Last week I attended the (ISC)² Security Congress 2013 in Chicago, which took place as a sub-congress of the ASIS 59th Annual Seminar and Exhibits. As I am planning to do my CISSP certification in December, we (my company and I) thought that this would be a good opportunity to get prepared and to get some more background on the certification. Also, the presentations and sessions sounded actually pretty interesting; in the end they weren't.
First, when I arrived at the congress, I was surprised by the size of the building, the McCormick Place; this is really a huge exhibition hall. I was wondering how many rooms they would use for the congress... when I stepped into the building this question was quickly answered. Contrary to my expectations, the ASIS conference (which the (ISC)² congress was co-located with) was actually a huge exhibit (at least a quarter the size of CeBIT). I was confused. Compared to other conferences I attended, this looked more like a huge sales pitch to me. After I attended some of the sessions/presentations, my fears were confirmed. The content of the sessions was really very high-level (although some of them were marked as "advanced").
The first session I visited was actually pretty good. It was called "What'Cha Gonna Do When They Exploit You?" by Sean Bodmer. Giving an overview of how malware usually works, he offered some thought-provoking impulses on how to better detect it and how to safeguard your systems against it. His basic idea is that he doesn't care what opcodes the malware has, what signature the executable has, or whether the bad guys build heuristic code that changes its signature with every infection. His approach is to look at the actual behavior of the malware, i.e. what it does. So he starts looking at things like the paths the malware wants to access or the typical files that it wants to infect. And although he said he didn't want to do any advertising for the company he works for (and in fact he wasn't doing any direct advertising), he still showed a good number of examples that were based on software sold by the company he works for. Anyhow, still a very interesting talk.
The 2nd session was about BYOD and how it's done at the University of Saskatchewan. It wasn't that bad, but the speaker (Lawrence Dobranski) has his very own view on BYOD, which is most likely based on the fact that he works at a university and that they are forced to offer BYOD. I wasn't able to agree with everything he said, which is absolutely fine. At least it got me thinking about that subject again.
The 3rd talk was "Do It Yourself Command and Control, For Fun and *No* Profit" by David Schwartzberg. The presentation was about the Zeus trojan and its botnet command & control. That wasn't really anything new to me, as I've worked with Zeus before, but I thought the talk was hilarious. David really knows how to present and how to keep the audience following his explanations. I really appreciate it if someone has not only the technical skills and knowledge of what he presents, but also the soft skills to keep people's attention.
What really annoyed me was the time between the sessions. The actual sessions started at 11 am, and between each session there was also at least 1 hour of time. I think that during that time you were expected to visit the exhibit and let the sales guys sell you some shit, which I wasn't there for. So all in all the first day was OK, but still not what I expected.
The 2nd day was even worse. The first session I visited was "Why Metasploit Is So Powerful", held by a guy from Cisco. So what would you expect from that title? I at least expected some focus on the Metasploit framework... far wrong. Basically the only thing this presentation had to do with Metasploit is the fact that Metasploit is written in Ruby. In the end, it was just a "Ruby is great!" talk. The speaker explained what Ruby is and why it's great, and then occasionally he added a slide where he basically said "this is what makes Metasploit so powerful". Totally ridiculous! The next talk was even worse... "Why?" you're asking? Well, the actual speaker didn't even show up... the presentation was held by one of the (ISC)² guys. He tried to do his best (given that he didn't make the slides), but honestly... he is not a good presenter. The 3rd session was a joke as well. It was a podium discussion about current security threats; it was more like old people talking about what the internet is. I had to leave the room after 20 minutes.
Long story short, this congress to me was a bad joke (given that it cost $1,125) and a waste of time. I could have spent my time much more productively. To me this looked more like an excuse for (ISC)² members to quickly add some CPE credits to their account. Also, I was very shocked about the average age of the attendees. I think more than 75% of them were 45 or older. Especially the ASIS part of the congress was well over 50. Hopefully this is not the "information security future".
Anyhow... lessons learned: next year I am not going to attend again.