13 Scenes from an Irish Cybercrime Conference
Hackers Flock to Dublin For Briefings, Networking, Lock Picking
Information security professionals and students - as well as managers, executives and vendors - recently flocked to the Irish Reporting and Information Security Service's IRISSCON Cyber Crime Conference in Dublin (see Cybercrime Experts Hit Dublin).
The conference offered interesting contrasts with the Black Hat Europe conference in Amsterdam that preceded it earlier this month (see Black Hat Europe 2015: Visual Journal). For example, Black Hat Europe drew 1,500 attendees - a record for the conference - from 61 different countries for a variety of hands-on training and briefings over four days.
In comparison, the one-day IRISSCON is designed to be a more local event, organizer Brian Honan tells me, and cost only 25 euros ($26) per person, which is a fraction of the Black Hat ticket price. This year, the Irish Cyber Crime Conference attracted about 300 attendees - who mostly reside in Ireland - although that was also the maximum occupancy of the conference space at the Clyde Court Hotel, and Honan says there was a waiting list for attendees and last-minute flurry of people attempting to score tickets.
Here are some visual highlights from the event:
Warnings Remain Too Often Unheeded
Honan, who heads Ireland's computer emergency response team - IRISS - opens the conference with a warning that won't surprise anyone who's been following information security or cybercrime trends: The quantity of attacks is increasing, together with the sophistication of attackers (see Irish Cybercrime Conference Targets Top Threats). Unfortunately, he says, related warnings and recommendations to businesses to improve their security programs too often aren't heeded.
Indeed, he notes that his list of the top information security problems facing Irish organizations remains unchanged since at least 2012: poor passwords, missing patches, failing to fix common Web application vulnerabilities, outdated antivirus software and a lack of enterprise monitoring.
The Skinny on Skiddy Forums
Robert McArdle, threat research lead for Europe, the Middle East and Africa at security vendor Trend Micro, says the company's researchers spend a fair amount of time on script-kiddie - or skiddy - forums where participants often trade tools they might not completely understand how to use. Of course, no one is born knowing how to hack. But as McArdle puts it: "Today's idiot is tomorrow's supervillain."
For example, for $35 anyone can buy what he says is a "pretty good" keylogger - though it lacks the full features, functionality and support provided by the high-end kits available for hundreds of dollars via Russian cybercrime forums - via a social network called Hack Forums, which he characterizes as "a wretched hive of scum and villainy."
For anyone who doesn't get the reference: "If you don't know 'Star Wars,' it's probably a good time to catch up," he says. "The Internet will make much more sense."
This is the seventh annual IRISSCON, and the event also gives Irish law enforcement agencies a way to connect with security professionals and executives in attendance. And Inspector Michael Gubbins, part of An Garda Siochana - the Irish police - Computer Crime Investigations Unit, warns businesses about the rise in CEO fraud and online extortion attacks. He also urges organizations to liaise in advance with police, so that in the event of a breach or blackmail attempt, authorities could react more quickly and rapidly get their hands on the log data and other technical information required to launch a digital forensic investigation.
Capture the Flag
In a separate room from the briefings, the conference's capture the flag event draws 52 preregistered participants - 13 teams of four individuals - who compete to earn the most points throughout the day. Points get awarded whenever a team successfully takes control of one of 15 different servers, after which it then has to defend them against the other teams. Participants get proportionately more points for hacking the harder machines, and can also earn points for solving various puzzles or challenges, and even boost their score via the secure coding challenge or by successfully picking locks at the lock-picking table.
Attack, Defend, Repeat
The capture the flag event was organized by IBM employees Jason Flood and Brendan Lawless - who are both pursuing a Ph.D. in their spare time - and who got the day off work. Flood tells me the CTF event is not just about showing off technical skills - "you can go to the bar after, boasting about how you solved the problem" - but also serves as a networking and recruitment tool. "It's a great way to exchange skills and mindset," he says, adding that he walked around the entire day telling participants: "We're hiring, we're hiring."
Flood also tells me the ability to earn points in a variety of ways is meant to allow participants to "lift their heads up" once in a while and smell the roses. "We run for six hours, and to be honest it's mentally taxing," he says, "and in the last half hour, it switched leadership about four times, so it got pretty good this year."
Honan, meanwhile, says the event is also designed to convey to the non-security professionals - and especially executives - in attendance how even a teenager can often hack into a typically configured enterprise server in just 15 minutes.
