How to make your cybersecurity event more engaging

I’m fascinated by how cybersecurity enthusiasts and organisers present and run their events, as that seems to be crucial in (a) getting people to come along, (b) triggering action.

I attended three cybersecurity events in September – Cryptoparty London, Cy3sec and Cybersecurity for ‘Real People’ – and learnt a lot from how they engage, or don’t. Conclusion: Infosec events need to be a LOT more practical and engaging and to deliver on what they promise. Drinks/snacks also help with after-work events.

1. Cryptoparty London

Cryptoparty London

Organised by:

A tech consultancy and a civil rights group put together the London event but this is just part of a larger decentralized movement of CryptoParties with events happening all over the world. “The goal is to pass on knowledge about protecting yourself in the digital space. This can include encrypted communication, preventing being tracked while browsing the web, and general security advice regarding computers and smartphones.”

https://www.cryptoparty.in/london 

Approach

Put it in a bar, call it a ‘party’, have infosec-themed cocktails, offer interactive break-out workshops (on Tor browser, Bitcoin, email encryption and smartphone surveillance) and lightning talks with a stage and large screen, surveillance-based visuals, digital art and music. September was the tester – it went very well and is now going monthly.

Pros

  • Beginners welcome
  • Networking, sense of community, expert access
  • Top pedigree of speakers, eg, Silkie Carlo, co-author of Information Security for Journalists
  • A nice dark room and sociable vibe for tired people after work
  • Practical workshops, how-tos and Q&As
  • Stickers and swag on the tables

Cons

  • It’s held in London – I’m in Birmingham
  • It ran way over time so I missed my second workshop
  • Logistics – bar noise/numbers made workshops hard to hear for some
  • Attendees seemed highly engaged and knowledgable already – bar too high for newbies?

Summary

CryptoParty’s main objective is to “tear down the mental walls which prohibit people to even think about these topics” – on that aim, it was definitely the best for engagement and practical learning. I’m now set up on Tor Browser and just wish I could have stayed longer.

2. Cy3Sec

Organised by:

Fizzpop – a popular Birmingham-based maker/hacker group with its own workshop space. Its first cybersecurity workshop was set up on Meetup and is set to run monthly.

https://www.meetup.com/fizzPOP-Birminghams-Makerspace/events/243198601/

Approach

One presenter talking to attendees around a table, small group style. There was a tech fail on the projector front which didn’t help. The speaker was a real-life locksmith so the focus was very much on how the hackers break in. The Meetup blurb said:

“The first hour will be on ‘beginner’ topics, then half an hour to chat, then an hour on a more advanced topic(s). If people want to do a short talk, great. There may be Bluetooth lock picking. There might be hacking a local server. A talk on decapping chips. If you’ve something to teach or explain about, please let us know.”

Pros

  • Beginners welcome
  • Quiet workspace, easy to get involved
  • Unusual angle – locksmith/hacker, physical access to devices
  • Free-roam topics and tech nerd view (how to kill people and start wars through hacking) = an interesting experience!

Cons

  • Attendees were Fizzpop members, a brain surgeon and a someone with a Masters in cybersecurity – not exactly beginners friendly
  • Mostly a one-way talk, lots of assumed knowledge, and attack based with cybersecurity solution more an afterthought
  • Departed from promised structure and timings
  • Sense of being an outsider entering a tech nerd’s member’s club

Summary

I never knew where this session was going or what I was going to get or even when it was going to end. Some structure and communication would really help this session. The Fizzpop-style focus on physical hacking and USB baiting, and ‘how stuff works’ was way above my knowledge grade but learning how to hack could fill a useful gap if done at beginners level and with a sense of playful fun that is the Fizzpop way.

Despite the exclusive feel, I am tempted to go back – albeit with a flask of tea and some biscuits, and just enjoy the random weirdness of Fizzpop life.

3. Cybersecurity for ‘real people’

Birmingham ORG cybersecurityOrganised by:

The Open Rights Group Birmingham – which runs regular events on cybersecurity and data privacy for concerned citizens. It feels more political although the offer is also practical. It campaigns to protect and promote digital rights in Birmingham and beyond. It was also set up on Meetup:

https://www.meetup.com/ORG-Birmingham/events/242706511/

Approach

The purpose was to offer practical cybersecurity advice that ‘real people’, not just digital geeks, can understand and apply in their daily lives. There were two main speakers, a large screen, a Powerpoint presentation and chairs for the audience. Although it was billed as a workshop, it was really more of an advice session/talk, with little opportunity to interact – one of the problems of running through a set of slides.

