us to aid our defence.
Myth Busting - Misconceptions About Asset Risk Management
The final speaker of the day had a good sense of humour, and said that all good presentations had AI mentioned in them. Thus, his contribution is shown below:
Following the initial joke, our speaker moved on to discussing a number of myths:
- Hardware security (or being defeated by a hardware attack) is spy business
- We are safe
- We are of no interest to anyone
- We don't use USB and everything is blocked
- Everything is air gapped
- Everything is cloud
- There's nothing to do, it's just another risk we have to live with
In one example, our speaker commented on how some devices have multiple security profiles managed by different teams. For example, a modern printer can often be connected by USB, WiFi, or Ethernet. Different teams are generally responsible for the security of each connection type, certainly in larger businesses, and this disconnect can make protecting the organisation quite difficult.
I stopped by the (ISC)² stand and managed to pick up a bag, Rubik's cube with (ISC)² branding on it, and an (ISC)² member pin. Haven't seen anyone issuing t-shirts this year (not a surprise given the economic situation) but back in 2018 I picked up so many I'm still wearing them 😂.
Banner image: Screenshot of the Infosecurity Europe logo.