2010-12-01
Abstract
Helen Martin reports from the first VB Seminar in London.
Copyright © 2010 Virus Bulletin
For more than 20 years, Virus Bulletin has run the annual international Virus Bulletin conference, allowing experts in the anti-malware field to share research interests, discuss methods and emerging technologies, as well as network with their peers and meet with those who put their technologies into practice in the real world.
From very positive delegate feedback at these international security events grew the concept of a series of small, one-day seminars. As a result, last month saw the inaugural VB Seminar in central London, UK.
The Seminar was held at the historic Institute of Engineering and Technology (IET) – the foundation stone of which was laid by Queen Victoria – on the banks of the River Thames in the heart of the capital. Despite its historic pedigree, the venue’s facilities were perfect for our needs, providing a modern, yet intimate space for the seminar sessions.
With snow forecast for much of the country, the organizers breathed a sigh of relief when all the speakers and delegates reached the venue safely on a cold morning in late November, and the bad weather stayed away long enough for the day’s proceedings to run uninterrupted.
Alex Shipp kicked off the programme with a look at targeted attacks and digital espionage, detailing some of the social engineering tricks used by attackers and the crafty ways in which they get their malware past security barriers. He gave an indication of the types of organization most likely to be affected and some tips on how companies can defend against such attacks, advising IT security professionals above all to stay vigilant.
Next up, DC Bob Burls of the Police Central e-Crime Unit presented an overview of botnets, explaining how they have evolved, what they are capable of, and how they are currently being used in the criminal world. He highlighted the importance of collaboration between the IT industry and law enforcement, emphasizing that it is vital for security incidents to be reported to the police in order for them to build up evidence against the perpetrators.
ESET’s Juraj Malcho was next to take to the podium, bringing a slightly more technical flavour to the proceedings with a look at the various vulnerabilities that have been in the news this year – of course devoting a fair portion of his time to discussing the headline-hitting Stuxnet vulnerabilities.
After a brief break for coffee, Andrew Lee stepped up to highlight the many ways in which social engineering can trick users into giving away valuable information, and what impact that can have on an enterprise. During his presentation Andrew ran some live demonstrations, including one in which he used Firesheep to expose delegates using the venue’s free WiFi connection who had left their Facebook sessions open. He concluded that social networking is the single biggest threat facing computer users today – there was a murmur of agreement from members of the audience.
Bryan Littlefair, CISO of the Vodafone Group, was next to take the stage. As one of the world’s largest organizations and best-known brands, Vodafone typically suffers 1,000 DDoS attacks per month, and the organization invests more than £300 million in security globally. Bryan shared some of the strategies and programmes that have worked for the company, stressing that a successful security team should support the business rather than block new initiatives, and must operate strategically.
The last of the morning’s presentations came from David Evans of the Information Commissioner’s Office (ICO), who presented the ICO’s view on data security. David highlighted the results of a survey in which protecting personal information was shown to be a greater public concern in the UK than the NHS and national security. (He pointed out that, inevitably, the same people expressing concern about their personal data would be posting status updates and detailed information on Facebook, Twitter, et al.) David outlined the ICO’s roles, policies and procedures, and his advice for reducing privacy risk was to use personal information only where strictly necessary, and to adopt a ‘data minimization’ approach.
A lunch break followed, in which delegates were able to relax, network, and appreciate the stunning views from the IET’s Riverside Room – indeed several braved the chill to step out on the terrace for a better view of the Thames.
After lunch, delegates returned to their seats in time for IBM’s Martin Overton to start the afternoon’s proceedings with a look at how to detect the unknown. He presented an overview of the tools, tricks and techniques that can be used to help establish the true state of a suspect system.
Richard Martin of the UK Payments Administration followed, with a look at the lessons learned from online banking attacks. UK bank brands were targeted by 7,000 phishing attacks in October 2010, and surveys indicate that the number of users who click the links contained in phishing emails, or otherwise act on them, has increased over the last five years – with under-24s twice as likely to act on them as other age groups. Richard’s advice to other businesses was to expect the full attention of criminals, not to assume that the challenge ends at the perimeter, and overall to expect the unexpected – with banks having learned a lot over the last few years, he asked: what happens when the bad guys move on to easier targets?
Sophos’s Graham Cluley rounded off the day’s presentations in his trademark flamboyant style with another look at the security risks of social networks. In an illustration of just how easy it is for attackers to gather detailed information from these sites – and how little regard users have for the risks of sharing personal data – he reported the results of an experiment in which two fictitious Facebook users were created: 21-year-old ‘Daisy Felettin’ and 56-year-old ‘Dinette Stonily’. Each sent out 100 friend requests to randomly chosen Facebook users within their age group, and after just two weeks 95 strangers had chosen to become friends with either Daisy or Dinette. Within the older age group there were even eight Facebook users who had befriended Dinette without having received an invitation from her. Of those who accepted the friend request, 89% of the younger age group and 57% of the older age group revealed their full date of birth, while 46% of the younger group and 31% of the older group gave away personal information about their friends and family. Graham reiterated Andrew Lee’s conclusion from earlier in the day – that social networks are the greatest threat facing computer users today.
Finally, to bring the event to a close, delegates posed their questions to a panel of the day’s presenters. The experts squeezed onto the stage with the questions and answers deftly coordinated by Sophos’s Stuart Taylor.
Overall, the seminar was a resounding success. Without exception, the presentations were engaging and informative, and a good mix of delegates from UK businesses and government organizations made for some excellent networking opportunities. We hope to be able to repeat the event in the not too distant future, so watch out for details.