Conference review: Infosecurity 2018
Written by David Adams
Infosecurity Europe 2018 provided visitors with a blend of warnings about familiar risks and new reasons to feel anxious. At the first post-GDPR show, talk of data protection policies competed for attention with eye-catching tales of nation state attacks and evolving threats related to the Internet of Things (IoT) and artificial intelligence (AI).
The opening keynote on day one was delivered by Baroness Dido Harding, now chair of NHS Improvement, but formerly chief executive at TalkTalk when the company was hit by a major cyber attack in 2015. That had resulted in the leak of almost 160,000 customers’ personal details and a record £400,000 fine for the company from the Information Commissioner’s Office (ICO).
Harding said the attack was caused by the company’s reliance on legacy technology - targeted by a conventional SQL injection attack - which she described as “the IT equivalent of an old shed in a field … covered in brambles… all we saw was the brambles and not the open window”.
Even if many were frustrated by the Baroness not wanting to be pinned down in relation to mistakes TalkTalk made in 2015, it was good to see a former boss who had been through such an experience being prepared to get up on stage and talk about it – something that would have been impossible to imagine just a few years ago.
Other presentations on the first day included a description by cyber security consultant Jessica Barker of work with a major European financial services organisation to create a risk-aware culture. She described talking to people across the organisation and discovering that a strong awareness of cyber security issues was overwhelmed by a “fear-based culture” that discouraged employees from reporting problems or concerns.
To change that culture, the company ran events including hacking demonstrations, sessions in which staff were encouraged to try to draft their own phishing emails, and a family day when staff could learn how to protect their families against cyber threats. It also established a champions programme, with people volunteering to be cyber security champions across the business.
On day two, Paul Chichester, director of operations at the National Cyber Security Centre (NCSC) discussed the organisation’s key mission - “to protect everybody from everything” - and its role in helping to coordinate responses to major incidents, such as the WannaCry ransomware attack in May 2017. Acknowledging critics who said the NCSC had been slow to issue guidance, Chichester said that in future it might “be braver” in the event of a similar incident and issue guidance at an earlier stage, with the caveat that it might then need to change as further intelligence became available.
He was joined on stage by Infosec stalwart James Lyne, head of global security research at Sophos, who described current and emerging threats. He highlighted the continuing use of old-fashioned file and document-based malware and phishing attacks. Some examples have been in use for years, yet still work, because they prey upon human gullibility and greed. They remain popular in part because advances in security technology mean browser-based attacks are now more difficult and expensive.
Lyne provided some entertaining illustrations, such as the spreadsheet that looks as if it will reveal the salaries of everyone else in your office, and a harmless piece of malware that locks up your computer temporarily, administers a severe telling off for your poor security habits, then unlocks the machine again and uninstalls itself.
He also revealed some interesting effects of market forces on cyber security threats. It is now possible not just to buy ready-made ransomware, but also to buy ‘freemium’ versions, which ask for no up-front payment in return for the author taking a majority of the income derived from their use.
Troy Hunt, Microsoft regional director and founder of the Have I been Pwned? service, stressed the need for organisations to think very carefully about all the software they are using within their IT estate, highlighting the case of thousands of US government websites being exploited by cryptocurrency mining software embedded in a widely used plugin called Browsealoud.
He also made a point upon which every organisation reviewing data protection, security and incident response strategies should reflect. It is increasingly the case, said Hunt, that consumers and other service users are now “judging organisations more on their response to an incident than on the fact that they had a breach in the first place”.
Food for thought – and also the reason why some former TalkTalk customers might have bristled at Baroness Harding’s fluent, yet slightly evasive, mea culpa in her speech on day one.