
Disney Magic at InfoSec World 2019

Hey Ryne - you've become an Information Security Professional...what are you going to do now?

I'M GOING TO DISNEY WORLD!!!!!!!

castle
This might be the most excited I have been to write a blog post

InfoSec World - a conference put on by the MIS Training Institute (MISTI) - touts itself as the "business of security" conference that attracts over 1,000 attendees from more than 100 countries around the world. Between workshops from some of the best in the industry and a vendor hall that seems to go on forever, this executive-level event is a sight to behold. And with 25 years of experience backing it, you know it's going to deliver.

Be......our.....GUEST!

be our guest

put our service to the test

venue
Hotel on the left, convention center on the right. Courtesy of Google Maps.

Let's start by evaluating the venue for InfoSec World 2019. The Contemporary Resort at Disney World in Orlando, Florida is possibly one of the most expensive places you can stay, but Mickey doesn't skimp on the amenities. Now, I did not personally stay at the resort (I parked my RV about eight minutes away), but everyone I talked to said it was everything you would expect from Disney hospitality with some pixie dust on top. Beyond that, the guest service staff provided by Disney kept the snack bar stocked and the coffee hot. What else even is there?

The convention center attached to the hotel was a castle in its own right - and it needed to be in order to accommodate the crowd, vendors, and speaker tracks. There were seven speaker rooms for topics ranging from blockchain to nuclear powerplant security, the grand ballroom that was used for two keynotes per day, and the gigantic vendor hall where everybody ate lunch while companies peddled their gadgets and gizmos aplenty.

dinglehopper
Next Generation DingleHopper™

Two days before and one day after the main conference there were workshops in a couple of the ballrooms that required the guest WiFi to work harder than it probably ever has, but it never even hiccuped for me. Come to think of it, I don't think there was a single thing that inconvenienced me in the slightest while I was there - a huge testament to the staff of both MISTI and Disney considering the scale they were dealing with.

helpers
Maybe they had some help....

Don't Skip the Previews

My experience at InfoSec World 2019 actually started on the Saturday before the conference when I attended a workshop on mobile device security. In total, I attended four workshops during my stay that expanded my knowledge of threat detection, open source intelligence, and building a security program from the ground up. The speakers were top of the line and provided great content that went beyond silver-bullet sales tactics. I learned things I could do with open source (free) software TODAY to help any size business achieve a better security posture.

Among the workshops I attended, my favorite was named "Critical Thinking for Investigators," put on by David Toddington of Toddington International. First he walked us through the many issues people have when it comes to overcoming preconceptions and our natural tendencies to stay inside the box. Then he took those lessons and applied them to open source investigation based on his years of experience working around the world. The workshop could have easily been called "Critical Thinking for Anyone," and even though he was forced to cram what is normally a week-long class into a single day, I left with a number of new tools and tactics to make me a better security professional.

Our Feature Presentation

InfoSec World is focused on the bigger picture when it comes to business and cyber security, and the ability to speak to security risks in the context of the bigger picture is valuable no matter what level you work at. That's why I was pretty excited to hear from the people who know how to do just that. I was introduced to the Capability Maturity Model (CMM) and its applicability to security programs. I heard the pros and cons of moving from a mainframe to microservices and how to deal with various levels of security in each.

I attended presentations that ran the gamut of topics from US Nuclear Power Security to hiring a technical writer to write your security program for you (I may have oversimplified that). The kickoff keynote was about supply chain security in the Canadian cannabis industry, making it clear that there is no such thing as a company that doesn't deal with cyber security anymore. It doesn't matter what the end product is these days, you are still going to use a computer to get it to market.

internet
Hey look! Free iPhone!

I did my best to avoid the Blockchain, but it was there in full force with its buddies Machine Learning and Artificial Intelligence to show us the future of Quantum Computing. Those who buckled in for those presentations came out lamenting that these topics are still stuck in the diluted sales pitch phase of their growth, and that there just isn't anything actionable coming out of the space quite yet.

My only criticism is that the main conference was not aimed at low-level hacker types like myself - subjecting the opinions that follow to an unfair bias. Speakers tended to stick to the executive-level topics of risk-management and cost/benefit analysis to align security costs with business profits. If you speak to C(X)Os all day, you need to know this stuff for sure, but this was not a hackercon. I would say the target audience spanned from IT management to just below the C-level, and looking back, the conference description makes that pretty clear. To keep it short: I wasn't all that interested. It's not that the presentations were bad. Just that they weren't for me.

slipper
One could say the shoe didn't fit.

All that said, I intend to keep the notes I took while I listened to the experts, founders, and business leaders for future reference.

When the talks were over, I got to play a little bit of defense for a change in a Capture the Flag event put on by Pros vs. Joes. The scenario pitted four teams against each other as they attacked opposing networks while defending their own. It was a refreshing change of pace from the typically sterile Read Challenge -> Google Answer -> Submit Flag CTFs I've participated in at other events. It was much more dynamic than that, and I'm proud to say our services never broke down.

space-mountain
The people at Space Mountain can't say the same 😢

The best parts of the whole conference, though, were the hallways and buffet lines between scheduled events. I ran into the creator of ZenMap and thanked him on behalf of GUI users everywhere. I met people who worked in non-profits, big-profits, and everywhere in between. People explained their biggest challenges and got solutions from their peers in the span of single conversations. Multiple times I found myself thinking, "This is why we come to these things."

The End Credits

I must thank the people of MISTI and Disney for putting on a great conference that gave me a chance to look at how the things I do every day impact the business that I work for. Gaining new perspective on my day-to-day work in cyber security is a constant goal of mine, and I was lucky to get a firehose of experience from some of the best in the industry - not to mention the fact that this all happened at the happiest place on Earth.

Ryne Hanson

I am a penetration tester, blogger, and traveler living all around the United States in my RV. When I’m not at work, I love going on hikes, spending time in the water, and doing nothing at all.
