From the old to the new in tackling information security

Haydn Tarr
IT Service Development Manager
The University of Chichester
Report provided to colleagues at the University of Chichester’s IT, Library and Customer Service departments

InfoSecurity Europe Conference 2018

Overview

UCISA offer a bursary to attend conferences in fields relevant to HEI support staff. I have always held a strong interest in attending InfoSec Europe and the bursary presented a perfect opportunity to attend this year. InfoSec Europe is an annual conference which holds a strong focus on cyber security technology developments. This report will disseminate my findings from the conference and draw relevance to the University of Chichester.
InfoSec was split into two formats:
My visit to InfoSec Europe focussed on the sessions it offered and discussing these topics with other visitors concerned with cyber security. There were a number of themes which were touched on regularly.

Theme 1: Cyber security prevention and training

There are varying techniques used for protecting company data from cyber-attacks. I found at the conference that commercial organisations have mainly focussed on preventative measures, e.g. firewalls, email protection, blocking users, etc. These measures do help to mitigate the risk of data breach and infection, but paradoxically reduce the workforce’s awareness of the types of threats and techniques used by attackers to exfiltrate sensitive data.
Organisations are now becoming increasingly aware that this is no longer enough, and the focus is now on training and building awareness amongst the workforce in a bid to reduce the likelihood of a data breach by exposing potential threats to staff. A general message surfaced from the seminars I attended, which was that the workforce can be the biggest asset in preventing cyber-attacks. Some organisations harness this by raising awareness and sustaining a culture where staff are encouraged to report breaches. From the opposite end of this view, other antiquated strategies are in place to prevent the workforce from even coming into contact with potential viruses and untrusted emails in the first place.
A personal takeaway is that a balance needs to be struck between the two, in which I personally feel that the University has an advantage. I observed in other organisations that training initiatives tend to be a temporary notion. Both prevention and training are a continuous development, which will adapt with emerging security vulnerabilities.

Theme 2: Blockchain

Many tech vendors in attendance at InfoSec Europe are associating themselves with Blockchain, and building this into their research and development plans for future protection technologies. In recent months we have witnessed the rise and fall in media coverage (and value!) of Bitcoin. Blockchain, which Bitcoin transactions operate upon, is a transferable technology which can be adapted to other types of digital transactions to make them more secure.
One technology I found interesting, and which could offer some value in the future, was the use of Blockchain to provide an improved assurance of personal identity. By using Blockchain as a way of decentralising identity, more control can be put into the hands of the individual in how they share their information with other individuals and organisations. These parties can then have more confidence that the holder of this identity is who they say they are. This could also offer the individual complete power over what specific information they share throughout various online services, institutions, government portals, etc.

Theme 3: The old tricks still work

Traditional exploitation techniques such as email phishing, SQL Injection and other attacks have been used for almost two decades and are continuing to grow in adoption by adversaries. The rise of IoT (Internet of Things) is partially to blame for this as the surface area of potential vulnerabilities continues to grow. These vulnerabilities can be attributed to older consumer electronics which, connected to the internet but using old software and firmware, are unlikely to be updated. This becomes particularly problematic in the critical infrastructure industry, where I witnessed a live hack on a maritime GPS navigation system. Bringing this back to the local environment, the necessity to maintain a patching programme across the University estate, with a growing number of connected devices, has never been more critical.

The University is protected in every area on the network by various prevention solutions. Despite these, there is still a risk of infection or data loss due to persistent attacks, such as email phishing or social engineering, which could circumvent these techniques. These methods are still the oldest trick in the book, and at the University, with a growing number of staff, this problem continues and is generally acknowledged throughout commercial and other organisations.

Theme 4: Artificial Intelligence and Machine Learning

These terminologies are often used to describe the next generation of learning ability in computer software. We are yet to reach the state where artificial intelligence achieves its true meaning. Machine learning, however, has a big part to play in some of the advances in cyber security. Vast amounts of logging data are collected on a daily basis at the University and throughout other organisations. This logging data can be used for troubleshooting isolated technical issues and security events. Cyber security vendors are beginning to respond to this accumulation of logging data positively, by investing in machine learning R&D. Future developments could enable security technologies to learn behaviours and trends from the accumulation of collected logging data. This could help an organisation’s security posture to evolve in a more effective way to prevent and mitigate cyber-attacks. Vendors are advising that the sheer volume of data that is collected now can be useful in the future – however, everyone needs to be mindful of GDPR.
Interviews with the keynote speakers from the conference are available along with presentations from the event.
Interested in finding out more about a UCISA bursary, then visit UCISA Bursary Scheme.

