How to Stay Secure at Conferences

Conferences can be an amazing way to connect with like-minded folks and educate yourself on what’s new and trending in your industry. At Threat Stack, we regularly attend and speak at conferences like BSides and DevOpsDays, and it’s been exciting to see a bigger focus on security topics in the DevOps world in recent years. Since we attend so many conferences ourselves, we wanted to offer some helpful advice on how you can keep your devices secure while you’re attending conferences. Anytime there’s a large group of people, especially one that has its roots in tech, security can become a concern. More devices in one place and a concentration of industry players can mean a field day for casual or targeted hackers. Luckily, there are key security basics and hygiene best practices you can follow to ensure that traveling to a conference doesn’t mean opening up a wider attack surface for yourself or your organization.

Here are our tips for staying secure while you enjoy yourself at conferences.

Protect Your Devices

First and foremost, treat your devices with care when doing any sort of traveling — and certainly at a conference or other large gatherings, where the chances of getting hacked multiply. It’s easy to get sloppy, but that’s also why hackers are so successful at breaking into devices and stealing company information.

Take Inventory and Maintain Control

First, take an inventory of the devices you’ll be carrying with you. Many people travel with a phone and a laptop, and some travel with tablets and wearables or IoT devices as well. You should make sure you know which ones you are bringing with you and where they are at all times. If you don’t need a device during the day, leave it in your hotel room (ideally in a lockbox) where it will be less vulnerable.

While you are out and about at a conference, remember to never leave a device behind, even if you’re just running to the bathroom or charging your phone. Ideally, you should always have your devices on your person or in a private, protected location (like your hotel room) for maximum security.

Use Good Passwords and Autolock

With the devices you do take with you, make sure that their security settings are as good as they can be. You should password-protect the devices themselves and set up an autolock after a timeout (keep it short) for laptops, cell phones, tablets, and any other devices. Also, pay attention to the settings on your devices. Your apps should not be able to display messages on the lockscreen, since this could potentially open your information and privacy up to leaks, even before someone cracks your password.

Next, consider how secure your other passwords are for applications and websites you will visit during the conference. We recommend that you use a password manager like LastPass or 1Password. These programs can help you avoid the need to memorize passwords (which usually leads to people using the same one or simple variations across multiple services — which is not a best practice.) You can also use these programs to auto-generate passwords that will be extra-secure. Research shows that passphrases are more secure than passwords, so rely on these when possible.

Employ 2FA and Geotracking

Additionally, we recommend that you use Two-Factor Authentication whenever possible to make it as difficult as possible for someone with ill intentions to get into your devices. You can also consider using a service like Find My iPhone or Prey that will allow you to geotrack your devices if they are stolen or lost and remotely wipe them if needed. It’s a good idea to have a plan like this in place in case one of your devices is lost or stolen during a conference, and these two programs can help you take the necessary measures if that does happen.

Avoid Unsecured WiFi

Another thing to consider when at conferences is where your internet is coming from. Don’t connect to unsecured public WiFi networks, or any network that is not trusted. Ideally, you should only connect to the conference location WiFi if it is clearly marked and password-protected. You can also set your phone up as a hotspot or purchase one before you hit the road, since these are far more secure. And be careful who you share the connection with. If your company has a VPN that you can use on the road, this will add a further layer of security when you’re connected to the internet.

Think Before You Tweet

Conferences can be a good time to engage with other folks in your industry, and social media can help to connect you with these people. However, you want to be careful about what you post, especially during conferences. This is a key part of “Opsec,” which we define as, “Actions taken to ensure that information leaks don’t haunt you.”

For example, if you are attending a conference and want to snap a photo with colleagues, make sure that there aren’t any key pieces of information visible on paperwork, screens, whiteboards, etc. before you do so. You’d be surprised what we’ve seen people accidentally post online,

Reverse image search also means that people can use photos you post and do research on who you are, where you are, and what your company is all about. Depending on your industry, the type of work you do, and various privacy concerns, this can become a security issue.

In these instances, you’re better safe than sorry, so just make sure you fully think out the potential consequences of any social media and other internet posts that you decide to put up during a conference.

Watch What You Say

Similarly, conferences can be thorny from an in-person Opsec perspective. Think about how many people at your conference work for your competitors or customers. It’s easy to fall into work chat with a colleague who is at the conference with you and forget that someone may be sitting next to you or within earshot that shouldn’t hear that information.

For this reason, we recommend that you think carefully about discussing:

  • Company secrets
  • Intellectual property
  • Customers
  • Future plans or roadmaps
  • Product development
  • Legal or PR issues

Loose lips can sink ships, so just as you would with social media, think carefully about what you discuss in public, especially at conferences. At Threat Stack, we tell new hires,”Watch what you say, where you say it, and who you say it to.” Keep private information private, and when in doubt, zip your lips.

Final Thoughts . . .

Conferences can be a fantastic opportunity to challenge your assumptions, learn new ways of doing things, and exchange ideas with others in your field. As long as you follow the best practices above, there’s no reason for a conference to become a security hazard. Keep your devices well-secured and think before you tweet or talk, and you’ll be well on your way to an experience that’s enjoyable and profitable, while also being safe and secure.