Security industry events draw together people with a huge wealth of security experience and expertise under a single roof. As you’d expect, the professionals attending are pretty safe from outside threats.
This is backed up by research from Eclectic IQ Fusion Center analysts who found scant evidence of targeted campaigns against attendees of these conferences. However, while organizers of industry events do their best to mitigate security risks, insider threats can be a problem.
Professionals drawn to these events are highly experienced and some may be inclined to partake in tricks or games to show off their skills, but these stunts – which largely follow the TTPs (Tactics, Techniques and Procedures) used by threat actors in the wild – put others at risk.
To tackle these threats, security event attendees should adopt an operation security (OpSec) mindset to reduce their attack surface. Basic security techniques can offer the most effective way of reducing risks of compromise.
So what are the risks that attendees of security conferences should be aware of and what information security best practice should they employ?
Physical Risks
There are a number of higher physical risks to be aware of when attending a security event.
Don’t increase your attack surface by physically (and needlessly) exposing your devices to increased risk. Options for exploitation are greatly increased via physical access to targeted systems.
General good practice is to maintain control of your devices. This means not letting anyone else access your personal belongings (including in your hotel room) and being mindful of the electronic resources and physical hardware you connect to.
Choosing mobile devices over laptops is another sensible move. The reason is that it’s easier for attackers to launch exploits against and run code on laptops. Mobile devices have more closed ecosystems and require the use of signed code. While still possible to exploit, using a mobile device will reduce your risk.
With free USB drives often available, security events make tempting targets for USB drops, in which wrongdoers load malware to corrupt or disable devices onto sticks that either find their way into those being given away by vendors or are left lying around.
To tackle this, don’t attach any external physical media to your device. It may seem convenient to access vendor material via a USB stick or tempting to find out who an abandoned USB drive belongs to by plugging it into you device, but this is risky.
Information Security Risks
Information security risks include a greater risk of data interception via Wi-Fi, Bluetooth or via the web. Exploitation of wireless protocols remains popular, with many different attack patterns available to threat actors.
To combat these threats, don’t connect to unsecured Access Points (APs). But if you must, don’t send information – such as login information or personally identifiable information (PII) – in plain-text format, as it could be intercepted. On a related matter, make sure your mobile devices aren’t set to connect to APs automatically.
Encryption should also be used whenever possible, as VPNs and full-disk encryption can be effective in mitigating some of the risks outlined above.
When it comes to phishing and spoofed domains at an event, you may not be completely sure that the domains you connect to are not also being used for phishing campaigns. It’s therefore best practice to have a junk email address dedicated to other activity, such as performing password resets.
ATM skimmers and credit card theft is another risk to be aware of. Many attendees could be well-versed in coding and skimmer technology, and some eager individuals may be willing to demonstrate this as a proof of concept. Either have cash on you or carry a single credit card that is separate from your core assets.
‘Shoulder surfing’ is a potential risk at trade shows, particularly where people are crowded together. It’s therefore prudent not to read any sensitive information in public or give out too many personal details about yourself in conversation.
Lower-Level Risks
Other risks that industry events can present include badly-made event-specific apps that may leak information. You should not install apps other than from vetted, official apps stores and be wary of the information you pass via the app.
Barcode website spoofing is also a risk, with a point-and-click mindset likely see people sacrifice security for convenience when clicking on a URL. Do not click on links where you are not able to verify the source of the URL.
With an OpSec mindset, you’re less likely to be caught out.
To find out more, take a look at our report ‘The Best Defense is Good OPSEC’