First published: 15th October 2019
The 16th Information Security Summit will be held at the Hong Kong Convention and Exhibition Centre on 23 and 24 October. With the theme "Over the Horizon Cyber Security", the two-day conference is a regional event that aims to give participants from the Asia Pacific region an update on the latest developments, trends and status in information security. Conference registration is free. There is also a series of nine workshops, running from October to January, demonstrating management and technical theory, applications and practical experience on all aspects of information security relating to securing and protecting data in borderless cloud and mobile environments, big data analytics and the Internet of Things.
As cyber attackers grow more capable and smarter, enterprises are looking at investing in analytics and threat intelligence in order to make better decisions on investment in cyber defence and pre-empt attacks. Advanced security technologies are increasingly integrated with threat intelligence. Overseas and local experts from the industry have been invited to share their experience and knowledge.
The event is organised by the Hong Kong Productivity Council and supported by HKCERT, HK Computer Society, Cloud Security Alliance, High Technology Crime Investigation Association, HK Information Technology Federation, Professional Information Security Association, Internet Society (HK Chapter), Information Security and Forensics Society, International Information Systems Security Certification Consortium, and Information Systems Audit and Control Association.
Updated: 25th October 2019
In the first keynote speech, Pishu Mahtani from (ISC)2 highlighted the problems with security on the Internet of Things (IoT). He advocated Security by Design (locking down production devices against physical attacks), by Default (avoiding weak default credentials) and by Deployment.
Mike Passaro from Recorded Future gave a remote presentation on applying threat intelligence to the MITRE ATT&CK framework. The ATT&CK framework is a knowledge base describing cyber adversaries and providing a common taxonomy for offence and defence.
Leo Chan of Tenable demonstrated how risk exposure and vulnerability are determined.
Paul Jackson of Kroll Associates gave his insights on the increasing prevalence of the insider threat, and how to approach investigations. He introduced Kroll Artifact Parser and Extractor (KAPE), a free tool for quickly collecting key incident information across a variety of systems.
Richard Hollis of Risk Crew Limited highlighted how badly we are addressing cyber security; the OWASP list of the top ten exploited vulnerabilities is almost unchanged since 2013. Attackers have moved from the familiar scenario of utilising an attack vector to deliver a payload to achieve a target to a multi-stage, cyclical process designed to make APTs a persistent, moving target. He argued that we are facing an iceberg of data loss: what we see, the loss that is reported, is only a small fraction of the total. He advocated greater accountability for data loss.
Sean Duca of Palo Alto Networks talked about how the Internet of Things threatens our security and zero trust design concepts to address that.
Jason Yuan of Sangfor presented their approach to combatting ransomware.
Day one ended with a lively panel session moderated by Paul Jackson and featuring Sean Duca, Richard Hollis, and Pishu Mahtani.
Day two started with a keynote from Roy Ng of Centre for Research in Information Assurance (CRIA) on how 5G will be a paradigm shift in cyber security. He advocated rethinking countermeasures with an information assurance model and machine for holistic protection.
David Gee of HSBC explained their approach to cyber risk quantification using probability distributions as coefficients in their model so that the findings are presented with the associated uncertainties. They use the findings to direct their cyber security investment to the most effective risk reducing controls.
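The HSBC model is described here only in outline, so the following is an added illustration of the idea, not HSBC's model or code: a Monte Carlo annual-loss estimate in which the event frequency and per-event loss are lognormal distributions calibrated from 90% confidence ranges rather than point values, so every result carries its uncertainty, and candidate controls are ranked by expected loss reduction. The scenario figures and control names are constructed.

```python
import math
import random
from statistics import mean

Z90 = 1.645  # z-score bounding a symmetric 90% interval on a normal

def lognormal_params(lo, hi):
    """Turn a 90% confidence range (5th..95th percentile) into lognormal (mu, sigma)."""
    mu = (math.log(lo) + math.log(hi)) / 2            # log of the median
    sigma = (math.log(hi) - math.log(lo)) / (2 * Z90)  # spread implied by the range
    return mu, sigma

def poisson(rate, rng):
    """Sample one year's event count from Poisson(rate) (Knuth's method; fine for small rates)."""
    limit, k, p = math.exp(-rate), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_loss(freq_lo, freq_hi, loss_lo, loss_hi, trials=10000, seed=7):
    """Monte Carlo annual loss where the frequency and loss coefficients are themselves
    uncertain (lognormal) rather than point estimates. Returns summary statistics."""
    rng = random.Random(seed)
    fmu, fsig = lognormal_params(freq_lo, freq_hi)
    lmu, lsig = lognormal_params(loss_lo, loss_hi)
    losses = []
    for _ in range(trials):
        rate = rng.lognormvariate(fmu, fsig)          # uncertain events-per-year coefficient
        events = poisson(rate, rng)                    # how many incidents this simulated year
        losses.append(sum(rng.lognormvariate(lmu, lsig) for _ in range(events)))
    losses.sort()
    return {"mean": mean(losses), "p50": losses[trials // 2], "p90": losses[int(trials * 0.9)]}

def rank_controls(baseline, controls):
    """baseline and each control value are (freq_lo, freq_hi, loss_lo, loss_hi) after that control.
    Returns the baseline summary and the controls sorted by expected annual loss reduction."""
    base = simulate_annual_loss(*baseline)
    ranked = [(name, base["mean"] - simulate_annual_loss(*p)["mean"]) for name, p in controls.items()]
    ranked.sort(key=lambda item: item[1], reverse=True)
    return base, ranked

# Constructed scenario (hypothetical figures): ransomware, 0.2..2 incidents/year, 50k..5M per incident.
BASELINE = (0.2, 2.0, 50_000, 5_000_000)
CONTROLS = {
    "patching + MFA (fewer incidents)": (0.05, 0.5, 50_000, 5_000_000),
    "tested offline backups (cheaper incidents)": (0.2, 2.0, 10_000, 500_000),
}
```

Calling rank_controls(BASELINE, CONTROLS) returns the baseline mean, median and 90th percentile loss together with the two controls ordered by how much expected loss each removes, which is the comparison that directs investment in the approach described above.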
Jeffrey Carpenter of SecureWorks shared his experience from recent incidents and the challenges his clients faced. He emphasised that "exciting" attack vectors are not the ones you should worry about the most. The currently most prevalent cybercriminal threats are business email fraud, ransomware, digital currency mining, and banking trojans. Ransomware attacks are evolving to increase their impact, and therefore the potential gain for the attacker, by spreading laterally within the victim's network before revealing themselves. He highlighted lack of cyber hygiene as an industry crisis. This includes deficiencies in password policies, patching, authentication, allocation of user privileges and administration rights, and hardening.
The panel discussion before lunch on emerging security threats featured Mika Devonshire, Andrea Lau and Carol Lee and was moderated by Anna Gamvros.
Andrea Lau of Security Research Labs reported on the challenges of security during the rollout of the Jio Network in India: their pilot test was with 1 million staff and their families, the full rollout covered hundreds of millions. One issue was that even the new equipment was arriving with old vulnerabilities, such as core network devices unpatched since 2007. User inexperience was also a problem, with the majority of users falling for phishing and vishing attacks in tests. She concluded that "security by design" is a dream when even a 100% greenfield startup is tied to insecure legacy in equipment and employees.
Mika Devonshire of Blackpanda talked about Cyber Liability Insurance and how it fits in with cyber security with particular reference to ransomware trends.
Michael Mudd moderated the final panel, on the future of information security, with Roy Ng, Jason Yuan and Jeffrey Carpenter. The organising committee chair, Dale Johnstone, closed the summit with a few remarks.