Tag Archives: RANT

A Phisher of Men: Learn How to Turn Social Engineering Techniques Around to Improve Your Security at the RANT Forum

The dangers of phishing and social-engineering attacks are well known and understood by businesses, NGOs and public bodies, so why are they still effective? And what if there was a way to use the same psychological pivots attackers use, and improve cyber security? Well, those attending this month’s RANT Forum in London are about to find out just how to make that happen.

The speaker at this month’s event is Barry Coatesworth, a highly regarded cyber-security expert and a member of the government’s industry advisory group for cyber-security standards, the Information Assurance Advisory Council. In almost 25 years in the business, Barry has experienced first-hand the good, the bad and the ugly of cyber security.

Phishing and associated attacks remain a hot topic, and Coatesworth will show how and why they still work. “What I do is look at the psychology behind these attacks,” he tells the Acumin Blog. “Security is constantly changing, and it’s difficult at the best of times for CISOs to level the playing field in a constantly changing threat landscape. It’s a case of adapt or fail – so I look at why attacks work or don’t work, and at how that understanding can be used to improve security.”

There are any number of scenarios that attackers can use to identify weak links in an organisation and exploit these to access information: the more obvious examples include masquerading as executives or colleagues, relatives or other trusted contacts. But what Coatesworth is more interested in is the methodologies that underpin these attacks. By unpicking them and understanding them, he believes infosec professionals can get ahead of the curve.

“It all depends what the attacker wants to do,” Coatesworth says. “Attacks tend to be against personnel with access to sensitive information or with admin access to systems. Opportunity is key, as well as the time and effort needed to orchestrate a successful phishing attack. It’s not one-glove-fits-all, but when you look at the psychology behind how the attacks work, there are some common themes.”

Most businesses use some of the principles of social engineering already, but probably don’t realise it. “The psychology behind these attacks is all about marketing and PR,” Coatesworth says. “It’s more in the generalities than the specifics. They all follow similar proven methods to seduce or manipulate you to click on that link or download that file. If you understand these strategies you can use them internally: it’s like a form of guerrilla warfare, but you can use it in a positive way.”

If you want to learn how – or even if you’ve tried it and don’t think it can be done and want to argue about it – then Wednesday’s RANT Forum is the place to be. The forum takes place on Wednesday 25th September; email Gemma on gpaterson@acumin.co.uk if you would like to be added to the guest list. We hope to see you there.

Upcoming RANT Forum to focus on communication and collaboration

Last month’s RANT Forum was one of the best attended so far, and saw Sarb Sembhi, director of IncomingThought, present on EU Data Protection Regulation.

This month’s event will be held at The Counting House, London on Wednesday August 28th 2013 and is set to be just as interesting, with a new speaker and an engaging topic.

Darren Hodder, vice-president of cyber fraud intelligence at the Centre for Strategic Cyberspace & Security Science, will give a talk about just how important the crossover between information security and anti-fraud is, entitled ‘Different Disciplines, Same Goals: Where is the Communication & Collaboration?’.

Mr Hodder has attended RANT previously and was surprised to find he did not know many of the attendees personally, especially considering he is so well connected and has spoken at numerous industry events.

“Perhaps we need to get better at communication, rather ironic since our disciplines facilitate global communication on an unprecedented scale! In order to be better understood by the board we need to get back to what is at the heart of all the problems we are trying to solve and in my view it is all about people.”

He believes IT security professionals can get so caught up in the latest technical trends and challenges that they may forget there is always a human behind these threats and that technology is simply a facilitator for age-old crimes and scams.

Mr Hodder wants IT professionals to get to know one another better in order to reach their overall goals more effectively.

RANT is certainly the perfect location for this subject as the event encourages interaction and engagement by making the whole thing a little less formal.

The idea of the event is to put people at ease so that key issues can really be explored in an open forum. It gives a great opportunity for people to network and get to know each other, something Mr Hodder would like to see more of in the coming months.

There are many threats facing the IT security industry and many of these will be discussed at the next RANT Forum on August 28th.

What are the biggest challenges when sourcing information security professionals?

