Send your Staff to Security Conventions
I just got back from ShmooCon 2008 (http://www.shmoocon.org/) with a notebook full of scribbles and a wiki full of links. I recommend that companies of all sizes send people to their local security conventions in addition to the larger ones.
How to get the most out of the experience:
Take Notes
Don’t worry if the 1337 Hax0r next to you is looking at you like you’re from the media. Take notes; fill in gaps from the presenter’s power-point. Jot down: links and tools that they mention, concepts you don’t immediately understand, how it affects your workplace and ideas that their talk inspires.
Attend Random Talks
Having a solid plan of what you want to listen to is good. Throwing in a little chaos into the schedule is better. It’ll expose you to new things. I had an excellent example this weekend while attending Sethi and Bhalla’s presentation on Aspect Oriented Programming. I’m not a developer, but now I have something to talk to them about when I get back into the office.
Put the Talks Together
The concepts in each individual talk can be combined with other talks. Another example from this weekend, take Jay Beale’s talk on Client-side attacks with Josh Wright and Brad Antoniewicz’s talk on EAP exploitation to get a feel for the importance of client-side configuration management and security. Or take some lessons learned from Isaac Mathis’ talk on the cultural impacts on security and Matt Weir’s “Smarter Password Cracking” talk to build culture-specific dictionaries.
Bringing the Message Home
Take your notes, rewrite them so that they’re legible, add links to papers, tools, and other talks. List out the impacts to your organization. List out the to-dos in one place so you can track them.
Spend some time writing up some of the key-findings for management. Make recommendations for changes and new projects. This will make them feel better about the money they spent sending you.
At Defcon 14 (circa 2006) there was a talk on blackjacking. I took elements of that talk to influence the corporate Blackberry policy and get application white-listing added before the devices were widely deployed. I can only imagine how much help-desk work that step has saved, let alone the security incidents.
What if I can’t go?
Sometimes you can’t go. And you certainly can’t go to all of them. For big conventions that I can’t attend, I keep an eye on the blogs of people who did get to go, and I keep an eye on the presentations as they are published. Sometimes, the talks will appear on youtube or on the convention site itself. Take time to read through them, and follow the same process: take notes, identify impacts, record inspiration, and combine talks.
Comments