Saturday 13th July saw the sixth annual SteelCon conference held at Sheffield Hallam University. An annual meeting of security professionals new and old, the conference has established itself as one of the UK’s primary security meet-ups and speaker conferences.
This year, the focus of the talks covered a wide range of topics: from the technical “how to” style presentations on penetration testing and red teaming, to more community-based presentations on mental health, security management and attacker profiling. Infosecurity even got in on the act, giving an afternoon presentation on our recent State of Cybersecurity Report.
The first talk attended was “Our Mental Health Matters”, presented by Lizzy Higgins, who spoke openly about her own struggles with mental health, and about others who “struggle with mental health for all of their life, in and out of work.” Her clear message was “It’s ok to not be ok”: keeping up with the ever-evolving threats in cybersecurity is a real challenge, and too many people feel overworked.
Higgins also said there is a feeling that you have to be on Slack and reply to comments at all hours of the day, and this means a lack of sleep, which leads to burnout and stress, and ultimately people leaving their job.
She encouraged reducing stress through self-care, being more open about mental health and prioritizing it, managing time, and making sure you take time for yourself. “Slow down and keep calm is the last thing you want to hear, but remind yourself of these and unplug,” she said, and talk to your co-workers.
Asked what employers should be doing to better spot and deal with these issues, Higgins said employers should listen to their employees “as management need to come to the shop floor to know how much pressure people are under” and make them feel that their feelings are real, and that their feelings matter.
The next talk, “Weaknesses In Software Supply Chains”, was given by Sean Wright, who freely admitted at the start that there is “nothing new here” and that what he was presenting was “existing stuff”, but material he doesn’t see discussed that often.
He said software development has changed: “libraries are glued together” for a service, and instead of monolithic releases there is a continuous stream of release upon release. “So security resources are allocated on a continual basis.”
Wright said this is why there is a movement to “shift left” as deployment of software is often done “at a click of a button.”
Looking at some of the factors in the supply chain, Wright said open source “is not bad”, but the supply chain is a problem that needs to be examined and addressed: it brings in a lot of code, it is easy for an attacker to hide in, and security reviews are typically done once, in a phased manner.
Pointing at some examples, Wright said the British Airways attack could have been prevented if there had been a content security policy in place restricting what the page could connect to. Also, with the 2017 Equifax breach, Wright said this was “a result of companies not updating libraries”, as a flaw allowed an attacker to run code on the server. “If security is relying on one guy, you’re not doing your job, make sure you update and monitor,” he said.
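To make the content security policy point concrete, here is an added example (not code from the article or from Wright’s talk): a small evaluator for CSP source lists, applied to a loose policy beside a tightened one, showing which policy would stop a page from loading a script from, or sending data to, an origin the site owner never approved. All URLs, hostnames and policy strings are constructed.

```javascript
// Added example, not code from the article or from Sean Wright's talk: a small
// evaluator for Content-Security-Policy source lists that answers whether a
// page's CSP lets a <script> load from, or fetch()/XHR/sendBeacon connect to,
// a given URL. Handles 'self', 'none', '*', scheme-only sources ("https:") and
// host sources with an optional "*." prefix; nonces, hashes and 'unsafe-*'
// keywords are out of scope. All URLs and hostnames below are constructed.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources.map(s => s.toLowerCase());
  }
  return policy;
}
// Fetch directives fall back to default-src; with neither present the browser
// imposes no restriction at all.
function sourcesFor(policy, directive) {
  return policy[directive] || policy['default-src'] || null;
}
function sourceMatches(src, page, target) {
  if (src === "'none'") return false;
  if (src === "'self'") return target.origin === page.origin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return target.protocol === src;   // scheme-only
  const [scheme, rest] = src.includes('://') ? src.split('://') : [null, src];
  const host = rest.split('/')[0].split(':')[0];               // drop path and port
  if (scheme && target.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}
function allows(policyHeader, directive, pageUrl, targetUrl) {
  const sources = sourcesFor(parseCsp(policyHeader), directive);
  if (sources === null) return true;
  const page = new URL(pageUrl), target = new URL(targetUrl);
  return sources.some(src => sourceMatches(src, page, target));
}
const PAGE = 'https://shop.example/checkout';
const LOOSE = "default-src 'self' *";              // '*' makes 'self' meaningless
const STRICT = "default-src 'self'; script-src 'self' https://cdn.example; connect-src 'self'";
const INJECTED = 'https://untrusted.example/skim.js';
function demo() {
  return {
    looseLoadsInjected:  allows(LOOSE, 'script-src', PAGE, INJECTED),                     // true
    strictLoadsInjected: allows(STRICT, 'script-src', PAGE, INJECTED),                    // false
    strictLoadsCdn:      allows(STRICT, 'script-src', PAGE, 'https://cdn.example/ui.js'), // true
    strictPostsOut:      allows(STRICT, 'connect-src', PAGE, 'https://untrusted.example/c'), // false
    noPolicyLoadsAny:    allows('', 'script-src', PAGE, INJECTED),                        // true
  };
}
```

The `connect-src` check is the one that matters for data leaving the page: a policy that only pins `script-src` still lets an already-running script post form contents anywhere.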
The subject of mental health came up again, when Saskia Coplans and Alastair O’Neill from Digital Interruption presented on “The Internet Is Broken And So Are We.” They covered the basics of information governance, how this fits into information security, how it is about processes, and how to govern information and policy.
They said that “Stress leads to burnout, burnout leads to quitting, quitting leads to a skills shortage”, and said that, in the case of external work, if a test is embedded the input is more interesting and it can be done by a smaller team in shorter time scales.
As a company, Digital Interruption had implemented five pledges: unlimited personal days; no forced on-site work; realistic utilization; flexible working; and no bosses. Coplans said that they were fostering an inclusive environment, as while breakout areas with nerf guns and snooker tables can be fun for some, they can be distracting for others. “As a community we can say we’re tired and you don’t need to set up your own company to have autonomy, and there are enough of us to say we don’t want to do it any more,” they said.
The first talk of the afternoon session was presented by Dan Nash and discussed “Can An Open Internet Fight Extremism?” Pointing at the case of the New Zealand shootings from March, Nash - who made it clear he was not representing the views of his employer - asked what we can do better to stop this. As the internet was created as “the front line in freedom of expression”, there has to be more of a discussion on how to protect victims and still keep the internet open.
He pointed at previous examples of extremist views, such as the Nuremberg Files, where anti-abortionists doxed doctors, and white supremacist groups who used internet forums for recruitment and posting of ideology.
However, the introduction of “Web 2.0” and social media enabled websites to scale up their user base, and now with “Web 3.0”, services use feedback from user behavior to improve quality. We are now seeing more “centralization”, where we rely on authorities to provide internet services where once there was a collection of decentralized ideas. “Companies are there to make money and not to stop extremists,” Nash said.
He said that while there have been some examples of extremist sites and terrorist cells being shut down, we have “not crushed any white supremacist movement and it is still there as it was in the 2000s.”
He concluded by saying this was not about criminalizing speech, but what role the service provider can provide, and what role the social networks can play.
The concluding presentation came from four members of the Beer Farmers collective: Andy Gill, Ian Thornton-Trump, Mike Thompson and a second appearance of the day for Sean Wright. In the talk “Rage Against The FUD”, the four presented cases where security verged into stupidity. This included the case of the Bitfi, which had claims of it being unhackable with a $500,000 bug bounty put on it, and John McAfee acting as an advocate of it.
Also highlighted was Trustify, which had published reasons why Let’s Encrypt certificates, and free SSL certificates in general, were not good, while issues around blockchain, AI and machine learning, and zero-day and bug disclosure were also featured.
The day concluded with the announcement that over £2000 had been raised for the nominated charity, Birmingham St Mary’s Hospice where researcher and SteelCon champion Mike Kemp had spent the last few months of his life before he passed away earlier this year.
Overall this was the third time that Infosecurity had attended SteelCon, and the second time as a speaker, and this remains an excellent conference with a great mix of content.