On Friday I went to the 4th International Conference on Cyber Security and Education, held at the Scottish Police College in Tulliallan Castle. There were loads of really interesting talks and I think the only letdown was the lack of abstracts/summaries for each talk; so often I was going blindly into a talk in one of the three streams with a title like “malware” or “threat analysis” without much idea of what would be said. Photos and tweets from the event can be found under the hashtag #thecyberacademy.
The first talk I went to was on side channel analysis of embedded systems by Doug Carson from Keysight Technologies. Side channel analysis involves using electromagnetic or other emissions to establish what is happening on the device. Doug explained the basic methods of getting information out of embedded systems, both through side channels and by sticking in wires and probes and measuring all sorts of things. He showed a screenshot of a BMW system, complete with airbag controls (car hacking anyone??) and then said you could reverse engineer cryptography just from the spikes in signals. They had managed to get the encryption key from an AES-128-encrypted SIM card purely by using side channels. This stuff is amazing for forensics when you need to really understand the underlying system, but frightening if it gets into the wrong hands. So far all this happens in labs with specialist equipment, but I don’t think that car ransomware in the future is too far-fetched an idea... For example, you are suddenly locked in your car with no way out, and must pay £20 to the hacker to be ‘unlocked’.
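The EM measurements described above are one kind of side channel; the same idea applies to software in a way that is easy to show without lab equipment. The added example below (my own illustration, not code from the talk or from Keysight) instruments two secret-comparison routines and counts the work each does, standing in for the time or power activity an outside observer could measure. The early-exit version does a different amount of work depending on where the first wrong byte is, so the work count leaks the secret a byte at a time; the constant-work version does the same amount regardless. The secret and guesses are constructed sample values.

```python
# Added example: instrumented comparison showing why early-exit secret
# comparison leaks through a side channel. Not from the article or Keysight.
import hmac


def naive_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison.

    Returns (match, number of byte comparisons performed). The count depends
    on the position of the first mismatching byte, so anyone who can measure
    the work done learns how many leading bytes of the guess were correct.
    """
    if len(secret) != len(guess):
        return False, 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        if a != b:
            return False, steps
    return True, steps


def constant_work_compare(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Compares every byte and accumulates the differences with OR.

    The work count is identical for every guess of the correct length, so the
    side channel carries no information about where the guess went wrong.
    """
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    steps = 0
    for a, b in zip(secret, guess):
        steps += 1
        diff |= a ^ b
    return diff == 0, steps


def leak_profile(compare, secret: bytes, guesses: list[bytes]) -> list[int]:
    """Work count per guess: what a side-channel observer would see."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample secret and a sequence of guesses that get one more
# leading byte right each time.
SECRET = b"k3y-example"
GUESSES = [b"xxxxxxxxxxx", b"kxxxxxxxxxx", b"k3xxxxxxxxx", b"k3yxxxxxxxx", SECRET]


if __name__ == "__main__":
    print("naive   :", leak_profile(naive_compare, SECRET, GUESSES))
    print("constant:", leak_profile(constant_work_compare, SECRET, GUESSES))
    # In production code use the standard library's comparison, which is
    # written to avoid exactly this leak.
    print("hmac.compare_digest:", hmac.compare_digest(SECRET, SECRET))
```

The naive profile climbs with each correct leading byte while the constant-work profile is flat; in real code, `hmac.compare_digest` is the routine to reach for rather than hand-rolling the loop.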
The second talk was Dell Secureworks' Rafe Pilling speaking on malware they had seen in the last year:
Jason McClay from G2G3 explained how using game mechanics in a non-game environment makes the activity more engaging. Even just by adding a leaderboard and points system, people become more interested in learning. This can be applied to cyber security education, from a simple employee awareness campaign to teaching security staff what to do in an incident. These are done via games or full simulations of attacks (which can hook into the company’s data to simulate realistic events). He showed an example game, used as part of teaching staff about phishing, where you are the bad guy putting together a phishing campaign. You get to choose the most realistic email template, add graphics, etc., to teach staff how realistic phishing emails can get. I found this adorable flash game about phishing in my research!
Nathan Dornbrook from ECS gave a really interesting presentation about a threat analysis toolkit called TARA - Threat Agent Risk Assessment. TARA is a “method to distil the immense number of possible threats into a manageable picture of the most likely attacks to occur, based upon the objectives and methods of those who possess the capability and desire to do harm. It is a way of conducting risk assessments to produce a more understandable and realistic picture, so effective security decisions can be made.” From the screenshots he provided it basically looks like a spreadsheet with all the different types of threat actor (organised gang, nation state spy, reckless employee, etc.), capabilities, company controls, assets and so on. You put ticks in the boxes of the things that apply to you and it produces a visualisation (e.g. page 7 of this paper) of the threats you should be focusing on. It sounds really useful and I may do a further blog post in more detail about this later.
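To make the spreadsheet idea concrete, here is an added example of my own that ranks threat agents against assets from exactly the kind of inputs described above: agent motivation and capability, the methods each agent uses, the assets those methods can reach, and how effective the existing controls are. The scoring formula (likelihood from motivation and capability, multiplied by asset impact, reduced by control effectiveness per method) is my own simplification, not TARA's published method, and the agents, assets and numbers are constructed samples.

```python
# Added example: a simplified threat-agent ranking in the spirit of the TARA
# spreadsheet. Formula and data are my own constructed illustration.
from dataclasses import dataclass, field


@dataclass
class ThreatAgent:
    name: str
    motivation: int      # 1-5: how much this agent wants to harm us
    capability: int      # 1-5: skill and resources available to them
    methods: set         # attack methods this agent typically uses


@dataclass
class Asset:
    name: str
    impact: int                               # 1-5: damage if compromised
    exposed_to: set                           # methods that can reach this asset
    control_effectiveness: dict = field(default_factory=dict)  # method -> 0.0..1.0


def exposure(agent: ThreatAgent, asset: Asset) -> tuple[float, set]:
    """Score one agent against one asset.

    Only methods the agent uses AND the asset is exposed to count. Each such
    method contributes motivation * capability * impact, scaled by whatever
    the controls leave uncovered (1 - effectiveness).
    """
    applicable = agent.methods & asset.exposed_to
    score = 0.0
    for method in applicable:
        residual = 1.0 - asset.control_effectiveness.get(method, 0.0)
        score += agent.motivation * agent.capability * asset.impact * residual
    return score, applicable


def rank_threats(agents: list, assets: list) -> list:
    """Rows of (score, agent, asset, methods), highest exposure first."""
    rows = []
    for agent in agents:
        for asset in assets:
            score, methods = exposure(agent, asset)
            if score > 0:
                rows.append((round(score, 1), agent.name, asset.name, sorted(methods)))
    rows.sort(reverse=True)
    return rows


# Constructed sample inputs mirroring the actor types named in the talk.
AGENTS = [
    ThreatAgent("Organised gang", 4, 4, {"phishing", "ransomware"}),
    ThreatAgent("Nation state spy", 3, 5, {"spear-phishing", "zero-day"}),
    ThreatAgent("Reckless employee", 2, 2, {"misconfiguration", "phishing"}),
]
ASSETS = [
    Asset("Customer database", 5, {"phishing", "ransomware", "misconfiguration"},
          {"phishing": 0.5, "ransomware": 0.75}),
    Asset("R&D designs", 4, {"spear-phishing", "zero-day", "misconfiguration"},
          {"zero-day": 0.25}),
]


if __name__ == "__main__":
    for score, agent, asset, methods in rank_threats(AGENTS, ASSETS):
        print(f"{score:6.1f}  {agent:18} -> {asset:18} via {', '.join(methods)}")
```

With these inputs the nation-state agent against the R&D designs comes out on top, because the asset has no control against spear-phishing at all; the organised gang is second despite higher motivation because the phishing and ransomware controls cut its score down. That is the point of the exercise: the ranking tells you which control gap to close first.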
Jim Black & Joseph Spadavecchia from Bloxx explained how SSL/TLS inspection can take place and why companies want to do it. Basically, since TLS provides a secure connection between the user and the website, organisations aren’t able to see what their employees’ internet traffic contains. Most large companies monitor non-encrypted traffic for reasons such as data loss prevention, malware analysis, productivity monitoring and high bandwidth consumption monitoring; but as the world moves to encrypting more and more traffic, this gets a lot harder. The talk sparked an interesting couple of questions on the ethics of doing this; the company is essentially ‘breaking’ TLS and inserting itself as a man-in-the-middle to inspect encrypted traffic - which could contain highly sensitive information. Normally, however, solutions offer whitelists (such as online banking, well-known retailers, government websites, etc.) that are not inspected, but it is up to the company how to implement it.
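The whitelist mentioned above is a per-connection decision: before the proxy decides whether to terminate TLS and re-encrypt, it looks at the host name the client sent in the TLS Server Name Indication and checks it against the bypass categories. The added example below is my own illustration of that decision, not Bloxx's product logic, and the category lists are constructed sample domains. The one detail worth getting right is that the match must be label-based: a naive `endswith("bank.example")` would also pass through `notbank.example`, and a naive substring check would pass through `bank.example.evil.example`, either of which quietly turns the banking exemption into a general inspection bypass.

```python
# Added example: bypass decision for a TLS-inspecting proxy, keyed on SNI.
# My own illustration; categories and domains are constructed samples.
BYPASS_CATEGORIES = {
    "banking": {"bank.example", "onlinebanking.example"},
    "government": {"gov.example"},
}


def host_matches(host: str, pattern: str) -> bool:
    """Label-based suffix match.

    'api.bank.example' matches 'bank.example'; 'notbank.example' and
    'bank.example.evil.example' do not. Trailing dots and case are ignored
    because DNS names are case-insensitive and may arrive fully qualified.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def inspection_decision(sni: str, bypass: dict = BYPASS_CATEGORIES) -> dict:
    """Return the action for one connection plus the reason, for the audit log.

    Connections with no SNI cannot be classified, so they fall through to
    the default policy rather than being silently exempted.
    """
    if not sni:
        return {"host": "", "action": "intercept", "reason": "no SNI; cannot classify"}
    for category, domains in bypass.items():
        for domain in domains:
            if host_matches(sni, domain):
                return {"host": sni, "action": "passthrough", "reason": category}
    return {"host": sni, "action": "intercept", "reason": "default policy"}


if __name__ == "__main__":
    for name in ["api.bank.example", "notbank.example",
                 "bank.example.evil.example", "WWW.GOV.EXAMPLE.", "", "shop.example"]:
        d = inspection_decision(name)
        print(f"{d['host']!r:32} {d['action']:12} ({d['reason']})")
```

Logging the reason alongside the action matters for the ethics question raised in the talk: it lets an auditor show that banking sessions really were exempted, and that anything intercepted was intercepted under the stated default policy rather than by accident.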
The closing talk was from Michael Driscoll from the FBI. He mentioned that whilst the biggest threat actors (in terms of volume) in the USA are the organised crime gangs, the FBI’s main focus is on terrorism and espionage. He went into some detail about how closely Sony worked with the FBI after the attack on them last year, and really emphasised the need for companies to reach out to law enforcement for any kind of cybercrime.