Infosecurity

The Rise of the Threat Hunter: Proactive Cyber Defense for Modern Businesses

Cyberattacks are no longer a question of if, but when. For many organizations, the first sign of a breach comes from an external source—a customer, a partner, or even law enforcement. This reactive stance is costly, both financially and reputationally. As a result, a growing number of businesses are turning to a specialized role: the threat hunter. This professional doesn’t just wait for alarms to sound; they actively seek out vulnerabilities before attackers can exploit them. In this article, we explore how to identify and integrate a threat hunter into your cyber defense strategy.

Why Traditional Incident Response Falls Short

Most security teams focus on prevention and incident response—building walls and cleaning up after a break-in. However, this approach leaves a critical gap. According to recent data, over two-thirds of large UK businesses experienced a cyberattack in the past year, yet many only discovered the breach through a third party. This delay in detection can mean weeks or months of undetected activity, during which sensitive data is exfiltrated and systems are compromised.

Building on this, the costs of a delayed response are staggering. Beyond immediate financial losses, companies face regulatory fines, legal fees, and long-term brand damage. Therefore, a purely reactive strategy is no longer sufficient. Organizations must shift toward proactive detection and rapid containment.

What Is a Threat Hunter and How Do They Operate?

A threat hunter is a cybersecurity specialist who adopts an attacker’s mindset to uncover hidden threats. Unlike traditional security analysts who rely on automated alerts, threat hunters manually probe networks, systems, and applications for signs of compromise. They look for anomalies—unusual network traffic, unexpected file changes, or suspicious user behavior—that might indicate a breach in progress.

Think of them as an internal penetration tester, but with a continuous, ongoing mission. Instead of a one-time audit, they provide persistent vigilance. This proactive approach helps organizations identify weaknesses before cybercriminals can act. As a result, businesses can reduce the dwell time of attackers, minimizing damage and recovery costs.

Key Skills Every Threat Hunter Must Have

To be effective, a threat hunter needs a broad and deep technical skill set. They should understand network architecture, operating systems, application security, and common attack vectors. But technical know-how alone isn’t enough. The best threat hunters possess strong analytical thinking and curiosity—they ask “what if” and follow trails that others might ignore.

Furthermore, they must be adept with tools like SIEM platforms, endpoint detection and response (EDR) systems, and threat intelligence feeds. However, the human element remains crucial. Machines can flag anomalies, but only a skilled analyst can interpret context and prioritize threats.

How to Identify the Right Threat Hunter for Your Team

Finding a qualified threat hunter can be challenging, especially for small and medium-sized businesses (SMBs) with limited budgets. The ideal candidate has hands-on experience across multiple domains: network defense, malware analysis, forensics, and incident response. They should also be certified in relevant fields, such as CISSP, CEH, or GIAC.

For larger organizations, the investment often pays off quickly. A dedicated threat hunter can significantly reduce the time to detect and respond to incidents. This means fewer successful breaches and lower overall risk. To start, consider promoting from within—train your existing security analysts in advanced hunting techniques. Alternatively, partner with a managed security service provider (MSSP) that offers threat hunting as part of its portfolio.

For more insights on building a resilient security team, check out our guide on cyber defense team building.

Integrating Threat Hunting into Your Cyber Defense Strategy

Once you have a threat hunter on board, integration is key. They should work closely with your incident response team, sharing findings and improving detection rules. Regular hunting sessions—whether daily, weekly, or monthly—should be scheduled based on your risk profile. Additionally, threat hunters can help refine your security monitoring by identifying gaps in coverage.

Another critical aspect is collaboration. Threat hunters should feed their insights into your broader security operations center (SOC). This creates a feedback loop: hunting reveals new indicators of compromise (IoCs), which are then used to update detection signatures. Over time, this continuous improvement makes your entire defense more robust.
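The hunt-to-signature loop just described, worked through in code as an added example (this is not code from the original article). It assumes a constructed, space-separated logon log with the fields timestamp, source IP, account and target host; all hostnames, account names, IP addresses and the "more than two distinct hosts" hunting threshold are constructed or assumed values a hunter would tune against their own environment's baseline.

```python
"""Hunt -> IoC -> detection-rule loop over constructed authentication logs.

Added example, not code from the original article: the log lines, hostnames,
account names and IP addresses below are all constructed sample data."""
from collections import defaultdict
import re

# Constructed sample window, one successful logon per line.
# Assumed format: <timestamp> <source_ip> <account> <target_host>
HUNT_WINDOW = """\
2024-05-01T08:01:10Z 10.0.5.21 alice ws-ops-01
2024-05-01T08:03:42Z 10.0.5.21 alice ws-ops-01
2024-05-01T08:05:09Z 10.0.5.30 bob ws-fin-02
2024-05-01T08:07:55Z 10.0.9.77 svc-backup srv-file-01
2024-05-01T08:08:13Z 10.0.9.77 svc-backup srv-file-02
2024-05-01T08:08:40Z 10.0.9.77 svc-backup srv-db-01
2024-05-01T08:09:02Z 10.0.9.77 svc-backup srv-web-01
2024-05-01T08:09:31Z 10.0.9.77 svc-backup ws-ops-01
2024-05-01T08:12:00Z 10.0.5.30 bob ws-fin-02
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log_text):
    """Parse log lines into dicts; lines not matching the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, account, host = m.groups()
            events.append({"ts": ts, "src": src, "account": account, "host": host})
    return events


def hunt_lateral_spread(events, max_hosts=2):
    """Hunting query: accounts that logged on to more distinct hosts than
    max_hosts inside the window. max_hosts is an assumed threshold; a real
    hunt would set it from the environment's observed normal behaviour."""
    hosts_by_account = defaultdict(set)
    sources_by_account = defaultdict(set)
    for e in events:
        hosts_by_account[e["account"]].add(e["host"])
        sources_by_account[e["account"]].add(e["src"])
    findings = []
    for account, hosts in hosts_by_account.items():
        if len(hosts) > max_hosts:
            findings.append({
                "account": account,
                "hosts": sorted(hosts),
                "sources": sorted(sources_by_account[account]),
            })
    return findings


def iocs_from_findings(findings):
    """Turn hunt findings into concrete indicators the SOC can match on."""
    iocs = {"accounts": set(), "source_ips": set()}
    for f in findings:
        iocs["accounts"].add(f["account"])
        iocs["source_ips"].update(f["sources"])
    return iocs


def build_detection(iocs):
    """Compile the IoCs into a detection rule: a predicate over parsed events."""
    accounts = frozenset(iocs["accounts"])
    ips = frozenset(iocs["source_ips"])

    def rule(event):
        return event["account"] in accounts or event["src"] in ips
    return rule


def detect(log_text, rule):
    """Apply a detection rule to new log lines; returns the matching events."""
    return [e for e in parse(log_text) if rule(e)]


# Constructed later traffic: the flagged source IP reappears under a different
# account, and the flagged account appears from a new source.
NEW_TRAFFIC = """\
2024-05-02T09:00:00Z 10.0.5.30 bob ws-fin-02
2024-05-02T09:01:12Z 10.0.9.77 carol ws-hr-03
2024-05-02T09:02:45Z 10.0.6.14 svc-backup srv-db-02
"""


def run_loop():
    """One full turn of the loop: hunt, extract IoCs, update detection, apply it."""
    findings = hunt_lateral_spread(parse(HUNT_WINDOW))
    iocs = iocs_from_findings(findings)
    rule = build_detection(iocs)
    return findings, iocs, detect(NEW_TRAFFIC, rule)


if __name__ == "__main__":
    findings, iocs, hits = run_loop()
    print("hunt findings:", findings)
    print("IoCs:", iocs)
    print("detections on new traffic:", [(h["ts"], h["account"], h["src"]) for h in hits])
```

The point of separating `hunt_lateral_spread` from `build_detection` is the feedback loop itself: the hunt is a one-off, analyst-driven question over a window of data, while the rule it produces is cheap enough to run continuously in the SOC, and the next hunt starts from whatever the rule did not catch.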

Learn more about optimizing your SOC with our article on SOC optimization tips.

The Future of Threat Hunting: A Core Defense Component

As cyberattacks grow in frequency and sophistication, the role of the threat hunter will become indispensable. Already, industry surveys show that organizations with dedicated hunters detect breaches 50% faster than those without. In the coming years, we can expect threat hunting to evolve with artificial intelligence and machine learning, automating some aspects while still relying on human intuition.

For now, the message is clear: waiting for an attack to happen is no longer viable. By embracing proactive threat hunting, businesses can shift from damage control to genuine prevention. Whether you hire in-house or outsource, the investment in a threat hunter is an investment in your organization’s future security.

For more details on implementing advanced security measures, read our resource on advanced cybersecurity measures.

World Cybersecurity Congress 2017: A Day of Revelations and Future Directions

The World Cybersecurity Congress 2017, held at Islington’s Business Design Centre, brought together experts from diverse sectors to tackle pressing issues in the field. With a packed schedule of sessions and discussions, the first day offered a wealth of insights into current trends, challenges, and innovative solutions. Here’s a look at the key takeaways from this pivotal event.

Opening Keynote: Redefining Cybersecurity

The day kicked off with a thought-provoking keynote that examined cybersecurity trends and frameworks. The speaker challenged conventional thinking by defining cyber not just as technology, but as the integration of people, processes, and tools. A historical example illustrated this: Alan Turing’s work at Bletchley Park during World War II. Turing recognized that the German Enigma machine’s technology was nearly unbreakable, so he focused on human vulnerabilities, using early phishing-like tactics to exploit operator errors.

This session also highlighted how cyberspace has reshaped our world. Traditional geography no longer applies, yet cyber jurisdictions remain rooted in old boundaries. The internet has created a new social order, enabling unprecedented interactions while amplifying global disparities. Geopolitics now plays a growing role in the cyber domain, adding complexity to defense strategies.

Cyber Defense Frameworks: What’s Going Wrong?

The keynote didn’t shy away from critiquing current approaches. Many organizations are still defending the wrong assets—focusing on the perimeter—and responding after attacks occur. Blame often falls on technologists, when the real issue is a lack of strategic alignment. To improve, the audience was urged to design defensible systems, invest in human expertise, and exercise all available powers of defense.

As the World Cybersecurity Congress 2017 progressed, a panel discussion delved into cybercrime’s economic impact. Panelists debated whether government regulation of the IT industry is necessary. Some argued for regulation to ensure accountability, while others warned it could stifle innovation and face enforcement challenges due to the skills shortage. The consensus leaned toward self-regulation, where market forces drive vendors to prioritize security, much like consumers choose reputable car brands.

The Shift to Self-Learning Networks

One of the most compelling sessions explored the evolution of cyber defense toward self-learning, self-defending networks. The threat landscape is changing rapidly, with attackers using AI and machine learning to bypass legacy tools. In response, the concept of an enterprise “immune system” was introduced, modeled after the human body’s ability to adapt to unknown threats.

This approach uses unsupervised machine learning to autonomously learn an organization’s normal patterns, detect anomalies with full visibility, and quantify risks mathematically. By understanding patterns of life for users and systems, companies can gain a richer view of network activity and respond proactively.
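As an added illustration of what "learning patterns of life" and "quantifying risk mathematically" can mean in practice (this is example code written for this page, not from the article or from any vendor's product), the block below builds a per-user baseline from unlabelled history and scores new events by how far they deviate from it. The users, hosts, event history, the three features used (hour of day, host, kilobytes sent out), the z-score floors, the new-host penalty and the 4.0 alert threshold are all constructed or assumed values.

```python
"""Per-user 'pattern of life' baseline learned without labels, plus a numeric
anomaly score for new events.

Added example, not from the original article or any vendor product. The
events, users, hosts, weights and thresholds below are constructed/assumed."""
from collections import defaultdict
import math

# Constructed history: (user, hour_of_day, host, kilobytes_out)
HISTORY = [
    ("alice", 9, "ws-ops-01", 120), ("alice", 10, "ws-ops-01", 90),
    ("alice", 11, "ws-ops-01", 150), ("alice", 14, "srv-file-01", 200),
    ("alice", 15, "ws-ops-01", 110), ("alice", 16, "srv-file-01", 130),
    ("bob", 8, "ws-fin-02", 300), ("bob", 9, "ws-fin-02", 280),
    ("bob", 12, "srv-db-01", 500), ("bob", 13, "ws-fin-02", 320),
    ("bob", 17, "ws-fin-02", 260),
]


def mean(xs):
    return sum(xs) / len(xs)


def stddev(xs):
    m = mean(xs)
    return math.sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def learn_baseline(history):
    """Unsupervised step: summarise each user's usual hours, hosts and outbound
    volume from the data alone, with no labels and no hand-written rules."""
    by_user = defaultdict(list)
    for user, hour, host, kb in history:
        by_user[user].append((hour, host, kb))
    profiles = {}
    for user, rows in by_user.items():
        hours = [r[0] for r in rows]
        kbs = [r[2] for r in rows]
        profiles[user] = {
            "hour_mean": mean(hours), "hour_std": stddev(hours),
            "hosts": {r[1] for r in rows},
            "kb_mean": mean(kbs), "kb_std": stddev(kbs),
        }
    return profiles


def zscore(x, m, s, floor):
    """Distance from the mean in standard deviations. The floor (an assumed
    value) stops a near-constant feature from producing a huge score."""
    return abs(x - m) / max(s, floor)


def score_event(profiles, user, hour, host, kb, new_host_weight=3.0):
    """Risk score = sum of per-feature deviations, plus a fixed penalty
    (assumed weight) for a host this user has never been seen on."""
    p = profiles.get(user)
    if p is None:
        return {"score": math.inf, "reasons": ["user absent from baseline"]}
    reasons = []
    z_hour = zscore(hour, p["hour_mean"], p["hour_std"], floor=1.0)
    if z_hour > 2.0:
        reasons.append("unusual hour")
    z_kb = zscore(kb, p["kb_mean"], p["kb_std"], floor=50.0)
    if z_kb > 2.0:
        reasons.append("unusual outbound volume")
    novelty = 0.0
    if host not in p["hosts"]:
        novelty = new_host_weight
        reasons.append("host never seen for this user")
    return {"score": z_hour + z_kb + novelty, "reasons": reasons}


def rank_events(profiles, events, threshold=4.0):
    """Score a batch and return (user, hour, host, score, reasons, alert)
    sorted by descending score; the threshold (assumed) marks which events
    an analyst should look at first."""
    scored = []
    for user, hour, host, kb in events:
        r = score_event(profiles, user, hour, host, kb)
        scored.append((user, hour, host, r["score"], r["reasons"], r["score"] >= threshold))
    scored.sort(key=lambda t: t[3], reverse=True)
    return scored


# Constructed new events to score against the learned baseline.
NEW_EVENTS = [
    ("alice", 10, "ws-ops-01", 100),   # ordinary for alice
    ("bob", 12, "srv-db-01", 480),     # ordinary for bob
    ("alice", 3, "srv-db-01", 2000),   # 03:00, never-seen host, large upload
]

if __name__ == "__main__":
    profiles = learn_baseline(HISTORY)
    for row in rank_events(profiles, NEW_EVENTS):
        print(row)
```

The score is deliberately explainable: each reason string names the feature that pushed the event over its threshold, which is what the analyst needs when deciding whether a high score is an intrusion or a legitimate change in someone's working pattern that the baseline should absorb on its next retraining.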

CISO Strategies: Aligning Security with Business Goals

The final session focused on CISOs and how to secure cybersecurity budgets. Common challenges include quantifying risk, enumerating spending needs, and ensuring funds target the right areas. The solution lies in making security frameworks consistent, repeatable, and measurable over time. This requires knowing the current state and defining a target state for the future.

Building on this, CISOs must align their initiatives with business processes that resonate with the board. Clear communication of strategic priorities is essential. The takeaway: boards must care about security, and it’s the CISO’s role to make that responsibility clear.

For more on cybersecurity trends, check out our insights page or explore resources for security leaders. The World Cybersecurity Congress 2017 underscored the need for adaptive, human-centric strategies in an ever-evolving digital landscape.

GDPR Compliance: Is It Becoming Mission Impossible for Businesses?

The question of GDPR compliance challenges continues to dominate conversations across the information security industry. As the regulation reshapes how organizations handle and store data, many are wondering if the task is simply too daunting. Recently, four industry experts gathered to dissect the most pressing issues surrounding this landmark regulation.

Jaspreet Singh, CEO and founder of Druva, a cloud delivery vendor, noted that GDPR introduces multiple factors affecting cloud operations. He stressed that compliance is non-negotiable for anyone working in the cloud. Singh highlighted four critical areas: data location, sensitive information identification, breach notification, and the right to be forgotten. The right to be forgotten, he argued, poses a significant challenge for data processors who maintain multiple copies of data. Cleaning up systems to comply can feel almost impossible.

Where Is My Data? The Core Concern for GDPR Compliance

One of the most persistent GDPR compliance challenges revolves around data location. Steve Maltby, director of sales at Oriium, pointed out that when data moves beyond the corporate perimeter, knowing exactly where it resides becomes difficult. He emphasized the need to enforce policies on endpoint devices, working closely with partners to track data.

Neil Stobart, global technical director of Cloudian, highlighted a transatlantic complication. In the United States, there is no single federal data protection law, leaving companies to do their best. This approach conflicts directly with GDPR’s stringent requirements. Stobart warned that using US-owned data centers raises concerns, as any entity can be subpoenaed. The European Union remains uneasy about this, especially after the collapse of the Safe Harbor framework. He noted that a Canadian data center provider is already offering services to US companies, bypassing some of these issues.

Darron Gibbard, chief technology security officer at Qualys, offered a glimmer of hope. Although Privacy Shield fell apart, the model clauses within it remain valid. Organizations can still use these clauses to protect data leaving the EU via cloud or other mechanisms. This provides a potential path forward for cross-border data transfers.

Will GDPR Make Businesses Care More About Data Location?

Stobart expressed doubt that smaller businesses fully grasp what GDPR requires. He believes many lack the resources to understand and implement the necessary measures. Gibbard, drawing on his experience in financial services, noted that legal teams often drive GDPR initiatives. The C-suite focuses on the potential fines, which can reach up to 4% of global annual turnover. This financial threat has sparked early conversations about identifying data both inside and outside the organization.

Gibbard described the process of mapping data as one of the most time-consuming tasks for information security teams. It involves working through the entire supply chain, including third and fourth parties, to understand end-to-end data usage. Ensuring data stays within the EU adds another layer of complexity. Many organizations will struggle to complete this mapping exercise effectively.

How Prepared Are Businesses for GDPR Compliance?

When asked about readiness, Gibbard estimated that only 10% of businesses are truly prepared for GDPR compliance challenges. Stobart agreed that heavily regulated industries will likely be ready, but smaller enterprises will face significant hurdles. He also raised concerns about the lack of clarity on when a data protection officer is required. Until a minimum employee number is established, this remains an unresolved issue.

Stobart shared an anecdote about a business owner who initially calculated that the fine for non-compliance was less than the cost of implementation. He decided to take the risk. However, after reconsidering the potential financial and reputational damage, he changed his mind. The fines, Stobart noted, are a powerful motivator—money talks. Gibbard added that brand impact is another critical factor. A public breach can erode customer trust far beyond any monetary penalty.

Will GDPR Set a New Standard for Data Protection?

Singh pointed out that US companies are already familiar with regulations like HIPAA. For them, GDPR may not represent a massive shift. He also noted that the FBI actively pursues companies that fail to report ransomware attacks or breaches. Non-disclosure can have cascading effects on other organizations and suppliers.

Gibbard observed that in financial services, standardized breach notifications exist through regulators like the FCA or PRA. However, public notifications are not yet common. Consumers want transparency: how is their data being handled, where is it going, and what happened if it is lost? The process of handling access requests will be a massive undertaking. Locating data across multiple systems—databases, emails, scanned documents—is no small feat.

Stobart described this task as “almost mission impossible.” He illustrated the point with a hypothetical scenario: a company receives a request from an individual named Neil Stobart. Running a single query might identify all scanned letters, but for a small company, this level of effort is unrealistic. This brings the discussion back to the fundamental challenge of data location.

Singh emphasized the need for processes that can identify and notify breaches promptly. Gibbard noted that breach notification timelines remain uncertain, with different countries implementing varying rules. Customers want to understand the “blast radius” of a compromise—what other systems or data were affected. Knowing where data resides is essential for this level of transparency.

In the end, the conversation circled back to the same point: understanding data location is the foundation of GDPR compliance. Without it, organizations cannot effectively respond to access requests, breach notifications, or the right to be forgotten. The regulation affects everyone, and there is no escaping its demands. For more insights on data protection strategies, read our guide on data protection best practices and explore our GDPR compliance checklist for actionable steps.

SecuriTay 6: Key Takeaways from Abertay University’s Premier Hacker Conference

On a stormy February day, I braved the winds of Storm Doris to travel north to Dundee for one of the UK’s most anticipated infosec gatherings: the SecuriTay 6 conference. Organized by Abertay University’s Ethical Hacking Society, this annual event has grown into a cornerstone for the hacking community. From seasoned researchers to curious students, the conference offered a packed schedule of talks that delved into the latest in information security.

Having attended major conferences like 44CON and BSides, I can attest that events like SecuriTay are vital for the industry. They provide a platform for emerging voices and fresh research, fostering a collaborative spirit that drives innovation. This year, with over 350 delegates and a 96% attendance rate, the conference proved its enduring appeal despite the challenging weather.

Active Directory Security: Lessons from the Field

The keynote speaker, Gavin Holt, an Abertay graduate and senior security consultant at NCC Group, kicked off the day with a deep dive into Active Directory security. Holt shared anonymized case studies from his penetration testing work, highlighting common misconfigurations that plague organizations of all sizes. He pointed out that many businesses share sensitive resources like C drives or use identical admin accounts, making it nearly impossible to track who did what.

In one striking example, Holt described a scenario where passwords and usernames were identical for critical business software. Another case involved a shared file containing complaints from the Information Commissioner’s Office. He concluded that while Active Directory remains ubiquitous, its flaws often stem from poor implementation rather than inherent weaknesses. This session set the tone for a day focused on practical security insights.

Fileless Malware: A Growing Threat

Next, I attended Peter Cowman’s talk on “Malware in Memory.” Cowman, a final-year ethical hacking student at Abertay, explained how fileless malware operates without touching the hard drive, instead residing in registry keys. He cited the Democratic National Committee data breach as a prime example, emphasizing that detection requires looking for unusual registry permissions and suspicious threads. This approach to fileless malware analysis is increasingly critical as attackers bypass traditional antivirus solutions.

Cowman’s presentation was a testament to the high-caliber research emerging from student-led initiatives. It also underscored the importance of conferences like SecuriTay in nurturing new talent in the cybersecurity field.

IoT Security Challenges: The Other Side

After a brief lunch break, I joined Jamie Hoyle, co-founder of Karambyte, for a compelling talk on IoT security challenges. Hoyle divided IoT vendors into two categories: those with proprietary IP and manufacturing, and those using white-labeled hardware without source code ownership. He argued that reporting bugs to the latter group is often futile, as they prioritize profits over security.

Describing the “IoT gold rush,” Hoyle noted that many manufacturers treat security as an afterthought because it doesn’t generate revenue. He highlighted the lack of accreditation bodies for IoT products and the difficulty of extracting firmware for reverse engineering. His key takeaway: every layer of the IoT stack, from device to cloud, must be secured, yet few manufacturers have the expertise to do so comprehensively.

Secure Messaging and the Threat Landscape

Later, I caught part of a talk on secure desktop messengers by David Wind and Christoph Rottermanner from the University of Applied Sciences in St. Pölten, Austria. They discussed the usability versus security trade-offs in tools like WhatsApp and Signal. In a survey of 28 users, 21 failed to verify messages during a man-in-the-middle attack, suggesting that current verification processes are too complex. They recommended changing terminology from “verify” to “show keys” to improve user understanding.

The closing keynote by Rafe Pilling, a senior security researcher at SecureWorks, brought the day to a sobering close. Pilling debunked myths about the “dark web,” noting that cybercriminals often work in small, localized teams rather than vast networks. He pointed to groups like Fancy Bear and Shamoon, emphasizing the persistence of advanced threats. His talk served as a reminder that the cyber threat landscape is constantly evolving.

In summary, the SecuriTay 6 conference was a resounding success, showcasing the best of ethical hacking and infosec. For those interested in similar events, check out our coverage of BSides London or Steelcon 2023 for more insights. The future of cybersecurity looks bright with such dedicated communities driving progress.
