I would like to propose a question to all of the hackers, phreakers, lock pickers, security professionals, and social engineers out there reading this: why do we so love “Cons” like ShmooCon? If the first answer you came up with is because you enjoy the parties… please, just stop reading now.
I’m only kidding of course, but seriously, events like ShmooCon, DEFCON, Notacon, etc. are all important for security pros to experience because they are all great places to learn. As much as people joke about going there to socialize, there is a TON that one can take away over the days of a Con.
The best part of these Cons is that they’re informal – you're not in a classroom setting and the folks giving the presentations (who were probably up just as late as you were the night before) make their talks intriguing and entertaining. Not to say that other conferences put me to sleep, but it’s just a different way to think... a bit more fun… and hey, I can also wear my jeans and tattoos with pride.
Along those same lines, you get people from all around the globe coming to these events… snow-pocalypse or not.
(I especially enjoyed reading the note from the folks at the Wardman Park Marriott indicating that it was the worst storm since 1922 and that it may “hinder events and services.” Granted, there was no satellite T.V. for a few hours and there were limited places to eat, but it did not stop nearly 2,000 attendees from coming, even if all of us had to take an elevator from the lobby to the mezzanine together. Apparently some skylights are not designed to support over two feet of heavy snow.)
But whether these folks are there presenting or simply attending, there is always a wide range of people with various skill sets… all of which create an extremely valuable atmosphere when we’re mixed together.
Joking aside, Cons are also a great place to network and meet new people. I can't tell you how many amazing individuals I've met at Cons whom I’m still in contact with. Cons bring people of like minds together, and once you get us geeks in our environment you can really get us to open up... or give you a mohawk.
Either way, it’s a win-win situation. You’re literally in the midst of the larger process as it transpires around you… meeting people whose research drives us crazy when we’re attempting to remediate it, or talking to others who give us the chance to stay one step ahead, at least for a day or two.
So, why should C-levels care about these Cons? Let’s take a minute to throw out the fact that we socialize and/or consume some drinks; I get that it’s not part of the ROI they want to hear. Simply put, it’s about education.
I would rank these Cons above any 'courseware' you can think of! This is zero-day information... in detail, given to the security people who know exactly what to do with it. You might not walk away from the event with a certificate of completion, but you're going to walk away with a lot of truly valuable information that you can take back to your company to help enhance its security stance in one fashion or another. I don’t know any other types of shows that really make me feel this way.
I find it hard to sum up the importance of these Cons and the security measures learned there to upper-level management, but essentially it comes down to this reality: it will cost a company more money to clean up the mess after they get hacked than it will to continue to send us to Cons like these and use the techniques learned and products necessary for proactive defense. Cyber war is here. Where are you?
Stay safe… stay secure… PEN TEST!
-Caitlin Johanson, Technical Support Engineer