Commissum

The More We All Know About IT Security the Better!



For those in the know, last Thursday evening saw the first Security Scotland MeetUp. It was organised and hosted by Stu Hirst of Skyscanner at their snazzy office in the Quartermile part of Edinburgh. I think it’s safe to say the night was a massive success with the event packed out and a waiting list as long as your arm.

Firstly, we want to give Stu a massive shout out for hosting, organising great speakers (more on that in a bit), sorting an interview with Cyber Security Celebrity Rik Ferguson and, mostly, for providing free beer and pizza! Just what was needed to cheer everyone up after a long day. There was a real mix of attendees, from people just starting out in the game to some seasoned pros, so it was a great chance to network and chew the fat with like-minded folk and, I think, exactly why Stu set it up.

For those of you that didn’t make the event, unlucky! You better be quick to register for the next one in May when it should, hopefully, be a bit warmer. However, luckily for you, your blogger was there this time round so you didn’t have to brave the Edinburgh February weather after work, Brrrr!

Apart from the welcome refreshments, the entertainment included two invited speakers, the second of whom was none other than Commissum’s own Jay George: Managing Consultant, security guru and all-round good guy. Jay was waxing lyrical this time about what Penetration Testing can tell you about your organisation before you’ve even done any testing, and sharing some of the (thankfully anonymised) hilarious examples of issues we run into whilst doing our work. Not sure if it was Jay’s jokes, the beer or the daft things we come across, but there were plenty of laughs. Jay’s Q&A afterwards went down a storm too, with some great questions teasing some even better responses out of Jay…

What penetration testing REALLY tells you about your security

“Do you find yourself in a situation where a pen test is so bad that you don’t have time to document all the issues?” was a good example. “Thankfully, not,” was Jay’s response. “But it depends on several factors, of course. Whilst it is not the case for external tests, the internal ones can be a bit trickier. What we usually do is we set a scene: we tend to prep organisations, especially those large ones that haven’t had a pen-test before. It’s important for us to know that they know what to expect and how to prepare – a win-win situation indeed!”

Another top question was about the new CBEST testing. It’s a test like no other! We say that because it tests people, processes and technology in a single test. It is also less time-constrained than, say, traditional penetration testing. The CBEST test is threat-intelligence based and focuses on the most sophisticated attacks on critical systems and services. Jay explained the importance of the test and confirmed that right now it is definitely being pushed at the top, in the financial services sector. “The hope is that it will start to trickle down through all the other organisations,” he said.

Another question that inspired laughs: “How many organisations you have worked with are spot on security-wise?” Well, well, well – it’s a difficult one to answer, mainly because “spot on” is a little bit hard to define. What we tend to look at is whether a security policy is “good”. In other words, whether there are only a few low-level issues. Those are usually basic configuration problems that can be fixed fairly quickly. If this is the case, then an organisation is surely not too far from so-called “spot on security-wise”.

The evening closed out with a recorded interview between Stu and the multitalented Rik Ferguson, with Rik giving us his musings on everything from women in cyber security to his house move from Poland back to the UK! Rik promised to get to the next event, so make sure you keep your eyes peeled for when it goes live. Big thanks to Rik too for making the time to talk to Stu and sharing his thoughts. After all, nobody doubts that cybersecurity is a shared responsibility – let’s help each other. We want to share our knowledge, and we want to share our skills. We certainly recommend attending future security meetups! In the meantime, we are happy to answer any questions you may have. Get in touch: call 01316252737 or email us at info@commissum.com