Security BSides San Francisco, 2015 conference review
Have you ever wanted to get in a time machine and go back to when security industry visionaries were just starting out? Imagine meeting Martin Roesch when he was writing the first version of Snort or Bruce Schneier as he was just putting his ideas down for Applied Cryptography. I don’t have a DeLorean, but I can do the next best thing. I can take you to a place where tomorrow’s thinkers are forming their ideas and honing presentation skills, today.
That place is Security BSides San Francisco. BSides is a community-driven phenomenon that occurs across the globe. In fact, there is probably a BSides event occurring each week, somewhere. The BSides events range from small, one-day events to very large, multi-day, multi-track events such as San Francisco and Las Vegas.
BSides San Francisco was held this year on April 19 and 20 and it brought the industry together for an exciting two days filled with discussions on latest threats and solutions to industry-wide issues. There were 33 top-notch talks spread across two tracks, ranging from in-depth analysis of technical topics to professional development and skill enhancement presentations. Most talks were recorded and posted online so I was able to see everything that was interesting to me even though I could only be in one place at a time. There were, of course, a few misses (there always are) and I do feel that having a speaker mentorship program like BSides Las Vegas has would improve speech quality and presentation skills.
If you have three hours to spare, here are the best talks from BSides SF.
(Disclaimer: I was a speaker at BSides SF, but I’m not going to review my own talk)
Medical Device Security — From Detection to Compromise
By Adam Brand and Scott Erven
Adam Brand and Scott Erven | Photo: Tony Martin-Vegue (CC-SA-BY 3.0)
One quote that was very memorable from the speech is “Privacy is important, but I want to be alive to enjoy it.” These two ideas, privacy and saving lives, sum up the seemingly contradictory forces in the medical device industry, but the speakers made the case that the two are not necessarily mutually exclusive. Medical instruments save lives every day and as technology improves, they evolve into very intelligent, networked devices. For example, think of a dialysis machine that sends information real-time back to doctors regardless of where the patient is.
[embed]https://www.youtube.com/watch?v=E6QXyZpyTPc[/embed]
The presentation included comprehensive research that was eye-opening and frightening at the same time. Malicious actors could cause lethal results and the ease with which someone could do this is scary. Much of my tin-foil hat paranoia was confirmed by this speech. The speakers ended the talk with a call to action, asking each and every audience member to get involved and become advocates for medical device security.
HIPAA 2015: Wrath of the Audits
[embed]https://www.youtube.com/watch?v=JJznV8J4hZQ[/embed]
“HIPAA 2015: Wrath of Audits” was a great presentation by Hudson Harris on HIPAA compliance, introduction to risk assessment methodology and approaches to achieving compliance. Gauging audience reaction and talking to some folks afterwards, those not actively employed by organizations governed by HIPAA probably got the most out of the presentation because it introduced new concepts. HIPAA, the Health Insurance Portability and Accountability Act of 1996, covers many areas, but the presentation focused on the provisions of the law that address privacy, security and confidentiality of patient health records.
Harris spent a good amount of time walking the audience through risk assessment methodology, based on the NIST Risk Management Framework. Risk management is a complex discipline and is the cornerstone of any good information security program. Hudson was able to take a complicated process and present it in terms that were very easy to understand. The audience left the session with the understanding of why taking a risk-based approach to compliance is the most efficient and effective way to achieve security goals.
Hacker or criminal? Repairing the reputation of the infosec community
[embed]https://www.youtube.com/watch?v=iioaVUHtfOM[/embed]
I’ve always thought that the Information Security community needs to bring in people from outside the traditional intake fields (software development, system administration) to solve our problems. Melanie Ensign, a media relations and communications adviser, is the perfect example of this.
Her talk had all of the components of a lively and engaging presentation: funny, insightful, engaging and provided actionable advice to attendees. Her message is that the information security community does a poor job of managing our story and reputation, so we let management and vendors do it for us. As a result, we have the reputation of being curmudgeons and obstructionists who can’t really achieve effective security without outside intervention. She spent very little time setting up the problem and dedicated most of her time providing actionable advice on how each individual can implement reputation management techniques today.
Melanie is truly elevating our profession. If you want to be inspired and energized, watch this talk.
Next year, expect more of the same — high quality, engaging talks from up-and-coming security leaders. You should put BSides San Francisco on your must-see list of security conferences.
See all BSides San Francisco videos here
Other reviews of the conference:
By Fernando Montenegro — Day 1 and Day 2
Tripwire’s State of Security blog — Day 1 and Day 2
Originally published at www.csoonline.com on April 28, 2015.