Interview: The Security Queens on #NCSAM

Back in May, Infosecurity introduced you to the security collective the Security Queens.

At that time, we were keen to find out more about them, their ambitions and current work. Five months later, Infosecurity reconnected with the Security Queens to find out what National Cybersecurity Awareness Month means to them and how important the message of connected devices is.

What do you think of awareness campaigns like this, do you think they have any impact on the public?

Morgan: Awareness campaigns, delivered properly, can have a really positive impact on the public - Take Five for Fraud week in November is a good example of this. The finance sector, in conjunction with ActionFraud and the National Crime Agency, produce awareness materials and deliver internal training to staff and externally engage with customers to educate them about common fraud campaigns and scams.

With Cybersecurity Awareness Month, because it’s spread out over a longer period of time, there’s definitely the potential to deliver real benefit to users and customers as long as the messages we deliver as a community are clear, and we’re united. There are some controversial pieces of advice we’ve come across, like advising users to switch off SMS two-factor authentication because it can be bypassed with social engineering and such, that can do more harm than good for the average person.

Sarah: Awareness campaigns like these are great. They provide short and sweet messages on how to protect yourself or increase your security. For example, even just increasing the complexity of your password, which anyone can do easily.

The only issue with campaigns like these is that they need to be able to reach the right audience. As security professionals, we may be more interested in campaigns like these than the everyday users, so you really need to focus on your target market and what platforms you are sharing your content on.

What about in the infosec industry, do you think there is still attention paid to the awareness month by the third or fourth week?

Sophia: Absolutely! I think a lot of security companies and professionals take it upon themselves to raise awareness throughout the month. We’ve seen a lot of companies proactively upkeep interest throughout the whole of October, even with Security Queens we’ve tried to deliver regular security top tips aimed at general users and those who aren’t necessarily security or tech-savvy.

I think the concept of awareness month is quite important to focus end user awareness campaigns and utilize the month as a way to highlight basic security hygiene, whilst educating the wider population about security risks and issues that they may not be aware of.

Sarah: I couldn’t agree more; if you are following a platform producing content like this, then you are likely to come across these tips or even be looking out for them throughout the month.

Morgan: I’d echo this; keeping tips short and sweet, and varying the subjects you provide tips or advice on, helps, as well as using different social media platforms to engage different demographics. People might not see everything you post, but there’s still the opportunity to give helpful advice that people will engage with. Improving cybersecurity is a marathon, not a sprint.

The theme of this last week of the awareness month is “The Future of Connected Devices,” have you looked at the security of these in your work? Do you plan to? What is your perception of connected devices – are they a good thing, or do you think they have been rushed out to market?

Sophia: For my final year project at university, I researched autonomous vehicles and the future of the automotive industry. Of course with any driverless vehicle, you’re going to have a huge amount of embedded and connected technologies to help attain the level of automation needed for it to be AI-driven.

It’s not just transport moving in this direction however, it’s pretty clear that smart technologies are on the rise – mostly to enhance user experience and make our lives easier. I think that there’s been a massive surge of interest and development in the future of connected devices, and to accompany this – a massive amount of security research.

I don’t think connected devices have been rushed out per se, but there definitely could be more research into this area. It’s a known fact that cybersecurity is constantly evolving and changing, and every day is a new and different day in this industry. You can never be fully prepared for the adoption of a new technology, but you can continue to learn and adapt these technologies and the risks they bring.

Sarah: Like most technologies, they develop over time. For example, desktop operating systems have evolved into what they are today and it is possible that the new connected devices will develop in the same way. Vulnerabilities are always being found and are more or less unavoidable; as long as we continue to break things and fix things then these technologies will continue to be hardened and improve over time.

Security may not be the priority for the first iteration of the product, which you can consider to be careless or rushed, however other functionality might have been prioritized. It is important that the products do go through security testing before being released to try and mitigate any easily corrected issues to provide the end user with better protection (I am sure we would say that as security professionals!).

Do you think there is a wider problem with connected devices and IoT, that it is sold more on usability than security and privacy?

Sophia: I suppose leading on from the previous question, a lot of smart technology is promoted as a way to make our lives easier. In some respects the promotion of such technology glosses over the nitty-gritty of security and privacy – but that’s why we think research and awareness campaigns are important in adopting this technology, but in a secure and safe manner.

Smart technology (in particular smart home products) is definitely moving towards becoming more of the norm, but as we move towards a smarter future, it’s important to ensure that end users are aware of the security and privacy issues related to some connected devices.

At one point in time, smartphones were a new feat of technology, but with time we have grown to accept them and learn about the security risks associated. With IoT and connected technology, I think it will be a similar process, and hopefully adjusting to the technology will be accompanied with in-depth end user information about staying safe and secure.

Sarah: I think I would add that security will continue to develop within these products as they are released. The more they are released, the more time we have to understand some of the risks and focus on adding that layer of protection.

Morgan: I’d agree – smart and IoT devices are pretty much ubiquitous now, and it’s uncommon to meet someone who doesn’t have an Amazon Echo or a Google Home Hub and all the associated peripherals. In the beginning, a lot of this technology (as with most technology) was launched for functionality and user experience rather than being developed with a focus on user security and privacy; but there’s a lot of research and work being done in this area in the wider security community to improve the security of smart devices and IoT gadgets, and that will continue in the future.

Finally, how have the three of you progressed in careers and academia since we last spoke?

Sophia: Myself and Sarah have now moved onto our first graduate roles as junior security consultants in the technical field of penetration testing, and we are glad to have both achieved highly commendable First Class Honors, especially with the current climate and the challenges that COVID-19 brought to academia.

Morgan continues to study a part-time MSc in information security at Royal Holloway whilst working full-time in industry. She’s currently studying AWS architecture and security in her free time. As a collective, we’ve continued researching and writing blogs on security topics, and recently delivered our first group talk remotely to different security community groups. 
