Sec-1 Seminar

I recently attended a seminar on security presented by Holly at Sec-1 – she started with external, covering off injection attacks, pivoting to internal systems, and then talked about compromising from the inside. She also went through some interesting stuff about physical access to buildings and in particular server rooms.

It was a good talk, and I thoroughly enjoyed hearing what she had to say and seeing some ‘live’ attacks. Holly gave some great tips about things that can be done to further secure existing networks (which I’ll probably go away and do now), but in addition to that she did effectively say that she’s managed to get access into any system she’s tried; a bit like a domestic burglary, if someone wants what you have badly enough, they’ll find a way to get it.

What’s particularly interesting about the new wave of information attacks is that, due to the number of automated tools now available, one doesn’t have to be an expert to be able to get some data out of a system and have a good root around – almost anyone can do it.

For me though, the biggest takeaway was about password re-use. Holly mentioned watering hole attacks in particular: why bother breaking into a company when you can instead target a website that its staff use, break into that, and find that the vast majority of users have re-used the same password on the site you’ve accessed as on their company network.

Of course there’s a nice little xkcd comic all about it.

The only drawback was that they took us to the less-nice Marriott in Bristol…


Cyber Essentials

In line with plans from a few years ago, and a recent drive from government departments, I’ll be leading the organisation through our attempts to become Cyber Essentials accredited, first the ‘normal’ version, and then hopefully on to the ‘Plus’ version shortly after.

The good news is that we have a lot of the infrastructure in place to enable this to happen, so the changes will be in the majority about process and people rather than about redeveloping what we already have.