The Importance of Networking

Without networking, there’d be no internet.

However, I’m referring to a different type of networking – Human Networking…

I can only speak about what’s going on in London so I’m keen to know what the scene is around the UK but my gosh, the calendar of security networking events in London is pretty impressive.

You could fill your week up simply by attending security events. There’s an event/meetup for pretty much any area of security; Application Security, Risk Management, Threat Modelling, Cloud Security, DevSecOps – you name it, it exists!

This many events surely indicates demand. Indeed, there’s demand but what it also indicates is a great camaraderie amongst the security industry. We’re fighting battles all day long at work but we’re not done at 5.30pm. No – we want to learn more, talk more about security and have a drink with each other laughing at how impossible our jobs are! Our non-security friends have to wait till the weekend because we’re having too much fun at these events.

In general, security people much like IT people are probably considered a little dull, no? Well with our booming social scene, aren’t we proving that not only do we truly love what we do (since we want to spend our evenings at security events) but that we’re actually social butterflies?

So whilst this all sounds like buckets of fun, what value do you get from attending networking events?

Well I got my job from meeting someone at a networking event which just so happened to be an ISSA event so I might be a little biased but asides from that, not only do you get to learn a bit more about security but you get the opportunity to mingle with other security folk , both junior and senior across the whole industry and that’s where you get value. That’s how you learn – even if you’re just listening to conversations. It’s a safe place to ask questions, share your opinions and be challenged without any worry of embarrassing yourself infront of work colleagues or your boss. It’s a casual environment after all!

So here’s your call to action – come to the next ISSA event, meet the friendly regulars and the newbies that will be in your shoes (there’s always plenty of them) and then join them at other events too! You’ll soon recognise the value of networking.

Member Profile - Lauren Chiesa

One of the things we've been trying to do here at ISSA-UK is focus a bit more on our membership and what we do.  This month we are launching the first of our member spotlights.  Lauren joined ISSA-UK a bit over a year ago and was promptly swept away by the quality of our event and networking.  Indeed, it was networking at our event that helped Lauren make the connections that got her into the security industry!  Read on to see ISSA-UK from the eyes of one of our members and also meet Lauren. - Gabe

Name:  Lauren Chiesa

Occupation: Cybersecurity Consultant

Why did you join the ISSA:

I joined the ISSA after attending one of the Christmas chapter meetings. I was overwhelmed at how welcoming the members were to me as I was at that time only a student.

What benefit have you received from being a member:

My network of contacts rapidly expanded as ISSA members are great at networking and there is always a mix of new people.

Why would you renew:

The regular chapter events prove time and time again to be one of the best networking events in the industry. There’s special events throughout the year such as special InfoSec evening events and a full day conference on board HQS Wellington. I

What else would you like to see:

I have no suggestions for improvements at this point! I think ISSA are doing a great job at bringing their members together and keeping them up to date with what’s going on in the industry by putting together interesting and varied agendas.

What are your predictions for Information or Cyber Security for the foreseeable future:

I think it’s still going to take time for companies to recognise that security is as much about training your staff as it is getting your technology right and a lot more money needs to be spent than will be budgeted for. Training needs to be tailored to be effective and that’s expensive but it will make a big difference to a company’s security posture.

I also think we will also see more Social Media attacks – clicking on content and links is far too easy. Non-security folk will take a while to recognise that clicking links on Twitter and Instagram is no less of a threat than links in phishing emails.

I can’t not mention IoT – we’re going to struggle to get it right straight away as there are so many new challenges and problems that we’ll be faced with. As has been the case with the evolution of security, we’ll only learn what we need to do by failing first. However, the difference with IoT is that we need to be very careful how wrong we get it as the need to consider safety is critical.

What got you into the industry:

I was fascinated by a Cryptography module I studied as part of my undergraduate Maths degree but had chosen to pursue teaching instead. However, my interest in ciphers never faded so I set up an extra-curricular class to teach my students about it –  I ended up inspiring myself to quit teaching, get myself a Masters in Information Security and step into the world of Cyber.

What does the industry need?:

It needs to take chances on people that don’t know much about security but are curious. Our industry is fascinating, exciting and important – it’s easy to inspire the curious. We also need to transform our identity – try a Google image search on “Cyber Security” – that’s not what we should look like.

