Summary

The Council of Registered Ethical Security Testers (CREST), one of the UK's primary penetration testing certification bodies for individuals and organisations, is introducing CRESTx, a spin-off from their flagship conference CRESTcon. CRESTx was inspired by the success of TEDx, and brings short talks on big ideas to the domain of cyber security.

CRESTx Lancaster will provide a range of 5, 10 and 20 minute talks on cyber security challenges, assessment, and response. These talks will highlight cutting-edge research and industry best practices, and will draw on the multi-disciplinary approaches of Security Lancaster, Lancaster University's Centre of Excellence in Cyber Security.

 

Agenda

 

  • 09:00 - Registration and refreshments
  • 09:15 - William Knowles - Welcome: Security Lancaster
  • William will open the event and set the scene for the day's presentations.
     
  • 09:30 - Session 1: Personal Security and Privacy
  • Despite the enriching effect of the proliferation of technology into our everyday lives, it has come at the cost of the increased risk of personal security and privacy breaches. Personal data is no longer exposed only through devices on our person, but through the replication of this data across the internet. This session will highlight research that intends to address these challenges, including those arising from future research trends, such as home automation technologies.
  • Speakers:
    • Dr Alistair Baron - Dealing with Fake Digital Personas: Security Lancaster
    • One particular issue in policing online social networks is the ease with which users can create fake profiles (digital personas) and pretend to be somebody they are not. There are a variety of reasons why people choose to use fake profiles online, ranging from perfectly innocent motives such as identity exploration, to deception in order to commit serious crimes, e.g. adults masquerading as children for the purpose of grooming. Using Natural Language Processing and Machine Learning techniques, author profiling and authorship attribution tools have been developed which are able to compare the language use of different digital personas. It will be shown how, using these methods, it is possible to indicate when the same person may be behind multiple digital personas, and predict key demographic information about a user (such as age and gender) with high accuracy.

       

    • Dr Jose Such - Challenges for next generation SNS Privacy controls: Security Lancaster
    • The use of social networking services (SNSs) such as Facebook has explosively grown in the last decade. Despite their success, most users state being either 'concerned' or 'very concerned' about their privacy when using these services in surveys. In this talk, we will introduce the privacy problems that current SNSs have and the challenges for developing new generation privacy controls that can solve them.

       

    • Dr James Brown - Home Jamming: Security Lancaster
    • A plethora of communication protocols for home automation are currently in use. These protocols generally lack essential security features such as message authentication. Thus, smart homes are not protected against accidental or malicious message injection. This talk will discuss this topic and will describe how jamming can be used to prevent processing of unsolicited messages in smart homes.

       

  • 10:25 - Break and refreshments
  • 10:40 - Session 2: Critical Infrastructure Protection
  • Incident reports of attacks on critical infrastructures have increased rapidly over the past decade. This session will explore current and future approaches to ensuring their security and resilience against cyber threats. Challenges and responses to the integration of emerging technologies into critical infrastructures (e.g., cloud computing) will also be examined.
  • Speakers:
    • Dr Kevin Jones - Protecting the Critical National Infrastructure from Cyber Attack: The Requirements & Research Questions?: EADS Innovation Works UK, Homeland Security and CNI Protection
    • Securing the Critical National Infrastructure (CNI) from Cyber Attacks is the focus of significant global research amongst a background of increased attack vectors and growing interest from governments worldwide. This talk provides an introduction to the Supervisory Control And Data Acquisition (SCADA) systems that form the basis for CNI, and discusses the background and requirements for current research within the area of CNI Cyber Security. The aim is to foster discussion and opportunities through the use of real-world examples, an overview of the SCADA cyber security problem space, and current research directions including ongoing activities within EADS Innovation Works UK.

       

    • Dr Andreas Mauthe - PReSET: A Toolset for the Evaluation of Network Resilience Strategies: Security Lancaster
    • Computer networks support many of the services that our society relies on today; hence ensuring that networks are resilient against faults and challenges is crucial. Due to the constantly changing nature of threats, resilience strategies need to allow dynamic reconfiguration of networks, including resilience-specific functionality. However, this cannot be tested in live networks and thus it is important that resilience strategies are evaluated prior to their execution in order to ensure that new or adapted strategies will not exacerbate an on-going problem. To facilitate this activity, we have developed a toolset that supports the evaluation of resilience strategies that are specified as event-driven policies. The toolset couples the Ponder2 policy-based management framework and the OMNeT++ simulation environment. In the talk I will discuss the network resilience problem and motivate simulation as a suitable way to evaluate resilience strategies. Further, I will outline the developed toolset, including its architecture and the implementation of a number of resilience mechanisms, and will also present some initial results.