Bursary review – Educause

Michelle Griffiths
ITS Project Manager
IT Services
University of Oxford
Member of UCISA-PCMG

I applied for and was extremely delighted to be awarded a UCISA Bursary to attend the conference of my choice in 2015. I chose to attend Educause 2015, based on extremely good feedback from fellow UCISA_PCMG committee members who had attended in previous years.

Educause is a non-profit association whose mission is to advance higher education through the use of Information technology. It is based in North America, but has global reach, with members in Europe, Africa and Australasia. Each year the Educause annual conference is attended by upwards of 7000 higher education professionals. Oxford University has been a member of Educause for a number of years, and has presented at past conferences.

The main areas of interest from the Educause programme based on my current projects were in the areas of identity management, smart cards, and risk management. The organization of the event was extremely good; there was a mobile app that you could download and schedule which presentations you wanted to attend, which then formed your own customized conference schedule. The event was vast: with approximately 7000 attendees, you need to be really well organized. The “First timer pit stop” area was a must on the first day of the event after registration. The “International Welcome lounge” became my home from home after attending the presentations. I used the IT equipment in the International Lounge to type up my blogs, ready to be posted onto the UCISA blog site:

The keynote speakers in particular were really inspiring and engaging. I was particularly moved by the closing keynote speech by Emily Pilloton.

Emily runs a non-profit design company and shared a few of her project stories with the audience. These included a farmers’ market public space, a middle school library, two homes for the homeless, creating a space for young girls, and creating items to be used in a domestic abuse centre. After explaining each scheme, Emily provided quotes from individuals that worked on the project. This was by far the focal point which really underlines why Emily does what she does and the value she helps put back into people’s lives and communities.

The general session was presented by Daniel Pink from MIT, who described motivation from the perspective of science. Daniel said that everyone in the room was an expert in motivation, they just may not realise it yet! He also said that we all have an explicit knowledge of physics without having studied it as a major. Daniel discussed when you should reward good behavior and bad behavior, and whether this changes behavior. I think I will be adding one of his books to my reading list: Drive: The Surprising Truth About What Motivates Us.

One of the sessions that made me think outside of the box a little when it comes to career aspirations was the panel discussion “From IT Support to CIO: A journey of three women”. The career path from support to CIO is not a usual one, in my experience; however, the experiences shared by the panel made it clear that if you are motivated and think big, you can succeed to the highest heights! Originally, I was not planning to attend this presentation, but whilst looking for another room, I came across this, which seemed more appealing!

Since attending Educause a number of Identity Management suppliers have been in contact with me, which is near perfect timing for the IAM programme. I have passed onto the programme manager in charge of IDM all the contact details I gathered whilst attending Educause, which will be used to help source an IDM solution.

I would like to thank UCISA for giving me the opportunity to attend Educause 2015. It has helped me broaden my networking and knowledge base, learn from my peers, gain a useful insight into how International institutions work, and bring all that I have learnt back to Oxford University and UCISA_PCMG to share with colleagues and peers.

Day | Type of Session | Presenter(s) | Title
1 | Session 1 – Opening keynote | Daniel Pink (MIT) | How small wins can transform your organization (blog post)
1 | Session 2 – Presentation | Lawrence Bobranski (University of Saskatchewan) | A practical approach to risk management that delivers results (blog post)
1 | Session 3 – Poster | Myles Darson – JISC | National BI Service for UK education
1 | Session 4 – Panel | Clint Davis, Mike Carlin and Thomas Hoover (UNC and UTC) | Transforming IT – a tale of two institutions
2 | Session 1 – Direct poll | Randall Albert (AD, Ringling College of Art and Design) | Project Management (blog post)
2 | Session 2 – Keynote speaker | Andrew McAfee (MIT) | The second machine age: work, progress and prosperity in the time of brilliant technologies
2 | Session 3 – Panel discussion | Melody Childs, Cathy O’Bryan, Wendy Woodward and Sue B. Workman | From IT Support to CIO: A journey of three women (blog post)
2 | Session 4 – Presentation | Emory Craig, Mike Griffith and Maya Georgieva | Wearable tech and augmented vision – Pedagogy in the future
3 | Session 1 – Presentation | Ron Kraemer, Kevin Morooney and Anne West | Trust and Identity in education and research identity for everyone (blog post)
3 | Session 2 – Closing keynote | Emily Pilloton | If you build it: The power of design to change the world (blog post)