What advice would you give for someone to get into a role like yours:

Network. Go to as many Security events and conferences as you can manage and socialise. Listen to the problems, solutions, frustrations and curiosities of real cyber professionals – that’s how you’ll learn what’s really going on in the industry. Who knows – you might meet your future employer just like I did.

Tell us more about you outside of the industry:

I’m a bit of a security geek because I would state that “Cyber Security” is also a hobby of mine as I’ll spend my free time exploring areas that I don’t get to touch on at work. For example, doing malware traffic analysis exercises is my idea of a great Friday night. But “outside of the industry”, I’m a gym bunny, obsessed with travelling – I work to go on holiday and my favourite nights are dinner parties with friends.

Interested in doing your own member profile?  Reach out to Ryan King at [email protected]

BSides Scotland 27th April

ISSA-UK is going to Scotland this spring!

BSides Scotland will be taking place on 27th April at the Royal Concert Halls in Buchanan Street, Glasgow.  Last year they run a very successful event in Edinburgh and this year we expect it will be even better.

They have sold out of tickets so apologies if you are missing it but if you are one of the lucky ones to grab a ticket then expect a packed day of talks, workshops and competitions – including the “Cyber Cake Challenge” with some great prizes.

This year ISSA-UK is proud to support and attend the event and together with the BSidesScotland Crew look forward to seeing you there!

If you already have a ticket and are an ISSA-UK member please volunteer an hour or two to be at our table.

If you are a member of ISSA-UK without a ticket but willing to volunteer get in touch with me ASAP iggy[@]

Why SOC?

I had been recently asked "why SOC? I get the how and the what, but missing g the why..." and i found this brilliant question, got me scratching my head for a bit, guess too many years doing the how and what have its affect after all.

So here are some of my thought, hope its gets you thinking as well.

There are many thoughts and opinions around this topic and I will try and consolidate some for focus and simplicity.

It’s also very important to remember that the term SOC (Security operation centre) have a wide definition in terms of its specific deliverables and co-operation within the enterprise.

Correlation – Finding needle in a haystack become easier with automation and help business focus and respond appropriately to the evolving threat landscape, Correlation of information systems events assist in faster times to detection & response (MTTR).



Assisting in getting better ROI from technology investment, “single pane of glass” central log location, configuration tuning… keep the organisation running.

Risk reduction.


SOC assist the business in meeting compliance regulatory requirements.

Provide evidence for/in investigation.

Separation of duties.

Enhanced security

Actively monitoring and correlating infrastructure users and data events assist in faster detection time rapid response by dedicated team.

Reduce the impact of an incident.


central location for collecting threat and activity information, single pane of glass for available controls.



Appetite for Destruction – Enterprise Risk Management

If the title of a 1987 Guns n' Roses album sounds an unlikely opening for a cyber security blog - you are probably right. But when applied to the broader question of enterprise risk management and the need to develop a top-down risk tolerance strategy, the relevance may become clearer.

Failure by organisations to develop, communicate and monitor a suitable risk appetite strategy can lead to catastrophic business failure either way; by either accepting too much inherent risk, or conversely being too cautious and allowing the business to be overrun by spiralling governance costs and far bolder competitors. COSO defines it thus: "Risk appetite is the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so".

Organisations encounter risk every day as they pursue their business objectives. Senior management must therefore deal with the fundamental question of: How much risk is acceptable while pursuing these objectives? Additionally, external regulators and other bodies need to evidence organisations' risk management processes and board oversight, which is another area of risk in itself. But not all risk is bad. Modern businesses need to innovate to compete and survive; and you cannot innovate without taking on risk. Sometimes a lot of risk. Essentially there is no longer a 'safe path' to stick to if you want to both stay in the game and win it.

A few years ago I attempted to open up a conversation with the board of a large multinational around risk acceptance, with the aim of striking a balance between the costs of security countermeasures versus the likely cost of any losses: Thereby setting expectations around what was achievable. This endeavour fell at the first hurdle of "what level of per event or annualised loss is acceptable to the business?" "None" came the inevitable response, thus sealing the end of that debate. Nowadays, boards cannot possibly ignore the endless tide of publicised breaches and corporate collapses that adorn the media every day, and boards now seem to have accepted the 'not if, but when' philosophy, which acknowledges that you can't secure everything and therefore losses are bound to occur. No matter how much money you throw at managing risk.