Pros

  • Beginners welcome – had the most varied mix of people of all three events
  • Darkened room for viewing slides, the acoustics weren’t great though
  • Practical advice on sending secure emails and messages, password managers, Tor browser
  • Beginners friendly – idea of just ‘change one thing’
  • Friendly, open, inclusive vibe
  • Resources posted on the Meetup site (Update: more resources, tips and follow-up from the session have now been posted to ORG B’ham)

Cons

  • More political stance – which may put off some; would be good to know more about the trade-offs not just follow advice blindly
  • Tried to pack too much in – people asking more in-depth questions but no time to cover
  • Top-down talk – less engaging than a practical workshop

Summary

This was my first ORG session and the organisers obviously know their stuff, but it was a skim across the surface and felt like an intro session to a longer course. I think they could increase engagement with less content and more practical focus, and as the session started at 6.30pm, maybe see if they can get sponsorship for some refreshments as most people come directly from work.

The immersive option?

Data privacy is a hard sell, even though it’s one of the biggest issues of our time with surveillance and data capture growing exponentially and often obfuscated and kept out of sight.

Most people know they should do ‘something’ but maybe think it’s too techy, or a hassle, or like me, tell themselves that they’ll get around to it one day and hope they don’t get sprung in the meantime. In short, there are barriers for everyone to overcome.

This next event could be the answer… and I’m pleased to report that I’ve managed to get a spot helping out at The Glass Room London, which opens for three weeks at the end of October.

Curated by Tactical Tech and produced by Mozilla, The Glass Room, was attended by over 10,000 visitors in New York City last year.

It is ALL about the engagement, with people coming in off the street to an immersive, dystopian tech store that exposes the state of their data privacy. Data Detox Kits will be handed out. And there will be interactive exhibits.

It looks really really good, and will be blogged.

Seven ways the Bank of England encourages a culture of cybersecurity

Bank-of-England-culture-change-security

“What is important to you?” This is the first question to ask before planning any cybersecurity strategy, according to John Scott, Head of Information Security Education at the Bank of England, talking at the recent Cybersecurity UK Roadshow event in Birmingham (notes here). Because if you don’t know what a client or company values, if you don’t understand their business priorities, you can only talk in absolutes.

As Scott gently points out, 80% of cybersecurity consultants come from a background in IT or security and they tend to talk in absolutes. Finding people who can both listen and communicate well on this topic is difficult (this is the soft skills side of cybersecurity, I guess). The result in many large organisations is an environment of enforced compliance; getting workers to care and engage beyond that is a tough sell.

‘From compliance to culture, awareness to action’ was the title of Scott’s talk. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe. Scott then rated security culture on a scale of -1 (negative behaviours) to 0 (compliance behaviours) to +1 (security maturity and positive behaviours), and outlined the Bank’s encouragement of the following ‘cyber seven’ practices to move from compliance towards maturity (more of which below):

Bank-of-England-cyber-seven

1. Passwords

0 = don’t share passwords

+1 = use a password manager

2. Phishing

0 = don’t click on suspect email links or open attachments.

+1 = report suspicious emails (whether clicked or not)

3. Document classification

0 = classify documents when saved into document management system

+1 = mark docs clearly, dispose of confidential documents safely

4. Clear workspace

0 = don’t leave confidential material on your desk

+1 =  also check printer, whiteboards, keysafe when you leave

5. Remote working

0 = make sure you are not overlooked when working on trains

+1 = keep your remote token separately from your laptop when travelling; report loss of devices immediately

6. Social media

0 = don’t post photos of the Bank on social media or get involved in discussions related to the Bank’s mission on social media without permission

+1 = audit your social media profile – make sure you’re aware of what you and other people are saying about you.

7. Report it

0 = if you see anything that worries you, tell us – ‘See it, Say it!’

+1 = if you’ve done something yourself or caused a problem, report it

This final point raised a lot of questions in the audience – wouldn’t a major breach be a sackable offence, for example? Why would employees admit their error? Scott suggested awareness and education, perhaps telling stories about how coming forward has worked and to try to build trust with your employees.

