By James R. Lint
Faculty Member, School of Business, American Military University
Overview: On August 2nd and 3rd, BSides Las Vegas held its eighth annual information security conference at the Tuscany Suites in Las Vegas. BSides is a community event organized and run by volunteers. The following is our second survey of some of the many strategies, insights and experts that enriched the entire two-day experience for cybersecurity professionals.
Chad Dewey Explains Urgent Need for Better Maritime Security
One of the Tuesday sessions featured an interesting and alarming talk, “Cruise Line Security Assessment or Hacking the High Seas.” Speaker Chad Dewey, a computer science and information systems instructor at Michigan’s Saginaw Valley State University, discussed a physical security assessment that found incidents of cruise line staff leaving doors unlocked and forgetting to wear their nametags. These lapses are indicators of a slippery slope of declining security standards.
The talk also pointed out that some navigation systems on cruise line ships are run by the older Windows XP operating system. Windows XP was new back in 2001 and ceased getting security updates in April 2014, leaving security holes that could be exploited by the wrong people.
Dewey mentioned that most ships are connected to the Maritime Telecom Network at sea. A security assessment found that some default usernames and passwords were still in use, leaving ships’ public-facing IT services vulnerable.
Analyst Ken Westin Analyzes Data Science Applications for Information Security
Ken Westin, an information security analyst and researcher, spoke about applying data science concepts to information security. He said that we can access more threat intelligence, network intelligence and endpoint security data now than ever before. The tools and data sources have evolved, increasing access to meaningful data for information security.
Westin noted that cybersecurity professionals can leverage machine learning, but we have to beware of statistics that masquerade as machine learning. Machine learning is more than statistics; it is an evolution of information and the quality of the information.
According to Westin, the goal is to enhance, not replace, current information security processes. He believes that the weak human + machine + process can equal superior knowledge, compared to machines alone.
Westin explained the need to keep data fresh and flowing, saying that data has a half-life; it can get old and obsolete. With the copious threat data that flows from computer systems, we have a lake of fresh data available to us if we choose to use it.
BSides Offers Career Services For IT Professionals
A fascinating area that was busy on both days of BSides was the Hire Ground room. Hire Ground provided mock interview practice runs with hiring managers, resume reviews and career advice, in addition to Hire Ground’s interesting presentations about getting hired and job hunting. These career-related services were helpful for IT professionals desiring to move up the ladder, change jobs or explore new job areas.
The Hire Ground room also offered a game called “Recruiter Bingo.” Applicants would take a bingo card, get the card stamped at the various sponsor and hiring tables, and win prizes. While the Hire Ground room was a serious and potentially career-enhancing area, the sponsors and hiring managers in the room kept the activities light and interesting.
“I Am The Cavalry” Discusses Uncomfortable Approaches to Solving Problems
On the last day of BSides, the nonprofit and advocacy group called “I Am The Cavalry” (or IATC) held a discussion, “Uncomfortable Approaches to Problems.” The morning focused on problems and the afternoon on solutions.
Experts Beau Woods and Joshua Corman offered some excellent slides on explaining problems and ways to define the problems. They also led discussions for potential solutions to those problems.
IATC members are often selected to sit on government panels to help leaders define and solve cyber issues that can become drastic in the future. The potential is out there for hacking medical implants and medical devices.
In addition, hackers have used ransomware to attack hospital computer systems. Shutting down a hospital’s day-to-day operations by blocking access to patient records is costly in dollars. But someday, it may be costly in lives.
IATC also discussed a program they have advocated for since 2014: the Five Star Automotive Cyber Safety Program. The most intriguing element of this program was evidence capture. Most automotive systems do not reliably preserve evidence of tampering or the routine computer logging needed to support safety investigations.
Evidence capture raises privacy concerns: the benefits of a “black box” must be balanced against the legal issues of surveilling citizens. Many areas of the European Union, by contrast, have much stricter surveillance and privacy laws.
IATC has their work cut out for them, but they seem to be pushing forward new ideas and finding ways to explain the problems to non-technical people.
BSides Combines Unique Qualities, Fun, Education and Networking
Although BSides is a small conference compared to the large information security events (Black Hat and DEF CON) held near the same time frame, it is strategically scheduled to take advantage of the presence of leaders, professionals and new learners. Ultimately, it helps attendees improve the field of information security.
Attendees can visit this conference for free (many people leave a donation). This is unique among Las Vegas conferences.
At BSides, everyone is a participant, sharing their wisdom and experience with others of varying IT/cyber skill levels. Organizers offered a variety of discussions with labels such as “Common Ground” (focusing on non-tech issues of importance to the IT community) and “Underground” (an off-the-record series delving deeper into subjects that are better discussed behind closed doors).
Another label was “Proving Ground,” referring to BSides’ unique mentorship program for first-time presenters. This mentorship program is different from many conventions and enables BSides’ speakers to improve their public speaking skills, while BSides gets a new, fresh focus on the topic of the conference talks.
BSides also has a “Pros vs. Joes Capture the Flag” event to allow new information security personnel to test their computer system defense management. It’s a live-fire security challenge where the “Joes” (new learners) get a chance to practice their skills in a real network without fear of causing a global computer shutdown. The professionals get to practice against personnel who are not doing “normal” security. It is also a tryout for BSides’ standing Red Team.
If you’re a computer security professional, business leader, engineer, IT student or IT faculty, BSides provides a wealth of insightful, career-relevant information. It offers an entertaining mix of fun and serious learning for everyone, and you have the opportunity to talk with industry leaders in a relaxed, low-stress environment.
About the Author
James R. Lint recently retired as the (GG-15) civilian director for intelligence and security, G2, U.S. Army Communications Electronics Command. He is an adjunct professor at AMU. Additionally, James started the Lint Center for National Security Studies, a nonprofit charity that recently awarded the 40th scholarship for national security students and professionals. He has 38 years of experience in military intelligence within the U.S. Marine Corps, U.S. Army, contractor and civil service.
James was also elected as the 2015 national vice president for the Military Intelligence Corps Association. He has served in the DHS Office of Intelligence and Analysis and at the Department of Energy’s S&S Security Office. James had an active military career in the Marine Corps for seven years and also served 14 years in the Army. His military assignments include South Korea, Germany and Cuba in addition to numerous CONUS locations. James has authored a book published in 2013, “Leadership and Management Lessons Learned,” and a new book in 2016 “8 Eyes on Korea, A Travel Perspective of Seoul, Korea.”