Nonetheless, having that debate at a senior level and then executing an organisation-wide programme to embed the risk appetite and risk tolerance strategy into every business process, remains a daunting task that not every business is yet prepared to embrace. Like the elephant in the room or the ostrich's head in the sand (insert suitable metaphor here) it is often easier for the various risk management functions to just keep pushing along doing what they do while hoping for the best. Unfortunately that's no longer enough. Completely defending a large organisation against the onslaught of growing numbers of threats, and increasingly sophisticated attacks would require more resources than many businesses are worth, and then some. So there needs to be some conscious acceptance of risk at the strategic level, which is then fine-tuned to each critical business function as a tactical solution to managing ongoing risks. This is where the terms Risk Appetite and Risk Tolerance appear: the former constitutes a strategic, board sanctioned, policy message and plan; and the latter a more tactical approach to identify the most critical parts of the business operation and apply an acceptable level of risk acceptance variation each entity is willing to accept; based on the operational criticality of each function to the overall business.

Without these formal statements on risk appetite and tolerance, clearly mandated, communicated and integrated across a business, it is hard to set goals and priorities or to allocate resources to best manage all forms of risk across the organisation. Yet research suggests that only around a quarter of large public and private companies have a formally articulated statement of risk appetite in place. There is a view that this absence of a formal and coherent risk appetite strategy across three-quarters of organisations is at the root of ever increasing numbers of breaches and failures in recent times. Too much gets spent securing functions and assets the business could still survive if lost; while the real Achilles heels lie relatively unprotected due to distractions elsewhere.

So, what to do? Well whatever you decide to do you cannot do it in isolation. There needs to be a will and mandate from the top which leads to federation of the various risk functions in pursuit of a set of common objectives. Education and influence are key to introducing these concepts in a way all parties will understand and buy into. Sometimes you don't know you have a problem until someone educates you enough to see it.

So if you are natural educator and influencer who happens to be sitting in one of the risk functions in a business that's lacking a current strategy and statement that deals with risk appetite: then you know what to do!



Adrian Wright is board member and VP of research at the ISSA UK chapter.                                   AW3

Ransomware - A Simple How To ...


A How To ...maxresdefault

n recent months there has been an increasing rise in the number of Ransomware related incidents hitting organisations.  While many occurrences do not make the public headlines, to security professionals and observers there has been a distinct and discernible trend taking shape.

The more excitable parts of mass media seem to have found the newest "hot & scary" story to relay them on to the naïve, the innocent, the ill-informed regrettably and the impressionable – that sadly and too frequently are to be found in the public services and SMEs.

In many of my recent conversations with clients and colleagues on this topic, it seems that the focus and fears of non-security industry professionals seems to undermine what many security professionals would agree is essential rigour and practice.

So in the tradition of many like-minded individuals, I thought it was time to share my thoughts on the topic, which to most security professionals will be an obvious basic and good practices approach mitigating and preventative operational controls.

The Small Print

The thoughts and opinions expressed in this paper are entirely my own and are not intended in their entirety or partially to be those of my current, past or future employers. As with all best practices, consider carefully how to use any advice and approach for your specific circumstances, especially the operational context. Please consider carefully any and all potential consequences, especially the unintended, that could arise for your environment.

This paper seeks to promote what many experienced security industry experts consider and agree are best practices to minimise the exposed digital landscape of an organisation to ransomware and malware attacks.

Notably in this paper, I have sought to keep all references confined to a technology rather than to a vendor, with the sole exception of Microsoft.  This is because I consider this to have been the prime OS candidate affected by ransomware to date.  As with all things in security, this may be subject to change.

Best practice

Before we kick off

First things first, what is ransomware? There are long descriptions available online in case you are not familiar with the problem. As per Wikipedia, “Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction

Like most malware related guidelines employing good housekeeping across the IT estate will help to sleep better at night.  Controlling the inbound data filtering bad traffic which importantly includes but is not limited to email traffic and web activity while employing common sense and basic controls will help significantly.