It’s always better to know that a breach or a vulnerability has occurred so you can address it but you need people to feel secure in coming forward. As the Regional Organised Crime Unit noted in their talks at the roadshow, one of the biggest issues in cybersecurity is the lack of reporting.

Thanks to John Scott and Metsi Technologies for use of the slides.

Notes from Cyber Security UK Roadshow Birmingham

John-Davies-CybersecurityA one-day event held yesterday held at Innovation Birmingham on the Aston Uni campus to help businesses get to grips with cybersecurity. It was organised by Metsi Technologies, and supported by the National Police Chiefs’ Council and Regional Organised Crime Unit (ROCU) in the West Midlands. The Twitter account and hashtag was @cybersec_uk but the backchannel was pretty quiet. Here are my notes.

Cybercrime

The increasing threat of cybercrime runs across a range of levels from nation-state threats to ransomware to IP theft. There were various police chiefs in attendance and the main message seemed to be that cybercrime is massively unreported to police – with the result that sufficient budget isn’t being assigned.

Ashley Bertie, Assistant Police and Crime Commissioner for the West Midlands, sent out a plea to find out what your local police force is doing and engage with their agenda. One available resource that has just launched is the Digital PCSO (Sean Long in the West Midlands) who can go into business organisations, schools and the community and advise on security basics.

John Davies of Pervade Software then introduced the National Cyber Security Strategy, consisting of three main acronyms:

  • NCSC – the National Cyber Security Centre (at GCHQ) – pushes out national strategy.
  • CiSP – Cyber Security Information Sharing Partnership – a place to both get free advice and also report hacks.
  • CES – Cyber Essentials Scheme – certification scheme to show that a business has addressed basic cybersecurity.

Main cybersecurity threats for SMEs

Louis Augarde, lead pen tester for Omni Cyber Security, introduced these as:

  • Ransomware – disruption for financial gain
  • Credentials-based attacks – to gain an entry point
  • Breaches based on known vulnerabilities – often used as a first step to identify weak systems that can be exploited further
  • Phishing emails – to gain credentials and access
  • DDOS – freezes your system temporarily but can also be a smokescreen for more serious attacks

He also introduced me to the idea of baiting, a social engineering tactic to get hold of your personal info by leaving out a USB for people to pick up. Never plug an unknown USB found on the train into your computer!

Cybersecurity help for Birmingham SMEs

If there’s one thing for businesses to do now it is the Cyber Essentials Scheme, said John Davies. Participants address 68 questions on their cybersecurity systems around firewalls, patches, configuration, malware, user accounts and so on. The scheme costs £300 and provides an annual certificate.

The CES process is designed to prevent the vast majority of cyber attacks but also offers a badge to show that a business has made an effort to keep the supply chain more secure.

Other options mentioned include the 80-question IASME governance standard, costing £400, which also looks at data assets, risk assessments, people, policies and disaster recovery. Both CES and IASME were said to be a good foundation in securing businesses and a more achievable alternative to 500+-question ISO27001 international standard.

There is also the newly launched West Midlands Cyber Security Cluster, the 19th in the UK, and people, businesses and organisations can tap into this to get help and advice in tackling cybersec issues. The website looks as if it has teething problems right now so check back later.

Other links mentioned on the day were:

Takeaway quotes and stats

95% of all successful attacks are the result of well-known and entirely preventable vulnerabilities (various reports from 2011)

“Don’t buy the whole onion – security is best built in translucent layers” – Brian Chappell, Beyond Trust, introducing five main layers for organisations wanting simpler security (focus on the high risks, tackle lateral movements of hackers into your system, exercise privilege control, one standard user account for all, configuration management).

The first reported cybercrime was in 1820 – it was the sabotage of some newly invented tech – the Jacquard loom – that automated the weaving process. DCI Rob Harris suggested this was where the term ‘patch’ came from but I’m not convinced that is true.

“Why do they do it? I’ve sat opposite many cyber criminals in my job, some as young as 16, and their answer to this is ‘because they deserve it’.” – National Police Chiefs Council on cyber crime motivation.

“80% of people [in cybersecurity roles] have an IT or security background and they tend to talk in absolutes. You have to find people who can listen and communicate.” – John Scott, Bank of England

GDPR for businesses

Jane Burns of Anthony Collins Solicitors made a valiant attempt at an overview of this super-complicated incoming regulation from May 2018.

