Friday, February 1, 2019

BSides Long Island

By Don Becker, Kees Leune, Stephan Wolfert

This past weekend marked the inaugural BSides Long Island cybersecurity conference. It might also have been the first security conference in an “old-money mansion” with valet parking, and roasted vegetables, steak and salmon for lunch! The coffee wasn’t half bad either! Pretty good for a $20 admission fee!

BSides security conferences happen all over the world, and are meant as small, informal, technical cybersecurity conferences with little or no vendor presence on the program, run as not-for-profit events. The idea is that there is ample time for talking with other attendees and that the presentations are selected based on content, rather than on who you work for.


The BSides conferences started in Las Vegas, NV in 2009. The official reason was that a number of speakers who submitted presentation proposals to the Black Hat conference, but whose proposals were not accepted, decided that they had valuable information to share. In response, they decided to organize their own conference. The group ended up renting a house in Las Vegas and, today, almost a decade later, there are BSides conferences all over the world.

BSides Long Island took place on Saturday, January 26, 2019, in the De Seversky Mansion on the grounds of New York Institute of Technology in Greenvale, NY. Since the conference sold out weeks before, the expectations were high.

As with all good conferences, the conference kicked off with a keynote speaker. In this case, the keynote was delivered by Dr. Anita D’Amico ’84, an alumna of Adelphi University’s Institute of Advanced Psychological Studies (currently the Gordon F. Derner School of Psychology). Anita presented some of her DARPA-funded research about human factors in cybersecurity to an audience of several hundred attendees and shared several surprising findings, which may impact how we organize software development life cycle processes. For example, her research solidly dispels the idea that “many eyes make good code.” The work also demonstrated that co-location of software developers has little to no effect on code quality.

Dr. Anita D'Amico presenting the Keynote

After the keynote, the conference broke up into a number of different tracks. There was an education track, primarily focused on people who had little or no experience in the field, a track called Threat, Vulnerabilities and Compliance, a track for Security Software and Networks, and, last but not least, a Capture-the-Flag track.

In this Capture-the-Flag (CTF), participants are given the task to break into a system and prevent others from doing the same. CTFs are a common element of many security conferences; sometimes they are similar to this one, a “King of the Hill” challenge, while others are more about solving increasingly difficult puzzles. The latter category is known as a “Scavenger Hunt” and they are great fun to participate in.

The CTF was built on a popular framework from GitHub called RootTheBox. The challenge difficulty ranged from easy to very difficult. There were approximately six teams of up to three participants. The objective of the CTF was to gain access to six servers that were built for this challenge. This CTF touched on many different offensive security techniques. One of the greatest challenges was getting administrative access on a server before others did and then to lock down the computer! Overall a fun learning experience!

Where BSides differs from many of the other conferences our team has attended is that the focus here is not strictly on the Higher Education sector. At many of the conferences we already frequent, we’re hearing from our peers at other universities who are dealing with many of the same issues we do. However, sometimes it’s nice to hear the private sector perspective. Apart from a colleague at Suffolk Community College, pretty much everyone we spoke to and everyone whose presentations we sat in on was from outside the education sector. While our tactics may differ from those of a network of auto dealers, the problems of securing a network and its data are fairly universal.

Cybersecurity is a discipline in which trust is key. Conferences like this help a lot. Meeting peers eye-to-eye, in an informal setting, sitting down and chatting about common issues, and sharing a (good) meal are great relationship builders. BSides did a fantastic job at this.

What’s ahead? Well, the next regional BSides will be in New York City, in January 2020. But, if you cannot wait, and you don’t mind traveling, there are plenty of other opportunities, all around the world!