[Owasp-cambridge] Reminder: Joint OWASP & BCS Cybercrime Forensics SIG "Incident Response Day” 2017 - 19th Januar

Adrian Winckles adrian.winckles at owasp.org
Thu Jan 12 00:39:30 UTC 2017

Joint OWASP & BCS Cybercrime Forensics SIG “Incident Response Day” 2017

Thursday 19th January 2017, 9:30 – 17:00, Lord Ashcroft Building (LAB026),
Anglia Ruskin University, Cambridge.

Hosted by the Department of Computing & Technology, Anglia Ruskin
University, British Computer Society (BCS) Cybercrime Forensics Special
Interest Group and OWASP (Open Web Application Security Project) Cambridge.

It looks increasingly likely that 2016 will be known as the “Year of the
Data Breach”, with more organisations than ever before becoming
part of the self-fulfilling prophecy: “there are two types of organisation,
those who know they’ve been breached and those who don’t”.

So what happens if, despite your best efforts, your defenses are ineffective
and you suffer a data breach? Your organization needs to know how to
handle the breach both internally and externally, who to inform and who
to call.

What is needed is “*incident response*”, an organized approach to
addressing and managing the aftermath of a security breach or attack (also
known as an *incident*). The goal is to handle the situation in a way that
limits damage and reduces recovery time and costs.

*Background*

OWASP (Open Web Application Security Project) is a 501(c)(3) not-for-profit
worldwide charitable organization focused on improving the security of
application software. Their mission is to make application security
visible, so that people and organizations can make informed decisions about
true application security risks.

The British Computer Society (BCS) Cybercrime Forensics Special Interest
Group (SIG) promotes Cybercrime Forensics and the use of Cybercrime
Forensics, of relevance to computing professionals, lawyers, law
enforcement officers, academics and those interested in the use of
Cybercrime Forensics, and the need to address cybercrime for the benefit of
those groups and of the wider public.

The Department of Computing & Technology at Anglia Ruskin University is
enhancing its curricula and capabilities in information security following
its successful BSc(Hons) Information Security and Forensic Computing
pathway. Establishing a joint professional networking group with OWASP
concentrating on aspects of computing and application security is a key
part of this enhancement.

*Speaker Biographies*

*Peter Yapp - Deputy Director Incident Management for the National Cyber
Security Centre (NCSC)*

Before joining the NCSC, Peter was Deputy Director Operations for CERT-UK.
Prior to CERT-UK, Peter was the Information Security Advisor for Brecon
Group and before that the Managing Director for Accenture’s global Computer
Incident Response Team (CIRT) running a team of 50 based at five locations
around the world. While there, he set up a cyber threat intelligence team
and inputted into technical, policy and training initiatives. He also
contributed to the maintenance of the largest ISO27001 certification in the

Prior to Accenture, Peter was head of Forensics and information security
consulting at Control Risks in London. Peter devised and delivered
information security awareness training courses for Oil and Gas clients
around the world, specialised briefings on the threat of state sponsored
espionage and a computer forensics training course for CISSPs. Peter
reviewed and revised information security policy documents. He carried out
IS Security (and ISO27001) reviews and gap analyses (and risk assessments)
for the finance and manufacturing sectors. Peter carried out numerous
computer investigations into fraud, abuse and misuse.

Before joining Control Risks in 1998, Peter was a Senior Investigation
officer in the National Investigation Service of H.M. Customs & Excise.
During this time he represented H.M. Customs & Excise at national and
international conferences and seminars, speaking at Interpol on computer
crime. He was a member of the British Home Office delegation to the G8 sub
group on High Tech crime. Peter trained overseas agencies around the world.

*Steve Shepherd MBE – Senior Forensic Consultant – 7Safe/PA Consulting*

Steve leads the 7Safe Cyber Security Incident Response offering. Steve has
extensive experience in conducting and directing forensic and hi-tech
investigations, having been involved in the discipline since the late
1990s. Steve has worked within the Civil Service, law enforcement and
private industry, latterly employed as a cyber security specialist for a
government intelligence agency prior to joining PA Consulting. Steve has
been involved as a team member and team leader in myriad digital
investigations ranging from civil to criminal and national security level
incidents. Steve is also the lead developer and course manager for the
Certified Malware Investigator course, the Certified Data Acquisition
Technician course and is the author of our new Cyber Network Investigations

*Tony Drewitt, Head of Consultancy – IT Governance*

Tony leads IT Governance’s consultancy team. He works with clients to help
them implement and comply with international standards such as ISO 27001
and ISO 22301 as well as other compliance frameworks such as the NHS
Information Governance Toolkit and the UK Gambling Commission’s technical
security standard.