The EU GDPR, also being adopted in the UK despite Brexit, offers a whole different world of pain so I’m not going to get into it here but, basically, if you’re not already aware, businesses are going to have to get a whole lot better and more transparent in how they process their data, or they risk big fines, and even worse for some, being cut off from accessing their data for a period of time.

This photo may be useful…

Jane-Burns-GDPR

What does the Bank of England do?

What does the most secure place in England do to prevent cybercrime?

John Scott, Head of Information Security Education at the Bank of England, gave a great presentation on one of the biggest problems facing companies – that of lack of user engagement in an organisation’s cybersecurity practices. He said compliance and awareness aren’t enough; it’s building a culture of mature security that is required to stay safe.

I enjoyed this talk so much I’m going to blog it separately.

Next event: a London CryptoParty on 11 September, a mix of cocktails and practical workshops…

 

 

Tor’s two sides, Amazon’s offline surveillance and how to obfuscate

Interesting links I’ve read this week:

The dilemma of the dark web: protecting neo-Nazis and dissidents alike (Guardian, 23/8/17)

“Perhaps the most important use of Tor, for many of its users, is simply allowing access to the open web in a protected and private manner. The system works by bouncing a request through at least three relays, with each only knowing the positions next to it in the chain: the entry node knows who is asking for a connection, but not where for; the exit node knows what the connection is to but not who wants it; and the middle node only knows to connect the other two.”

Silicon Valley siphons our data like oil. But the deepest drilling has just begun (Guardian, 23/7/17)

“For Silicon Valley, however, anything less than total knowledge of its users represents lost revenue. Any unmonitored moment is a missed opportunity.

Amazon is going to show the industry how to monitor more moments: by making corporate surveillance as deeply embedded in our physical environment as it is in our virtual one. Silicon Valley already earns vast sums of money from watching what we do online. Soon it’ll earn even more money from watching what we do offline.

It’s easy to picture how this will work, because the technology already exists. Late last year, Amazon built a “smart” grocery store in Seattle. You don’t have to wait in a checkout line to buy something – you just grab it and walk out of the store. Sensors detect what items you pick up, and you’re charged when you leave.”

How to obfuscate (Nautilus, Issue 49, 29/6/17)

“The solution TrackMeNot offers is not to hide users’ queries from search engines (an impractical method, in view of the need for query satisfaction), but to obfuscate by automatically generating queries from a “seed list” of terms. Initially culled from RSS feeds, these terms evolve so that different users develop different seed lists.

… The activities of individuals are masked by those of many ghosts, making the pattern harder to discern so that it becomes much more difficult to say of any query that it was a product of human intention rather than an automatic output of TrackMeNot. In this way, TrackMeNot extends the role of obfuscation, in some situations, to include plausible deniability.”

The dick* pic guide to government surveillance

* and boob

I had a conversation with a family member recently about my growing interest in cybersecurity and they responded with ‘I’ve got nothing to hide so I’m not worried’. Basically, let the government watch them if it stops terrorists; it’s all good.

For someone who grew up in the 1980s Cold War (but also basically made a second career out of Web 2.0), it’s about how much they are watching, centralised files, a culture of fear, lack of freedom, potential abuse of political power – and trying to understand the trade-offs of privacy versus security when we put our info out there.

I don’t think I have anything to hide either – except when I do – but it’s not about having something to hide, it’s about having something to protect. We’re not just talking about status updates knowingly shared on Facebook, Twitter, etc; the info at risk is also the stuff you think you are keeping private: phone calls, files and photos stored in the cloud, SMS, email.

Getting people to care about surveillance and infosecurity is apparently an issue, with cybersecurity events often struggling to attract an audience. Calling it infosec or cybersecurity is a kiss of death, according to a friend who runs such events. (It’s true: I’m going to an evening event in London because it’s a CryptoParty in a bar with beer sponsors, etc, whereas a day-long ‘cybersecurity roadshow’ in Birmingham was a much harder sell.)

To help with the ‘who cares’ issue, I finally got round to watching John Oliver’s 2015 ‘Last Week Tonight’ interview in Moscow with Edward Snowden – a deliciously awkward affair in which Oliver played a rude, dumb American asking Snowden’s nice, intelligent whistleblower to explain in layman’s terms (‘Can I share my dick pics or not?‘) why they should give a shit about increasing government surveillance powers and his 2013 revelations.

