Gibraltar Cyber Security Summit

We attended the Gibraltar Cyber Security Summit this week. It’s an initiative to bring together policing departments, local authority and cyber crime related experts. Speakers from the AFP, FBI, NCA, GCHQ and others took to the stage to transfer essential knowledge to an audience of Gibraltar’s business delegates.

The line-up of speakers includes some of the industries celebrities such as Ken Munro from Pentest Partners (@TheKenMunroShow) and Rik Ferguson (@rik_ferguson) from Trend Micro performing demonstrations and insights from their recent work. I had the pleasure of a meal with the pair the evening before and if they handle cybercrime like how they handle the demolition of salted fish – we are in safe hands. Whenever more than three infosec people get together for a meal there is only one way it will end. The next morning, as I awoke on the deck of a small yacht, cloudy, I was reminded of this rule of three.

 

 

The actual event was on another boat, so I brushed myself down like the digital pirate I am and boarded the Sunburn Hotel. Instantly I was amazed by its decadence. After attending many infosec events and conferences I can safely say all of them, where possible should be hosted on luxury cruise ships in the future. The usual networking event proceeded and it was nice to see all delegates casually discussing the topic of cybercrime. The event security was exemplary and controlled by the Royal Gibraltar Police. What really put the context of the event into perspective for me was seeing the police proudly guard in their full formal uniform (think 1960’s MET) and being told by their superintendant to remove their hats and relax a little as it’s more important to learn and listen then stand formally. In speaking with Supt’ Ian McGrail it was obvious he was very welcoming of the event and hoped it would bring a new chapter of policing to the area.

There is a strong urgency from local policing forces to prepare for cyber attacks, to look to protect businesses that choose to reside there and it’s families and children. The Royal Gibraltar Police force is not only attending but championing the introduction of such an important focus.

“Protection of national infrastructure is vital”

– Police Superintendent Ian McGrail, one of the drivers behind the initiative.

 

Opening

The event opened with the main event organisers, Justin Manners, Dr Danny Dresner and Stewart McClean giving an overview of the day. Danny led the opening with a keynote defining cybercrime and aligning a mixed audience of newbies and InfoSec professionals.  Housekeeping was swiftly touched upon, an emphasis was on social collaboration and audience participation.

 

 Ed Davis – The Governor of Gibraltar

The changing times of cybercrime were re-iterated, the risks posed to Gibraltar in generations before was explained to be tanks and infantry, now it was described to be more of a digital nature.  He spoke highly of the NCSC and the collective input from such agencies. Leaving the stage with 3 propositions;

• Developing a mindset based on securing opportunities.
• Shared social responsibility and joint defence security that emanates from the people of Gibraltar.
• Look to enhance regulatory frameworks in the area.

It was clear to see he was well briefed and enthusiastic.

 

Stewart Harrison – The team leader of the winning  Cyber Centurion team 2016

Stewart took to the stage to talk about his time teaching his children at the local college, in 2016 he lead a young group to victory at the Bletchley Park event in 2016. It was clear to see his efforts in giving the youth of Gibraltar a medium to showcase their talents at such an event.

It’s impossible to teach our children everything, but they have so much intuition all you have to do is put them on the right path.

 

Rik Ferguson – Trend Micro

In typical Rik style, his talk focused on the rise of ransomware, his experience in advising agencies such as Interpol is evident in his easily flowing talk outlining earlier ransomware attacks, the changing style of attackers and the prevention. Rik calls for education and empowerment and claims this to be one of the most effective solutions. The principals of least privilege were also mentioned. Ending on business email compromise and the ways social media can have a part of these kinds of attacks.

Business Email Compromise accounts for $5bn in lost revenues.

 

Jenny Radcliffe – aka The People Hacker

Jenny outlines her talk and discusses the methods used by social engineers. The focus of Jenny’s professional career is the psychology behind the attack and this is transparent in her talk. For some hackers it about exploits kits and malware – for Jenny it’s her ability to deceive, manipulate and con her way through a company’s front door. Remembering we are all human and vulnerable to common exploits is a factor that even myself, can easily forget.

Ken Munro – Pen Test Partners

Ken is well known in the industry for his work in hacking IoT devices, he and his team of pentesters frequently find themselves dissecting appliances from kettles, TV’s, smart fridges and even ‘adult’ toys! Ken’s talk was lively and he got his point across with the optimum blend of humour and technical demonstrations. The talk was supported by his InfoSecurity Europe style demonstration of speaking to a kettle via telnet.

 

Alex Hudson – National Crime Agency

The NCA lead the fight ‘back home’ against all the nasties of the internet and dark web. Interestingly Alex’s talk touches upon how to buy drugs online, with in-depth details about how to review a dark website and also how to receive a peer moderated review page to ensure you only obtain the best drugs, from the most trusted suppliers. I was watching the talk waiting for a twist, surely the NCA with all that they could bring to the table at an event like this wasn’t going to detail in depth the purchase of drugs online. I felt his talked lacked a focus on prevention, but to his credit does raise awareness significantly.

 

Adrian Davis –  (ISC)² EMEA MD

This talk was an interesting one. Adrian detailed the ways in which (ISC)² collects data and their adaptation to GDPR compliance. This data has, by all means, be put to good use as they had statistics from members outlining a mass shortage of information security professionals. He shunned companies for demanding experience over aptitude and willingness. He called out companies that consisted of “middle aged, balding nerds” and missing out on the opportunity that a youth-focused employment market could bring. In his talk, he referred directly to my own transition into infosec and stated that he used to be a chemist! He calls on everyone in the industry to “do your bit” and try and bring someone from another industry to the Infosecurity arena.

 

Richard De Vere – The AntiSocial Engineer

My own talk was on education. Often at these kinds of events, there is a generally agreeable trait that awareness and education form a massive part in combatting cybercrime. Speakers always allude to the education but don’t make a  direct attempt at educating the audience. So we decided to condense a short course we have put together, designed to educate teams as part of a workshop session. The original workshop sessions are about 2 hours long, cramming this into 10 minutes was interesting. I hammered through three main concerns – social engineering, passwords and updates. It was a challenge but the questions I received after the talk indicated I got people thinking about password cracking and physical social engineering attacks.

 

 

Leaving 

The GiB Cyber event was really unique. The lineup of speakers was truly amazing, FBI agents from the states, AFP officers from Melbourne. A real effort was made to strike a cord between this being a flash in the pan extravaganza and a lasting relationship building event. The event wouldn’t have worked without the support of the local police and government types fully supporting it. I suggest you go give the #GiBCyber hashtag a visit if you haven’t been following it on Twitter already. They plan to continue to other isles that may have been forgotten about when it comes to cyber security and it is one conference to watch!

 

 

---

Richard De Vere (@AntiSocial_Eng) is the Principal Consultant for The AntiSocial Engineer, he has an extensive background in penetration testing and social engineering assessments, including ‘red team’ exercises and information gathering assessments for financial institutions and some of the UK’s largest companies.