The 312 area code is one of the original 86 area codes created by Bell System in 1947. In those early days of telecom, when the entire system could handle less than 100 exchanges, 312 supported the growing population of America's second-largest city and surrounding areas, connecting this diverse community together and letting them communicate in a brand new way. This same spirit of coming together and sharing our knowledge about ever-evolving challenges was present at the first-ever BSides312 in Chicago.
Saturday morning, May 11th, 2024, brought together 247 attendees from a wide variety of backgrounds, including long-time security professionals, students, and developers keen to learn more about security. Throughout the day, 10 speakers shared their knowledge from the stage, and many hallway conversations happened throughout the venue, The Bottom Lounge, a popular music venue that was gracious enough to host the event.
At the core of the event was a pervasive theme of community and connecting as human beings. This was true from our keynote, "Securing Sexuality: Rewiring Our Intimate Connections," by Dr. Stefani Georlich, who reminded us all that behind every data point is a human being whose privacy and security matter deeply, all the way through the closing session from legendary hacker Chris Roberts who talked about the need for inter-team collaboration in his talk "Evolution of threat intelligence, tracking your boss for fun, profit, and protection."
Here are just a few of the other highlights from this incredible day.
You can't gauge risk without understanding probabilities
When you first try to quantify security risks, it can seem daunting. With so many new threats emerging daily and the likelihood of any event being nearly impossible to predict, it might seem like a hopeless pursuit. But it turns out we have already been doing precisely this kind of risk assessment for a long time in the realm of insuring human beings, who are very risk-prone and unpredictable.
In her talk "Educating Your Guesses: How To Quantify Risk and Uncertainty," Sara Anstey, Director of Data Analytics and Risk at Novacoast, explained that most current models of cybersecurity risk are not properly taking into account range compression and are making decisions with not enough information. Essentially, if we have two threats, we are going to judge them against one another rather than stepping back and looking at the larger context. Sara urged us to embrace uncertainty and utilize Monte Carlo simulations to better estimate potential outcomes. By defining risk, setting time ranges, and assigning values with confidence intervals, she demonstrated how to produce more reliable risk assessments. Anstey's session reminded us that while we can't predict the future, we can improve our estimations and make more informed decisions. Run those simulations!
You can learn a lot about security by fighting actual fires
In her session "Dumpster Fires: 3 Things About IR I Learned by Being a Firefighter," Dr. Catherine J. Ullman, Principal Technology Architect, Security at the University at Buffalo and firefighter, showed that incident response (IR) in cybersecurity and firefighting have a lot of similar goals. Both require adequate preparation and proper mitigation steps to be in place. During a fire or an incident, we must be careful not to cause more harm to ourselves or others as we work. After either type of event, we must take into account a cleanup and recovery phase.
Catherine shared a few personal stories, such as a close call involving an air tank and some melted hoses, which she overlooked due to complacency. She said it taught her how critical vigilance and proper training are, as her other training and preparedness are the only reasons she did not get seriously hurt. Every incident is unique and requires a tailored approach, and during any incident response, we must show patience and avoid tunnel vision. No matter what type of incident you are responding to, it is very important to take a few moments to properly assess and think through what to do next in order to get the best outcome.
Security training must be inclusive of everyone, especially the most vulnerable
The "Senior Citizens Fighting Scammers" session by National Security Research Scientist Anita Nikolich introduced the DART Collective, a U,S. National Science Foundation-funded project aimed at protecting senior citizens from scams. While our seniors are often the target of increasingly advanced criminals who prey on their lack of technical prowess, there are few engaging training paths that have proven effective. Her research into how folks who did not grow up immersed in tech can become more cybersecurity security-minded led to the creation of a free mobile game called DeepCover.
The DART Collective is working to combine cybersecurity expertise, game design, and social media campaigns to offer an engaging and accessible online training portal. Anita said we must make cybersecurity education appealing without resorting to "chocolate-covered broccoli" approaches. They interviewed many seniors and took into account what they look for in an app and how they like to learn. That all shows up in DeepCover.
Next, they are creating an interactive online portal where seniors can play solo or in a group to solve challenges that prepare them for scammers. The social and competitive aspects should not be overlooked, as this provides an incentive to keep playing. As they seek to expand, the initiative is working with various community centers, including museums, churches, and senior centers, aiming to empower older adults to recognize and combat scams.
A Chicago community working to keep us all a little safer
Each session brought a new perspective on how we can empower the people in our organizations to embrace better and safer practices. Your author gave a talk about Security Champions programs, such as those from the WeHackPurple community and OWASP. One asset that many security teams overlook is the ability to tap into their vendors and partners for educational content. At GitGuardian, we are always happy to help spread awareness of the problem of secrets sprawl and would be glad to help your team via online materials and training as well. Feel free to reach out to learn more about this.
As a community-organized event, it would not have been possible without all the amazing volunteers, including the organizers, who devoted a lot of time to making it happen. I want to say a huge thank you to them for helping make Chicago a little more secure. The inaugural BSides312 conference was a resounding success, and I can't wait until we report about It in 2025!