During each RANT forum and conference, information security professionals gather together to talk about some of the most pressing issues in the industry.

One of the topics that often gets brought up is recruitment and how organisations in both the public and private sector go about bringing in the most talented individuals.

During the latest conference, some of the industry’s top professionals gave an insight into what they thought about the process and how it has evolved over the years. We asked them what they perceived as the biggest challenges when sourcing information security professionals.

Tom Salkield, professional services director at Integralis, said: “We need to attract more people into this industry sector … there are some big problems that we actually need to solve.”

According to Mr Salkield the industry must integrate more with the education system to get people interested in IT security.

“We need to be working much more closely with schools, colleges and universities to entice the new leaders of the future to come and enjoy the big debate we’re involved in,” he added.

Many other professionals gave their opinions on the industry and their thoughts on the matter can be seen in the video below.

For example, Javvad Malik, senior analyst at 451 Enterprise, believes it’s about more than just the technical skills required; he thinks it’s also about personalities and “people who can fit into the mould”.

The stereotype of information security professionals all coming from hacking origins is now gone. Individuals are constantly emerging from a range of backgrounds, and this diversity can only be a good thing.

Acumin has been hosting the monthly RANT events for the last seven years and encourages everyone to get involved with the discussion and lively debate.

Each forum and conference sees hundreds of information security professionals join in and share their ideas on the future of this ever-growing industry.

Attending RANT is a great way to broaden your thoughts and expand your network and the next event will be held on August 28th in London.

Upcoming RANT Forum to focus on EU Data Protection Regulation

Next week’s RANT Forum will certainly feature one of the hottest topics in the IT security industry right now, as Sarb Sembhi, director of IncomingThought and chair of the ISACA GRA-SC3, will be presenting a talk on the EU Data Protection Regulation as well as other areas such as the state of the privacy policy in the US.

Prism has been a word on the lips of many an IT security specialist over the past month, with former National Security Agency (NSA) worker Edward Snowden revealing its methods of spying on citizens from all over the world.

Sarb is a well-renowned speaker and delivered an interesting talk at the RANT Conference earlier this year, which saw much interaction with the audience. It’s likely that this new talk will get the same reaction, with many professionals having a different point of view on the whole matter.

Since before the EU Data Protection Regulation was made available to the general public in January 2012, all the major US service providers have been lobbying the EU to water down the provisions that protect EU citizens. Their point of view is that the costs of implementing the provisions will hurt the consumer in the long run.

This lobbying has been one of the most heavily funded of all time and, in light of the Snowden revelations, it makes you wonder whether this was actually because the provisions would make things difficult for the NSA, rather than just for the providers.

Mr Sembhi suggests that if the EU Data Protection Regulation is watered down, then there is no need for the service providers at all, as the NSA will be able to store all the data.

This will naturally create a lively debate over the issue and people will be able to express their own opinions on what should be done, or not done, in an open and informal environment.

You can join us for the next London RANT Forum on Wednesday 31st July and as usual there will be plenty of food and networking opportunities on offer.

Those interested in attending this fantastic event should email Gemma Paterson on gpaterson@acumin.co.uk to be added to the guest list.

Q&A with Stephen Bonner, speaker and panelist – RANT Conference

Let’s start by hearing a sneak preview of the talk you’ll be giving at RANT?
It will be on the subject of cyber war. The way some people talk about it annoys me, so that makes me passionate. It annoys me when people use phrases like “Digital Pearl Harbour” and compare the proliferation of cyber weapons with nuclear weapons. The way we overegg some of the threats, and make them sound like significant problems when they are not that important at all, does us no favours. I think we’d be better off being more realistic about the threats and benefits.

I’ll be saying that what’s happening now isn’t war and draw some parallels between what war is and isn’t like. But I’ll also talk about what it would look like if we did have a cyber war. I don’t think cyber war is impossible or all made up but I think the use of the phrase is wrong.

Using the word “war” and describing what’s happening now in that way normalises war, which I think is a terrible thing. Cyber war is only likely if we keep making it more and more normal.

