July has always stood out for me in the cyber security conference year, because it’s when SteelCon—one of the events that really helped me decide to move into the industry—is held.

This year, it took place from July 19^th ‘til July 21^st, with the main event taking place on Saturday 20^th. We travelled down to Sheffield on the Friday (grimacing slightly at the traffic but enjoying the sunshine) and arrived in time for networking at a nearby pub, taking the opportunity to meet others in the industry and catch up with those we hadn’t seen since the previous event.

On Saturday morning, we arrived at Sheffield Hallam University and were quickly greeted by… a couple of hundred people carrying board games and wearing  ’80s wigs? After some mild bemusement and presenting our QR codes to the registration desk, we likewise joined the board game-carrying, wig-wearing crowd and started digging through the conference swag bag: cassette tapes and sweat bands alongside the usual programme and snacks. Confirmed: the theme of this year’s conference was the 1980s.

Another general theme at SteelCon, as at many other cyber security events, is that of community and charity. This theme would be present throughout the day with the sticker stall and auction, which would be raising money for The Children’s Hospital Charity.

The board games, prominent because their bulk meant they didn’t fit in the swag bags, were part of an awesome SteelCon initiative that they also pursued in 2023 (I’m not sure if longer-standing). In 2023, the organisers went to a local charity shop and asked for 400 random books, which were then distributed to attendees. And when I say random, I mean I know of attendees who received a book on theoretical models in nursing, a book on Martin Luther, a crime novel, a book on baby-led weaning, a school study guide, etc. Attendees were encouraged to chat with fellow attendees, compare the books they’d received, and negotiate swaps if they so desired. Any unwanted books were returned to the organisers and donated back to the charity shop so they could sell them for a second time. The same applied this year to the games, which is why I started out with a card game and left with Kerplunk.

After the opening remarks, I spent a little time exploring the sponsor stands before making my way to ‘Social Engineering 101—Part Deux’ by Chris Pritchard. This was a direct follow-up to a talk he’d given at SteelCon in 2018, though I didn’t see this at the time; my first SteelCon was 2022, when I saw Chris highlight the social engineering tactics used as suspected Mossad agents infiltrated a hotel room. Based on how much I’d enjoyed that talk, I knew this would be good!

Early on, Chris introduced Miller’s Law, which essentially says that the average human can maintain seven (plus or minus two) pieces of short-term information, and pointed out that this is really helpful on social engineering engagements. As an example, he described how he’d noticed the style at a particular company was for employees to load up their badges with trinkets (e.g., USB sticks, tokens); when creating his fake badge, he therefore prioritised the trinkets, knowing that Miller’s Law would mean they would be the focus during security checks. He showed us a photo of the resulting badge, laden with trinkets, that led to a successful infiltration: the badge itself was entirely blank.

Chris also gave some general insights on successful badge creation, keeping Miller’s Law in mind, highlighting how sometimes people take photos of their badges on their last day at a company—‘just handing this in!’—and post on LinkedIn, meaning an easy overview of the company’s badge design, and how marketing teams often publish colours with the exact hex/RGB on the company website.

After some more insights and stories about social engineering engagements, he summarised that these skills aren’t natural but are learnable, social engineers need to present a state of confidence, and they should always be prepared for surprises. It was certainly no surprise to me that I thoroughly enjoyed this talk, both the content and Chris’s entertaining presentation style!

The next talk I attended was ‘The Code Compilation Process’ by Tom Blue. I’ve known Tom personally for a while but hadn’t seen any of his presentations until now—I was delighted to discover that his infectious passion shines through in his talks. This talk presented an overview of the code compiler pipeline, from lexing through to code generation, and, as an inexperienced coder, I will readily admit that I came into this talk purely intending to support a friend but instead I very quickly realised I was getting a lot out of it.

Not only did Tom break down the compiler steps in a very clear and understandable way, but since “parsing applies to natural language too,” he also drew attention to the connections between code compilation and grammar—an obvious attraction for this ex-linguist! It really helped me gain deeper understanding from his presentation overall. Finally, he covered some security aspects relating to compilers, including how malicious modifications can easily propagate and benign code can be made malicious through a compiler. I genuinely learned a lot from this talk, thank you Tom!

Next up was an absolutely fantastic talk by James Bore on ‘Doing Due Diligence’. This is currently embargoed and we were asked not to publicise the content, but I heartily recommend checking it out when the recording is eventually released. I’ve seen James speak several times now—the quality is always top-notch but this was, in my opinion, one of his best.

Because of the embargo, the only photo I took was of Steve who was working AV for this session.

The final talk I saw was by Maya Boeckh: ‘post-startup (security) growing pains: “Hi, It’s me, I’m the risk”’. I’ve seen Maya speak before but on very different topics, with their SteelCon 2023 talk focusing on a language based on JavaScript that uses only six characters. The real similarity between all of Maya’s talks is that they only talk about things that they have a real genuine passion and interest in, and this one was no different.

