ID Cyber Solutions Conference Report — G3C 2023 (Mac's first event!)

08.12.23 09:15 AM By Keven Anderson

ID Cyber Solutions Conference Report — G3C 2023 (Mac's first event!)

Attending conferences is a crucial way our staff can keep up to date with cutting-edge research, be introduced to important new ideas and perspectives, and help inspire and support the next generation of cyber security professionals. Our ID Cyber Solutions Conference Report series aims to showcase some exciting and ground breaking ideas presented at these events.

Report by Iain ("Mac"), Cyber Essentials Assessor.

It was Saturday 4th November and I was at Glasgow Caledonian University for the Glasgow Caledonian Cyber Convention (or G3C). I must admit I was pretty nervous. This was my first conference, so I had no idea what to expect.

After fighting with the banner stands and laying out swag (as a sponsor, we had a stand at the event), I was ready to start networking.

Kick-off!

Yours truly, running the ID Cyber stand. Photo by Gerard Barrett

I had a lovely chat with folks at Quorum Cyber (one of the other sponsors) and great conversations with Dr Jackie Riley (the Head of Glasgow Caledonian’s Cyber Security and Networks department) and with students who were curious to know more about working in the cyber security industry. Our ID ‘Cybear’ mascot is always a great conversation starter, and students wanted to know more about who ID Cyber are and what we do.  Interestingly, I was asked by students about the perception of tattoos in a professional environment in 2023. (Your dearest author has quite a few!) Everyone I spoke to was lovely, especially so early in the morning before caffeine had hit our systems.

G3C is a multi-track event so I wasn’t able to attend all the talks. Keep an eye out for G3C channels to catch any of the talks I missed (or indeed those I saw!).

Stephen Rattigan — Work Smarter Not Harder: The Power of Automating Your Daily Tasks

First talk and it’s ID Cyber’s very own Stephen Rattigan presenting the key to ‘Work Smarter Not Harder: The Power of Automating Your Daily Tasks’.

Even though I get to watch Steve work his automation magic on a near-daily basis I had a blast watching and listening.Why does automation matter? Think about your daily tasks. It all takes time, it’s repetitive… and we’re human. We make mistakes!Steve wants to make life easier: maximise productivity without expending more of your precious time and energy to do so.

He posed the question ‘To automate or not to automate?’ Well, there’s a great acronym to determine if a process should be automated or not:

  • Consistent
  • Repeatable
  • Auditable
  • Processes

You can see that right? It’s CRAP.

If your automation doesn’t follow CRAP then it’s probably going to take more time/labour to implement than the task itself. In these scenarios it’s not worthwhile to automate. However, if it will increase productivity, efficiency, and consistency then consider automation.

Steve then detailed how he uses automation to help at work:

  • Auto disable caps lock (isn’t it a pain when you’re typing and it suddenly turns into SHOUTY MESSAGE?)
  • Snipping tool added to middle mouse click
  • Keyboard shortcuts for PowerShell commands that are tricky to remember

Warning! Like anything in IT or cyber security, automation carries risk:

  • Be wary of installing automation tools on company devices! Always ask permission.
  • Don’t use it for passwords.
  • Scripts can be flagged as malware.
  • ALWAYS have a kill key.
  • Be careful what you automate.

For more of Steve’s insights, including useful tools, check out his talk once recordings are released!

Steve's talk on automating your daily tasks. Photo by Alice McGready

Alice McGready — Communication Breakdown

Another one of ID Cyber’s talented roster, Alice provided a great insight into ‘Communication Breakdown’,  or the importance of conciseness, clarity, and the impact of typos.

It’s not just your pride that’s hurt when you send correspondence with typos – it can affect people’s perceptions, confidence, or trust in you! Even outwith an office environment they can have catastrophic effects. They could cause international or political incidents. For example: US military correspondence being leaked to private email addresses in Mali (.ML) instead of the military (.MIL); a nuclear test at the Sedan site in Nevada was erroneously reported as being carried out in Sudan, attracting worldwide attention; and finally, the Mariner 1 spacecraft didn’t even make it to orbit because of a typo!

Typos can cause reputational damage and lack of trust in your organisation. (This one is for the commuters and Glasgow locals!) Alice told a story in pictures about a junction near Cowcaddens where a sign is erected, falls, and remains there for at LEAST 7 years before it is replaced… and the replacement has one of Glasgow’s most well-known streets spelled incorrectly. It’s ‘Buchanan’ not ‘Buchannan’! That doesn’t exactly inspire trust in the local council.

Interestingly, 43% of recruiters listed spelling errors as sufficient grounds for immediate rejection. Can you imagine you’ve put “attention to detail” as one of your strengths?! (Don’t do that, by the way. You’re inviting people to look for a mistake!)

