Infosec Europe 2023, day 3
Thursday was the final day of the conference and I managed to attend a lot of sessions, some of which I hadn't originally planned to.
Keynote: Malicious Innovation - What We Can Learn From Hackers
Our keynote speaker today was Keren Elazari who highlighted to us that hackers force us to evolve. Keren also showed us how cyber criminal gangs acted like businesses, caring about their brand, issuing press releases, and that some even had human resources departments. It's also worth noting that cyber criminals invest more in their infrastructure than some businesses (one group investing $20,000,000), and they have the funds to do so as a result of their victims paying up.
Some groups are contacting members of the public, whose data has been involved in breaches, asking them to contact the company that was breached or "your data will be released". This further puts pressure on victims to pay ransoms. Meanwhile, some other groups recruit accomplices from their victims by offering to restore their data, or reduce the price, if the victim provides access to another company.
Mitigating Zero-day Exploits and Vulnerabilities with Speed and Confidence
This presentation opened with a lot of stats, which certainly focused the mind (and had me thinking "could my company survive that?"):
- $6 trillion losses from cyber attacks in 2022
- $4.35 million average cost of a security breach
- A DDoS can now be 71 million requests per second (3.45 Tbps or 809 million packets per second)
- 42% of Internet traffic is bots (some legitimate and useful, others not)
- 34% of login attempts in 2022 were from bots (source: Okta, research into bot activity)
This was a product talk from EdgeIO, who offer web application firewall (WAF) services to clients. They use a "double WAF" configuration: traffic first passes through an audit ruleset and then through a blocking ruleset. This lets companies see what impact a rule change would have before making the change in production, although honestly I'm not sure that's a novel concept in itself. I must have missed some of the finer details.
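To make the audit-then-block idea concrete, here is a small two-stage rule engine I have added as an illustration; it is not EdgeIO's code, and the rule IDs, request fields and sample traffic are all constructed for the example. A candidate rule is first run in the audit stage, which only records matches, and `preview_impact` replays traffic through it to show what the rule would have blocked had it been promoted to the blocking stage. The deliberately broad candidate rule shows the point of the audit stage: it would have blocked a legitimate search as a false positive.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Request:
    """A minimal HTTP request; only the fields the rules look at."""
    method: str
    path: str
    query: str = ""
    user_agent: str = "Mozilla/5.0"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    description: str
    pattern: re.Pattern

    def matches(self, req: Request) -> bool:
        # Rules are applied to the request line and to the User-Agent header.
        target = f"{req.path}?{req.query}"
        return bool(self.pattern.search(target) or self.pattern.search(req.user_agent))


@dataclass
class Decision:
    blocked: bool
    blocking_rule: Optional[str]
    audit_hits: List[str] = field(default_factory=list)


class DoubleWaf:
    """Two stages: the audit ruleset only records matches, the blocking ruleset rejects."""

    def __init__(self, audit_rules: Iterable[Rule], blocking_rules: Iterable[Rule]):
        self.audit_rules = list(audit_rules)
        self.blocking_rules = list(blocking_rules)

    def inspect(self, req: Request) -> Decision:
        audit_hits = [r.rule_id for r in self.audit_rules if r.matches(req)]
        for rule in self.blocking_rules:
            if rule.matches(req):
                return Decision(True, rule.rule_id, audit_hits)
        return Decision(False, None, audit_hits)


def preview_impact(waf: DoubleWaf, candidate: Rule, traffic: Iterable[Request]) -> dict:
    """Replay traffic with `candidate` in the audit stage only and report what it would change.

    Requests the candidate matches are split into those the blocking stage already rejects
    and those that would be newly blocked if the candidate were promoted to blocking.
    """
    staged = DoubleWaf(waf.audit_rules + [candidate], waf.blocking_rules)
    newly_blocked: List[Request] = []
    already_blocked: List[Request] = []
    for req in traffic:
        decision = staged.inspect(req)
        if candidate.rule_id in decision.audit_hits:
            (already_blocked if decision.blocked else newly_blocked).append(req)
    return {"would_newly_block": newly_blocked, "already_blocked": already_blocked}


# Existing production rule (constructed): reject path traversal in the request line.
BLOCKING_RULES = [
    Rule("BLK-001", "path traversal", re.compile(r"\.\./")),
]

# Two candidate rules being evaluated in audit mode: a broad one and a tighter one.
BROAD_RULE = Rule("AUD-010", "any 'script' token", re.compile(r"script", re.IGNORECASE))
TIGHT_RULE = Rule("AUD-011", "inline <script tag", re.compile(r"<script", re.IGNORECASE))

WAF = DoubleWaf(audit_rules=[], blocking_rules=BLOCKING_RULES)

# Constructed sample traffic (not real logs).
TRAFFIC = [
    Request("GET", "/products", "q=shoes"),
    Request("GET", "/products", "q=<script>alert(1)</script>"),
    Request("GET", "/static/../../etc/passwd"),
    Request("GET", "/search", "q=javascript+tutorial"),  # legitimate query containing 'script'
]

if __name__ == "__main__":
    for rule in (BROAD_RULE, TIGHT_RULE):
        impact = preview_impact(WAF, rule, TRAFFIC)
        print(rule.rule_id, "would newly block", len(impact["would_newly_block"]),
              "request(s):", [r.query or r.path for r in impact["would_newly_block"]])
```

Run against the sample traffic, the broad rule would newly block two requests (the real script injection and the innocent "javascript tutorial" search), while the tight rule would block only the injection. That difference is exactly what the audit stage is meant to surface before a rule goes live.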
‘Culture Eats Strategy for Breakfast’ - Building a Strong Cybersecurity Awareness Culture
Our speaker made a lot of references to psychological and behavioural research, which was a useful reminder that you need to "bring the people with you" rather than forcing controls on them. When asking people to do another security thing ("turn on MFA", "use strong passwords", "don't click links"...) you should consider that they likely want to understand why they're being asked to do it. How does this help them? Can it help them at home too?
Culture remains a key factor when it comes to having an effective security programme. Don't blame colleagues that fell for a phishing scam, remember they are victims too. We were also reminded to meet our colleagues where they were, with training tailored and relevant to them.
The next big threat to cyber security? The mental health of your security team!
Some years ago I heard the statistic that a Chief Information Security Officer (CISO) tends to last two years before burning out. Our speaker gave some further stats too, including the not surprising fact that every CISO finds their role stressful with 64% saying this stress impacts their mental health. I'm a SISO (lower than a CISO in organisational terms) but also the only dedicated resource at my employer, and certainly at times the role is stressful! Around 17% of CISOs either medicate or use alcohol in order to deal with the stress of the role.
Leading straight into a panel event titled "mental health and insider risk as the next big threat to cyber security", our speaker was joined by four others from different industries. Our new guests shared some incredibly personal experiences and there was a good discussion around changes that we, our leaders, and companies as a whole need to make. Employees need to feel that, if they are becoming stressed, they can bring those concerns to their managers without fear of negative consequences. We need to lose the stigma associated with mental health issues.
Meetings dominate many of our lives, so much so that sometimes it's hard to feel like you get any work done. The advice was to start shortening these where possible, so people had time to relax between meetings (and get refreshment!).
I particularly liked this quote from Thom Langford:
"we deal in secrets, we're measured on failures"
Case Study: Attack Surface Operations
This was an interesting case study on Nationwide Building Society's recently formed attack surface operations team. This provides the society with a dedicated, ring-fenced (time-protected) security resource whose goal is to continually review the organisation's attack surface and make improvements. This is not just about vulnerability management; the team aims to be proactive and has skills in numerous areas. In the event of a problem this team also provides additional engineering resource to remediate it, working with other teams.
One of their goals, and perhaps something I need to do too, is to identify the top 25 things that will reduce the attack surface without investment. I'm probably doing some of that subconsciously, but it'd probably be worth putting some dedicated time to it.
Hack the Brain – Social Engineering Innovation in 2023
Our speaker for this was a trained psychologist who now works in information security. He described an attack where a user was continually sent multi-factor authentication (MFA) prompts and eventually, just to make it stop, approved one. As a result the attacker gained access to the system. Verizon's research showed that 82% of breaches involve a human layer, and research from SoSafe (the company giving this talk) showed 33% of people fall for phishing, with 50% of those giving away credentials.
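The MFA prompt-bombing pattern the speaker described is something a security team can spot in its own authentication logs. The detector below is an added example of mine, not something from the talk or from SoSafe: it assumes a hypothetical log format of `timestamp user=<name> event=<push_sent|push_denied|push_approved>` (the sample lines are constructed) and raises an alert when a user receives a burst of push prompts inside a short window, and a second, higher-severity alert when an approval arrives on the back of such a burst.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, Iterator, List, Tuple

# Constructed sample authentication log (not real data). Each line carries a
# timestamp, the user, and the outcome of one MFA push notification.
# alice: four pushes in ~2 minutes, three denied, then an approval (the fatigue pattern).
# bob:   a single push, approved (normal login).
# carol: two pushes half an hour apart (normal retries, outside the window).
SAMPLE_LOG = """\
2023-06-22T09:00:01Z user=alice event=push_sent
2023-06-22T09:00:03Z user=alice event=push_denied
2023-06-22T09:00:40Z user=alice event=push_sent
2023-06-22T09:00:45Z user=alice event=push_denied
2023-06-22T09:01:20Z user=alice event=push_sent
2023-06-22T09:01:22Z user=alice event=push_denied
2023-06-22T09:02:05Z user=alice event=push_sent
2023-06-22T09:02:30Z user=alice event=push_approved
2023-06-22T09:05:00Z user=bob event=push_sent
2023-06-22T09:05:04Z user=bob event=push_approved
2023-06-22T10:00:00Z user=carol event=push_sent
2023-06-22T10:00:05Z user=carol event=push_denied
2023-06-22T10:30:00Z user=carol event=push_sent
2023-06-22T10:30:02Z user=carol event=push_approved
"""


@dataclass
class Alert:
    user: str
    when: datetime
    kind: str      # "push_burst" or "approval_after_burst"
    prompts: int   # pushes sent to this user inside the window at alert time


def parse(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str]]:
    """Parse the hypothetical 'timestamp key=value ...' format into (time, user, event)."""
    for line in lines:
        if not line.strip():
            continue
        ts_text, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), kv["user"], kv["event"]


def detect_mfa_fatigue(lines: Iterable[str],
                       window: timedelta = timedelta(minutes=10),
                       min_prompts: int = 3) -> List[Alert]:
    """Sliding-window detector for MFA push bombing.

    Keeps, per user, the timestamps of pushes sent within `window`. A burst alert fires
    as soon as `min_prompts` pushes land in the window (attack possibly in progress);
    an approval while the window still holds a burst fires the higher-severity alert.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Alert] = []
    for ts, user, event in parse(lines):
        pushes = recent[user]
        while pushes and ts - pushes[0] > window:   # drop pushes older than the window
            pushes.popleft()
        if event == "push_sent":
            pushes.append(ts)
            if len(pushes) == min_prompts:          # fire once per burst, not per extra push
                alerts.append(Alert(user, ts, "push_burst", len(pushes)))
        elif event == "push_approved" and len(pushes) >= min_prompts:
            alerts.append(Alert(user, ts, "approval_after_burst", len(pushes)))
            pushes.clear()                          # the session is compromised; start fresh
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(f"{alert.when:%H:%M:%S} {alert.kind:<22} user={alert.user} prompts={alert.prompts}")
```

Only alice trips the detector: a burst alert on her third prompt and an approval-after-burst alert when she finally accepts. The window and threshold need tuning against your own baseline of legitimate retries, and detection is the fallback; limiting the number of pushes an unauthenticated session can trigger, and using number matching so a blind tap cannot approve a login, remove the "just make it stop" option altogether.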
You won't be shocked to hear that "AI" was mentioned in this presentation too. Interestingly, spear phishes (targeted phishes) written with ChatGPT 4 were found to have a higher interaction rate than those written with ChatGPT 3.5. "AI" is clearly getting better. Voice impersonation is also on the rise.
Next Gen Cyber Strategy: When Cyber Risk Quantification Meets Cyber Threat Intelligence
This was a vendor solution presentation that I didn't take much from conceptually. The product seemed to produce a quantified measure of risk and link that to financial impact.
Swag
I bagged some mints and a charging cable today, as the conference was closing. I also got a copy of the OpenText 2023 threat report, which I plan to read, and found out OpenText now owns EnCase, a digital forensics tool I used years ago.
Banner image: Screenshot of the Infosecurity Europe logo.