This talk drew on Maya’s comprehensive experience of working in and with start-ups to offer insights on security aspects that are commonly deprioritised in the early stages of building a business, and the challenges surrounding these. For example, they spoke about start-ups where staff end up using their own devices which are not managed or overseen by the company at all, and the resulting issues this can cause. Unfortunately this talk had to start late due to some technical issues, which meant there was no time for a Q&A before everyone made their way to the conference closing remarks—I think there could have been a very worthwhile discussion had there been more time!

At the conference closing remarks, most of the attendees (myself included) had removed their ’80s wigs due to the heat but the charitable nature of the event continued, with the announcement that almost £1,500 had been raised for the organisation’s chosen charity, The Children’s Hospital Charity. It was a fitting way to end such a community-focused conference.

Although there was an afterparty, we left after the closing remarks to make the trip back up to Glasgow (through wind and rain this time, rather than the glorious sunshine of Friday’s journey south!). Many thanks to the organisers, speakers, volunteers, and sponsors—I’m very much looking forward to next year!

It was Saturday 4^th November and I was at Glasgow Caledonian University for the Glasgow Caledonian Cyber Convention (or G3C). I must admit I was pretty nervous. This was my first conference, so I had no idea what to expect.

After fighting with the banner stands and laying out swag (as a sponsor, we had a stand at the event), I was ready to start networking.

Kick-off!

I had a lovely chat with folks at Quorum Cyber (one of the other sponsors) and great conversations with Dr Jackie Riley (the Head of Glasgow Caledonian’s Cyber Security and Networks department) and with students who were curious to know more about working in the cyber security industry. Our ID ‘Cybear’ mascot is always a great conversation starter, and students wanted to know more about who ID Cyber are and what we do.  Interestingly, I was asked by students about the perception of tattoos in a professional environment in 2023. (Your dearest author has quite a few!) Everyone I spoke to was lovely, especially so early in the morning before caffeine had hit our systems.

G3C is a multi-track event so I wasn’t able to attend all the talks. Keep an eye out for G3C channels to catch any of the talks I missed (or indeed those I saw!).

Stephen Rattigan — Work Smarter Not Harder: The Power of Automating Your Daily Tasks

First talk and it’s ID Cyber’s very own Stephen Rattigan presenting the key to ‘Work Smarter Not Harder: The Power of Automating Your Daily Tasks’.

Even though I get to watch Steve work his automation magic on a near-daily basis I had a blast watching and listening.Why does automation matter? Think about your daily tasks. It all takes time, it’s repetitive… and we’re human. We make mistakes!Steve wants to make life easier: maximise productivity without expending more of your precious time and energy to do so.

He posed the question ‘To automate or not to automate?’ Well, there’s a great acronym to determine if a process should be automated or not:

• Consistent
• Repeatable
• Auditable
• Processes

You can see that right? It’s CRAP.

If your automation doesn’t follow CRAP then it’s probably going to take more time/labour to implement than the task itself. In these scenarios it’s not worthwhile to automate. However, if it will increase productivity, efficiency, and consistency then consider automation.

Steve then detailed how he uses automation to help at work:

• Auto disable caps lock (isn’t it a pain when you’re typing and it suddenly turns into SHOUTY MESSAGE?)
• Snipping tool added to middle mouse click
• Keyboard shortcuts for PowerShell commands that are tricky to remember

Warning! Like anything in IT or cyber security, automation carries risk:

• Be wary of installing automation tools on company devices! Always ask permission.
• Don’t use it for passwords.
• Scripts can be flagged as malware.
• ALWAYS have a kill key.
• Be careful what you automate.

For more of Steve’s insights, including useful tools, check out his talk once recordings are released!

Alice McGready — Communication Breakdown

Another one of ID Cyber’s talented roster, Alice provided a great insight into ‘Communication Breakdown’,  or the importance of conciseness, clarity, and the impact of typos.

It’s not just your pride that’s hurt when you send correspondence with typos – it can affect people’s perceptions, confidence, or trust in you! Even outwith an office environment they can have catastrophic effects. They could cause international or political incidents. For example: US military correspondence being leaked to private email addresses in Mali (.ML) instead of the military (.MIL); a nuclear test at the Sedan site in Nevada was erroneously reported as being carried out in Sudan, attracting worldwide attention; and finally, the Mariner 1 spacecraft didn’t even make it to orbit because of a typo!

Typos can cause reputational damage and lack of trust in your organisation. (This one is for the commuters and Glasgow locals!) Alice told a story in pictures about a junction near Cowcaddens where a sign is erected, falls, and remains there for at LEAST 7 years before it is replaced… and the replacement has one of Glasgow’s most well-known streets spelled incorrectly. It’s ‘Buchanan’ not ‘Buchannan’! That doesn’t exactly inspire trust in the local council.

