If you haven't heard of the Rocky Mountain Information Security Conference (RMISC) it’s definitely worth checking out.
“RMISC is the only conference of its kind in the Rocky Mountain region. A convenient, affordable knowledge-builder for IT security, audit and compliance professionals at all levels. RMISC provides the perfect blend of education, networking and opportunities that are critical to your success in today’s economy and security climate!”
***Disclaimer: This article will attempt to recap the 2019 Rocky Mountain Information Security Conference, which is a difficult task considering there are multiple sessions happening at one time and the author cannot be in more than one session at a time. This event is also PACKED with information, so condensing it into one easy-to-read article is also challenging in itself. Please don't get your feelings hurt if you didn’t get a shout out. All right, let’s get to it.***
This year featured keynotes from cybersecurity journalists, global security experts, authors, podcast hosts, penetration testers, a comedian, and even the Chief Information Security Officer (CISO) from the Governor’s Office of Information Technology, Debbi Blyth.
Kim Zetter’s keynote on Stuxnet was incredibly informative. Stuxnet is an elegantly crafted worm and rootkit that was first uncovered in 2010 and was used to cause delays to Iran’s nuclear program to allow time for diplomacy to work. One of my favorite parts of this keynote was learning that Stuxnet reached out to a command-and-control server to be effective. This tactic would not have been effective if a firewall had been in place that prevented outbound connections to the internet from inside the air-gapped nuclear facility’s network. It was also interesting to learn how the rootkit component of Stuxnet was able to intercept commands from administrators and display misleading information, even leading administrators to believe that they had flashed the firmware of the affected programmable logic controllers (PLCs).
Another interesting topic was the security of the voting booths here in Colorado, which was covered by Debbi Blyth. Debbi mentioned that even if these voting booths were ever compromised, the worst-case scenario would be that tallying the votes would be delayed, but that the votes themselves could not be changed. She also spoke about CDOT’s recovery from a ransomware attack last year, explaining that network segmentation and backups are what saved the day. “We never considered paying the ransom,” said Debbi. She also mentioned that it has been challenging for her office to retain cybersecurity professionals on staff due to higher compensation in the private sector, among other factors. Retention is a challenge faced by many in the cybersecurity industry.
There were more than 80 different breakout sessions this year with topics ranging from audits, threat hunting, being successful as a CISO, and live hacking demonstrations. There was even a security escape room!
In one of the breakout sessions, DJ Schleen shared his insights into DevSecOps. He recommended that organizations start doing value stream analysis if they are not already. Similar to lean manufacturing, value stream analysis aims to reduce waste in a process by eliminating steps that do not provide value. He also shared the worrisome stat that 90% of software available today has components of open source software in the code, and that 45% of open source software has vulnerabilities. He described a time he received a container image from a vendor that had 4 critical vulnerabilities built into it on day one, and how he engaged the vendor and requested that they begin to perform Container Vulnerability Analysis.
Another session I really enjoyed was How Threat Actors Choose Their Targets by Sherrod DeGrippo. She shared insight about a fast food chain whose point-of-sale (POS) systems were targeted because they were known to have broken chip readers. With the chip readers broken, customers had to swipe their cards and bypass the security features employed when chip readers are used. Attackers were able to compromise the chip readers and obtain the credit card information of the restaurant’s customers. Next the attackers performed a supply chain attack, targeting the food chain's vendors, then their value-added resellers (VARs) who sold hardware that was well known for its remote management capabilities.
There were so many more great takeaways, but one last one I want to mention: not all penetration tests are created equal. Some vendors complete automated scans, put a logo on a report, and call it a penetration test. In David Parker’s presentation titled Show and Tell From a Professional Hacker (and how I’d catch myself), David shared a ton of real-life examples of how his team has hacked into casinos, health care institutions, industrial facilities, and even banks during penetration tests.
Around 100 vendors came prepared this year with innovative products, fascinating displays, demonstrations, and tons of swag! There were drones, Star Wars collector items, various branded charging cables, reusable straws to help reduce plastic waste, and of course water bottles and sunglasses.
More important than the swag were the vendor demonstrations. We saw vendors demonstrate a .PST migration and cleanup tool, real-time malware detection, and more cybersecurity solutions than we could try to dive into here. Check out the full list of sponsors and exhibitors.
RMISC has a job fair component to help connect employers and job-seekers. It’s free for employers to set up a table for the job fair, so I was surprised to see only a few employers had taken advantage of the job fair. With over 1,400 attendees this year, I can’t think of a better place for cybersecurity recruiters to be. As a community, we will have to do a better job spreading the word about the job fair next year.
Hayden Abler, one of the job seekers I met, is a recent graduate who majored in computer science and minored in cybersecurity. He has completed several successful internships and created some useful solutions. He did receive an offer after his internship, but wasn’t interested in that particular role. If you’re hiring, consider connecting with him on LinkedIn.
The 2019 RMISC also had a student program this year to help young adults learn more about careers in IT & Cybersecurity. I didn’t participate in the same activities they did this year, but I’m sure the conference was an eye-opening experience for them. It was for me.
Well, if you’ve made it this far without dozing off, then you just might be a nerd! Overall, RMISC was an incredible experience, and I’m already excited for next year’s conference. I hope to see you there!
Sheridan's interests are in technology, business, music, and adventures