9/9/2014
12:00 PM
Kerstyn Clover
Commentary
Black Hat & DEF CON: 3 Lessons From A Newbie

Security conferences are a lot like metal concerts: Your parents are terrified you're going to die because everyone looks scary, but 98 percent of attendees are really nice people who want to help you learn.

I was lucky enough to receive one of several free passes to the recent Black Hat 2014 in Las Vegas from WhiteHat Security’s Robert Hansen (@rsnake) and Juniper Networks’ Christofer Hoff (@beaker). The passes were distributed to young women like me who are new to the industry and have never had the opportunity to attend the storied annual event in the gambling capital of the world.

It was a whirlwind week that included DEF CON 22 -- because, after all, what is a trip to Black Hat without attending DEF CON? Here are a few things I learned.

Curiosity trumps fear
Believe it or not, there were many points before the show when I nearly surrendered my pass to allow someone more experienced or qualified to take my place. As I connected with the many amazing people who told me about the conferences and helped me attend, I started poring over forums and blogs trying to prepare myself for what on earth I was getting into.

What if I got flustered and hid out in my hotel room? What if I embarrassed myself in front of someone that's huge in the industry? I'd be a pariah forever! More than that, I grew concerned by the sheer number of jokes about deodorant and the lack thereof (at DEF CON more so than Black Hat).

The trip was overwhelming and in more ways than I could have wildly imagined -- even after all my research -- but in a great way. It took me days to sort through all of my new contacts, and I'm still reconnecting with people. There were more demonstrations, trainings, seminars, and talks than I think I could process in a year. Most importantly, the atmosphere was one of encouragement. My questions received helpful and enthusiastic answers rather than the laughter or criticism I so feared.

Pay it forward
I always hear people say "pay it forward." That implies being given something before you actually have something that you can pass on to someone else. Obviously, this was the sentiment shared by the many people who helped me (a total stranger) by funding my travel, sharing rooms, and providing free passes to the event.

In the same vein, I think the biggest smile I had on my face the entire week was about 10 minutes after I picked my very first lock with help from the Lockpick Village at DEF CON. There was a young girl hovering over my shoulder while I worked, and I offered her and her friend the loaner tools and what little knowledge I had just picked up.

Newfound friends Cet and Kat, and our three variations on mohawks.

All three of us were thrilled when one of them first popped a lock. That, to me, was the perfect example of overcoming the mindset that has held me back in the past: If I try to take the lead, people are going to find out I don't know what I'm doing! I now know that “faking” confidence, plus a cool demeanor, will get you far -- and eventually you will stop feeling like you are faking and start believing in your ability.

InfoSec rocks!
The third lesson is that this community is amazing. After my trip I've decided that security conferences like Black Hat and DEF CON are a lot like metal concerts: Your parents are terrified you're going to die because everyone looks scary. But 98 percent of the attendees are just really nice people (some with mohawks) ready to pick you up and dust you off if you fall or get knocked down.

As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering.
Comments
TechPorVida,
User Rank: Apprentice
1/21/2015 | 4:30:34 PM
Black Hat and Def Con
Good for you! Def Con is a must-do for me every year along with Microsoft Ignite (pka TechEd.) I have yet to attend Black Hat. What's holding me back? The entry fee. I invest in Ignite which is 2K. Last time I checked Black Hat was equally as expensive. After 30 years in technology and attending conferences, the percentage of women in the industry is sadly very small. I think this would be a great opportunity for Black Hat (and others) to focus on ways to increase our numbers.

Def Con Tips:

Take plenty of cash. Lockpick Village and other events/vendors take cash only (as does registration.)

Get there early.  Last year I was in line at 5:30 a.m. and it took 2 hours to get to registration. They also ran out of schedules. I had to perform a "task" to get one of the few left. The task was to get a hug from anyone in less than 20 seconds. I managed but I almost didn't (shy crowd.)

Play with the gadgets.  Wear the 3-D glasses.  There are hidden messages all over the conference.  The human badge does way more than just grant you access.

Turn off your Wi-Fi and Bluetooth. Otherwise you'll end up on the Wall of Sheep.

Get your schedule figured out quickly.  Last year some lectures were so full you couldn't get in.
Marilyn Cohodas,
User Rank: Strategist
9/11/2014 | 3:42:11 PM
Re: Good move for security industry to encourage newbies
Sounds like we have a plan! Any other activists in the Dark Reading community for this initiative? Raise your hand (or comment) here. 
Kerstyn Clover,
User Rank: Moderator
9/11/2014 | 3:35:38 PM
Re: Good move for security industry to encourage newbies
I agree completely. I'm also brewing plenty of ideas of my own :) There are a lot of information security conferences out there that I'm sure a lot of people could use some help getting to attend, and they would give a great foot in the door to the industry!
Marilyn Cohodas,
User Rank: Strategist
9/11/2014 | 3:30:36 PM
Re: Good move for security industry to encourage newbies
Maybe a good idea for a more concerted effort by Black Hat for next year (hint- hint).

Nice to hear about the crowdfunding effort from Bugcrowd, as well. (Note to self: blog about the idea to promote more of same for Black Hat 2015).
Kerstyn Clover,
User Rank: Moderator
9/11/2014 | 2:27:38 PM
Re: Good move for security industry to encourage newbies
Marilyn,

As far as I know this wasn't part of a program - the first I heard about it was just Robert taking the initiative and sharing on Facebook. I think I did hear later that I guess the Black Hat board donated a couple of passes once Hoff (and maybe another person/people?) joined in and the idea caught some attention which I thought was very cool.

Edit to add: Marisa and Bugcrowd were a big help in starting a crowdfund venture for one attendee coming in from Colombia to afford airfare. Also not a formal program but a great effort!
Kerstyn Clover,
User Rank: Moderator
9/11/2014 | 2:24:41 PM
Re: good for you Kerstyn
Hello fellow Kirsten variant! Unfortunately I have to let my mom take credit for my spelling.

There were definitely a few times that I escaped off to hold up a wall and take a breather from all the people. I'm pretty extroverted but there is just so much going on. I think being in Vegas for the first time by itself would be overwhelming so the added conferences was just piling more on top.

At least embarrassing encounters are usually funny stories later. That's what I tell myself, at least.... :)
Krenner,
User Rank: Apprentice
9/9/2014 | 2:13:21 PM
good for you Kerstyn
Hey Kerstyn,

First of all, I love how you spell our name ;-)

Second – my first trip to DefCon I DID "[get] flustered and hide out in my hotel room?" (a little) AND "embarrass myself in front of someone that's huge in the industry" *see note below

*I literally walked up to Dark Tangent and said "you look familiar" while I was standing in his penthouse (and I was completely sober).
Haha

I'm so glad Robert did what he did. He also provided a pass for a friend of mine, an engineering entrepreneur.
And I agree, such a GREAT community. I hope I never have to do any other sort of recruiting – this is the crowd I want to stick with!

Congrats on your first tour – and your lock picking success (this was a highlight for my teenage son last year who DefCon embraced with open arms)!!

See you there next yr,

~Kirsten
Marilyn Cohodas,
User Rank: Strategist
9/9/2014 | 12:13:40 PM
Good move for security industry to encourage newbies
I'm so glad to hear that the security industry is being proactive about recruiting talented young women to Black Hat. Was this part of a larger program? 