Every year, the security community attends regional conferences, which offer a combination of educational learning, hands-on training, and the opportunity to meet with new and familiar faces.
Steelcon takes place in Sheffield in mid-July. This year, the conference marked its tenth event, and I’ve been delighted to have attended four of them and spoken at two of them in the past.
This conference is arguably among the best in the UK, if not Europe. It offers around 20 excellent talks from renowned and new speakers in the comfortable environment of Sheffield Hallam University.
The focus is on collaboration, communication, and, most of all, enjoyment. After all, a conference on a Saturday shouldn’t be all about the seriousness of security, right?
Unpacking Steelcon
As with other events I’ve attended, such as BSides Birmingham, there isn’t a total focus on ‘I hacked this’ and ‘here’s a vulnerability I found here’ talks, which are completely valid; subjects such as wellbeing, and broader topics such as insider threat and common exposure points, are also covered.
These are all valid discussions in the security community, as we need to deliver content for all, but it’s good to see a variety of subjects covered.
From the most recent event, held on 12th July, here are ten things I learned from the talks attended.
A Range of Scams
The first talk I attended was “Scams, Sextortion and Snapchats” by Adaora Uche, who discussed the “very unique challenges” faced by Gen Alpha, born between 2010 and 2025, as they are the first to deal with “mobile devices from birth.”
She said this new generation “can’t live in a world with no internet” and welcomed stories from the audience on their own experience.
She cited four pillars to deal with the pressures that they face: awareness, communication, education, and technology. For a starting talk, this was a dose of reality on pressures faced by teenagers, and ways those of us who are older can assist.
Time to Chill Out
The subjects of burnout and wellbeing are covered often, and hearing first-hand tales is always welcome. In the second talk I attended, Mo Amin described feeling like a pinball, being bounced around between issues when he worked in an office, as people would ask “can I grab you for this?”
He asked the audience how they can negotiate these demands with so many things thrown at them, and recommended giving yourself time to chill out, “as I ran myself ragged doing the right thing for the team.” Amin pointed at three factors of burnout: emotional exhaustion, depersonalisation, and low personal accomplishment.
Another takeaway from Mo Amin’s talk covered the feeling of exploitation of those who “work all hours” and financial exploitation. Amin recommended taking time to do the things that you need to be productive, taking time for exercise and well-being, and taking steps away from the potential of burnout.
Amin also showed the pyramid of his concept of “Good Resilience in Testing Times,” in particular the five steps to help one’s well-being.

Red Team Ops
Andy Gill is a regular Steelcon speaker and presented alongside his CrowdStrike colleague Craig Underhill on “How Red Teams Out Run Threat Actors.” The two discussed how they operate as a consultancy within the EDR vendor.
One of the takeaways was on how ‘adversarial emulation’ works, basing red team efforts on how technology is usually used. One example of this is Scattered Spider, which uses remote management tools, reads documents, and uses your system against you in an attack.
Another takeaway from Gill and Underhill’s talk was the concept of ‘pishing’. This is not a typo, but a form of phishing in which a letter is sent through the post, and the recipient is coerced into disclosing details. Gill said this tactic is typically used to raid crypto wallets.
Threat Modelling
Next, Andrea Jones and Arron ‘Finux’ Finnon presented on threat modelling. This covered multiple subjects, including how we are not looking ahead at the benefits threat modelling can give, “as with a safe and secure system, you want to get it working and provide a product so the company can get on with its business.”
A number of frameworks were detailed on the specific subject of threat modelling. Finux said that after doing the exercise, you need to consider whether you would do it again, and if not, why not, and what was not delivered. Also, consider how two different testers would get different results depending on their experience and tactics.
Alert Fatigue, Insider Spectrum
Jones and Finux also touched on alert fatigue, particularly during cookie acceptance. Finux said that if we’re being asked to press ‘accept’ all the time on those pop-ups, this can impact how we react to alerts.
Finally, Andrew Tierney and Jo Dalton from Pen Test Partners gave the closing talk, ‘Malice, Mistakes and Misunderstandings: The Insider Threat Spectrum’, which discussed the concept of the insider, leading with the concept of “not if but when” these incidents can happen. Dalton said there is a stigma about not being able to stand up and admit that mistakes have been made.
Common Authentication Problems
The two speakers disclosed examples of where tests had been conducted on cruise ships and oil rigs, where fingerprint biometric technology was used to overcome common authentication problems, but this proved to be a challenge when engineers with oily hands were unable to access sections and sectors!
The research found that excessive authorisation was often granted to high-level systems to overcome the base authentication issue.
There were many more talks I didn’t attend, but I heard and read very positive words afterwards. The joy of this sort of event is to pick what you are interested in and engage with it.
Congratulations on ten years to the Steelcon crew and organisers, and may this event continue and inspire others to participate and attend.
Dan Raywood is a cybersecurity journalist who has written for several leading publications and regularly appeared on TV and radio over the past 17 years. He has also spoken at industry events including 44CON, Irisscon and Infosecurity Europe, and has worked as both an analyst and a product marketing lead for a major vendor.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