And what about the panel you’ll be part of?
I hope that will be a little more light-hearted! The other talk is more about “You’re all doing it wrong, stop it,” and this is a bit more humorous. We’ve assembled a panel of people that have never sought to be security rock stars, but given them a platform to discuss how they became security rock stars and what the benefits are. They will also be offering advice to aspiring security rock stars! It’s firmly tongue-in-cheek, though.

With such an experienced panel the audience will be hanging on your every word. What’s the message you want them to take away from that and your talk?
To enjoy it would be my advice. With my talk, it’s very much about getting people to stand up and challenge people who throw around terrifying expressions when they don’t match. It’s also about changing the message around cyber war and getting people to think about the definition of war, the Geneva Convention and so on. I think people perhaps aren’t properly preparing: people should be working harder to make war less likely and also working to reduce the consequences of it.

If phrases such as cyber war and Digital Pearl Harbour are wrong, what should we be calling it?
It’s just crime and theft. It’s still bad and can damage organisations and people, but it’s a crime, not war. And the proper response to crime is law enforcement, not intelligence agencies and the military. The more we position simple crimes as military actions the more comfortable people will be with taking military action.

I’m going to talk a bit about the features we see at the very high end in terms of espionage work and compare that to war. There are not very many stealth wars; once you’ve invaded you have to stand up and say hello. Mostly what we’re seeing is crime with a bit of espionage thrown in. A denial of service (DoS) is not war, it’s a protest, a riot. You stop protests and riots by arresting and prosecuting people, not by cluster bombing. There is a line and we need to be very clear about it.

You have been involved with The RANT Events for many years now. What do you think sets it apart from other security events?
It has an authenticity; it’s people talking about what they are passionate about rather than what they are told to be passionate about. There is an element of truth to the event; it’s a way to cut through some of the hype that can dominate the security industry. There are no keynotes where a DLP vendor tells you how important DLP is, or an antivirus vendor telling you how important that is.

RANT feels very much like a community, with people engaging and being honest about the things they like and dislike. I think that’s powerful and an important step towards being a more mature industry.

Register for the RANT Conference – http://www.rantconference.co.uk/register/

Top industry professionals set to flock to London for the upcoming RANT Conference

June’s RANT conference will see a selection of top IT Security industry professionals take to the stage.

The RANT Conference in St Paul’s London is a little under a month away now and anticipation amongst information security professionals is growing by the day.

On June 11th 2013 a full day of enlightening, informative and engaging presentations and interactive debate panels, conducted by a selection of the IT security industry’s most influential thought leaders, Rockstars, Futurologists, Innovators and Ranters, has been scheduled.

Acumin has been running the monthly Risk and Network Threat Forum (RANT) since 2007. It serves as an end user only, informal networking, discussion and debate event for senior professionals working within the information security and risk management market.

Every month a new speaker attends to start a rant about a particular hot topic within the industry and actively encourages the audience to pitch in with their points of view, opinions and suggestions in a relaxed and informal atmosphere.

The first RANT Conference in June will see well-known speakers Stephen Bonner of KPMG and futurologist Mark Stevenson take to the stage amongst plenty of other top industry professionals to talk about the biggest issues the sector is currently wrestling with.

Some of these topics include bring your own device – which serves up the notoriously well known acronym BYOD – mobile device management, secure outsourcing, and the major threats currently facing cyber security.

Mark Stevenson, founder of The League of Pragmatic Optimists, will also be attending to give a keynote speech on ‘The Big Shift’, highlighting the major role the security industry has to play in helping shape the future.

State sponsored espionage and the pressing issue of mobile security will also be explored later in the day by a selection of top industry RANT’ers.

The RANT Conference is designed for information security managers, directors, chief information security officers and other senior information security and risk professionals who work within end user organisations.

June 11th really is an essential date for the 2013 IT security calendar and the event is not to be missed by industry professionals!

The conference has seen a high number of registrations already; places are going fast, so be sure to register ASAP to secure your spot. Discount codes are available; email Gemma on gemma@rantconference.co.uk to see how you can get one.

Q&A with Mark Stevenson, keynote speaker at the upcoming RANT Conference


Without giving too much away, what will you be talking about at the RANT Conference on June 11th?
I’m going to be talking about the mega trends that will affect the world and what will be required of the security industry in order to respond to them.

