Infosec Europe 2023, day 1

The "Infosecurity Europe" logo, dates and location (20-22 June 2023, ExCeL London).

This is my first in-person conference since the pandemic and I've been looking forward to it. That said, there's a small amount of nerves too as there's likely to be a lot of people in attendance.  Infosecurity Europe is conference / trade show is hosted at the London ExCeL exhibition centre.  Attendance for visitors is free (presumably the conference is paid for by the vendors in attendance and through sponsorship) and there's various talks and workshops available.  I scheduled to attend a number of talks and workshops, and have a few vendors to see too.

The last time I was at Infosec Europe was in 2018, when I'd just restarted this blog. You can read posts from 2018's conference here.

My agenda

Over the three days my goal is to pick topics that were of interest to me or that helped my employer directly (ideally both).  My schedule is quite packed, as you can see from the screenshot below.  Unlike other conferences I've been to, there are multiple sessions running at the same time as the keynote talk, which I find odd. I've tried to stick with the keynotes though - they're keynotes for a reason.

Screenshot showing my agenda for the next three days.
My agenda for the next three days.

This year there were some really interesting workshops on offer.  I'm particularly interested in a workshop about Apple platform security, as my Apple knowledge is tiny. There's also a workshop on API pentesting which I'm looking forward to so I can brush up on my skills.

So, here's day one's sessions.

Opening keynote - Stay on track, strategies to prepare your team for the unknown

Multi-gold medal winning ex Olympian Michael Johnson gave the opening keynote, which he explained at the beginning wasn't going to be about cyber security specifically.  That's not his area.  Instead, Michael gave a motivational talk with some tips that can be applied in any industry or scenario.  Michael shared a number of anecdotes with us from his days as an athlete, and had a good sense of humour.

Firstly, Michael reminded us that you can't skip the fundamentals.  These underpin what you do and have to be covered in addition to the parts of the job that you enjoy.  This is good advice, as I'm sure I'm not the only person that's tried to "run before he can walk" on some topics.

Michael went on to talk about how it's important to understand the challenge you're facing and to determine how you can work through it.  He talked about gaining confidence this way, because once you know what you're working with it's easier to complete the work / beat the challenge.  Plus, by understanding what you face you can help prepare yourself so you don't get thrown off / confused / disorientated (so much) when something unexpected happens.

As part of questions at the end, Michael talked to us about understanding your personal strengths and weaknesses, and then making sure that we're able to offer our best to the rest of the team.

How Do You Manage Your Third-Party Cyber Risks? Top 3 Best Practices to Improve Your Cyber Resilience

This was the first talk that mentioned what I perceive at the theme of day one - securing the supply chain, and our hosts discussed practical steps that could be taken when determining your risk level.  One of the panelists commented that sending security questionnaires to your suppliers with hundreds of questions didn't scale well, and didn't necessarily provide a good return in terms of assurances.  That resonated with me, as I fill in so many security questionnaires that my wife actually asked me if I did anything else!

Our panelists covered how it was important to understand your suppliers and the services they provide you.  Your approach to managing that relationship should then be based on the risk they pose to your organisation.  Consider how reliant your business is on the supplier, assign that a risk value, and progress from there.  Ensure suppliers are considered when you think about your incident response plans, and when testing them include the supplier (where possible).

When looking to outsource a service, which can bring further risk to your organisation, it's important to think why you are outsourcing the work.  Is this purely a cost saving measure?  Do you gain additional features?  What's the net result for the business?  (Hopefully a gain...)

Finally, it's worth remembering the suppliers almost certainly have to work in multiple compliance frameworks and jurisdictions - just the same as you do!

Security fundamentals for Apple platforms

I was really keen to learn more about security on Apple devices as I really know very little about them.  My work phone is an iPhone and it's one of the most paralysing pieces of technology I use, simply because I don't know enough about how to use it.  So, I picked this section to get a better understanding of how things work in Apple land.

Starting with some statistics, it was interesting to find that 49% of American companies use iPhone and iPad corporately.  Globally there are 212 million businesses that use Apple, and people spend an average of 4.8 hours a day on their phones.  No wonder one IT professional, Patrick Wardle, said "I always think of phones as like our digital soul".