Mastering Lock-Picking Skills
The conference's lock-picking workshop was run by Martin Mitchell, who tells me that he took a break from his day job - as an ethical hacker - to offer advice to budding lock pickers. Multiple conference attendees report sitting down at the table to give it a try for 15 minutes and then finding themselves still engrossed, several hours later.
Mitchell, who attends the conference after carrying a massive bag of locks across town on the bus, says he's running the workshop under the auspices of TOG, a communal "hackerspace" located in the city center of Dublin. He says the Dublin city council has given TOG carte blanche to pick, remove and keep any of the many "love locks" that have been blighting the city's renowned Ha'penny Bridge, which has been damaged as a result. He says detouring home via the bridge, with lock picks in tow, can be a great way to blow off steam after a long day at work.
Challenge: Secure Coding
To emphasize the importance of writing clean - and secure - code, training firm Secure Code Warrior runs a secure-coding challenge. Points accrued from the challenge can be applied to the capture-the-flag challenge.
Socially Engineering People
Beware trying to quickly change the "security culture" inside your organization. "Cultural change either comes cataclysmically or over time," says Jenny Radcliffe, who describes her job as socially engineering people. "I'm an ethical social engineer: I only hack you for your own good." By that she means that she advocates using the same sorts of psychological techniques that hackers will employ to socially engineer - a.k.a. trick - employees, only in the service of sharpening employees' information security acumen and resistance to such attacks.
Radcliffe says organizations need to be aware of who in their organization is disenchanted - "everyone from Snowden downwards was disenchanted - there were clues all over the shop" - and to do something about it, not least by attempting to prepare the organization and its people for being hacked. Making ample reference to the TalkTalk breach, Radcliffe warns that if organizations fail to prepare their culture, "you will invite the hack; you will get the hack that you deserve" (see TalkTalk Lesson: Prepare for Breaches).
Make Security Training Fun
Echoing Radcliffe's message, Lance Spitzner, the research and community director for the SANS Institute's "Securing the Human" program (see Security Awareness: Don't Forget the Fun Factor), urges attendees to deploy security awareness and education initiatives that are designed to be fun. And he advises information security experts in attendance to learn whatever soft skills they might need to better make that happen. "It's the curse of knowledge: the more of an expert you are at something, the worse you are at communicating it," he says.
What to Expect Next
Outlining many of the near-term security threats that enterprises will face, Rik Ferguson, vice president of security research at Trend Micro, urges attendees to ensure they are getting enough context about what's happening inside their organization. "Context is all-important when it comes to judging what is going on in your enterprise," he says. "One of your aims for near-term security is about trying to get ahold of as much context as possible," such as baseline network activity as well as indicators of compromise. That way, when there's evidence of a data breach, "you're coming to an informed decision and not just jumping to conclusions" in an information vacuum.
Echoing many of the other presenters throughout the day, he also urges organizations to ensure that they are fixing the types of simple, fundamental security flaws that make too many organizations so easy to hack, such as TalkTalk, which was reportedly breached by teenagers who exploited a SQL injection flaw. "SQL injection is absolutely unforgivable," he says.
Risk: You're Doing it Wrong
People are horrible at managing risk, says Thom Langford, CISO at French multinational advertising and public relations firm Publicis Groupe. To illustrate why, he asks attendees what they fear most: sharks or coconuts. Getting eaten by a great white is an obvious horror for many, but Langford notes that, statistically speaking, you're much more likely to be the victim of a coconut strike. "When you're sipping from a coconut while your friend is swimming in shark-infested waters, you're dicing with death, my friend," he says.
"For the @irisscert #irisscon attendees thinking of taking a break, this image is @ThomLangford's talk in a nutshell pic.twitter.com/MYm2VaAamu" - sir jester (@sirjester), November 19, 2015
Beyond the briefings and various challenges, conference organizer Brian Honan tells me that IRISSCON is designed above all to give the Irish information security community a chance to network, recruit, trade tips and simply keep in touch.
With 12 speakers, a lock-picking table, small business hall staffed by sponsors, the capture-the-flag competition and secure-coding challenge - amongst other happenings - it's a lot to pack into one day. But attendees' enthusiasm throughout the day - and well into the night - suggests that the event is a success on all fronts.
Photographs by Mathew J. Schwartz.