With 2022 coming to a close, there was one last conference for the year, which happened in the snowy cold of Salt Lake City on December 16th. This event brought together security experts from multiple backgrounds, developers working to bring better security practices into their work, as well as students who were just starting down the path into InfoSec. No matter what skill level or area of security you forced on, there was something for everyone at BSidesSLC.
What Are BSides?
There are a lot of security conferences out there, but BSides stands out as unique. Rather than just a collection of talks, BSides is a community lead events that feature hands-on labs, workshops, and collaboration, as well as industry experts presenting on a wide variety of cyber security topics. I was encouraged by the number of students participating in this event. Thinking about the forecasted number of needed security professionals and open roles at companies vs the currently too-small pool of applicants, it was great to see so many folks on the path toward meeting that challenge. I will be covering some of the highlights the talks little later in this post, but first, let's take a look at some of the ways BSides stands out as a special event.
Unique Community-Built Badges
A very fun part of BSidesSLC is a tradition of electronic badges built by volunteers. These badges give participants something to hack in real-time while the event was happening. This year's badge followed a "Rick and Morty" theme and ran off a Raspberry Pi Pico. The badges contained games, puzzles, and an eye-jiggling animation on the LCD. Best of all, these devices were fully hackable.
Not only were attendees encouraged to modify the software, as I did, adding my name to my badge as seen in the picture above, but there was a contest to see who could modify the hardware in the most unique way. Folks added more functionality and LEDs to these wearable microcomputers, with a winner named at the end of the event. Special thanks to community lead Professor Plum for creating these awesome badges and the team who lead the hardware modification lab.
Labs And Workshops
One advantage of in-person events is the chance to be very hands-on in labs and workshops. You can physically touch hardware and tools, as well as get help and encouragement from experts in the room. While online events offer the convenience of being able to participate from anywhere, there is nothing quite like being face-to-face while learning a new skill.This year's workshops included:
- Raspberry Pi Pico 101 Basics - this was also the lab where you could modify your badge with the available tools and extra components they had available.
- Network Traffic Analysis and Suricata Signatures Lab
- Metasploit Intro & 101 Basics
{% embed twitter.com/secntech/status/160385272840049.. %}
In addition to the workshops, there were also labs and community events going on at the same time. These included:
- A physical security/lock-picking lab Hardware modification lab
- Home Lab - focused on understanding and modifying smart home devices and networks.
- Capture the Flag - a set of point-based security challenges that helps individuals and teams learn about real-world exploits in a fun tournament atmosphere.
The Hallway Track
While not an official part of the schedule, one of the best parts of any live event is the "hallway track." This is the general term for informally connecting with others in between sessions, in the hallways. Since BSidesSLC was spread across two buildings this year, folks had plenty of space and opportunities to connect as they moved between sessions and workshops throughout the day.
This is one of the biggest reasons I would encourage anyone to attend a BSides or any in-person community event in their area. You never know who you will meet or what conversations you will have. For example, at this event, I learned a good deal about incident response, security staff augmentation, and security operations centers, SOCs, from folks I met in between sessions. I made some awesome new connections and can't wait to run into them again at future events.
Session Highlights
No live event would be complete without sessions. There were over 30 speakers who covered topics from starting a career in InfoSec, to in-depth sessions about using specific tools like BloodHound. Here are just a few high-level themes and highlights. All of these sessions, including mine, will be made available on the BSidesSLC YouTube channel soon.
Communication Between Teams Is Important
One theme I heard reverberated throughout all the talks was the value of communication for good security posture. In her talk "Building Stronger Relationships between Security and Engineering Teams," Senior Security Program Manager Astrid Bailey discussed how Adobe organizes and prioritizes communication between over 200 product teams. She described the process of getting security requests integrated early in the product roadmap and how the security teams worked closely with the product team leaders to ensure they were on the same page from the start of any new initiative. One of the biggest takeaways from her session was the importance of executive buy-in. She said to present narratives instead of reports full of dry facts and walked us through using dashboards to present stories to the executive team. She suggested highlighting how each department and product measured up against one another as a way to motivate VPs to elevate security in their list of competing priorities.
{% embed twitter.com/McDwayne/status/160380685064997.. %}
Storytelling came up again in AppSec specialist Shelby Pettit's talk "Document It, Or It Did Not Happen: Writing a Quality Pentest Report." Shelby explained that while she is not a penetration tester, she is someone who consumes pentest reports regularly. This has given her a lot of experience with what formats are the most effective, and she was happy to share multiple tips and best practices on getting your message across clearly.
She stressed the importance of assuming most people reading pentesting reports will not be security experts. If cybersecurity jargon is needed to explain any points, a short explanation of the concept will help the readers, from product managers to senior VPs, grasp the importance of your report. If a reader has to go investigate something independently to read your report, then there is a good chance they will not be able really to understand your proposed solutions and changes. Getting buy-in is critical to advancing security.
{% embed twitter.com/McDwayne/status/160384434198190.. %}
Another session that emphasized communication and storytelling to get buy-in was "Building a Cybersecurity Strategy" from David Bowman, Systems & Security Manager at one of Utah's largest school districts. One way David starts conversations is with a cape. He occasionally puts on a cape with a big security "S" on it and runs through the administration offices. While humorous, this gets the school officials' attention immediately and lets them know that a serious security matter has appeared that must be addressed.David also stressed the importance of executive sponsorship in any security endeavor. If the business level can not understand the 'why,' then there is not much that will likely be done. Addressing the executive team with stories of how they are undeserving their end users, rather than just presenting facts and figures around potential security threats, delivers the same basic information but frames it in a way where executives what to do something about it to improve the organization overall.
Understanding Security Events To Help Us Prepare For The Future
Another common thread throughout BSidesSLC was building for a more secure future by looking at recent incidents. The session that highlighted this idea most directly was "Why Data Breaches Aren’t Like Plane Crashes, But Should Be" from security researcher Doug Hubbard. He gave a quick overview of several Boeing 747 Max disasters from 2018. He noted how the reporting and disclosure from Boeing and investigators were very open and honest. Everyone developed a clear and direct understanding of the issues and solutions being put forth. While these incidents were tragic for all those involved, overall, air travel is safer because of these learnings.
He then compared the airline industry's openness to how most security incidents are reported and communicated. Where the airlines are very open to the causes and remedies, most security teams are very vague in their reporting and try to downplay the severity of the incident's effect on the overall business. He posits that this closed-off approach is doing us all a disservice, and we need to be able to thoroughly dissect incidents at other organizations as part of the process of securing our own.
He recommended several places he looks for security news on a daily basis and suggested everyone make a habit of routinely seeking out such news and staying on top of trends. His list contained sources like The Register, Krebs on Security, and BleepingComputer, among others. The landscape is always changing, and staying informed is one of the best ways to know where to focus your attention for better security.
{% embed twitter.com/McDwayne/status/160381344727095.. %}
Author's note: due to limitations of the Dev.to platform this is a truncated post. Read the full article with all the session highlights in the original blog post.
Looking Forward To More BSides In 2023 And Beyond
BSidesSLC was the last cyber security event of 2022, but it is far from the last BSides or security event on our calendars. We are proud to support the BSides community. You will see GitGuardian as a participant and sponsor of upcoming BSides in 2023, including Las Vegas, Montreal, Orlando, San Francisco, St Louis, and of course, Salt Lake City. Start marking your calendars now for the BSides in your area. You don't want to miss taking part in these awesome community experiences.