These mega trends are part of the Big Shift (more details on that here: http://www.rantconference.co.uk/seminar/opening-keynote/), but how is that different from the digital revolution?
That was just a trailer; I like to say it is like the cocktail sausage before dinner. Everything that happened with digital – the democratisation of power and established players losing control of the means of production and distribution – will come to the physical world with programmable biology and programmable matter through 3D printing and nanotechnology.

So imagine a world where your mobile phone can give you a blood test and you can download the right drug based on that blood test and then print it at home. That’s what we’ll be seeing within the next generation or two.

That obviously has massive ethical and security implications. For example there are people using 3D printers for guns. Is there a way to allow people to download a car part, for example, but not an AK47?

That leads to the question of who regulates it…
Even whether it can be regulated; my suspicion is that it cannot. Therefore what happens to the security industry? It will have to become a ‘crowd industry’. Rather than specific people telling us what to do we will have to come together as society and work out how to secure ourselves.

So what will you be telling the Conference about how the role of these information security workers will change?
There are very difficult questions coming but they are probably the best people to answer them because they have the expertise and the knowledge and they understand more about securing distributed resources than most people.

So the question is, what is the security framework that works for individuals in a radically democratised world, where, for example, I may want to exchange my genome data with a physician in South Africa? I don’t know the answer yet, nobody does, but I think they are the right people to think about it.

How far will these changes go? What will the world look like in 100 years?
I think anyone who would attempt to tell you what the world will be like in 100 years’ time is either intellectually vain or bonkers. If you look at the history of futurology what you’ll see is that the predictions were often an expression of prejudice or a wish list of the person who was asked. We’re quite good at seeing first order effects: if you invented the internet it’s not a huge leap to predict email. But do you then see the invention of social media? Or its role in the Arab Spring? No.

Because of what is happening with technology all bets are off; pretty much anything you can imagine is possible in the next 100 years.

So if it’s less about predicting, what is the role of a futurologist?
It’s about getting people to ask the right question. For example I was talking to a pharmaceutical company about the prospect of printing drugs and open source drug development and what that would mean legislatively. They were then asking questions that went beyond margins, questions they hadn’t been asking half an hour before. That’s the point; they go from asking questions about profit margins on existing drugs to asking what would happen if every doctor’s surgery in the world could download and print its own open source drugs.

Douglas Adams said there are three types of technology: tech invented before you were born, which you don’t think of as technology; technology that is invented between you being born and turning 35, which is very exciting; and technology invented after you turn 35, which is completely pointless and makes you angry.

If you look at a lot of organisations the ones who decide the strategy are in the last group and most of their employees and customers are in the second, so there is a massive mismatch there.

A lot of the people you’ll be talking to at the conference may be in that last group as well.
I can guarantee that at the end of my talks people do not ask dull questions! People at the conference should be getting hold of 3D printers and hanging out with bio-hackers and so on. They should be asking, ‘what is my role going to be in this?’ and ‘how do we secure these new technologies while making them accessible?’

Hear Mark’s talk on The Big Shift at the RANT Conference on 11th June. Register at http://www.rantconference.co.uk/register/

A Fortress or a Modern City? That is the question

Before he found international fame with his, to all intents, groundbreaking action-novel The Da Vinci Code, American author Dan Brown released a number of novels that later went on to become best-sellers.

The first novel he ever released was entitled Digital Fortress, a thriller about a cryptographer who is called in by the National Security Agency to help break a code that its all-powerful device cannot break. Cue lots of Browninian twists and turns and cliff-hangers.

It’s an interesting title, one that presages the digital world we live in. A lot has happened in the 13 years since it was released with regards to cyber security, information risk, ethical hacking and other things pertinent to this industry.

The next RANT topic coming up at the end of the month deals with the idea of so-called digital fortresses, contrasting it against the open approach, otherwise known as de-perimeterisation.

This networking event, which all professionals operating in the information security industry – including those with expertise in governance & compliance, digital forensics and penetration testing – are advised to attend, will cover a number of topics: the physical defence strategies of past civilisations, a comparison with how modern towns and cities are secured, and the pros and cons of a digital fortress strategy versus an open approach.

