The city of San Francisco is currently inundated with some of the brightest and best information security people that the world has to offer. The reason? The annual RSA Conference – essentially the mecca for security professionals.
It’s a massive event held at the Moscone Convention Center and based on previous years’ attendance, you can expect around 35,000 attendees and 500 sessions held over the period of a week… that’s huge!
But what I found interesting about this particular event is that, as I mentioned to colleagues and industry peers that I was going to be at RSA Conference 2016, all I heard about was how I should be really careful about protecting my personal information from hackers.
At first, I was stunned, but as I thought about it more and did a little research, it turns out to be a legitimate concern. The fact is that I’m going to a security conference with another 34,999 people, some of which would love to make their mark by causing some mischief!
As I dug deeper, hacking at industry events is actually becoming quite trendy. For example, the DEF CON conference has a 'wall of sheep' where the names of people who have been successfully hacked at the conference are displayed. Admittedly getting hacked at a conference for hackers is a worst case scenario, and you are better off just bringing a notepad and pen and use a public telephone if you can find one.
Staying secure at a security conference
There is quite a bit of information out there about protecting yourself at security conferences such as RSA, and essentially the general warning is: be vigilant. Some writers and experts simply advise you to go with a burner phone and nothing else. Oh, and just use it as a phone with no Wi-Fi, no Bluetooth, and no apps. To me this seems a little over the top and something more from the pages of a screenplay.
My recommendations come from my readings and expertise in the area, and my angle is one of practicality and risk mitigation. I’m not guaranteeing anything (because I don’t know you and what you will be doing at these events), but here are my top tips:
Update your software
This one may seem obvious, and it is, but I have to say it. Make sure you update all of your software. This includes the operating system and any applications. Updating these will ensure that any known security vulnerabilities are patched accordingly before you arrive at the event.
Never connect to unknown Wi-Fi access points and avoid conference Wi-Fi
Never connect to any unknown Wi-Fi access points. 'Free Public WiFi' typically isn’t. You should even be suspicious about the conference Wi-Fi. In fact, I wouldn’t connect to it either as you never know if it is being spoofed by a hacker. If your company operates in a hybrid IT environment without any compliance checking mechanisms, connecting to a compromised Wi-Fi access point can open the flood gates for hackers to steal company data. My recommendation is that if you need network access, use your own portable hotspot or 4G/LTE connection.
Use a mobile VPN
Use a mobile VPN to encrypt all network data flowing from your device. This will ensure that there is no data travelling 'in the clear'. Also, if you have a vigilant IT team, and a professional VPN solution, a 'host checker' can be enforced so that the VPN will not allow you to connect until your device is up to spec and secured to the highest level.
It's also important to confirm that 'split-tunneling' is switched off. Again, something IT should and can enforce. This will make sure that all network traffic flows through the encrypted VPN and not just some of it.
Switch off the extras
Switch off Bluetooth, NFC, Airdrop, and server based applications that accept connections from the network.
Use a firewall
Ensure that your device is using a firewall that restricts all inbound connections and that the device is operating in 'stealth mode', which means that it will not react if scanned by a network scanner.
Make sure that any hard drive or storage area is encrypted. IT groups can ensure encryption is configured by implementing the 'host checker' (mentioned above). For mobile devices, a secure corporate workspace that enables full corporate control on sensitive apps and data should also be used so that IT can help you stay secure from company headquarters.
Always use your own gear
Never plug into anything unknown at RSA. The simple reason is that you have no idea what’s on that give-a-way USB stick, and you may need that extra boost of power, but don’t be tempted by the legitimate looking USB power outlet or charging station. You never know what’s behind the wall plate.
And that’s it! I really do hope that if you are going to RSA Conference 2016 that you have a great time and if you see me on booth duty, I won’t be offended if you say no to that free USB stick.
Adam Jaques is senior director of product marketing and evangelist at Pulse Secure