If you haven’t seen it, it’s well worth a watch. My notes below…

Notes: Government Surveillance: Last Week Tonight with John Oliver (HBO)

  • Section 215 of the Patriot Act (created post 9/11, and extended/renewed) requires businesses to hand over ‘any tangible things'(eg telephone records) to protect against international terrorism.
  • Snowden in 2013 revealed this to be used for the mass scooping up of data.
  • Government says it doesn’t abuse its powers + there are restrictions on how/when they can employ surveillance, eg, through the FISA Court, which grants surveillance warrants.
  • Reality is that FISA rarely rejects an application. From 1979 to 2013, it has approved 35,434 application for surveillance and rejected only 12.
  • Snowden: “NSA has the greatest surveillance capabilites that we have ever seen. Now, what they will argue is that they dont use this for nefarious purposes against American citizens. In some ways that is true but the real problem is that they are using these capabilities to make us vulnerable to them, and then saying, well, I have a a gun pointed to your head but I won’t pull the trigger – trust me.”
  • Is anyone having the conversation about where the limits should be, eg, reform of Section 215. Public debate not happening (that care issue again).
  • Oliver asks if it is possible for the public to have a conversation about something that is so complicated we don’t fundamentially understand it? He shows Snowden a video that shows Americans getting upset about the government sharing and looking at their dick pics. The rest of the interview is framed through this simple analogy.

Can they see my dick?

Section 702 surveillance – yes – through bulk collection if an emailed image crosses a border in some way and is caught on a database.

Executive Order 12333 – yes – the NSA uses this order when others aren’t aggressive enough, so if a Gmailed pic is sent even to a fellow American, it will be stored on Google server, and Google may move this data from data centre to data centre – the US government can capture that if it moves outside of US even temporarily.

PRISM – yes – it captures your info with the agreed help/involvement of government deputies/sheriffs such as Yahoo, FB, Google.

Upstream collection – yes – they can ‘snatch your junk’ as it transits the internet.

MYSTIC – if describing your junk on the phone, yes. Collects content as well in some countries, eg, The Bahamas.

Section 215 metadata – no, but can tell who you are sharing junk pics with (eg a penis enlargement centre).

So what next?

Snowden says: “You shouldn’t change your behaviour because a government agency somewhere is doing the wrong thing. … If we sacrifice our values because we are afraid, we don’t care about those values very much.”

My take is:

  • Keep doing what you’re doing but send/share your stuff via more secure platforms
  • Try to understand the lay of the political and digital landscape and don’t give away freedoms that are at risk.
  • Figure out the trade-offs and fight back against government surveillance where it is an invasion into privacy/freedom – I’m not saying terrorist and other threats shouldn’t be addressed, of course not, but scaling up government powers shouldn’t be done thoughtlessly or in knee-jerk reaction to modern threats without a thought for historical ones that threaten all our civic freedoms. Debate publicly and find the line.

Since Snowden… a visit to Infosecurity Europe 2017

Fiona Cullinan, Infosec Europe 2017

‘Since Snowden’ has become a bit of a catchphrase for me after his revelations in 2013 about the mass government surveillance of our data. Since Snowden I’ve watched Citizenfour, read The Snowden Files, completed two OU cybersecurity courses, joined ORG Birmingham, learnt how to use PGP encryption, risk-audited my personal info and started putting some basic processes in place so I am more in control of my data.

This is something I hope to starting helping other people with, so if you have a question about passwords managers or how to risk-assess your info, for example, get in touch. I’m still learning so it’s basic guidance only and probably best done at a friendly local level than in any official capacity.

Last month I also attended two days of Infosec Europe, the largest event of its kind in Europe featuring a conference programme, 360+ exhibitors and around 15,000 visitors. It was very much aimed at larger organisations and since I’m at the individual and SME level, there was some disconnect.

That said it was probably one of the best conferences I’ve attended outside of SXSW and I came away with a lot of info and contacts – enough to know that this is going to remain a definite interest of mine for some time to come.

So I’ve started a Twitter list of Women in Infosec because I missed that session at #infosec17.

And collected a few conference links for reading and reference:

Hello Infosec World.