(Photo by Ruth Bryna Cohen)
Nearly 300 people, including IT professionals, hobbyist hackers and members of the public, converged for two days of all things infosec at the Security BSides Delaware conference, held at Wilmington University Nov. 13-14.
The event, part of Delaware Innovation Week, hosted an impressive roster of more than 35 speakers this year. The conference is one of 37 BSides events to be held this year around the country, with many more continuing to pop up worldwide. Chapter founder Janice Paulson saw the need to bring BSides to Delaware while studying network security at WilmU.
“I was going to DEFCON and HOPE, and I found my classmates couldn’t afford to go. So I decided to bring the conference to them,” Paulson said. “It’s expensive to go to conferences, and some people don’t have the means. Learning shouldn’t be limited to people of privilege.”
So she and husband Josh Marpet, of data security consultancy Guarded Risk, organized the first BSidesDE in 2010. The most recent conference was the group’s sixth. Not only does BSidesDE save locals money on travel, it also doesn’t charge any registration fees. Free breakfast and lunch is provided to attendees.
“We’re going to make sure it’ll stay free for as long as we can,” Marpet said. “And we’re aiming next year to have more sponsors so we can do that.”
The conference organizers specifically seek out sponsors who are hiring to help connect those attending the conference with jobs, Marpet said. Sponsors this year included Dell Secureworks, Mitre, First Data, MACH37, Guarded Risk, Liticode and SANS, which were on hand to talk to job seekers.
The conference included a packed schedule of two tracks of speakers on both days. Speakers ranged from a pre-teen computer enthusiast to seasoned pros working in the business over 30 years, and the topics covered the gamut, from breaches affecting the home computer user to security issues facing big business and government.
- On Edward Snowden: “Love him or hate him, this guy has done more to promote infosec than anyone else in the last few years. It really has set the stage for the cryptowars.”
- On the Office of Personnel Management hack: “No government agency wants to be the next OPM. The fallout from this will be felt for a number of years.”
Thomas said the now-commonplace practice of “bug bounties” — hackers who charge companies a fee in exchange for letting them know about undiscovered, zero-day vulnerabilities — would have been considered unethical and unthinkable years ago. “It’s been amazing to me to watch this come about,” he said.
Developer Justin Klein Keane spoke about security risks arising from the internet of things. Keane said his mission is to eliminate security mistakes he sees occurring with alarming regularity. IoT sits “above” the cloud, mobile, web and network, and presents a problem because it’s all done over web traffic.
“Insecure web interface, insufficient authentication and insecure network services are at the top of the list of problems,” he said. “I think this is why everyone intrinsically knows IoT is bad for security.”
Dave Vargas, president of Vargas Advanced Technologies Group, discussed strategies for responding to ransomware attacks, when end-users are threatened with destruction of their data unless they pay a fee.
Ransomware had mainly targeted individuals in the past, but has now expanded to businesses and become increasingly sophisticated with high-level cryptography, Vargas said.
Computer scientist Russell Handorf wowed an audience by demonstrating how it was possible — through the use of signal intelligence — to catch a thief who had been breaking into cars in his neighborhood.
Alex Muentz, an attorney and security adviser with Leviathan Security Group, talked about the evolving view of business toward buying information security services, as well as cyberinsurance, which still remains in a nascent stage, and hasn’t quite settled on predictable business models.
“Why do we pay for information security? It’s not profitable,” Muentz said. But with the risk of regulatory fines, lawsuits, contract losses, and reputational and headline risks looming over a company, it’s a necessity, he said. “We spend money on security so that we don’t spend more money.”
For job seekers, recruiter Kathleen Smith of ClearedJobs.net was joined by colleagues Lee Wanless of g2-inc.com and Lamont Price of Tenable in a joint presentation. All emphasized the need to form lasting, ongoing relationships with recruiters, to become self-aware, and to be able to articulate what you want to do — not just what you’ve already done.
In his discussion of open source intelligence (OSINT), Brian Martin, principal at Liticode, pointed out that OSINT is a great entry-level position in infosec. OSINT relies on finding publicly available information for political or commercial ends. “There’s no degree or clearance required for it,” he said. “Red Teams need these people.”
Those interested in strengthening their tech chops had much to choose from at BSidesDE.
Speaker Daniel Rico ran a seminar on Wireshark post-incident analysis, Keith Patchulski spoke about physical penetration testing, Jim Gilsinn explained the mechanics of an ICS/SCADA man-in-the-middle attack, and David Rhodes took attendees into hands-on work with Burp Suite, the popular pen testing software. Paul Neslusan spoke about Kill Chain Evolution, and Bryan Bechard led attendees in an incident response simulation game.
If you couldn’t get to BSidesDE this year, many of the talks were filmed, and will be posted to YouTube. You can also find further information on the talks and speakers at bsidesdelaware.com.