       

  • 11:40 - Video Presentation
  • 12:20 - Lunch
  • 13:15 - Video Presentation
  • 14:00 - Session 3: Governance, Risk Management and Compliance
  • An old adage says that you can't manage what you can't measure, but measurement of risk is increasingly difficult in the age of big data, expanding infrastructures, and blurring network boundaries. This session will address approaches to tackling these challenges under the umbrella of governance, risk management and compliance.
  • Speakers:
    • Stephen Robinson - Title: Xyone Cyber Security
    • Claire Hargreaves - Cyber Criminal Activity and Its Measurement: Security Lancaster
    • Our talk summarises the four key findings from our workshop held on the 18th April which explored the future of cyber criminal activity and addressed the actions required to tackle the perceived cybercrime wave. Key findings:
      1. Understand technology's role in cybercrime: We need to focus on the impact of technology not on the technology itself if we are to move forward in our understanding of cybercrime.
      2. Standardise data to further our data sources: Cybercrime data is currently fragmented, requiring standardisation to build its reliability and validity.
      3. Utilise mechanisms to capture data: Utilising both new and old mechanisms of data capture will develop our information base.
      4. Broaden analysis on cyber criminals and their victims: Developing an understanding of who criminals and victims are in terms of their characteristics will help to deliver appropriate interventions.

       

    • Tony Wilson - Using Google as a security tool: Indelible Data
    • For the US National Security Agency (NSA) to release an internal document entitled "A Guide to Internet Research" tells us that protecting our data from Search Engine savvy hackers should be an important component of our security regime.
      It is good security practice to know what information search engines, such as Google, have found about our business and made available to the entire world.
      Google's searching abilities are much more versatile than we may first think, allowing us to drill down into spreadsheets, word documents and a multitude of other file formats to find information that website owners never intended to make available.

       

  • 15:00 - Break and refreshments
  • 15:15 - Session 4: The Human Element of Cyber Security
  • Although cyber security exists in a virtual space, both cyber threats and their potential solutions can be found with an entity in the physical space: the human. This session will highlight ongoing research on the human element of cyber security. Topics that will be addressed include the socio-political challenges for cyber security, and how to best train and equip the next generation of cyber security specialists.
  • Speakers:
    • Hugh Boyes - Bridging the Cyber Security Skills Gap: The Institution of Engineering and Technology (IET)
    • With the increasing connectivity of a wide range of systems, ranging from the Smart Grid to the Internet of Things, there is a clear need to improve the cyber security and trustworthiness of a wide range of software applications and complex cyber physical systems. Hugh has been leading a project to set up the Cyber Security Skills Alliance, a collaboration between the IET, BCS, IISP, IAAC and e-skills UK. The Alliance aims to develop a number of initiatives to address the skills gap; the first initiative is a cyber security MSc sponsorship scheme. Hugh will outline a number of initiatives that are being planned by Alliance members, including the accreditation of cyber security degree courses.

       

    • David Ellis - Disrupting Online Groups: Security Lancaster
    • There has been a major societal shift towards communications that are not conducted face-to-face, but are instead mediated by interfaces such as mobile phones and social networking websites. This online communication is able to bring out the best (and sometimes worst) in people. For example, Wikipedia is the result of a collective who have never met. However, this interaction can also work against society; exemplified by groups such as Anonymous, who are able to function as a very effective, co-ordinated team. In light of these recent developments, we are currently investigating how online groups develop over time and how they might be disrupted. I will discuss some preliminary findings and consider how this research could be extended.

       

    • Lara Warmelink - Detecting Deception in Intentions: Security Lancaster
    • Finding methods to prevent crimes is among security research's foremost aims. One area of research that can contribute to this is deception detection. Currently at Security Lancaster, we are investigating two methods to detect deception about intentions: short interviews and reaction time tasks. Our research into short interviews aims to use our knowledge of detecting deception in investigative situations and adapt this for situations where large numbers of people must be assessed with relatively few resources. The use of reaction time based tasks in detecting hidden intentions has been promising so far and we hope further research may clarify the most efficient ways to use it. Some plans for expanding our research to include more varied technologies to detect deception will also be discussed.

       

    • Oliver Fitton - The Syrian Electronic Army: Security Lancaster
    • Emerging cyber threats are shaping human conflict in every corner of the globe. It is not only the developed cyber superpowers who are exploiting new methods to undermine their adversaries; today every conflict has a cyber dimension. My research focuses on the cyber aspects of the current Syrian conflict and how the conflict has spread beyond its borders and into the internet. This presentation will discuss the Syrian Electronic Army's role in the conflict and what we can learn from their development.

       

    • Ian Glover - Making Security a Profession: Council of Registered Ethical Security Testers
    • The presentation will address the problem of what we need to do to make IT security a real profession. It will discuss the requirements to have a professional base entry to the profession in line with other more mature industries, and describe what this base should include in terms of the subject areas and the levels that need to be achieved. It will also describe how this can be used to encourage more people into the industry and provide structured development pathways to support career development.

       

  • 16:20 - William Knowles - Close: Security Lancaster
  • William will close with a discussion of the day's key highlights.
  • 16:30 - Event Close