44CON Cyber Security 2016 Presentations

Keynote

Presented By: David Davis MP

The Investigatory Powers Bill is currently working its way through the Houses of Parliament. Our keynote speaker, David Davis MP, is a central figure in civil rights advocacy in parliament and at the forefront of the debate on censorship and surveillance.

Since being elected in 1997, David has been the Member of Parliament for Haltemprice and Howden. David was MP for the Boothferry constituency from 1987. In the last Conservative government David held the position of Foreign Office Minister, where he was responsible for government negotiations on Europe, NATO enlargement, the nuclear Non Proliferation Treaty, the Comprehensive Test Ban Treaty and the updated Geneva Convention.

After the 1997 election David was elected as Chairman of the influential Public Accounts Committee. In this role he spearheaded wide-ranging investigations into government policy and procedure, and recommended improvements to government IT strategies, privatisation methods, public service delivery and transparency in government accounts.

David was Shadow Home Secretary from 2003 until he announced his resignation in 2008, forcing a by-election to raise awareness of New Labour’s relentless erosion of civil liberties. Since 2008 David has been a leading figure on the Conservative backbenches. He is best known for being a strong defender of our civil liberties, but his considerable experience in ministerial and public posts means David is a respected speaker and commentator on Europe and the Eurozone crisis, banking, security, education and social mobility.


Meaningful Measurement: It’s About Time We Got This Right

Presented By: Ian Trump

That cyber-crime has driven the rise of malware during the last decade is not in doubt; how large that increase has been most certainly is. This measurement has, I would argue, been more speculative than evidential. The problem is that attempts to quantify malware usage lack any meaningful, industry-accepted standard for the metrics concerned.

When the numbers put forward by vendors, industry bodies and the media all vary so widely (not just between those sectors but within them as well) is it any wonder that any serious attempt to establish the scale, the cost or the impact of such attacks is doomed to failure? The disconnect between the reporting of cyber-crime and the actual metrics that are most important for both businesses under attack and the industry that exists to mitigate them will remain until the difficulties of comparing oranges with apples become apparent.

Attempting any such comparative exercise is fraught with peril and serves to highlight where we, as an industry, are getting our metrics wrong; the largely accepted cost-per-record breach metric is far too broad a brush to paint any kind of recognizable real-world picture. When reporting and discussing the scale and impact of cyber-crime it is imperative that we move away from sensationalizing one part of the story or consequence of the breach, the part that will create the biggest search engine feeding frenzy. Who the criminals were is of less import than how they got in; compromise indicators are more valuable to other businesses than the financial cost to that particular victim.

The measurement metric dial has, ultimately, moved too far towards attribution and needs to be reset to prevention and a business-based analysis of risk once more. That business-based analysis itself needs to be more realistic, so there also has to be a move away from the kind of threat intelligence reporting which is almost exclusively dominated by data derived from the large enterprise sector and consequently of little relevance to the Small and Medium Enterprise (SME) market.

The data upon which threat intelligence and attack surface trend analysis resources are based must become more granular if it is to become more relevant across all business sectors. If we continue to go down the road of never disclosing or identifying the security components that failed or the components that were not in place when a breach happened, we will never make any progress against an elusive enemy.


What it means to have the C word in the National Security agenda

Presented By: Emil Tan

This is a highly non-technical talk.

What is the meaning of “security”? What does this “essentially contested” word mean to us (information security folks) and to the politicians? “Critical (Information) Infrastructure Protection”, “Information Security” and “Cyber Security” have crept their way into the National Security agenda over the last couple of years. When, how and why did that happen?

How has the “Security Committee/Community” set the tone in dealing with the “National Cyber Security” threat? Did you know that politicians might not be referring to us (information security folks) when they speak of “the Security Community”, but to political thinkers?

Many nations now have what is known as the National Cyber Security Strategy. What does it really mean when a document like this is established, and is it working?

My talk explores not just the “brief history” of what happened, but an in-depth analysis of how “Cyber Security” became a National Security issue. I’ll introduce the mindset gaps between political thinkers and us (information security folks). My talk will finish off with a qualitative assessment of the National Cyber Security Strategy, not through audit metrics, but on the effectiveness of its policy communication.


Data protection, privacy and cloud computing: navigating legal compliance

Presented By: Graham McKay

Since the development of EU data protection law, technology has advanced at significant pace; indeed the world we live in today would be unrecognisable to the citizens in 1995 when our current data protection legislation was enacted.

Digital technologies such as cloud computing have fundamentally changed the ways in which consumers interact with organisations globally; indeed, technological developments allow for the collection and processing of ever-increasing volumes of personal data. The current data protection framework was conceived in a technologically different era from our current digital world, whilst data volume has exploded.

Cloud computing profoundly transforms the manner in which Information Technology (IT) services are conceived, deployed, delivered, scaled and consumed, with the potential of this disruptive technology being recognised by industry and government alike. The abundance of data relating to individuals leaves behind a hidden trail with the potential to be pieced together, formulating a jigsaw of our identity that captures every online action we take and rendering the notion of privacy outmoded in such an information-rich society.

Whilst data protection legislation was enacted before the development of cloud computing, this presentation will identify the continued relevance of the data protection principles and recognise that cloud computing can be exploited within current data protection and privacy legislation.

The European Commission is currently proposing major reform of data protection legislation to “strengthen individual rights and tackle the challenges of globalisation and new technologies” by way of the Proposed General Data Protection Regulation, but will this meet the needs of technological advancement thus far and beyond?