The latter is known as de-perimeterisation. This term, coined by Jon Measham in 2001 and popularised by the Jericho Forum, describes “the erosion of the traditional secure perimeters, or network boundaries, as mediators of trust and security”.

This so-called erosion has been made possible by consumerisation online, meaning that firewalls can easily be bypassed and security overhauled. As such, if an open approach is desired, then the argument goes that every level needs to be secured using a myriad of strategies including data-level authentication, encryption, and inherently secure communications. Traditional boundaries, once taken for granted, are fast disappearing as the internet continues to evolve at a startling pace.

It’s a fascinating subject, one which is occupying the thoughts of many security professionals to no end at the moment. Attend the next event and join the discussion by emailing Gemma at Acumin to be added to the guest list.

“Protecting our Assets; Fortress or Modern City?” is being held on November 30th and will be the last in 2011.

For more information visit the RANT website or join us on Twitter @RANTforum or @Acumin. You can also get in touch with the discussion host Paul Vincent of Cyber Security Limited at his Twitter profile @cybersecurer.

– Gemma Paterson, Acumin

Everyone needs to (attend) RANT

It’s good to RANT.

The Oxford Dictionary definition of a rant by the way is: “speak or shout at length in an angry, impassioned way.”

We like impassioned, there’s a positive in that description. The word angry we don’t like so much.

So, it’s good to RANT.

You might have observed the capitalisation of RANT, which is deliberate. It’s the acronym for Risk and Network Threat, a monthly, informal networking forum held by Acumin Consulting and NGS Secure.

It’s an event where senior end users in the information security and risk management industry meet with other professionals and experts to discuss – or rant if you will – about pertinent industry issues. It’s not only a great platform for debates, discourse and blue-sky thinking, but also an apt, focused and beneficial space in which to network.

Note – there are no security vendors or consultancies in attendance at such events. It’s not about sales. RANT exists as a genuine meeting place for like-minded thinkers to convene, whether it’s to query issues, rant about projects, highlight certain topics or simply to listen and be informed. All under Chatham House rules.

If anything is sold, then it would be knowledge, and the price of that is, so long as you’re a member of the RANT community, absolutely zilch.

So why is face-to-face networking important? In a digital age where conversations occur over screens, where we can comfortably ring one another wherever we may be, send a tweet and get a tweet back almost instantaneously, it could be argued that such events are redolent of a bygone era.

Which would be a huge mistake. Human beings are, after all, sociable creatures – actual human interaction, as opposed to virtual relations, is almost innate, part of our DNA. Furthermore, 80 per cent of our communication – in fact, some studies suggest as much as 90 per cent – is non-verbal.

That in itself, without the need for me to elaborate, speaks volumes. An informal chat with one of your peers at an event like RANT, beer in hand, in comfortable surroundings, is conducive to creating a productive environment. Not to mention the invaluable face-time with the Acumin consultants who have their ear to the ground on all industry developments every month before RANT.

There’s the classic saying that “it’s not what you know, it’s who you know”. A classic for a reason, there is, of course, a semblance of truth in the maxim, but we like to go one step further and come up with a modified version:

“It’s what you know and who you know combined that provides you with a strong foundation.”

From that foundation the opportunities are abundant. You just have to look for them, be amongst your fellow professionals and get talking.

Let’s get ranting at RANT…impassionedly of course.

A little RANT Poetry!

I think I would call this fan mail! Thanks to all our RANT (Risk and Network Threat Forum) members for your dedication and support over the years.
Come and join our RANT,
Come expound your views,
There’s everything for risk folk,
From technology to news,
We get together monthly,
To drink and chew the fat,
We listen quite intently,
Now what’s so wrong with that?
A speaker with a slide show,
Stands up and takes the floor,
If the subject piques our interest,
We won’t show them the door,
But heckling is so de rigueur,
Within our fabled band,
We stand and shout opinions,
With a pint held in our hand,
So tell your friends; come one, come all,
Come join the RANT and have a ball,
If you have heard the clarion call,
If Managed risk is how you roll.