Good housekeeping means the boring stuff like making sure hosts are patched, maintained, protected and audited. Seems and sounds simple doesn’t it?  As it

should be, but many IT estates aren’t quite there, completely or consistently.

We need to include things we can’t articulate in a technical statement such as organizational culture, management commitment stakeholders and values into our culture and conversations.

Keeping a watching brief and sanitising network data which might have passed the initial controls, for example: monitoring the DNS through sampling or capturing some network traffic based on the required use case of the prevailing moment.

Taking technical steps to limit, restrict or prevent are important but we must not forget our users whom we can enable train and increase awareness helping them to become the frontline defence of the organisation.

Weave all the above together and you will have a much healthier infrastructure.


You can download the full document here, fill the required details for a link to the file. [email-download download_id="857" contact_form_id="757"]


ISSA International Conference 2015 - Chicago

Conference Diary - Chicago 2015

Day 1 – Morning - The ISSA International conference kicked off with a fantastic keynote speech by Vint Cerf ending with his current focus of intergalactic communication “How to send data packets to space and back”... I guess that there is plenty more to come from Prof. Cerf. An amazing person and the applause he received suggested that the room agreed.

Next there was an insightful CISO panel: Microsoft, Oracle, Harland Clarke Holdings Corp, Trek Bicycle Corporation and Texas gov. My favourite discussion topic was "How to advance the culture of security in your company from the corner office and beyond". Great contributions from all panel members.

I found myself wondering through a few of the "tracks" for the day. Started listening to Moshe Panzer who talked about SAP Security and other ERP system weaknesses while articulating the need to secure this environment and the challenges that come with this type of tech. The talk was presented with practical and technical explanations on what the real world challenges are and what his business does in that realm.

Naturally afterwards I gravitated into the Incident Response (IR) track as it’s a focus area of mine. The talks were phenomenal, "Preparing for the Big One" and "How to Accomplish Breach Response Readiness" were particularly memorable.

Evening – We went to 360 Chicago - a night out at the John Hancock building. Some amazing views of Chicago City and surrounding area with the bonus of being tilted downwards! BOMGAR sponsored an excellent light buffet and a lot of networking opportunities with the several hundred attendees. Check out the pics, you might even spot me there...

Day 2 – Morning - Started with yet another high profile keynote speech, this time from Dan Geer, who received a rapturous applause.

I attended a couple of IR sessions related to ISSA’s initiative around Cyber Security Career LifeCycle (CSCL). A huge amount of effort had gone into the CSCL space over the days and the leadership summit. To consolidate the topic, ISSA CSCL consists of 5 main stages in the career cycle of an IT security professional: i) Pre-Professionals ii) Entry-Level iii) Mid-Career iv) Senior Level v) Senior Leader. If you would like to get involved with this initiative, please do get in touch.

In addition to all the talks and sessions being held we also had a hall which hosted our sponsors. Familiar faces from our UK sponsors include Vanefi among others.

Overall it was a very educating experience and a fantastic opportunity for me to meet our US counterparts in person.


Interesting future for Crypto “exceptional access”

On Tuesday, the group — 13 of the world’s pre-eminent cryptographers, computer scientists and security specialists — released the paper, which concludes there is no viable technical solution that would allow the American and British governments to gain “exceptional access” to encrypted communications without putting the world’s most confidential data and critical infrastructure in danger.

ISSA-UK President speaking at "Project Camino" meeting

Mr Gabe Chomic, President of Information System Security Association UK (ISSA) is a panel member at the Project CAMINO Expert’s Workshop on June 15th/16th 2015 at Royal Holloway University on “Parameters for Guidance & Roadmap for the Prosecution of Cyber Crime in Civil, Criminal & Common Law.”


Gabe Chomic will be participating in the second session at 16-June 14.00hrs on the Legal approach to “Identity and Strong Authentication”.



The Expert’s Workshop is free to attend.
Please visit and use Password: cyber2015 to register to attend the workshop.


Computer Weekly Think Tank Present Mike Loginov

Great article from Mr. Loginov in recent computer weekly think tank publication.

Security Think Tank: Education, process and technology key to security challenge