At Threat Stack, we attend a lot of conferences: They can be a powerful way to connect with like-minded professionals and educate yourself on what’s new and trending in your industry. Since we attend so many conferences ourselves — in fact, the Threat Stack Team just got back from another great AWS re:Invent out in Las Vegas — we wanted to share some advice on how you can keep secure while you’re attending conferences.
Anytime there’s a large group of people, especially one that has its roots in tech, security can become a concern. More devices in one place and a concentration of industry players can mean a field day for casual or targeted hackers. Luckily, there are security basics and hygiene best practices you can follow to ensure that traveling to a conference doesn’t mean opening up a wider attack surface for yourself or your organization.
Here are our tips for staying secure while you enjoy yourself at conferences.
Protecting Your Devices
First, treat your devices with care when you do any sort of traveling — and certainly at a conference or other large gathering, where the chances of getting hacked multiply. It’s easy to get sloppy, and that sloppiness is exactly why hackers are so successful at breaking into devices and stealing company information.
Take Inventory and Maintain Control
Start by taking an inventory of the devices you’ll be carrying with you. Many people travel with a phone and a laptop, and some travel with tablets and wearables or IoT devices as well. Make sure you know which ones you are bringing with you and where they are at all times. If you don’t need a device during the day, leave it in your hotel room (ideally in a lockbox) where it will be less vulnerable.
While you are out and about at a conference, make sure you never leave a device behind, even if you’re just running to the bathroom or charging your phone. Ideally, you should always have your devices on your person or in a private, protected location (remember that lockbox?) for maximum security.
Use Good Passwords and Autolock
Make sure the security settings on the devices you take are as good as they can be. You should password-protect the devices themselves and set up an autolock after a timeout (keep it short) for laptops, cell phones, tablets, and any other devices. Also, pay attention to the settings on your devices. Your apps should not be able to display messages on the lockscreen, since this could open your information and privacy up to leaks, even before someone cracks your password.
Next, consider how secure your other passwords are for applications and websites you will visit during the conference. We recommend that you use a password manager like LastPass or 1Password. These programs can help you avoid the need to memorize passwords (memorizing usually leads people to use the same password, or simple variations of it, across multiple services, which is not a best practice). You can also use these programs to auto-generate passwords that will be extra-secure. Research shows that passphrases are more secure than passwords, so rely on these when possible.
Employ 2FA and Geotracking
We also recommend that you use Two-Factor Authentication whenever possible to make it as difficult as possible for someone with ill intentions to get into your applications. You can also consider using a service like Find My (a function formerly provided by the Find My iPhone app) or Prey that will allow you to geotrack your devices if they are stolen or lost and remotely wipe them if needed. It’s a good idea to have a plan like this in place in case one of your devices is lost or stolen, and these two programs can help you take the necessary measures if that does happen.
Avoid Unsecured WiFi
Another thing to consider at conferences is where your internet is coming from. If you can help it, avoid connecting to unsecured public WiFi networks, or any network that is not trusted. Ideally, you should only connect to the conference location WiFi if it is clearly marked and password-protected. You can also set up your phone as a hotspot or purchase a dedicated hotspot before you hit the road, since these are far more secure. Either way, be careful who you share the connection with. If your company has a VPN that you can use on the road, this will add a further layer of security when you’re connected to the internet.
Thinking Before You Tweet
Conferences are a good time to engage with other folks in your industry, and social media can help you connect with these people. However, you need to be careful about what you post, especially during conferences. This is a key part of “OPSEC,” which we define as, “Actions taken to ensure that information leaks don’t haunt you.”
For example, if you are attending a conference and want to snap a photo with colleagues, make sure that no sensitive information is visible on paperwork, screens, whiteboards, etc. before you do so. You’d be surprised what we’ve seen people accidentally post online.
Reverse image search also means that people can use the photos you post and do research on who you are, where you are, and what your company is all about. Depending on your industry, the type of work you do, and various privacy concerns, this can become a security issue.
In these instances, you’re better safe than sorry, so just make sure you think through the potential consequences of any social media and other internet posts you decide to put up during a conference.
Watching What You Say
Similarly, conferences can be thorny from an in-person OPSEC perspective. Think about how many people at your conference work for your competitors or customers. It’s easy to fall into work chat with a colleague who is at the conference with you and forget that someone who shouldn’t hear that information may be sitting next to you or within earshot.
For this reason, we recommend that you think very carefully about discussing:
- Company secrets
- Intellectual property
- Future plans or roadmaps
- Product development
- Legal or PR issues
Loose lips can sink ships, so just as you would with social media, think carefully about what you discuss in public, especially at conferences. At Threat Stack, we tell new hires, “Watch what you say, where you say it, and who you say it to.” Keep private information private, and when in doubt, zip your lips.
Final Thoughts . . .
Conferences can be a fantastic opportunity to challenge your assumptions, learn new ways of doing things, and exchange ideas with others in your field. As long as you follow the best practices above, there’s no reason for a conference to become a security hazard. Keep your devices well secured and think before you tweet or talk. If you do, you’ll be well on your way to an experience that’s not only enjoyable and profitable — but safe and secure as well.