After providing a series of helpful tips on how to avoid typos (check out the recording when it’s released!), Alice leaves us with a contemplative call to action: You have to care. You are advertising yourself/your product or brand. Take pride in your work. Take pride in your words.

James & Chris Bore — Mixology, Multidimensional Information Spaces, and Security

Now, I was glad I was well caffeinated for this one. It was fascinating!

James presented us with information theory: Spaces where we can represent messages and ways to communicate effectively in the presence of noise (anything that can distort a message). A dimension can be anything, for example, any 3-letter message can be encoded in 3D space/3D vectors, and taste is a 6-dimensional space. It’s mixology time!

James plotted 41 different cocktails against six tastes: tart, bitter, sour, sweet, spicy, and salty.

Now we observe the archetype of cocktails, sharing similar characteristics yet entirely distinct! Anything that fits in boundary boxes could hypothetically be one of the archetypes but… it doesn’t necessarily make it the same. For example, the martini boundary-box is so ranged that anything could hypothetically be a martini.

But how does this relate to security? We have lists of attacks and exploitation methods using CAPEC & MITR-ATTK and we can classify APTs in a risk space, but cyber security has been slow to adapt to hyperdimensional standards which are used in other industries.

What issues do we face? Data normalisation (or cleaning) is the main sticking point and from this the industry needs to adapt and collect data in a way that is normalised. With regards to threat modelling, you can just assign numbers to things. James advised: “3 is better than ‘high’ because you can do maths at it!”

Scott McGready — This conference sucks

I’m going to be honest, I didn’t take a lot of notes here. If any of you know Scott, then you’ll understand why – if you don’t… Well, I don’t wait to spoil the delivery – you’ll need to watch the recording for that.

This conference sucks. There’s too many inside jokes, it’s all the same speakers, talks you want to see clash, it’s cliquey, there’s inexperienced speakers, it’s all just about networking.

He got us there…

Scott looking mischievous at the start of his talk... Photo by Gerard Barrett

You see, conferences suck if you make them suck!

There’s too many inside jokes? Ask for the context!

It’s all the same speakers? Volunteer to give a talk!

Talks you want to see clash? It happens!

It’s cliquey? It may seem that way but it’s because all of these people met each other at conferences!

There are inexperienced speakers? Everyone must start somewhere and there’s only one way to get better!

It’s all about networking? This is great. Speak to people. You’ll find out about jobs; you’ll meet interesting people from all walks of life. Networking is a good thing!

This conference sucks… if you make it suck.

That was fantastic, that was bonkers, that was so much fun! If you want to experience it, check out the recording when it’s released.

Cary Hendricks — That’s a Good Question, Kev

Last up, it’s the vanguard of ID Cyber Solutions, Cary Hendricks, presenting ‘That’s a good question, Kev’, amusingly named after a podcast where Cary would answer every one of his co-host’s questions in that same manner.

I wanna work in cyber – how do I get into it?

Firstly, what do you want to be? The careers within the industry are highly diverse. Everything isn’t penetration testing! With so many roles available it pays to know the areas you may wish to specialise. You may work for an organisation helping IT through the creation and implementation of policies/procedures – that’s cyber. All these things encompass information and data. You can still work within cyber and be non-technical!

An ever-present notion in information technology is the evolution of that technology vs its ease of use. As we witness greater network proliferation this encompasses its own problems! So what are the persistent security challenges?

  • Maintaining compliance
  • A lack of qualified and skilled professionals
  • Centralising security in a distributed computing environment
  • Fragmented and complex privacy and data protection regulations
  • Compliance issues with BYOD
  • Relocation of sensitive data from legacy data centres

Standards and certifications like Cyber Essentials and Cyber Essentials Plus can aid businesses with these challenges, making sure that organisations recognise how to secure their data.

There are so many roles within the world of cyber: technical, non-technical, and otherwise. Where will your journey start?

Cary delivering a great keynote. Photo by Alice McGready

_________________________________________________________________________________________________________________

What a blast that was! I met a tonne of people, some I’ve only ever spoken to online, some I’ve known for years, and some new faces. My colleagues were busy preparing and hosting talks, so it forced me to socialise. (I’m glad that was the case!) Having spent the last few years working from home that was exactly what I needed. G3C has cultivated a friendly, open environment for people, students, and industry professionals: a place to meld and inspire collaboration and transparency for those interested in the cyber security world.

I’ll be back – I can’t wait for the next conference. Who knows, maybe one day I’ll speak at one!

Time for food. Damn, I’m hungry!

Me, Alice, and Steve. Photo by Gerard Barrett

Keven Anderson