Posted on 22/06/2018 by Peter Sanders
Infosecurity Europe - Infosec for short - is the largest and most comprehensive information security conference on the continent.
This year’s event at Olympia London brought together 400 exhibitors and nearly 20,000 delegates. I was back there this year (after a great event in 2017) for three days of interesting insights and networking.
Last year, the skills gap, GDPR and AI were on everyone’s lips: here are the topics that were creating a buzz twelve months on.
Infosec 2018 asked its attendees a big question with a great many aspects: “do you actually know your network?” How many devices are connected, and how many other networks are within your range? How many of those are secure? What’s being held on your servers, potentially visible?
GDPR has asked businesses to perform data audits, bringing to mind downloads, automated backups and archives that they may have forgotten - or never knew about to begin with. The endpoints of our networks are blurrier than they should be - as is so much of information security.
CrowdStrike’s strategy talk on cybercrime and statecraft built on the buzz of election interference, troll farms and data selling, exploring how data leaks become part of government and business strategy. Responses need to work the same way - collaboratively, with businesses, governments and law enforcers building around the idea that leaks are to be prevented, not exploited or covered up. Endpoints also need to be carefully monitored - security needs to be kept up in transient locations that are part of the network purely because workers are using them.
Physical security was high on the agenda and Pen Test Partners ran an attention-grabbing demo on their stand. The team demonstrated how to hack the archaic coding of a ship and change the weights that were logged for each cargo, making the ship look underloaded and creating ‘invisible’ weight on board. Result: a lopsided vessel with more weight on one side that’ll tip over as soon as it leaves port. The goal was to demonstrate the real-life consequences of security compromises, beyond the often abstract concepts like “data breach”.
This is all crucial as the Internet of Things extends, bringing more and more devices into networks - many of which are designed with other priorities in mind before security. Lars Lydersen’s keynote on securing the IoT made it clear that cheap IoT devices aren’t currently up to scratch - but they could be. The functionality to secure IoT devices already exists, but the will to secure them is lacking.
Nearly a month after GDPR rolled out, it’s still top of mind for many Infosec attendees - and many are now in a position to predict post-GDPR trends with greater confidence. The third day’s keynote made it clear that implementing our GDPR strategies on time is only the beginning.
Understanding the legalese and the implications of GDPR was high on the agenda, with Symantec’s Ilias Chantzos modelling breaches and management in practical terms. Storing your data elsewhere now comes with additional responsibilities regarding data handlers’ compliance. Cloud storage has become the industry standard for accessibility and usability reasons, but the compliance question will see the cultures around working from home and accessing data change. The overlap between GDPR and network endpoints is well understood by infosec professionals - but data needs to remain accessible to the right people.
Humans are the first line of defence in protecting organisations - and human behaviour links all the previous themes together. The information security skill shortage is well known and remains a concern, but the solution demands awareness across organisations as a whole.
Hut Six’s Simon Fraser made a case for human error as the basic information security threat, describing a process for transforming staff from cyber threats to cyber allies. This means they need to understand why so much of what they’re doing, for convenience’s sake, is actually a threat to information security - and they need to be motivated into doing the right thing. The right behaviour can be shaped at a system design level - make the secure systems usable and convenient and people will want to use them - but that has to be coupled with a sense of informed responsibility among personnel.
It’s going to take committed leadership from security analysts. Despite concerns about deep learning AI putting the analyst out of a job, the Forest Tree workshop showed that the future really holds a change of remit. AI will relieve the mundane tasks, but the analysts will be driving effectiveness and value at the strategic level, leading the business transformations that will keep firms secure.
The Cumberland Arms
It’s not all work, of course. And I have to say the nearby Cumberland Arms has a decent selection of ales on draft. Recommended!
Information security moves at an amazing pace, and too many businesses are finding themselves left behind. As the entire culture of data protection changes to focus on devices, endpoints and strategic vulnerabilities, more and more businesses will need to take on personnel who can lead the way in changing user behaviour among their staff.
The smart ones are already looking for the right people. Start your job search with us today, and make sure they come to you.