Interestingly, 43% of recruiters listed spelling errors as sufficient grounds for immediate rejection. Can you imagine you’ve put “attention to detail” as one of your strengths?! (Don’t do that, by the way. You’re inviting people to look for a mistake!)

After providing a series of helpful tips on how to avoid typos (check out the recording when it’s released!), Alice leaves us with a contemplative call to action: You have to care. You are advertising yourself/your product or brand. Take pride in your work. Take pride in your words.

James & Chris Bore — Mixology, Multidimensional Information Spaces, and Security

Now, I was glad I was well caffeinated for this one. It was fascinating!

James presented us with information theory: Spaces where we can represent messages and ways to communicate effectively in the presence of noise (anything that can distort a message). A dimension can be anything, for example, any 3-letter message can be encoded in 3D space/3D vectors, and taste is a 6-dimensional space. It’s mixology time!

James plotted 41 different cocktails against six tastes: tart, bitter, sour, sweet, spicy, and salty.

Now we observe the archetype of cocktails, sharing similar characteristics yet entirely distinct! Anything that fits in boundary boxes could hypothetically be one of the archetypes but… it doesn’t necessarily make it the same. For example, the martini boundary-box is so ranged that anything could hypothetically be a martini.

But how does this relate to security? We have lists of attacks and exploitation methods using CAPEC & MITR-ATTK and we can classify APTs in a risk space, but cyber security has been slow to adapt to hyperdimensional standards which are used in other industries.

What issues do we face? Data normalisation (or cleaning) is the main sticking point and from this the industry needs to adapt and collect data in a way that is normalised. With regards to threat modelling, you can just assign numbers to things. James advised: “3 is better than ‘high’ because you can do maths at it!”

Scott McGready — This conference sucks

I’m going to be honest, I didn’t take a lot of notes here. If any of you know Scott, then you’ll understand why – if you don’t… Well, I don’t wait to spoil the delivery – you’ll need to watch the recording for that.

This conference sucks. There’s too many inside jokes, it’s all the same speakers, talks you want to see clash, it’s cliquey, there’s inexperienced speakers, it’s all just about networking.

He got us there…

You see, conferences suck if you make them suck!

There’s too many inside jokes? Ask for the context!

It’s all the same speakers? Volunteer to give a talk!

Talks you want to see clash? It happens!

It’s cliquey? It may seem that way but it’s because all of these people met each other at conferences!

There are inexperienced speakers? Everyone must start somewhere and there’s only one way to get better!

It’s all about networking? This is great. Speak to people. You’ll find out about jobs; you’ll meet interesting people from all walks of life. Networking is a good thing!

This conference sucks… if you make it suck.

That was fantastic, that was bonkers, that was so much fun! If you want to experience it, check out the recording when it’s released.

Cary Hendricks — That’s a Good Question, Kev

Last up, it’s the vanguard of ID Cyber Solutions, Cary Hendricks, presenting ‘That’s a good question, Kev’, amusingly named after a podcast where Cary would answer every one of his co-host’s questions in that same manner.

I wanna work in cyber – how do I get into it?

Firstly, what do you want to be? The careers within the industry are highly diverse. Everything isn’t penetration testing! With so many roles available it pays to know the areas you may wish to specialise. You may work for an organisation helping IT through the creation and implementation of policies/procedures – that’s cyber. All these things encompass information and data. You can still work within cyber and be non-technical!

An ever-present notion in information technology is the evolution of that technology vs its ease of use. As we witness greater network proliferation this encompasses its own problems! So what are the persistent security challenges?

• Maintaining compliance
• A lack of qualified and skilled professionals
• Centralising security in a distributed computing environment
• Fragmented and complex privacy and data protection regulations
• Compliance issues with BYOD
• Relocation of sensitive data from legacy data centres

Standards and certifications like Cyber Essentials and Cyber Essentials Plus can aid businesses with these challenges, making sure that organisations recognise how to secure their data.

There are so many roles within the world of cyber: technical, non-technical, and otherwise. Where will your journey start?

_________________________________________________________________________________________________________________

What a blast that was! I met a tonne of people, some I’ve only ever spoken to online, some I’ve known for years, and some new faces. My colleagues were busy preparing and hosting talks, so it forced me to socialise. (I’m glad that was the case!) Having spent the last few years working from home that was exactly what I needed. G3C has cultivated a friendly, open environment for people, students, and industry professionals: a place to meld and inspire collaboration and transparency for those interested in the cyber security world.

I’ll be back – I can’t wait for the next conference. Who knows, maybe one day I’ll speak at one!

Time for food. Damn, I’m hungry!