St. Charles, MO, is known as the launching point for a famous exploratory mission from U.S. history: the Lewis and Clark Expedition. Explorers set off from the city's muddy shore to find a passage to the Pacific Ocean, mapping out what lay west of the Mississippi River. It was with this same spirit of adventure that around 400 security professionals gathered to swap stories of defending our orgs, raise awareness of emerging threats, and connect as human beings at ShowMeCon 2024.
This edition of ShowMeCon marked a triumphant return after a 5-year hiatus. For many attendees, it was a reunion of old friends who had not seen one another in years. For some of us, it was the first ShowMeCon we could attend. No matter the experience level, the event's overall welcoming atmosphere and friendliness were palpable. Here are just a few of the highlights from the return of this legendary event.
We need more people working securely, not more security people
In his session, "Why You Don’t Need a Security Team," Alex Hamerstone, Advisory Solutions Director at TrustedSec, argued that many traditional security functions could and should be distributed across an organization rather than continually concentrated into walled-off 'security teams.' Security teams have become a hyperspecialized department that says 'no' to things that oftentimes other teams feel they need to work around. We have developed a culture of blaming the victims, which has also set security apart from the user. Alex challenged us, "If a single user can take down a whole system by clicking one link, was the system secure to begin with?"
According to Alex, the future of scaling security will focus on integrating security into various departments and roles and fostering a culture where security is everyone's responsibility. Some folks will need to manage governing, compliance, and oversight, and there will always be a specialization in areas such as incident response. Still, every team needs to be able to perform its own threat assessments and modeling. As he summed it up, "Would you rather have a software security team or developers who write secure code?"
Alex also talked about the future role of CISOs, predicting that legal and business expertise will become more critical than technical skills. Business continuity will become more and more the responsibility of the CISO, and security will need to scale better across the organization to keep up with ever-evolving threats. Alex argued it would be much easier in the long run for leadership to hire security-minded team members rather than security experts who know every role in the business.
Lessons from a grocery store
In his session "Evolution in Progress: Insights Since Our Last Encounter," Joey Smith, VP and Chief Information Security Officer at Schnuck Markets shared his "Three E's framework." He asked us which of the following we thought we needed to work on: "Expertise," "Emotional Intelligence," or "Exposure." He emphasized the importance of finding a career that aligns with one's passion and highlighted the value of continuous learning and adaptation.
He said he learned a lot about security from working to stock shelved during the pandemic. The Schnucks' mission is to "Nourish people," which means more to him than just ensuring Oreos are on the shelf. As they rolled out inventory control automation and robots to assist with stocking, they ran into all sorts of issues. Still, by applying some standard, common sense rules, they have been able to meet each challenge successfully.
His Top 10 list of lessons learned:
1. Under promise, over-deliver.
2. There are three sides to every story. My side, your side, and the truth.
3. Don't Bring up a problem without also bringing up a solution.
4. Prioritize and Execute!
5. Take a chance. Walk through career doors as they open for you.
6. Make your bed every morning.
7. Treat your vendors with respect and professionalism.
8. It's OK to mess up sometimes.
9. Work to find the yes. We can't just be the department of "No."
10. Out of sight, out of mind. Keep your Zoom cameras on and know your teammates.
Not every engagement goes flawlessly, and that is OK
Most pentesting stories you hear have close calls, but almost magically, everything works out at the last moment in most of these tales. Bobby Kuzma, Director of Offensive Cyber Operations at ProCircular, and Security Researcher Valerie Thomas brought a decidedly different to their session, "When Pen Tests Go Wrong." Together, they showcased how unpredictable pentesting can be and how important it is to plan thoroughly and stay adaptable.
Some mishaps are going to be wildly outside of your control, like having a contractor upload your carefully written and tested payloads into VirusTotal, which means the client will now be able to detect their presence. Some missions will go haywire because you failed to consider the weather report, such as Valerie did on one outing, making her all-black 'ninja' outfit highly visible, even at night. Sometimes gravity itself can work against you; as Bobby shared, he once tripped and rolled down a hill and needed medical attention while trying to gain physical access.
No matter what came their way, Bobby and Valerie stressed the importance of being adaptable. While there is no way to predict what can go wrong, entering into any engagement expecting the unexpected, and knowing you might need to pivot or change plans ultimately sets you up for success. You can't plan for every possible circumstance, but staying flexible and accepting that you might need more time or resources for some situations might mean the difference between a close call and outright mission failure.
We must better prepare to detect misinformation and disinformation in the age of AI
Winn Schwartau, legendary security researcher and expert witness who coined the term "Electronic Pearl Harbor" back in 1991, gave the final keynote of ShowMeCon 2024, "The Art And Science of Metawar—Reality Is Only A Keystroke Away." He explored the evolving landscape of cyber warfare and cognitive security while technological advancements are reshaping our perception of reality and its implications for us as a society. This talk covered a lot of ground, and there is no way I can capture all the nuance, but here are my main takeaways.
Winn uses the term "metawar," where the lines between physical and digital realities blur. This is far from a new idea, though, as immersive storytelling has been influencing human behavior for millennia. Human beings are constantly being manipulated through stories and images. However, this is being taken to entirely new levels of sophistication with advanced technologies like AI and the metaverse. The amount of information, including misinformation and disinformation, currently being generated is orders of magnitude greater than anything else we as a society have ever experienced.
Fortunately, a proven way to combat the effects of mis/disinformation is by training our brains to recognize it. Cambridge University has dubbed this process 'pre-bunking.' Just like with any inoculation, a small amount of actual misinformation is given but in a safe way, fully explaining the context and how to spot it as false information. This trains our brains to be on the lookout for similar bad info, and the effect lasts for about a month. There are a number of publicly funded studies in the UK and the EU looking into this phenomenon at scale, but sadly, the US is lagging behind in this field of research.
ShowMeCon is back!
For over half the attendees, this was their first ShowMeCon. This includes your author, who was there to give a talk about cyber deception and honeytokens. All of us newcomers were treated like family and made to feel welcome from the first moments of registration through the closing party. Somewhere between the chaos of DEF CON and the coziness of the BSides I have been fortunate enough to participate in, this is truly an event apart and one worth checking out in person next year when they return for ShowMeCon 2025.