Culture of Security

Posted by boblord Employee Aug 27, 2015

I sometimes talk to executives about how employees and their fellow executives at the company view security, and about cultural issues around security. They often tell me that, generally speaking, people are on board with the necessary work to keep things safe. I’ve yet to hear someone tell me that people pride themselves on working around security teams and programs so they can run the business more efficiently. I’ve heard a number of stories that include facts about their compliance efforts, how they train employees, and sometimes about how they use metrics to improve their security posture.


Those are all great things, and in most cases I learn something. But here’s what I’m up to: I’m asking a direct set of questions. In every case I can remember, I get a positive view of how the company thinks about security. Sure, there are staffing issues, and many problems that keep people up at night, but the general answer I get is “we have a culture of security at our company.”


Then I switch gears and start asking indirect questions, questions that may reveal a different slant on the issue of security culture. For example, I ask “Tell me about a time when your IT and Security teams needed to make a controversial and unpopular change,” and “Tell me about how management supported them,” and “What was the outcome months later?” Sometimes I get a good story showing leadership from the IT/Security teams, and backing from management. But I’ve also gotten responses like “Bob, I’m proud to say that our IT and Security teams have never ruffled any feathers. They’ve always found solutions that improve security without upsetting anyone or adding any friction to the business.” I don’t know about you, but that sort of answer does not ring true. It’s more likely that the security team isn’t pushing the company to evolve to be more secure, or isn’t capable of doing so. Other indirect questions also tend to back up this conclusion.


The culture of security in an organization is defined more by the way it encourages or discourages hard decisions than any other factor. Talking about metrics is good, training is great, and so on. Everyone has to do those things and they’re hard. But on the topic of culture, we should be asking ourselves about stories. Stories are the way real cultures are made. Stories tell of love and fortunes won, and lost. They give an emotional energy to work that no policies and procedures manual can. (Though if you are good, you’ll write those otherwise boring and lifeless documents in a way that will engage people.)


Stories also are the way people communicate the real incentives in an organization. Sure, there are performance reviews, bonus plans, and team charters. But those corporate tools will often struggle to keep up with the way people share stories at the water cooler and over drinks.


Consider this story: The CEO is traveling overseas and breaks her phone. She needs to log into her mail account and the system is asking for her 2-factor code. Since the 2-factor code is generated on her phone, she’s unable to get access to mail. She has to buy a new phone, and spend time on the phone with the security team (who are pulled in to make sure it’s really the CEO rather than a social engineering attack/test) to get it reinstated. Time zone differences and getting the right people involved result in her losing over a day of productivity. She’s clearly upset.


How would this story play out in your organization?

(a) The CEO cools down after a day and gets over her frustration. At the next company all hands, she tells the complete story. She explains she was upset at the downtime while traveling on business. Then she explains why the security of the customer data is more important than the personal productivity of any one person, even the CEO. She praises the cross-functional teams that came together to design, implement, and maintain these security systems. In her story, she puts the focus on the customers and the trust they give the company every day, and how it’s critical in these dangerous times to have a bias towards security.

(b) She gets over her frustration, and eventually gets back to work. But she tells no story. Perhaps she asks the security team to research alternatives for future cases where executives are traveling.

(c) She orders the security team to disable 2FA for mail company-wide until they come up with a better plan for handling escalations like this. It’s not reasonable to have people out of work when they break their phone.


I wonder how many of you reading this post will answer (c). How an organization responds to these conflicts is the definition of its culture of security. What matters for culture is how you react when people are uncomfortable, unable to work, forced to change their processes, and need to take on new and routine work. What core principles win? Do you have written and exhibited patterns that put the safety of your customer data first? What about when it costs an employee some productivity? What about when it’s the CEO? What about when no one at the company can send email or use the VPN because the 2FA server/service is down for a day?


These stories telegraph to all employees how the organization actually values security, regardless of slogans, emails, and policy documents. When the security team asks other teams to do work to improve security, these stories will remind people how valued security is. The real incentive structure will be communicated by these stories.


What security stories does your organization have? I honestly want to know! Drop me a line on Twitter at @boblord. If you want to remain anonymous, send me a DM.

Try this experiment. Go to your favorite search engine and type this:

+”no evidence” security compromise


(Other variations are also interesting, including adding words like “breach”)


There is something about the phrase “no evidence” that troubles me. You may have noticed the same thing. On a regular basis organizations say that there is no evidence of compromise, and no evidence that attackers gained access to user/customer/employee data. They write these phrases to lessen the blow of what is surely a very hard time internally for the responders. They want to lessen the blow and be reassuring to those of us who worry if we’ve been impacted.


For me, it does the reverse. It makes me worry more because it tells me about the state of preparedness of that organization. The phrase “no evidence” could mean everything from “we have tons of evidence and we’re sifting through it, but the probability of the attackers accessing your data is very low,” all the way to “we don’t collect data for use by incident responders, so who knows?”


Simply put, absence of evidence is not evidence of absence. In fact, the term used in debates is “argument from ignorance.” That’s not very reassuring.


What phrases should we be reading instead? What would make us feel better about the investigation? We should be seeing statements like “We have evidence that there was no compromise.” Variations might include “We keep detailed logs of network, system, and user activity. Although the results are preliminary, we conclude that the attackers were not able to access your data.” Or maybe “We were able to trace the attackers’ activities over the past year, and understand the attack. They never had access to your data.”


Now if you’re reading this blog, and you know how attacks work, you know that those phrases are unlikely. More likely phrases by teams armed with evidence would be “We know which users were affected and are taking appropriate steps to notify them,” or “Attackers were able to access only the following data…” Even though those phrases would indicate that the attackers accessed confidential data, they would be reassuring because they would allow appropriate action by all parties. Incident response teams would know how to re-assess their risk, and adjust technologies and processes. It would give customers/users the information needed to better protect themselves.


How does an organization get to the point where it can confidently and honestly say it had evidence? The bottom line is you have to assume you’ll be breached. When you assume you will be breached, you’ll behave differently than if you assume your defenses will be sufficient.


Collecting the evidence required to make strong statements after a breach (or a suspected one!) and storing it for months or even years can be a challenge. How long should you keep pcaps, netflow data, and OS/application logs? How much would it cost? What about the security of all that data? I’ve talked to numerous teams who strongly assert it would be too expensive. But few can show me the spreadsheets mapping out the costs, assumptions, and a creative look at the task of gathering and storing data. And worse, it implies that they haven’t given the executive stakeholders the opportunity to make a business decision on the subject.


My suggestion is to have the debate. Don’t look to show that it’s not cost effective, but rather how you could define the problem statement to make it cost effective. What trade-offs would start to make the problem look solvable? What assumptions can you change to make it more feasible? For example, what if you didn’t store SSL pcaps, but just the netflow data? What if you store netflow data much longer than full pcaps?
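To make the “no evidence” versus “evidence of absence” distinction concrete, here is an added example (mine, not code from the post or from Rapid7) of the question an incident responder actually has to answer from retained netflow: did any of our hosts talk to a given indicator during the incident window, and if nothing matched, is that because the data shows no contact or because the window predates what we kept? The flow records, the dates, the retention policy and the indicator addresses (RFC 5737 documentation ranges) are all constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// FlowRecord is a minimal netflow-style record: who talked to whom, and when.
// Real exporters also carry ports, protocol and packet counts; they are
// omitted because the question below only needs endpoints and time.
type FlowRecord struct {
	Start time.Time
	SrcIP string
	DstIP string
	Bytes int64
}

// Verdict is the distinction the post draws: holding evidence either way is
// different from simply not holding the data.
type Verdict int

const (
	EvidenceOfContact   Verdict = iota // retained flows show traffic with the indicator
	EvidenceOfNoContact                // window fully retained, nothing matched
	NoEvidence                         // window (partly) predates what we retained
)

func (v Verdict) String() string {
	switch v {
	case EvidenceOfContact:
		return "evidence of contact"
	case EvidenceOfNoContact:
		return "evidence of no contact"
	default:
		return "no evidence (window not covered by retained data)"
	}
}

// RetentionStart returns the oldest timestamp still on disk under a policy
// that keeps 'days' days of flow records, evaluated at 'now'.
func RetentionStart(now time.Time, days int) time.Time {
	return now.AddDate(0, 0, -days)
}

// AssessContact answers "did any host exchange traffic with indicator during
// [from, to)?" and says whether a negative answer is actually backed by data.
func AssessContact(flows []FlowRecord, retentionStart, from, to time.Time, indicator string) (Verdict, []FlowRecord) {
	var hits []FlowRecord
	for _, f := range flows {
		inWindow := !f.Start.Before(from) && f.Start.Before(to)
		if inWindow && (f.SrcIP == indicator || f.DstIP == indicator) {
			hits = append(hits, f)
		}
	}
	if len(hits) > 0 {
		return EvidenceOfContact, hits
	}
	if from.Before(retentionStart) {
		// Part of the window was never retained or has aged out: we cannot
		// claim absence, only that we were unable to look.
		return NoEvidence, nil
	}
	return EvidenceOfNoContact, nil
}

// SampleFlows is constructed test data (documentation address ranges).
func SampleFlows() []FlowRecord {
	d := func(day, hour int) time.Time { return time.Date(2015, time.March, day, hour, 0, 0, 0, time.UTC) }
	return []FlowRecord{
		{d(1, 9), "10.0.0.5", "198.51.100.7", 4096},
		{d(1, 10), "10.0.0.8", "192.0.2.44", 900},
		{d(3, 14), "10.0.0.5", "192.0.2.44", 120000},
	}
}

func main() {
	now := time.Date(2015, time.March, 10, 0, 0, 0, 0, time.UTC)
	keep := RetentionStart(now, 30) // 30 days of netflow: records from 2015-02-08 onward
	flows := SampleFlows()
	day := func(m time.Month, d int) time.Time { return time.Date(2015, m, d, 0, 0, 0, 0, time.UTC) }

	cases := []struct {
		ind      string
		from, to time.Time
	}{
		{"198.51.100.7", day(time.March, 1), day(time.March, 2)},      // contact is on record
		{"203.0.113.9", day(time.February, 10), day(time.February, 20)}, // retained, no contact
		{"203.0.113.9", day(time.January, 10), day(time.January, 20)},   // predates retention
	}
	for _, c := range cases {
		v, hits := AssessContact(flows, keep, c.from, c.to, c.ind)
		fmt.Printf("%s %s..%s: %s (%d flows)\n", c.ind, c.from.Format("Jan 2"), c.to.Format("Jan 2"), v, len(hits))
	}
}
```

The third case is the one the post is about: with only 30 days of flow records, a question about January can only be answered “no evidence,” and lengthening netflow retention (cheap relative to full pcap) is what turns that into a real answer.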


As you think about how the NIST Cybersecurity Framework considers the continuous functions of Identify, Protect, Detect, Respond, Recover, are you giving enough consideration to the latter functions? Are you building a cross-functional team to write breach runbooks, and to dry-run test them when you read about breaches in the press? Are you testing your detection capabilities?


In short, I’m hoping to see fewer blog posts that assume a lack of data is acceptable. It’s not.


Have thoughts? Drop me a line on Twitter at @boblord.

Late last night in the US, we became aware that the threatened dump of Ashley Madison subscriber details finally came to pass, exactly 30 days after the attack was first announced. If you'd like to catch up, check the reporting here at The Guardian. Now that the data dump is available on the Internet, curiosity seekers, suspicious spouses, and zealous divorce attorneys would do well to avoid wasting too much time hunting for "one true and correct" Ashley Madison dump on their own. While there are already several fake dumps being circulated, the "real" dump from last night appears to be credible according to the few forensic experts who have looked at it. However, even in the "real" dump, the data is rather suspect, with fake profile information interleaved with "real" profile information.


For starters, it's trivial to set up a fake account on Ashley Madison, since Avid Life Media's (ALM's) account setup procedures encourage, but do not require, an e-mail address to be verified by the user registering. Registering a fake address might be done for a variety of reasons from various actors, ranging from pranksters to bitter divorce rivals.


Second, the majority of "real" account holders tend to use fake, throw-away data and details, for obvious reasons. If some of those fake details happen to coincide with a real person, then it can create a sticky problem for that real person.


Finally, even if the real data is a real person, and that person really registered for the site, there is no indication in the data if that person was successful at, or even intending to, pursue an illicit affair.


One of the appeals of online dating sites -- especially niche services like the ones offered by ALM -- is the low bar to entry combined with the promise of anonymity. According to discussions on Reddit's various relationship and dating groups, Ashley Madison users, as well as users of other "edgy" dating services, appear to be just as likely to be fantasizing "tourists" as they are to be serious philanderers. For these people, the perceived anonymity and ease of signup, even without intent of follow-through, can spell trouble at home if (and in this case, when) that anonymity is blown.


Dating sites of all types are trusted with perhaps the most sensitive, personal data imaginable. Not only credit card payment information and personal identifiers such as addresses and phone numbers, but personal details that few people would be comfortable discussing in public. In addition, these particular datapoints are rarely, if ever, governed by established regulation or law, at least in the US and Canada. The breach is almost certainly a crime, but while it's still unclear how the breach at ALM's online properties occurred, I'm hopeful that CISOs around the world take securing customer data to heart in light of these events. This concern for user data needs to be internally driven, since going above and beyond compliance requirements is especially critical when those CISOs are entrusted with the emotional, psychological, and physical well-being of their customer base.


As security researchers and onlookers, we should also be mindful that this breach is not just another object lesson for CISOs. As with many breaches, this dataset can severely impact the real lives of real people, but this set goes beyond the normal health and privacy concerns spelled out in compliance documentation. Some people are literally put in physical danger if their details are connected with Ashley Madison. The at-risk population includes physically and emotionally abused spouses, people coping with sexual orientation, gender identity, and addiction and compulsion issues, and the children of people who are named, falsely or accurately, in the datasets.


I'm hopeful that some good can come from these developments. As with the Sony breach and the iCloud breach of last year, I hope the victims of this breach, the people most affected and most at-risk, make it through this uncertain period, and that we can all work harder at educating service providers and security professionals on how to best ensure a safe and stable Internet.


Update: ALM has released a statement regarding the breach and subsequent dump, here.

Update: Also, most credit card details are still safe.

I once worked on a project where an injection vulnerability was uncovered on a web application that allowed an attacker to create special HTTP requests that could enumerate directories and see the contents of most files on the system. Everything from autoexec.bat to digital certificate files was there for the taking. Interestingly, one person on the team did not see it as a problem. Perhaps it was in defense of his environment or perhaps it was just a general misunderstanding. Either way, file contents were not enough to “prove” this vulnerability.


Granted, the Windows SAM file and its backup were not accessible which was to be expected. Yet every other file on the host – from binary to text – was there for the reading, and taking. But that wasn’t enough. The debate was probably a weakness borne early on in the scoping of the project. Yet, still, taking such a finding several steps further (i.e. posting the files online, spoofing digital certificates, etc.) just to show what else could be done didn’t seem to make sense. That’s a common problem with penetration testing. If there’s no defined end point, then how far do you go? Time and budgets are finite so it doesn’t make sense to keep going for the sake of appeasing one or two people who might see things differently.


I’m probably just looking into the bigger picture too much. I just don’t care to get off into the weeds when diminishing returns are obvious. Too many people thrive out there, though, hence many of the challenges we still face with security.


Taking such a finding and playing it down is sort of like having the following conversation with your oncologist: "Doctor, you're telling me I have a cancerous tumor in my chest. You say it was discovered in the MRI and it could have serious consequences if left untreated. Well, I ask, upon what specific information is it concluded that the surrounding organs are susceptible to this cancer metastasizing?" Sure, vulnerabilities are subjective and there’s always room for interpretation but this one was a bit odd.


I’m all about demonstrating the real business risks and backing it up with sound information and common sense. It was never said out loud, but remained clear, that one of the underlying motivations was to dismiss this finding altogether. Have you ever experienced this? It happens and you need to be prepared to address it. Be it a peer in IT, a high-level executive, or someone in between, there will be people who don’t approve of findings in your security assessments. You can either stick to your guns, stand corrected if it’s a false positive or otherwise shown to not be a problem, or shrug it off and pretend it never happened. I don’t recommend the latter.

Since I co-founded back in February, 2014, I've spent a lot of time thinking through, presenting on, and discussing what is currently wrong with IoT security. Most conversations around this typically lead to the same concerning conclusion -- "why isn't anyone building a standard for these devices?"  Well, today, that frustrating question has a friendly answer: somebody has. The Online Trust Alliance (OTA) recently released the first draft of their IoT Trust Framework, focused on bringing some sanity and minimum boundaries to the IoT security and privacy concerns plaguing this nascent ecosystem. Even better, OTA is welcoming feedback regarding this important document until September 14th, so nobody has to feel left out in providing their insights around this formidably large and complex topic.


Unlike other attempts to wrangle in IoT, OTA's effort is specifically focused around two areas: home automation and consumer health/fitness wearables. By scoping their focus, they are more apt to provide guidance that will be most relevant to these areas, rather than try to cover the entirety of what IoT could possibly encompass. Depending on whose definition of IoT you want to abide by, IoT could very well include everything from home routers to industrial machinery. By being specific with their scope, OTA will have a fighting chance to give guidance to vendors that will be actionable and valuable.


Another important decision by OTA is to not only focus on information security, but also privacy. Often, information security and privacy are treated like silos, which is very unfortunate. With OTA, however, the IoT Trust Framework brings a comprehensive approach, addressing each area through one set of guidance. The decision to call this a "trust" framework, rather than a privacy or security framework, is clearly purposeful.


What I appreciate most about this draft document is that the language used is clear, actionable, and effective -- there's no "legalese" or over-the-top technical phrasing for the sake of sounding complex. The document is quick to read through, could be made into a testing rubric that vendors can use, and will help to effect change rather than to exist purely to add a facade of improvement. Many standards are created for both information security/privacy topics, but few deliver guidance that will really make a difference to the daily user. I believe the IoT Trust Framework greatly improves on this notion.


What I Like So Far...

  • "All user sites must adhere to SSL best practices using industry standard testing mechanisms. For example the working group suggests sites score a minimum of 90% using industry benchmark testing tools."
    • I cannot tell you the number of times I have seen "must use SSL" in standards, but not aim towards any sort of goal for the implementation of SSL.
  • "Personally identifiable data must be encrypted or hashed at rest (storage) and in motion using best practices including connectivity to mobile devices, applications and the cloud utilizing Wi-Fi, Bluetooth and other communication methods."
    • Many transports I see with IoT devices are completely unencrypted currently, allowing for private data (e.g. video, PII) to creep across public networks and live in mobile devices.
  • "The term and duration of the data retention policy must be disclosed."
    • I've owned two IoT devices that I've performed research on that stated they had deleted my data, but I was still able to access the old URLs for months after the alleged deletion.
  • "Manufacturers must publish to consumers a time-frame for support after device/app is discontinued or replaced by newer version."
    • It concerns me when a vendor says, "oh, we no longer sell that device" as an excuse as to why Telnet is running with a backdoor password on my year-old purchase.
  • "All updates, patches, revisions, etc. must be signed/verified."
    • This is one area where vendors could use a lot of help... nearly no device I research does this, and if they do, they screw it up.
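The last item in the list, signed and verified updates, is the one the author says almost no device gets right, so here is an added example (my own, not code from the OTA framework, Rapid7, or any vendor) of the minimum a device-side check should do: verify the manifest signature before trusting anything in it, check the image against the signed hash, and refuse downgrades. The manifest format, the Ed25519 choice, the key handling and the sample firmware bytes are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateManifest travels alongside a firmware image. The signature covers the
// version and the image hash, so neither can be altered without the vendor's
// private key. The format is an assumption for this example.
type UpdateManifest struct {
	Version   uint32
	ImageHash [32]byte
	Signature []byte
}

// manifestBytes is the exact byte string that is signed:
// version (big-endian) || sha256(image).
func manifestBytes(version uint32, hash [32]byte) []byte {
	buf := make([]byte, 4, 4+len(hash))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, hash[:]...)
}

// SignUpdate runs on the vendor's build system, which alone holds the private key.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdateManifest {
	h := sha256.Sum256(image)
	return UpdateManifest{Version: version, ImageHash: h, Signature: ed25519.Sign(priv, manifestBytes(version, h))}
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature does not verify")
	ErrHashMismatch = errors.New("update rejected: image does not match signed hash")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// VerifyUpdate runs on the device, which holds only the vendor's public key.
// Order matters: nothing in the manifest is trusted until the signature passes.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m UpdateManifest, image []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m.Version, m.ImageHash), m.Signature) {
		return ErrBadSignature
	}
	if sha256.Sum256(image) != m.ImageHash {
		return ErrHashMismatch
	}
	if m.Version <= installed { // anti-rollback: a signed but older image is still refused
		return ErrRollback
	}
	return nil
}

// DemoKeys generates a throwaway key pair so the example runs offline; a real
// vendor key would be generated once and kept in an HSM or offline signer.
func DemoKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	pub, priv := DemoKeys()
	image := []byte("constructed firmware image v2") // stands in for a real binary
	m := SignUpdate(priv, 2, image)

	fmt.Println("genuine update:", VerifyUpdate(pub, 1, m, image))
	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01
	fmt.Println("tampered image:", VerifyUpdate(pub, 1, m, tampered))
	forged := m
	forged.Version = 99 // editing any signed field invalidates the signature
	fmt.Println("edited manifest:", VerifyUpdate(pub, 1, forged, image))
	fmt.Println("replayed old version:", VerifyUpdate(pub, 2, m, image))
}
```

The design point is that the device never needs a secret: only the public key is baked into firmware, so a compromised device leaks nothing that lets an attacker sign updates for other units. The version check is what stops a correctly signed but known-vulnerable older image from being pushed back onto a device.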


What's Next?

The OTA IoT Trust Framework is an important effort for a tough problem. OTA's working group has many large, powerful technology firms involved in this effort, as well as federal government agencies. The best thing we all can do for them, and us, is to contribute feedback before their September 14th deadline. Additionally, if you are an IoT vendor or otherwise deeply concerned about the future of IoT, consider having your organization join their working group for this document.


While the IoT Trust Framework is a big step in the right direction, one area that needs distinct help is the actual hands-on technical guidance that will ensure IoT improves and that all standards' guidance is implemented thoughtfully. Other avenues exist to help the Internet of Things, including the OWASP IoT Top 10 and At Rapid7, I'm fortunate to be able to advise IoT vendors in a professional capacity, but this doesn't scale to the size of IoT, unfortunately.


Solutions such as Brillo and Weave from Google, Thread, HomeKit from Apple, and Parse from Facebook each provide a component to improve on the subsystems and protocols supporting the current generation of IoT. As these technologies mature, having a standard to work against such as the IoT Trust Framework will be a critical anchor. Today, our IoT involves outdated Linux kernels, backdoor accounts, insecure network protocols, poorly designed cloud services, and a complete lack of privacy standards. If we're going to improve upon this anytime soon, new technologies and protocols must be leveraged and standards followed. The IoT is a Wild Wild West, desperately in need of a sheriff to come and "clean up town," so to speak.


Whether you perform security research on IoT devices, help contribute to ongoing standards development, or simply advocate for those that do, it's imperative that we all are thinking about this burgeoning wave of technology that is uniquely positioned to improve our lives -- as long as we secure it, and our data, in a meaningful and substantive way.

First things first:

>> You must be registered & confirmed to be able to attend our 2015 Black Hat party.  <<

I can't emphasize this enough: Unlike previous years, we are not doing any kind of at-the-door registration for our party this year.


If your plan was to live in the spirit of utter spontaneity, roll up to the club and see if you can happen to get in without registering beforehand -- you're going to be disappointed, and we really don't want to see that happen! While we absolutely want to see you and welcome you to our legendary party, we need everyone who wants to come to please register in advance.

As I write this, we still have some space left before we hit capacity and have to close down registration, but we are getting awfully close to that point. So if you're thinking you'd like to party with us, please don't wait to sign up.


Image from @defconparties of last year's fantastic party!

Trey Ford's Black Hat Attendee Guide

This year I've been prepping for Black Hat a lot earlier than usual by reading Trey's Black Hat Attendee Guides very, very carefully. Speaking of, have you read my esteemed colleague's excellent Black Hat Attendee Guides yet?  There's lots here for pros and n00bs alike --


The Black Hat Attendee Guide


These posts are chock-full of useful information from a guy who really knows both our industry and the conference scene. Benefit from his wisdom and experience, folks!

In between packing this weekend/Monday night/Tuesday?, take the time to give these a read, and you'll get a lot more out of your week in Vegas. (I went out and bought some of the items he mentioned in part 7, because I barely made it through the week last year!)


A busy week in Vegas—come by and see us!

And of course, Hacker Summer Camp isn't just about parties -- though it helps -- we'll be at Black Hat, BSidesLV and DEF CON next week.


Hear our experts present at Black Hat

    Wim Remes, August 5 @ 10:20AM, Mandalay Bay BDC

The underbelly of the Internet has been in a precarious condition for a while now. Even with all the knowledge about its weaknesses, we only make slow progress in implementing technology to secure it. We see BGP routing leaks on a regular basis. It almost feels like we take it for granted but at the same time it undermines our trust in the Internet. In this talk, we'll review the current situation for BGP, a foundational piece of the network we all rely on, and focus on the practical implementation of available countermeasures through live demos and examples. In and of itself, we launch a call to action for private organizations, government entities, and academia alike to roll up the sleeves and get cracking at fixing our Internet. If we want to keep trust in "The Internet of Things," we first have to build trust in the network that powers it.


    Trey Ford & Kevin Bankston & Rebekah Brown, August 5 @ 4:20pm, South Seas GH

Sharing information isn't hard - getting past backroom deals, NDAs and approval from general counsel is *very hard*. This topic is not two-dimensional, even if we are quick to weigh data sharing in the face of data breaches, and the US has several pieces of legislation in play on this *right now*.

Conservatively there are over 300,000 open jobs available in information security; efficiency, prioritization and alignment with IT has never been more important. Information sharing and threat intelligence offers hope that we can better inform priorities to align with real threats, however these solutions come with a new set of questions.

    Nick Percoco & Tim Wilson & Lee Kushner & Kevin Oswald, August 6 @ 3:40pm, Mandalay Bay Room J

The bad news is that enterprise data is at risk, and the attackers have the advantage. The good news is that this situation has created a boom market for IT security professionals. How can a skilled security pro take advantage of this lucrative marketplace? What's the best way to find new job opportunities and open positions? What skills and training are the best resume builders? Which positions offer the best salaries, and how can security pros find them? If you are doing the hiring, what positions are most in demand, and how can you identify potential candidates who have the special skills you need?


Visit us at Black Hat Booth 541

Our booth in the vendor hall is #541, conveniently right next to the Networking Lounge. We have the full schedule of booth events right here -- and in addition to product demos, we'll have a number of theater presentations happening on Wednesday and Thursday by the likes of Mark Stanislav (@markstanislav), Leon Johnson (@sho_luv), Christian Kirsch (@chris_kirsch), Mike Scutt (@omg_apt), Tod Beardsley (@todb) and Wim Remes (@wimremes). So come on by our booth to hear their nuggets o' wisdom, or to meet them and say hello!


Get your free Metasploit t-shirt

And as we do every year, we're giving out free Metasploit t-shirts at our Black Hat booth. Tod has more details on our fantastic community-contributed design this year, and for the first time in a while the shirt isn't black, white, or grey, but NAVY. *gasp* And we'll also have women's sizes, hooray! So while you're dropping by our booth to pick up your party badge, hear our theater talks, or get the scoop on the latest from us, don't forget your free t-shirt! Though judging by the lines we've had in past years, you probably won't be able to miss it.


Meet our Recruiting Team at BSidesLV and Black Hat

Kate Launey (@kate_launey), a member of our recruiting team, will be on-site at BSidesLV both Tuesday and Wednesday, available to talk about our open roles and to answer any job-related questions you might have.  As proud BsidesLV sponsors this year, we'll also be participating in the Career Track on Wednesday. Kate will also be at our Black Hat booth on Thursday.


So if you're interested in joining our ever-growing team here at Rapid7, or are just poking around to see what's out there, feel free to talk to ANY of us about what it's like to work here (spoiler alert: it's awesome), and if you'd like to talk about open roles specifically, make sure to say hello to Kate!




Support the EFF at DEF CON, get cool stuff

Near and dear to my heart as always, and especially this year, is our DEF CON fundraiser to support the excellent folks at the EFF.


This year, we wanted to say it loud and proud: OPEN SOURCE IS MAGIC. Well, at least indistinguishable from magic, but you know what we mean.


Our t-shirt design, seen at right, is one that I'm happy to say I drew myself, huzzah! /flexes

So I'm very excited to see it on our official DEF CON t-shirt! (I'll gladly sign your shirt if you'd like to make yours a limited-edition-artist-signed version, which I'm sure will go for a whole dang lot on Ebay one day. Right? Right?)


We'll have men's and women's sizes of the shirt available at DEF CON ($20), as well as laptop decal versions ($2) — all to support the EFF (we don't make a dime off of these). And we've already had requests for kids' sizes and onesies... we won't have them for DEF CON but we're looking into having them made, if these shirts are as popular at DEF CON as we suspect they'll be.


Come see us in the DEF CON vendor hall, support the EFF, everybody wins!


BTW, a big thank you to Marshall Kirk McKusick for his blessing in letting us use the FreeBSD Daemon in my design. So yes, the BSD Daemon is used with permission.


I'll be spending most of my time between BsidesLV and DEF CON next week, so please say hello!


I'm looking forward to a very busy, crazy, insightful, blurry Vegas week next week—hopefully I'll remember some of it after it's all over!


Joining us for the first time? This post is part of a series that starts right here.

So this post is a bit of a bonus. I've asked my dear friend Quinton Jones to share some wisdom and inspiration on how he injects passion and energy into his introductions. He's simply unforgettable, one of the greatest customer champions and business development folks I know, thanks to his passion for people. Please enjoy this five-minute mental vacation, and get excited about the magic of meeting people next week! ~trey


I’m tickled to the core, from merely being invited by the super posable action figure Trey Ford (as I call him) to weigh in on this topic of talking.


On the authority of my own personal “spidey sense,” it seems to me that we’re on the course correction path as an industry, but it feels like we almost completely turned into a zoo for a minute there, and simply need to start over at the beginning.


What I mean is something I learned from one of the lesser-acknowledged-and-discussed-but-equally-credentialed other disciples of the Jesus of Nazareth—most call him Alex Stamos—basically, the narcissism in the room was strangely strong a minute ago, back when we somehow all agreed the aspirational finish line of the infosec discussion was when we identified the problem.  Which, admittedly, was highly strange and I’m as guilty as anyone.


But the simple, actual truth—like the zen economics of how we really got out of the game of counting our 9s and broke through to 100% uptime type phrases—began when we first admitted we were pretty dumb to have been aiming for 100% of anything in the first place. After all, it’s one of those paradoxically true things, you can’t try or think your way through into the “we did that now” place.  The last mile is only available as a path when you’re trying your best, and have tried every theory you could invent, and then give up and admit defeat. Only then do you find the actual finish line of anything, whether it be “a happy family” or “resilient computers” or even “a brilliant Black Hat” or “less insecure and risk-calibrated appropriately-applied and fully-considered security”-types of things.


So when we similarly aim for the best practices in how to “connect with other humans” at—hilariously and ironically—a conference, in person, in Las Vegas, of an enclave of statistically-correlated introverts…. oddly, maybe the obvious is worth saying real quick.


The Black Hat experience that I feel contains the densest betterment moments for my career all year, every year, actually happens in the one-on-one, or small clusters of, say, three to six or sometimes ten “in-between the talks” moments.  In other words, the best bits are always with the other people attending.


Which therefore requires—if we aspire to fertilize and foster the spawn of those learning moments as well as we can—the simple sad-but-true truth that SOMEONE is going to have to shove their hand out at some point toward some stranger (while I know it’s super freaky to do this) and say, “hi” to some presumably highly-scary person, who is obviously scary due to their “stranger-danger!” qualities…


…who suddenly becomes “now not-a-stranger” once we say “Hi.”


So we talk to others, and that’s when the magic happens. And if—having zero personal cupid-esque qualities like archery skills, wing-ed, diaper-wearing, or even benevolent pudginess of cupid-like person (having no cupid-ism whatsoever) —we may have the role of introducing two of our girlfriends to one another, it’s absolutely imperative that you do something brazen at that moment.  Such as lying, breakdancing, or disclosing curious but true quips about them both, in each other’s ear-space, in other words anything that might help make the relationship spark you’re dropping on your gal pals memorable (in their post-conference brains, of course).


And in case this isn’t what some of you might aim for organically, it must clearly also be heartfelt, born of an altruistic region in your—not brain, nor mouth—heart zone within yourself. Not profit-seeking nor ego driven.


In my case, I readily offer to make a fool of myself to achieve the “WELL IT SHALL FEEL STRANGE FOR SOME TIME TO HAVE JUST SEEN THAT….  BUT AIN’T NO WAY I’LL SOON BE FORGETTING THIS PERSON” feeling in whoever just watched me breakdance. I promise you, it’s way worse than bad… it’s unapologetically unforgettably horrible.


Of course there’s the always-true shorter path, if available -- simply introduce the people you might know to one another, so they may speak fiercely and join our Internet unborking team and stuff, but then give them each a unicorn so they can always remember this new colleague of theirs.  If I see this thing in the wild myself, I typically put a comment card in the boss’s office and recommend the introducer for a promotion.  That right there is the righteous stuff that scales.

My name is Quinton Jones and I endorse this BCRA-Compliant message.

Want more? You can read all parts of the Black Hat Attendee's Guide series by clicking here.

This is the eighth and final post in our Black Hat Attendee Guide series—you can start from the beginning right here.


Big gulps, if you've made it this far in the guide—you've arrived, this is the last post. When you get back from Vegas, you’ll probably have a couple of reports you’re staring in the face.


First is the expense report. (Pro-Tip: Take cell phone pictures of everything you spend a dime on!) Before you leave, double check the minimum dollar amount requiring receipts, and know how long you have to get your reports in… but you can’t start until you’re on the road.


Second is your trip report. Not all companies require them, but sending something to management is a smart move, and helps the company derive maximum benefit from the money invested… and you can start writing this right now. (Open a text editor now before you forget!)


Plan now (before the trip) or panic after, as details blur. This report must cover the Three Golden Questions, as it is going to management, so answer these questions as you write:

  • What do I need to know?
  • Why do I care?
  • What do you need from me?


The Talks

We’ve given you a strategy for picking the can’t-miss talks, so move them into your report now: speaker, bio, and abstract—capture links too.

  • Whittle these down to explain the value or relevance to the business and team, and how you plan to pass on your learnings and observations.
  • Highlight what research you found most interesting or exciting personally, inspiring growth and personal development on your own time.


The Workshops

You should have picked some of these out as well. Black Hat affords you opportunities to gain hands-on skills, helping you when you get back to work. Perspective, tips, tricks, lessons learned, and better ways to execute workflows will all come from those workshops. Take some notes, share them.



Open source tools in the Arsenal may be things your team uses daily, or things you should start using. You’ll have met the developers/maintainers, or representatives of the teams that do. You also have a direct pathway to pass on feature requests for the team (knowns are heard with priority over unknowns).


You also have an opportunity to learn about features you didn’t know existed, in a tool you already have, and might actually pay for, from a vendor you work with.



You know the products you use today—meet your account rep, meet the sales engineer, and try to catch the product managers at the booth. Have an idea of what features are coming down the roadmap, and find out what is new or recent in products you already have. Odds are you are not using everything available; finding those features raises the return on investment (ROI) on dollars already spent.


Technologies you will be looking into—check those products out as well. Have them scan your badge, get information sent to you (white papers, data sheets—who wants to carry paper around?) and catch some demos.

Ask point blank what their strengths and weaknesses are, who they compete with, and how to differentiate them. (Pro-Tip: Know when your budget cycle is for those technologies so you can discuss meaningful time-frames for demo and testing!)


Check out the startup space on the show floor. If you’ve never heard of a company, find out who they are, and what they do.


Report back on all of this, and use it as additional notes to discuss with your engineers and architects.



Does your organization have headcount? Do you know folks that are actively hiring? Are there referral bonuses for those positions? Know before you go. Have draft emails or at least links in your mobile notes app, be ready to connect and make referrals—and know who to connect them with back home.


Talk to the team, identify key challenges or problem-areas you don’t have solved. Take notes during the day—the people you meet with similar challenges will have ideas and experience on how to overcome them—don’t spend the energy re-inventing the wheel.


At the vendor booth, ask for introductions to other folks that use the tools you do, compare notes on deployment, usage, or partnership.


Lessons Learned


Remember: The trip should be seen as an investment that you’ve executed in spades, honoring the time and money spent for you to be away, so share the success stories. Make it a point to capture a few “I wish I would have” and “if I had another teammate to coordinate with” type items. Document things you didn't expect or hadn't prepared for, anything you would do differently next year. Experiences are best shared—refer back to this document so you will achieve and experience more next year.


These notes and observations, by themselves, will pay for your trip next year.


Plan early, execute quickly, profit.

So that’s it for this guide series. Thanks for reading it, and for your kind comments and additions on Twitter and beyond.

I hope at least some of the knowledge download here proved useful for you.


I’m tapping out, it’s time to start packing. Travel well, I’ll see you next week in Vegas!


If you're just joining us, this post is part of a Black Hat Attendee Guide series that starts right here.

When traveling to industry conferences, most people prepare their electronic companions (laptops, cell phones, etc) by asking: “Did I pack the right charger in my carry on?”


The premier gathering of the world's best and brightest hackers might be a great opportunity for you to up your travel security game. This post serves as a quick guide on how to keep your information safe from well-meaning researchers, prank-playing fellow attendees, and the occasional bad apple.


Keeping it simple, Black Hat and the surrounding hotel property will offer some of the most “accountable” networks you’ll use. Honestly, you should probably be operating year round at the level of electronic discipline outlined below; then again, you don’t want to drive the mechanic’s car.

Top Tier, Paranoia-at-Maximum Overkill Mode

People can’t steal what you don’t bring.

Let's start off with the easiest solution to the problem at hand. When I touch down at McCarran International Airport, my laptop, cellphone, tablet, and most importantly, sensitive data are all locked up safely at home. I travel with a $20 pre-paid “burner phone” (as seen on TV crime shows) and a sub-$200 Google Chromebook. Both are fresh out of the box and contain no information or passwords. The number for my burner is circulated the week before to friends and coworkers, and I’ve configured call forwarding with my regular carrier just in case they forget it.


As for the Chromebook, it comes with Verified Boot, a feature allowing the device to be easily and quickly reset back to a new-out-of-the-box state if you suspect anything fishy might have happened.


A good password manager like LastPass and a physical two-factor authentication device like YubiKey or an RSA token will get you into your email and SaaS applications remotely. Of course, an out-of-office notification reminding people that--for security reasons--you have limited access to your phone and email will also free you up to attend more parties.


On the return trip, the cell can be dropped off at any major phone retailer where it will usually be donated to a good cause or recycled for you. The Chromebook is relatively cheap and easy to find a good home for. Most importantly, neither should return to your home or office to avoid spreading any nasties they might have picked up to other electronics and networks you care about.


For the other 95% of you

“But I can’t live without Angry Birds!”

If you do bring your primary laptop or cell phone with you, remember that you will be subject to attacks up to and including new and cutting edge research. While the vast majority of researchers are white hat hackers and might not be after your bank account details, the audience members are not vetted, and many are smart enough to duplicate the on-stage results within hours. Simply having up-to-date antivirus definitions isn’t going to protect you.


Talk to your corporate IT department before you leave, requesting a minimal-access VPN, similar to the VPN service used to work from home, but hosted outside your firewall (no direct access to the enterprise network).


If this isn’t available, consider a reputable service supporting your desktop and mobile operating systems (the EFF also has a good overview on picking one). This won’t guarantee end-to-end security, but it will keep your network traffic relatively safe until it gets far away from Las Vegas.

Other Considerations:

  • Based on past talks and summaries of upcoming ones, anything that receives or transmits a signal is a potential target.
  • Leave gadgets--like wireless mice, headsets, others--at home.
  • Keep Bluetooth turned off.
  • Set your phone in Airplane mode when in the conference area, out to dinner, or not expecting a call. (Anyone who has been to Vegas before knows that you are unlikely to get a decent signal in and around the casinos.)

Core Actions List:

  • If the OS isn’t current, and you aren’t planning on doing forensic studies on a fully Stall0wn3d machine, leave it at home.
  • Patch ALL THE THINGS. If you can’t patch the OS, applications, and browser plugins up to right-NOW-current, leave it.
  • This goes without saying, but if it isn't encrypted, leave it. Only Full-Disk Encryption or device encryption need apply.
  • If it communicates, unless you know what you’re doing, turn off:
    • WiFi
    • Bluetooth
  • Firewall ON.
  • VPN all the things. Refer to the EFF’s overview.
  • 2-Step Authentication on all the things. Stay away from stuff you can’t. Nuke sessions and rotate passwords when you get home, on devices you trust.
  • Keep track of your stuff. Anything of value can be physically stolen.
  • Honor OpSec: Be aware of your surroundings, and of the eyes and ears around you. Loose lips sink ships, and everything in Vegas is recorded by someone, usually hotel security, and certainly not for you. Be careful in what you discuss, be aware of sensitive documents you discard.
  • When you leave your room or hardware, power off machines ALL THE WAY (not hibernate or sleep) to eliminate side channel opportunities.
  • Shut off cellular data, unless you need it. This will ration your battery and limit exposure.
  • USBs: If they aren’t yours, don’t trust theirs.
  • ATMs: Don’t use them near Black Hat (Mandalay Bay) or DEF CON (Paris/Bally’s). Seriously. No.
  • RFID shields: Leave work badges at home. Consider shielding if you're worried about passports, room keys or anything else.
  • Use your own chargers for your devices, or make the USB port power-only, if you carry that kind of hardware.
  • Messaging—avoid unencrypted SMS. Use iMessage, Signal, Wickr, PQChat or some other way to communicate.

Mind the real threats

Even with reasonable electronic protections, your devices are still subject to good old fashioned crimes like physical theft. Beware of the usual pickpockets and hustlers that set up shop in any tourist destination if you leave the watchful eye of strip casino security.


If you meet a new friend in the bar, think twice before inviting them back to your room for another drink.


Also, when attending events after the sun goes down, try to not wear your passport and life savings around your neck in a fancy travel wallet. Instead make use of your in room safe (yes, they aren’t perfect) and keep a minimal number of cards and cash in your front pocket.


One final thing to be aware of is information solicitation. While not a direct attack on your devices themselves, learning more about your company's defenses over a drink or three is a great way to set up for a future attack.


Hopefully with a few basic precautions you can avoid ending up on the Wall of Sheep, or worse.




Want more? You can read all parts of the Black Hat Attendee's Guide series by clicking here.

Joining us for the first time? This post is part seven of a series that starts right here.


Hacker Summer Camp is no joke, and you’ve got to have a game plan when you head for Vegas. If you don't travel frequently, this is for you.

Ignoring sartorial conundrums and basic hygiene, this post is focused on keeping your body operating at peak… or at least somewhat operational.


Vegas: It’s nothing like home for most of us. Desert allergens, low humidity that turns you into human jerky, and scented, conditioned casino air that probably carries more smoke particle density than you’re normally exposed to.


Conference super marathons bring you back-to-back if not double-booked days running from very-early to very-late, atypical stress loads, and more talking in 24 hours than your vocal cords probably offer in a month back home.


Then there is food, hydration, and rest. You’ll have less of all three, unless you plan and execute carefully.


What I’m about to break down is not medical advice, it’s my personal approach on staying at peak for the Week To End All Weeks that is Black Hat.


Fuel the Machine


When my body gets hungry, Trey gets hangry -- and that’s entirely my fault. I carry snacks, and try to keep them protein-based.

Two of my favorites:

  • I like almonds, @RSNAKE turned me on to Blue Diamond almonds. I prefer them raw, the wife likes sea salt. They aren’t heavy and they’re easy to share.
  • Justin’s Nut Butters are one of my favorite things in the world, the chocolate hazelnut is wonderful when you’re hurting.  One packet will bring me from hangry to genteel for an hour.


If you do a daily vitamin of some type, bring it and take it. You’ll be missing meals, distractions happen, and when you’re engaged you lose track of time SQUIRREL!


You know your body. Personally, I fear the carb crash, so I avoid energy bars and candy where possible… (@415 can tell you stories about feeding me until I fall asleep, foods like this do it fast).  In my case, I need to stay sharp and laser-focused at the event, but as always YMMV.


Hydrate or Die.

You’re in the desert, you’re going to be talking a lot, and you’ll be drinking coffee--a diuretic--as well as energy drinks, sweet carbonated drinks, and probably alcohol.

I need help ignoring that the water doesn’t taste like home, and bottled water costs a fortune.

  • Bring a water bottle of some type, keep it in your pack.
  • I like to use electrolyte tabs of some type to flavor the water. Bonus: Some of them have caffeine. I carry the stuff from Nuun, others love those vitamin C Emergen-C packets.


Moisture is the Essence of Beauty

I figured if I referenced Zoolander, you’d remember this, but I’m serious about this point: Allergens are a serious consideration, not just due to the desert, but the hotel/casino air.


  • If you use antihistamines or decongestants, bring them, consult a medical professional if you have any questions.
  • Single-Use eye drops. Dry air, air conditioning, long nights, smoke… you’ll be glad you have them, and since they are single use, you can share with your friend sporting those questionable blood-shot eyes.
  • Chapstick. Ask Napoleon Dynamite if you have any questions, same thoughts as above.
  • Cough Drops, I like the ones with honey. You’ll be talking, the air is dry, and your throat is going to hurt. Take some in your pocket at night, you’ll be glad to have them after an hour of a shout-powered conversation at the parties.
  • *Ed.Note: If you have an inhaler you only use occasionally, especially for allergy-induced breathing troubles, do yourself a huge favor and bring it! - Maria*


Don’t do drugs

You’re an adult, and probably a hacker--punk rock and hard core, et cetera. I’m not telling you what to do. I am saying to be careful about what you put in your system, whether it is food or something else, and be prepared to deal with it.

  • Again, if you normally take vitamins, do that.
  • Montezuma’s revenge--you’re eating strange things, probably different than home… be ready for your gut to tell you about it.
  • If you foresee a need for pain/headache/hangover management, bring what you need to deal with that, whatever makes it stop. ’Nuff said.
  • Coffee in the morning. Starbucks will have an epic line. Meet people, or make some in your room. (Some of us aren’t human or humane until consuming the java.)
    • Pro grade: Some folks love the Aero-Press, it’s lovely coffee.
    • In a pinch, keep Starbucks VIA instant packets handy.


Fuel the Machines

Electronics need power, and we seem to be tied to them, so prepare for that.

  • Bring your USB battery pack, if you have one. Cell phones will die faster than normal, towers and bandwidth are a commodity.
  • Small power strips. Power outlets are at a premium, Murphy’s law dictates the only ones you’ll find will have campers using them. I carry one of these, and I make friends.


It’s the way you carry it.

The adage rings true here, “It’s not the load that breaks you down, it’s the way you carry it.” I know Jack Bauer looked swag carrying his man-purse, but you’ll probably carry a laptop and more ALL DAY, despite my best warnings, so bring a backpack and use both straps!

  • Reconsider carrying your laptop, unless you really will be using it.
  • Wear comfortable and supportive shoes. You probably aren’t used to standing all day. No, they might not match, and that’s probably okay…  at least you can still mock people wearing their Vibram 5 Finger / hobbit shoes!
    • Of note: you'll walk a mile from your hotel room to the briefing rooms. Those of you counting steps may score closer to a long day at Disneyland...
  • Bring a layer to put on. It will be over 100 degrees Fahrenheit in Vegas, which means giant machines will be pumping cold air—and some rooms will be colder than others.
  • Bring a carabiner. I know this sounds silly, but that little gap in the curtains lets light from the Strip dance in your room. Carabiners are tiny, and you'll need anything that helps you sleep.


Expert Mode

Managing your energy is a balancing act, and frankly you want to be at peak this week. Championship athletic teams peak for the playoffs and finals, top researchers have brought their best work to this event, you need to be on point.

  • Sleep. Prioritize it. There is a time to rage (pulling the all nighter), and there is a time not to. Careers are made and destroyed crossing this line.
  • Diet. Take care in getting real food. Whole Foods isn't far away.
  • Fitness. If you train regularly, and find it keeps you sharp, do some of that. There are gyms on property (I think they call them spas?), some people go run the strip early (find them on Twitter), while others of us will sneak off to CrossFit Max Effort about a mile away.


Everything in moderation, including moderation.

Bring your best, and bring it hard.


If you’ve got additions to the list, I’m all ears, tack it in here or on Twitter.



Want more? You can read all parts of the Black Hat Attendee's Guide series by clicking here.

If you are just joining us, the series starts here.

If you follow LinkedIn alerts, you’ll see a clean pattern in the game of musical chairs that is InfoSec: twice a year, people pick up and move. The first wave starts the week after RSAC in SF, the other after Black Hat.


This isn’t because recruiting happens, even though it does.

It is because people go to work for great companies, leave bad people or circumstances, or have found an opportunity to grow somewhere else (for more coin!).


Keep your head on straight


No one (in their right mind) likes talking (in public) about a job hunt while they’re employed. Obviously it’s an uncomfortable subject, and if word gets out you’re looking, your day job becomes a little less safe. Like it or not, networking leads to new gigs and a brighter future-- just be aware of how many people know that you’re looking or listening.


Keys to success in this venture, in my humble opinion, are found in perspective and transparency. Everyone, if honest, can see the gaps between what they dream of, their ideal, and what they have to offer.


Searching for where to start? Understand where you are today.


Carefully shape what you’d like to be doing in 3-5 years. Keep in mind that growth is part of every job you take, so you won’t be 100% qualified, or know how to do everything in your next role JUST YET. Successful candidates grow, and we expect it.


Many of you are actively looking; this post breaks down some of the discussions I keep having with folks.


“I’m not qualified, I’ve never done that before”

Almost everyone says this at some point, and for good reason, rooted in their humility, impostor syndrome, or Dunning-Kruger-type things, and almost everyone worth their salt probably wrestles with these tendencies.


I’m going to say it again: Change your perspective.

You are not applying for a job where you need to do clearly defined work, like mowing a lawn, running a cash register, manning a post for a specified time—all of which fits nicely onto a timesheet. The work we do in this industry is very fluid, even if job definitions seem pretty straight forward.


Remember: People are hired for aptitude.

Jobs are chosen for growth potential.


If you can already execute the duties in a job description, managers aren’t worrying about hiring you—we worry you’ll be a pain in the rear as you get bored.


You’re qualified because you have the potential; the question you need to ask is about the gap: Is this something you can get up to speed on fast enough to be a help to the team? That is the question you need to answer when you look at the items on the job description.


So let’s look harder at that:


Reading the Job Description (JD)

The JD is not a tool to determine if you are qualified. Read it while asking yourself: “Is this what I want to be doing for the next three years?” and “Is there room to grow into this job?”


For those of you who haven’t directly managed humans, hiring and firing is a thing, and it is very different than managing systems. Rebooting (err, mis-hiring) hurts people, changing their lives in a painful way. Scaling systems is straightforward, even if tedious—cloud technology has helped dial us in, and configs are pretty structured—but there’s no Chef or Puppet config for adding humans to your team, so we use job descriptions.


Unlike system and application profiles, we can only attempt to describe the skill sets, attitudes, preferences, and special gifts or traits of what we think a successful candidate might embody.


Read that paragraph again. The JD is effectively guesswork.


There are bullets that aren’t negotiable, and there are bullets that are flexible. You won’t know which is which, so tread lightly and read thoughtfully.


As a hiring manager, I can’t tell you how many times we finished interviewing some people, only to realize there was absolutely NO WAY these people were going to work out. Moment of clarity: it wasn’t them, it was us—and the JD needed a re-write.


When you read the job description, try to read between the lines and be quick to ask questions while you have someone F2F at Black Hat.

  • What does the day-to-day workload look like?
  • What does the new hire need to ALREADY know how to do?
  • What can they learn on the job and grow in to?

(Another side-note: Even if you know how to do something, you can almost bet a prospective future employer does it differently, so there is always learning, growth, and adaptation required…)


You have a great resource available to you at events like RSA and Black Hat -- corporate recruiters and potential future teammates. So while at Black Hat, don’t avoid the recruiters—talk to them and find out who is hiring for what roles. Once you do, then talk to the folks on that team. I know a number of hiring managers coming to Black Hat with headcount they are looking to fill—immediately. Seek them out. I promise that you’ll learn far more over coffee or a meal about the team and company than you will in 10 hours scouring their website.


Reading your resume

Let me state this again, determining if you are qualified is not your job. The hiring manager makes that determination.


You really want companies to find the right folks, and sometimes, you really are the right person with all the right attributes. Let’s break that down.


If the JD is a recipe, resumes offer a list of available ingredients. Hiring managers know their culture, organization, and the specific needs of the team.


A great manager isn’t cooking food, they’re crafting cuisine. Building a team is tedious, takes considerable investment, and is a lot harder than it looks. Blind applications represent a numbers game, and the challenge you’ll face is having zero access to the hiring manager until you’ve made it past the recruiting/HR filters as they judge you on your resume alone… unless you are meeting them face-to-face at Black Hat or other live industry events.


What hiring managers look for in you

If you haven’t walked a mile in these shoes, think about anyone you’ve ever interviewed. Meeting face to face at Black Hat allows you to skip an initial resume screen and answer meaningful questions.

Questions being asked on both sides of the table might be:

  • Can we work together?
  • Laugh and pull pranks together?
  • Are you an eight-to-fiver, or are you in-it-to-win-it?
  • Would I look forward to lunch with this person several days a week?
  • Are you my particular brand of crazy?
  • Can we collaborate?


If things are going well, this evolves from the personal chemistry into a situation where you want to know they can actually do the job.

  • Can you hold a job?
  • Are you a leader or follower?
  • Are you self-directed, or need continual guidance?
  • Will your experience and expertise complement my team?


What you (the seeker) are looking for

You also need to ask, in earnest, if this is a company you want to work for. What is the reputation of the company, who works there, what are they doing, is the future of the company viable (read: will the company survive)?


Some folks prefer smaller companies they can bleed into, where they can stretch their wings and earn sweat equity. There are more unknowns and higher risk, but there may be a possible equity payback. Risk can bring rewards, and many thrive on the instability and flexibility found in these smaller companies.


Other folks aren’t in a place to take on the culture or the risk of a smaller company for whatever reason, and they find comfort in larger, safer and more established companies. Yes, there might be more bureaucracy and a slower pace, but some people thrive in this environment and need the trimmings that come with stability, like benefits, healthcare, and retirement considerations.


How would you describe the company’s philosophy?

You want to know what their ethics and belief system is—if they have one, and hopefully they do!—and what it means to them. Core values are important. If it’s just a marketing exercise, find out. Companies I love strive to honor their mission; check out the core values of Nike, Delta Airlines, and Zynga as examples.

My hopes for you


First and foremost, be grateful for the work we do: There are other industries hurting right now, and we have no shortage of jobs. For those of you employed and considering a jump, remember that you came here for a reason-- a big part of my income is that sense of purpose.


Second, be graceful as you move about the industry. Laugh as you might, and as excited as you may be to leave, don’t forget you may wind up working with many of your current team in a few years… so don’t burn bridges or bad-mouth people. People make mistakes, people change. Hopefully we all progress and grow from lessons learned.


Third, try not to focus on the money. What we do is lucrative, no doubt, but Lennon and McCartney put it best: “You can’t buy me love.” Join a team you enjoy, with people you love, at a company you believe in. You’ll have Mondays and happy-hour filled Fridays, and the occasional no-sleep work weeks. Warts and all, this is your chosen profession. At the end of the day, you need to believe in what you’re doing.


Finally, if at all possible, try to negotiate a bullet into your job description focused on community work. Maybe that’s focused on an OWASP project, leading a local ISSA chapter, mentoring locally, or organizing a BSides event. Make it something you are incentivized to do and your company supports in writing.


We’re building this industry together—do your part.


As always, your thoughts and comments are most welcome here on the blog, or out in the Twitterverse.



Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.

If you are just joining us, this is the sixth post in the series starting here.

Conferences are magical and serendipitous. YouTube can’t capture the electricity you remember in the room as you tell someone “I watched Barnaby jackpot an ATM,” as others echo back “I was there that year too!”


At technical conferences, the content leads the way—it is what brings us to the show. Catching up on that research and work being done at “the tip of the spear” helps re-align our focus, sanity check perceptions, and validate our thoughts about what might be possible in the near future.


This post is about what’s happening OUTSIDE the briefings you decided you just can't miss. There is a lot going on that you need to make time for: some of you should be registering and competing in NCCDC’s Panopoly, checking out the official Black Hat store, book store, buying the videos… and prioritizing attendance for the Pwnies.


First up, let’s talk about Sponsor Things.

Sponsors are a catalyst, the investment they bring creates jobs, underwrites research and innovation, helps bring ideas and solution sets to market, and helps make events like Black Hat possible. Check out the evolution and involvement of sponsors at BSides — support is not only unavoidable, events depend on them.


There is always that hipster sentiment reminding us how much better things were years ago, in the most ironic terms available… and that’s cool. So enjoy their reminiscing, but remember that you are here to rock the industry today.


The Business Hall

Call it what you like, you’ll hear terms like sponsor floor, vendor floor, business hall, networking lounge… these labels all filter down to a very simple thing: It's where the companies are.


Ignore the hipsters for a moment and stay with me on this one, dear reader — keep in mind that these companies are underwriting the event. They have paid dearly to make sure the show happens, in hopes that you will come and that they can connect with you in a meaningful way.


When I say paying dearly, I do mean it. This event is a budget breaker. To be clear, and to understand in broad strokes what it costs to put on an event like this, skim the sponsor prospectus—the top tier buys in at ~$150,000 USD. Do some additional math on the back of your cocktail napkin, all five of those Diamond sponsors are also sending another ~50 people (conservatively $1,500, ignoring soft costs and food). The smallest companies get in for ~$30,000 USD, sending 10 people—so let's figure that the smaller booths are spending closer to $100k for the week.


That’s without picking up additional sponsorship opportunities, networking receptions, dinners, or throwing parties… which I can assure you cost a pretty penny in Las Vegas.


So why sponsor? To meet you. That doesn’t mean sell, I mean it simply—they want to connect. What for?

  • Hiring
    • Don’t kid yourself: Everyone is hiring. They’re growing, building, and our industry has a fierce talent shortage.
    • Related—don’t run around handing out copies of your resume on the show floor… no one wants to hire that guy.

  That said, if you are looking for tips and advice on looking for a job at big events like Black Hat, I wrote a special post about it:

Part 6a - On Job Hunting & Recruiting at Black Hat

  • Brand Awareness
    • Companies (the good ones) spend a lot of time and money to build technology goods and services for you. That’s specific, I actually mean for you, the reader. They know you get it, and that’s why you’re at Black Hat.
    • “I am not a decision maker or control a budget, why me?” — If you are attending Black Hat (both an expensive and aspirational event) you are an influencer, and you will be controlling budgets before too long!
  • Product Direction and Validation
    • As an influencer, you are in touch with the needs of your business, the challenges of your security team, and are tasked with responding to threats to the business.


So that’s why they want to talk to me, but why do I want to talk to sponsors?

Glib answer: Because you’re polite, you want to thank them for making Black Hat possible, and investing in your week.


Slightly-less-glib answer: The Booth Babes.


Yep, you read that right, but before you get out the pitchforks, I’m defining this differently from the standard, because I used to call myself a booth babe. (Fact.)


The folks attending Black Hat fought to be here—or couldn’t get out of it. Point blank, the people working the booths are smart, influential, and have something to offer you. They might have done your job, they might have faced similar challenges you did, or they work with people who do and have new perspectives for you to consider. (Those folks that couldn’t get out of coming? They are here because the company needed them to attend, which makes them both highly influential, and in-demand… you can’t lose!)


For the nerdy guys out there afraid of pretty girls, be warned—if you happen to see a pretty girl in a booth, make no assumptions about why she's there, or her intelligence levels just because of how she looks. She's probably smarter than you anyway. Flipside, companies bringing ‘hired help’ in questionable attire will have a hard time busting that reputation in the future, so buyer beware, and vote with your budget.


One caveat is that some booths will have a carnival act or arcade game that needs staff to manage the activity, badge scanning, and swag distribution. It’s really hard to justify putting a well-paid sales engineer or product manager on duty doing this work. So be aware of the economic forces, and withhold judgement: not everyone you interact with will be one of us, even if they all should be professional in appearance.


Life in the Booth

If you’ve never worked a booth, you need to know what’s going on there. It’s serious business (as you now appreciate the investment), and it is worth understanding who’s there, what they’re doing, and how to have a meaningful interaction in your time on the floor.


Marketing and PR

This is management, they are responsible for the booth, the staffing, messaging, visuals, and every aspect of what you’re seeing as you approach.

  • These folks work hard to support our industry—and some of them actually know how to code, even if they don’t consider themselves technical like we do.
  • Try to be self-aware, knowing there are different kinds of genius, not all of them are actually ‘technical’ the way you see it. The gift of communication, the ability to quantify and organize people, to design experience, and architect a live event is both art and science.


Sales and Business Development

If you’ve never worked in sales, you probably don’t respect sales people enough. You might scoff, but consider Einstein: “If you can’t explain something simply, you don’t understand it well enough.” Think about that as you consider the following: When you meet sales people that sound like they have no idea, it may not be their fault. (Remember, not everyone on the floor can run Metasploit from the command line like you do, nor should they—it takes all types!)


The sales person:

  • May be new to our industry
  • May be pitching something so bleeding edge, they’ve not figured out how to effectively describe it (it *does* happen)
  • May have not been trained (by someone like you or me) to effectively understand what they’re representing
  • May work for a company WHERE CLUE=0
  • Slept through new hire orientation (and won’t be employed that much longer…)


The bottom line is you’ll meet people in all industries that aren’t operating at 100% of peak, all the time, in any given role. For whatever reason, infosec loves to bag on sales people.


Don’t be a jerk, you’ve probably said stupid stuff too. Help them improve.


If you don’t like public speaking, you’d HATE making cold calls or selling. Just try selling something you don’t completely understand—it’s difficult and embarrassing. If you want to really make it in this industry, partner with the sales people you interact with, and help them do their two jobs effectively:

  • Manage the relationship
    • They are tasked with getting to know you and your company. This might surprise you, but I am still in touch with the coolest sales folks that I’ve worked with for the last 20 years, and many of them are close friends.
  • Help you buy
    • You’ll meet sales people you like, and you’ll meet some that give you the heebie-jeebies. You’ll know the folks who are honest about strengths and weaknesses, and you will honor them for their transparency. You’ll also never forgive the jerk that sold you snake oil, damaging your reputation.
    • If you've never watched a project fail due to a missing product, you will.

Good sales people will inform you about their offerings, and how to understand their competitors. GREAT sales people will help you manage the buying process, specification and procurement… you’d be surprised how hard it is to get some companies to take your money when you want to buy something!


Take the time to meet your company’s account executive if you’re both in town. The logo on your paychecks will change; friendships can last a lifetime.


Business development is a lot like sales, except focused on more strategic arrangements, product bundling, technology considerations, market access, joint development ventures, and plans hidden behind the NDAs of their employer and partners. You won’t see these folks much; they’re usually double booked at all hours, but man do they have the scoop on what’s going on.


Technical Sales, Sales Engineers, Product Management

So this collection (and they won’t like me grouping them this way at first) is what I think are some of the coolest folks out there. Here’s the deal: If you are amazing at what you do in your day job, odds are you’ll wind up working for a vendor at some point in your career.


First, you’ll get picked off by a recruiting sniper, because you know the pain points their customers face, and you know the product better than anyone because you have used it daily, for ages.  Eventually, as your ability to speak human approaches your comfort level on the command line, you’ll find your way from product specialist into technical sales, supporting the occasional sales call. Later, you’ll see the good technical sales folks move away from managing sales workflows and demo environments into full-fledged sales engineers, working closely with sales folks tied to a vertical or specified region. (Pro-Tip: The closer you work with sales and prospective customers, the better the food… yet another reason to meet with your account rep!)


Some sales engineers are customer champions, and they understand the customer need, the challenges you face, and can articulate it to their employer. Product Managers wear a great many hats, and (depending on their employer) will ultimately own the direction of a named product or development initiative.


The folks at every phase of this curve are smart, clever, amazing people. They are all growing, they have their fingers on the pulse and their ear to the ground. Ask them what they’re thinking on, what they are excited about—the good ones will break your brain. (Sidenote: Product Management training changed my life… and our PM team at Rapid7 is AWESOME. /biased)


Sponsored Content

Sponsors have a lot more going on than just folks hanging out in the booths—if you want to get hands on, or hear from some of the sharp folks at specific vendors, you’ve got some options.

  • Check out one of the 21 sponsored sessions. Be advised, this content, unlike the briefings, is pay to play. There was a vetting process whereby sales pitches should have been stripped out, and if it gets out of bounds, report it to event management (via email, no need to be a jerk on social media.)
  • Get hands on in one of the 10 workshops. These are opportunities to learn new skills, sharpen your tool kit with the very latest, or test yourself in various contests.



This is near and dear to me, even if we don’t bother pitching Metasploit as an arsenal submission (and maybe we should?)


Arsenal this year is bigger, badder, and better than ever. This is Black Hat’s tool space where over 50 of the top open-source tool developers and independent researchers will be showcasing their latest features. So if you’ve got a tool you love, or can’t seem to get running, here’s your chance to meet someone who builds or maintains it face to face. Check the schedule for Wednesday and Thursday, try to catch your favorites, or find new ones to use (these are all open source, freely available.)


Badge Scanning


Before signing off, this is probably the elephant in the room that needs to be addressed. You will get a badge at check-in, and that is important. Some cons use bar or QR codes, some are business card only; Black Hat uses RFID with basic info from your name badge (as printed) and a unique identifier.



Remember when we discussed that companies spent a small fortune to meet you? They want to connect with you, and follow-up after the show. Yes, you will probably get emails and phone calls. That is how they justify spending their precious money on giving you an incredible week.


Security professionals are privacy conscious, and we don’t trust folks to protect our information. Believe me, I get it.


When it comes to badge scanning, can we be real about your OpSec? You’re defending your phone number and an email address. If you can’t create rules, you don’t belong. If you’re using your primary email for conference registration, you deserve the spam you’re complaining about. If you’re worried about your identity at the point of the badge scan, you’ve thought about it too late.


You’re trading a scan for a piece of swag or access to a party. The company wants to build a relationship with you. The conference organizers want to make sure only paying attendees access the show content. You want to let them do this because you want a conference and a party next year.


I’d have written a shorter post if I had the time—I hope this gives you some inside baseball on the rest of the show. It's going to be a great week!


If you’ve got edits or feedback, say hi here or on Twitter.



Read a special supplemental post to this one - Part 6a: On Job Hunting & Recruiting at Black Hat

Read the next post in this series: Part 7 - Your Survival Kit

Want more? You can catch all the entries in the Black Hat Attendee's Guide series here.

For the past two months, the Department of Commerce's Bureau of Industry and Security (BIS) has been running a public consultation to solicit feedback on its proposal for implementing export controls for intrusion software under the Wassenaar Arrangement. You can read about the proposal and Rapid7's initial thoughts here. The consultation window closed on Monday, July 20th and I'm excited that numerous companies and security researchers submitted comments. It's great to see so many engaging with the process and trying to ensure we achieve the right outcome.


I also commend BIS for their engagement with the community through this process - I don't think this is an easy knot for them to untangle. It's important to remember that while the US did not propose the addition of intrusion software to the Wassenaar Arrangement controls, as a member nation of the Arrangement, the US must still try to find a way to make it work (unless and until the members of the Arrangement vote to drop intrusion software from their control agreement). Basically they're trying to make the best of a tough situation, and I believe they are striving to address the concerns of the community.


I expect we will see an updated proposal from BIS, and another public consultation period. This is an unusual measure, but warranted in this situation, and I believe it would demonstrate the desire of the Government to get the implementation right. Should we get a second consultation period, I hope even more organizations will join the discussion as the implications for their security and business become clearer.


In the meantime, attached (below) are the comments Rapid7 submitted for the consultation that just ended. Our CEO, Corey Thomas, will be speaking about some of the challenges outlined in our response at the upcoming meeting of the Information Systems Technical Advisory Committee (ISTAC), hosted by BIS. We hope to see you there.



If you are just joining us, this is the fifth post in the series starting here.

Making An Introduction


I might be wrong, but I’ll argue that networking is a transitive verb, so ENGAGE! The real magic starts happening as you progress:

  • Level 1-- Start with a “Hi, my name is… ” Yes, it’s that simple, thanks to Slim Shady
  • Level 2-- Demonstrate that you have an idea of the world the other person lives in, their passions and interests
  • Level 3-- Make a meaningful (and unforgettable) introduction


Connecting people is like a sport for me, and I enjoy it immensely. A good introduction might be the most wonderful gift you can give someone; I have been deeply endeared to those who give a graceful introduction. There is a fine line between grace and flattery (i.e., an unfounded and disingenuous compliment), so get it right, keep it real… or go so completely tangential—they’ll laugh as you run off to your pressing appointment.

Introductions serve a purpose, the motivation should be self-evident when you are done. I see the introduction as an event: You are investing energy and excitement into the lives of two people, regardless of how well you know them, or may be walking someone through the door of opportunity, changing their career path forever.

Make it a point to use people’s names when connecting them. Make sure you’re pronouncing their name correctly; never be afraid to ask, laughably mispronounce, or politely reaffirm if you’re not sure!


There is a chance they’ve already met and know each other well and you’re new to the party. Flipside, perhaps they’ve met and maybe don’t remember each other’s names (I’m THAT guy!). I’d recommend starting off with an “oh dear—Jim, have you met Ryan?” It’s a safe tactic: You’ll know instantly where you stand, and whether or not to charge into introductions.

Sometimes you have to neutralize an awkward air because someone is standing too close, and maybe that killed a serious and sensitive conversation that was happening; be aware of that when you approach.

I have a specific and reckless strategy, unapologetically stolen and adapted from my good friend Quinton Jones—he’s something of a Yoda figure in my world who is basically a genius at this kind of thing. Quinton’s guidance might be summarized as follows:

  • Check your brain at the door.
    Analysis paralysis is a conversation killer, doubly so when surrounded by introverts at Black Hat!  How? (See this post.)
  • Say hello, and be slow to judge.
    Question, if not flat-out ignore convention, find comfort knowing that we all say stupid stuff. Ignore the mechanics, feed on the excitement of their world!
  • Speak from the heart, try to meet people where *they* are.
    Be genuine, be real, and be sensitive to the world/stress/distractions/interest of the folks standing before you.
  • In brokering an introduction, get their attention, be memorable, build intrigue ... or offer a bold-faced lie—more than memorable, be unforgettable!
    Never be guilty of the bland, one-sentence email intro… this is almost unforgivable in person. *YAWN* If you can’t find the angle, go hyperbolic and be obvious about it!

Your introduction will address these three key questions:

1) What do I need to know?

A decent introduction must cover these basics at an absolute minimum.

  • Who is this person, what is their name, how did you meet them?
  • Where are they from, what do they do?
    • This could be their job, their field of expertise, a challenge they’re exploring at the show, tech needs they have, positions they are hiring for, hobbies the other person may find interesting, or how amazing their BBQ is


2) Why do I care?

A proper introduction will give the introducees some context to help ensure it doesn’t die the second you leave, as well as to help all parties remember each other a little better in the long-run.

  • They’ll care, even if only a little bit, because they respect you, and they’re being polite
  • Perhaps they are both from the same tribe (appsec, pen testing, etc), heading for the same talk, looking to hire similar people, or have a common passion

3) What do you need from me?

A really damn good introduction will have a call to action, setting conversational wheels in motion.

  • “You two should discuss <be pointed--THIS TOPIC>”
  • “Look, we just met, and this is my best friend, they’re my favorite human on this planet, so make nice!”
  • “One of you had an amazing perspective on something from this talk or booth we saw, or you destroyed the lab in this workshop -- tell us again!”


WOW! This person is cool, now what?

At some point, you’ll get introduced to someone amazing. Sometimes a card exchange is customary. You’ve got a fleeting moment to anchor that connection when appropriate, so have a plan to connect with them again via:

  • Twitter
    • Tweets and DMs make a great way to track folks down or invite them to gatherings later. A quick “@username Nice chatting with you about $topic today” can do wonders in keeping that conversation--and relationship--going. And serve as a handy reminder about who you just met.
    • Please consider putting a real face as your avatar (even if only during the event.)
    • Put a link in there to your LinkedIn profile.
    • @Gabe Bassett has some great thoughts on using Twitter in InfoSec
  • LinkedIn
    • Seriously, you should have a real profile, with a real picture. Seriously.
    • This page serves as a living CV/resume, so treat it with that same level of seriousness and respect.
  • Phone numbers
    • It’s kinda old-school, but it’s a thing that won’t go away. Some folks will have burner phones for the week, so make sure you know how to track them down in the longer term.
    • Pro-Tip: On my iPhone, I have a ‘Trey Ford’ entry with my contact information—work and personal email, phone, address, etc—that I can just tap “Share Contact” and send it on its way. If you have an iPhone, it saves time typing in all your info.
  • Email. (Duh!)
  • Business Cards
    • Approximately the worst option, but it is a formal tool.
    • Stop and write (on the card) how you met, and DO SOMETHING WITH IT to follow up before you misplace that card. (I am still guilty of this, striving to improve.)

Just to be thorough, let’s cover points of performance for introductions to an audience:

  • You don’t use the person's name until the very end. Period. You are building energy up to this point.
  • Do not cover the speaker’s material, but rather why you are excited to hear them. Share how the speaker is uniquely qualified or positioned to provide meaningful perspective.
  • Share a brief anecdote or story about the person, their achievements or credentials.
  • Be positive, and build the energy all the way up to: “Join me in welcoming Herbert OZWOLDO BLUMPERFARKEN!!!” (or somesuch)


Did that feel like a non-sequitur? Good. I’ve wrecked a mess of public introductions, so this is my penance: I think everyone should know Dale Carnegie’s recipe for public speaking introductions… you’ll know if Black Hat proctors took note.


Parting Shots

Black Hat USA attendance is a serious commitment and investment. Come well-rested, well-groomed, and well-prepared to meet some amazing people.


Be deliberate in your time and interactions, try to manage your energy levels. Bring your very best.


As always, I welcome additions, edits and feedback—comment here or say hi on Twitter!


Continue on to Part 6 of this series: The Sponsor Hall, Arsenal & more

...Or go back and read Part 4: Talking to the Media & Press

Want more? You can read the rest of the Black Hat Attendee's Guide series here.

My friend Miss @VioletBlue has shared some wisdom on connecting with the press at Black Hat in this guest post below. Enjoy!

So, you're going to Black Hat 2015… As Mr. Trey Ford succinctly described in the Black Hat Attendee Guide Part 1, you're going to Infosec Zombieland.


Infosec Zombieland is a unique apocalyptic landscape which, besides requiring comfortable shoes and a strong liver, hosts a range of undead creatures to interact with. You'll soon encounter the overwhelmed Booth Zombie, the dreaded Undead Recruiter, flocks of chattering PR Zombies, and the subject of this guide: Press and Media Zombies.


Major media outlets will infest Black Hat USA 2015 like never before. It's safe to say that no matter where you are at Black Hat, you'll always be near a reporter, blogger or journalist covering the conference, much of the time.


This means you’ll need to behave accordingly — loose lips and all — and also that you should plan for how you’ll proceed when one of my fellow zombies (I mean, colleagues) comes at you looking for brains.


Many readers will just decide that talking to the media is a no-go, and that’s fine. Even if this is you, it’s good to know the rules when it comes to you, the press and Black Hat, and photos and video.


Black Hat’s PR and Communications Senior Manager Meredith Corley tells us that its rules about photos and video are pretty tight. “In general, our rule is that you must have the express permission of any subject you are hoping to film or photograph. No zooming in on laptops.”


In addition, we’re told that anyone taking video must have a sticker visible on their badge signifying that they’ve been approved for video, and that they agree to Black Hat’s video policies, like the ones about subject consent and shoulder surfing.


But what if you want to pitch a story?


Black Hat’s Ms. Corley tells us, “Black Hat journalists and analysts are very busy leading up to and during the show. For PR folks hoping to secure meetings with media onsite, I would highly encourage them to make sure their stories are around truly fresh/new tools or services, or even better, about exciting research coming out of their company.”


She advises, “Remember, a pitch should not only include the highlights of the news (brevity is always appreciated), but even more important – details on WHY the news matters. What is the big impact?”


The Black Hat PR Manager also pointed out that you don’t have to be interviewed in public if you don’t want to. “There will be two Media Centers for Black Hat USA 2015. Attendees are welcome to conduct their media interviews in the Media Registration and Interview Center (Reef A/B).”


Mandalay Bay = Dead Island


Talking to reporters is one thing, but talking to security reporters is another beast entirely.


Information security reporting is pretty new in the grand scheme of things. At this time, a sector that still barely “gets” the internet is reporting on (and interpreting) technical issues, security subcultures, and is unaware of infosec history. That’s changing, but very slowly.


For some of the bigger outlets sending media to cover Black Hat, their writers are near-to-clueless about things you consider basic in your day-to-day tasks. If you’re tired of trendy security topics, pithy oversimplifications, and security rockstar worship, you risk blowing several gaskets in a short amount of time.


That means talking with reporters at Black Hat can be equal parts exciting, an amazing opportunity, a tedious chore in educating media, and an opsec risk that can be astonishing (or devastating).


Keep in mind that the digital operational security practices of many standard-grade reporters, bloggers (and media in general) are in their infancy, so the rules around other people’s opsec apply. I mean it when I say that the shoulder-surfing opportunities in some infosec conference press rooms are… scary.


If you ask a member of the media to adhere to your communication rules and they won’t, or don’t, or don’t understand why they should, drop them like a live grenade, and run. That opportunity, no matter what it is, isn’t worth it — and trust me, there will always be another opportunity. Their story will come and go, but damage to you can be forever.


Some of us are cutthroat. Know that unless you’re being interviewed by a patsy who regurgitates press releases, you will be socially engineered under the pressure of a rolling camera or recorded audio.


I have a lot of criticisms, and I’ve seen some members of the press treat hackers very badly over the years.

For that reason, I offer the following worst-case warnings when any hacker talks to the press:

  • Reporters are often careless with hacker anonymity
  • Some will publish your DMs and IMs without permission
  • Indie researchers (hackers!) face an entrenched assumption of criminality
  • Companies are perceived as more credible than you
  • Most of the time, you are part of a preplanned storyboard
  • No member of the media is your friend, and there is no such thing as “off the record”


That said, Black Hat understands the needs of its attendees. If you have a topic that’s sensitive in nature, or embargoed, or just want privacy when you talk to a member of the press, Ms. Corley elaborated, saying that “depending on the nature of the need,” they’ll be happy to help you find a private space for the meeting to take place.


“In addition to the Media Registration and Interview Center (Reef A/B), we have a private room for quiet filming that is available on a first-come first-served basis, and can help make recommendations about other spots throughout the conference center.” Black Hat’s Senior PR Manager added, “Any inquiries can be forwarded by email to The team will also be in Reef A/B to help in-person during the show.”


Have fun! And don’t forget to double-tap the recruiters.


About the author of this guest post:
Violet Blue (@violetblue) is a reporter for Engadget and ZDNet; her forthcoming book
The Smart Girl’s Guide to Privacy (No Starch Press) becomes available August 25th.


Continue on to Part 5 of this series: Meaningful Introductions

...Or go back and read Part 3: Networking at Black Hat like a boss


Want more? You can catch all the entries in the Black Hat Attendee's Guide series right here.