This was a 1.5 hour session, and I can't do it justice in a few paragraphs, but our hosts described the built in systems that Apple operating systems have to protect the system and its users.  Native tools such as Gatekeeper, XProtect and MRT help to keep the system working in a safe fashion, and because they're native they have a minimal impact on the end user experience.

In 2019, Apple introduced the the Endpoint Security Framework (ESF), which is an API that can provide details of operations that have taken place.  Security vendors can then use this information to protect users, for example by reviewing the ESF logs for likely malicious behaviours.  Sadly not all vendors seem to take advantage of ESF, which can lead to performance issues.

Towards the end of the session there were contributions from other delegates, and it was good to see a lot of the challenges my organisation has with using Macs in the workplace aren't being experienced by me alone.

Black box API pentesting

I had hoped this session would be a demonstration of how to use various tools, including open source ones, to perform API testing, something I'm somewhat out of practice at.  Instead this was more a discussion of some open source tools that are available, plus details of some learning resources.  I need to take a look at some of the resources, and may write more about them at a later date.

Combating malware within the software supply chain

There have been a lot of software supply chain attacks recently, with package managers like NPM and PyPi reacting to malicious packages found and being downloaded by developers.  As such, I was keen to hear what this talk (and the next one) could offer on the subject.

It's no surprise, but one of the comments was that the software supply chain is enormous and managing it is a huge undertaking.  Potentially failure to manage the supply chain, we're told, might result in your organisation being thought of as negligent in the case of problems.

A useful tool in keeping track of how supply chain issues can affect you is the use of software bill of materials (SBOM).  The SBOM shows what third party components are included in the software that you use (or write), meaning in the event of a problem it's possible to determine the impact on you.  

Don't let the supply chain hack you

Some common attack vectors here include watering hole attacks (where an attacker "hangs around" places that your colleagues are known to be) and business email compromise (where a legitimate email account is broken into, allowing the attacker to send legitimate looking emails from known contacts).

It's hard to stop supply chain attacks because they exploit trust.  The attacker uses existing communication channels (e.g. email between the supplier and you) which gives their messages credibility.  Alternatively, they take advantage of existing access to launch their attacks.  Auditing your suppliers presents challenges (this speaker again said how security questionnaires don't scale) and performing an audit can be incredibly time consuming.

Again it was commented how it's really important to know what you're using - be that in terms of software or knowing which suppliers collect your rubbish or perform your payroll function.

Forget traditional security awareness - your people already have

I suspect a lot of us have to undergo mandatory security training, where we sit through (hours of) videos talking about risk and how you're a key part of the defense for the company.  While that's still true, this speaker was highlighting how staff forget the training fairly quickly.  Security culture and awareness is important when it comes to helping users help keep themselves and the business safe.

Various psychological models were mentioned to help illustrate how people struggle to maintain awareness (and interest) in relation to cyber security.  Our speakers are advocates of providing gentle nudges and spreading training / reminders out over time, rather than relying on a yearly training session.  They also described how putting a reminder in front of the user at the point of need was  really powerful.  About to click a potentially dodgy link?  Remind the user that this might not be a good idea.  This is more likely to yield good results than assuming people will remember training from potentially eleven months ago.

While delivering reminders though it's important to not nag.  If you nag then people will start to ignore you.  Instead, make sure the reminders are timely and relevant.  One example was to not put a message out via Teams about email phishing attacks - put the reminder where it's needed (in the user's inbox).

This talk gave me a number of thoughts of things we can implement at work - research and development needed on that (and sorry to my internal IT colleagues in advance!).

Swag

I've not walked around the exhibitors that much yet, with today focusing on talks and workshops, so no swag yet.  Unlike in 2018, there was no welcome back / bag as the organisers have opted this year to provide "digital goodie bags" instead.  From an environmental perspective this sounds like a good choice, as I imagine a lot of delegates threw the flyers, brochures and similar straight in the bin anyway!


Banner image: Screenshot of the Infosecurity Europe logo.