He has helped one of the first companies in the UK to achieve full
certification under BS25999-2 (now ISO22301) and is currently delivering a
number of ISO27001 ISMS projects for companies in the UK and overseas. He
is also a leading business continuity author of ITGP titles A Manager’s
Guide to ISO22301; ISO 22301: A Pocket Guide, and Everything You want to
Know about Business Continuity.

Tony is a full member of BCI and is a certified Lead Implementer and Lead
Auditor for ISO 27001 and ISO 22301. He also holds CRISC, CISMP and ITIL
Foundation certificates.

*Presentation Abstracts*

*“Malware Red Alert: the first 24 hours” - Steven Shepherd MBE, 7Safe/PA
Consulting*

It’s Friday at 19:30. You are the acting manager of your organisation’s
Security Operations Centre. You are working the graveyard shift with a
colleague when …

Your SIEM alerts you to what may be the presence of a Trojan in your
system. But before you have a chance to respond, you receive an email from
a hacker making demands.

The threat is that highly-confidential information has been stolen from
your financial database. If the hacker does not receive £2 million by
midnight on Sunday, they will put this data on the web just before your
firm’s annual financial report, due for release on Monday, is published.
Their motive: to cause panic among investors by undermining the credibility
of your growth and profit forecasts with data that the hacker claims they
have found in emails and report documents.

What do you do next to thwart the attack, contain the incident and prevent,
or at least minimise, damage to your brand name and reputation in the

Security incidents, both potential and actual, occur on a frequent basis.
It is therefore important to accurately categorize incidents and prioritise
the most severe. Evaluation is based on the impact that the data breach may
have on business operations, the potential reputational risk and the time
and cost of resources engaged in recovery.

Of critical importance is the effective gathering of key information about
the attack in real time. Focusing on quick fixes should be avoided. It is
important to clearly document all information collected/actions performed
for subsequent analysis in a post incident review/lessons learned session.
A clear plan must be established, including timeframes and ownership, to
implement any required changes that will mitigate future risk.

Steve Shepherd MBE describes for the business audience a series of real
life scenarios that will serve as a warning to Board members and SOC
managers alike, as he shares his thoughts on how to apply the CREST
Three-Phase CSIR model and invites the audience to role play with him in
responding to this incident.

If you think that you understand incident response procedures from a
‘people, process and technology’ standpoint, be prepared to challenge what
you deem to be fact during Steve’s practical talk and demonstration. The
emphasis will be on knowledge transfer - and why software tools are never
the whole answer.

*“Cyber resilience and Incident Response” - Tony Drewitt, Head of
Consultancy, IT Governance*

Tony will introduce today’s cyber threat environment and what it means in
terms of security incidents. Cyber assurance techniques will be examined
from 4 different perspectives, the conventional themes:

·      People,

·      Processes and

·      Technology

but also examining Digital versus Physical security dimensions.

The talk will conclude with a discussion on cyber resilience versus
incident response and, if incident response is a necessity, what structure
it should take.

*Provisional Agenda*

09:30 – 10:00 Registration & Refreshments (LAB026)

10:00 – 10:15 Welcome from the OWASP Cambridge Chapter Leader, Adrian
Winckles, Course Leader in Information Security & Forensic Computing,
Anglia Ruskin University

10:15 – 11:00 “National Cyber Security Centre’s Incident Response Strategy”
– Peter Yapp – Deputy Director – Incident Management – National Cyber
Security Centre (NCSC)

11:00 – 11:45 “Malware Red Alert: the first 24 hours” - *Steven Shepherd
MBE*, 7Safe/PA Consulting

11:45 – 12:30 “Cyber resilience and Incident Response” Tony Drewitt, Head
of Consultancy, IT Governance

12:30 – 13:15 Lunch & Networking (LAB006)

13:15 – 14:15 Dr Jules Disso – Nettitude “Incident Analysis including Live
Incident Analysis”

14:15 – 14:45 Refreshments (LAB006)

14:45 – 15:30 Benn Morris - 3B Data Security LLP "Hacking Incidents - Real
Life Case Examples”

15:30 – 16:15 Canterbury Christ Church University Speaker TBD

16:15 - 16:30 Session Wrap Up & Close


To register for this free event, please register online at


The meeting will be held in the Lord Ashcroft Building, Room LAB026
(Breakout Room LAB006 for networking & refreshments).

Please enter through the Helmore Building and ask at reception.

Anglia Ruskin University

Cambridge Campus

East Road



Please note that there is no parking on campus. Get further information on
travelling to the university.
