
Takeaways from Black Hat Sessions XIII: are InfoSec conferences becoming interchangeable?

By Diederik Perk.

At first glance, 2015 will go down as a big year for cyber security in the Netherlands. The smoke has barely settled on The Hague after the combined GCSC, ONE, HSD's CyberSecurity Week and an impromptu rendition of B-Sides (courtesy of DCWC) all took place in April. The net result for this country was a mandate to start an office to promote internet security. After all the resources invested, that brings into question the value of those conferences for increasing information security.

It is a question practitioners and their management are forced to answer every time a new conference springs up claiming relevance. It is a tough call, because you cannot really put a price on the potential for knowledge exchange, promotional exposure and expanding business networks. The organizers of Black Hat seemingly can, however, since the tickets went for €265 apiece, unless you were handed one through business relations or, like this author, were the fortunate winner of a free ticket.

All the more, the value question keeps staring back at us. The growth of the digital security market has accelerated the widespread presence of commerce at such events. This time, part of the welcome package was one conference booklet and ten promo folders. As a company, you can hardly differentiate yourself within it, but you can hardly avoid joining in either. Therefore, set your specific goals before attending becomes part of a routine and time and resources are wasted. As a discussion starter, I share some of my observations that point to ways of improving the experience at larger InfoSec conferences.

Celebrate the highlights

At Black Hat, all talks are recorded and made available to the public. This is an excellent way to reach a broader community. Organizers ought to build the connection with their present audience, and make it easy for them to understand and show the value of participating. This may take the form of sharing presenters' slides or a management brief with key points. With this Black Hat audience based mostly in the banking, IT and public sectors, it must be of primary concern to deepen those ties before expanding into wider audiences.

Keeping things together

A fundamental issue in IT security is that decision-makers are not as versed in technology as the practitioners. Communication between the two sides, then, often becomes not fully productive. This Black Hat session introduced an option to attend two tracks alongside each other: a technical and a non-technical one. Understandable on the one hand, a missed opportunity for closing the gap on the other. The result at yesterday's sessions was one room continuously overcrowded, whereas the major hall where the policy-oriented talks were scheduled remained scarcely occupied.

Coordinate content

At Black Hat, a variety of speakers appear on the program, ranging from academics, independent researchers and representatives of internet providers to the nuclear energy sector and IT security companies. Another option, with such a cross-section of important insights, is to define a narrower theme than IT security in the Netherlands and have the perspectives weighing in go into more depth. A panel accommodating audience interaction is then a more dynamic finale than another plenary keynote speaker. Underlying such a close-knit thematic conference would be a call for papers to ensure new research findings are integrated with practical approaches.

No Business without play

In this Black Hat session, leave it to Madison Gurkha to introduce a variety of hack demos. The Hollywood credo to show rather than tell is a concept conference organizers may take to heart. Find a way for participants to have fun. On the vendor floor that aim is pursued on a trial-and-error basis, and so should it be in the main program. Unfortunately, Black Hat in NL showed mostly existing flaws, and working with well-known security frameworks to mitigate risk. When, for example, the two presenters from NRG were asked to give a sense of the capacity of their workforce, or to share findings related to security incidents, they fell into a non-disclosure mode.

This stands in stark contrast to the United States' conferences, where some (self-)criticism emerged that presenters save up their spectacular findings, irrespective of their urgency, to optimize impact. It is then perhaps less surprising that specialists refer to the set of major 'cons' (i.e. DEF CON, Black Hat, B-Sides, Hack In The Box) in Las Vegas as Security Summer Camp. The original white hat subculture with its particular strain of anti-establishment but pro-sharing anarchy springs up, and no WiFi network, device or appliance around the facility is safe from friendly hacking attempts.

Reimagining the conference as a professional playground brings value on multiple levels. Knowledge transfer is as much about good information as it is about the enthusiasm and motivation to transfer it. At Traxion, our consultants perform root-cause analyses of hacking attacks in the wild, going one step beyond hack demos using exploits in lab environments. Speakers at Gartner conferences conveniently offer a roadmap for audiences in the form of to-do lists for the next morning, the next 90 days and before the year's end.

Playful learning is something successfully adapted and applied in gamification models. Bringing that to larger audiences is the challenge, and even more so the opportunity, for conferences looking to carve out their own position. The bottom line for information security is that there is a lot of learning to do, and the first step is learning how to learn it.
