Computer scientists and engineers regularly use models, constructs to help understand, communicate about and intervene in complex systems. What sort of model could help us to think about the vulnerabilities which arise from the complex relationships between technology, society and the environment? In this seminar we share an old Danish fairytale and draw out three lessons for the cyber community. In concluding, we argue that stories are a useful type of model for thinking about cyber-physical systems.

The seminar will explore recent developments in the regulation of operational resilience and outsourcing in the UK finance sector to assess whether the proposed new framework will provide a hallmark for governing cyber-security internationally and across other industries. The reforms arise following high-profile IT failures in the finance sector, which resulted in Treasury Select Committee Inquiries and recommended reforms.  In light of these developments, the UK financial service regulators recently closed a consultation into proposed controls of operations and outsourcing in finance, which include changes that will reform standards for managing cyber-security.  The proposals are likely to form part of expected final policy statements to be announced later this year or during early 2021. The UK financial services regulators are leading in this area and the seminar will consider whether the proposals provide a benchmark for managing cyber-security risk across different sectors and globally. MS Teams Meeting Link (no log-in required) A draft slide deck for this seminar can be found here.

Software developers make pervasive use of third-party libraries to reduce costs and accelerate release cycles, at a risk to safety and security. In this talk, I will introduce a coarse-grained dynamic analysis framework, Lya, that targets such risk within the JavaScript library ecosystem. Lya interposes at library boundaries to allow concise analyses for extracting access information or enforcing invariants — e.g., identifying security vulnerabilities, highlighting performance bottlenecks, and applying corrective actions. Part of the talk will be given in the style of a hands-on tutorial, showcasing how to build and use Lya to enable further research on library-oriented security analysis and enforcement. Seminar Link (MS Teams)

Research about the determinants of the cybersecurity behaviours of students. Professor Bertrand Venard (Oxford Internet Institute) conducts a major research project at OII about cybersecurity behaviours. Through empirical research, this project seeks to understand the determinants of individual cyber security behaviours of students in France and the UK. Bertrand Venard will present the main findings of his most recent empirical research. Seminar Link

Professor Bertrand Venard (Oxford Internet Institute) is conducting a major research project at OII about cybersecurity behaviours. Through empirical research, this project seeks to understand the determinants of individual cyber security behaviours of students in France and the UK. Bertrand Venard will present the main findings of his most recent empirical research.

This seminar aims to highlight why the defensive side of security will always be playing catch up to the offensive side. Through demonstrating real world techniques used both ‘in the wild’ and on client engagements, Ruptura InfoSecurity will highlight how even simple custom tooling can defeat the most up to date defensive technologies.

Shevirah founder and CTO Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds a MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television. She has presented or conducted training around the world including venues such as NSA, West Point, and Black Hat. Weidman founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security culminating in the release of the open source project the Smartphone Pentest Framework (SPF). She founded Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices and the Internet of Things (IoT) in the enterprise and testing the effectiveness of enterprise mobility management solutions and is a graduate of the Mach37 cybersecurity accelerator. She is the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press. She was the recipient of the 2015 Women’s Society of CyberJutsu Pentest Ninja award. She is on the board of advisors of the angel backed security training startup Cybrary, an adjunct professor at Tulane University and the University of Maryland University College, a member of the CyberWatch Center's National Visiting Committee, and served as a judge for the FTC’s 2017 Home Inspector IoT security challenge. Weidman is also occasionally an angel investor in cybersecurity startups

- Often the perception is that the security skills gap is for Security Operations Centre Analysts and Pen Testers - However the gap that we have in the industry is much wider - how do we unlock new groups of skills? - What are the soft skills that we are looking for? - How do we train business leaders to understand the business implications of cybersecurity?

Exploitability assessment could facilitate the prioritization of vulnerability remediation. In the past, security researchers and analysts assess exploitability for vulnerabilities by generating exploits manually. These methods involve a tremendous amount of human effort and require significant expertise. In order to solve this problem, automated exploitation approaches are introduced. However, as I will demonstrate in this talk, the effectiveness of existing automated exploitation approaches is limited by many assumptions. For example, the existing approaches mostly assume the state space of the program is limited, no security protection or exploit mitigation is enabled, and the capability of a vulnerability is already known. In this talk, I will introduce three lines of research works to tackle the problem of exploitability assessment without any assumptions. More specifically, I will talk about how we utilize static and dynamic analysis approaches to (1) explore the capability of a vulnerability, (2) pinpoint useful objects to obtain control over necessary registers, and (3) identify general exploitation chains to bypass widely-deployed kernel mitigation. Along with the introduction of these techniques, I will also demonstrate their practical impacts by using real-world vulnerabilities.

A case study of ransomware acquisition, triage, analysis and decryption. Showing the most common flaws within ransomware and how to create decryptors.