If you’ve never been to any cyber security conferences, then hopefully this can convince you!
If you’ve never been to any cyber security conferences, then I cannot recommend them enough. While larger ones like DEF CON and DerbyCon (RIP) are great, you can even start with your local BSides. Not only are security conferences a great way to learn new tools and techniques, but they can also be so much more.
Table of Contents
- Cyber Security Conferences – Introduction
- Who Should Go to Cyber Security Conferences?
- What Can You Expect at a Hacker Conference?
- Are There Specific Dates for InfoSec Cons?
- Information Security Conference Locations
- Why Go to Cyber Security Conferences?
- Going to Your First Security Con
- More Hacking Conference Links and Resources
- Cyber Security Conferences – Conclusion
Cyber Security Conferences – Introduction
Conferences allow you to connect in person, see some talks, and learn what the community is all about.
Most cons should have something for everyone: talks and presentations, job fairs and networking, parties, or everything in between.
And, if you like CTFs, then conferences usually have at least one that you can win some AWESOME prizes at.
Who Should Go to Cyber Security Conferences?
Honestly, I think anyone with the opportunity should go to a security conference!
If you are in a security-related role, then the reasons for hacker cons should be fairly obvious.
That said, I think people in non-security-related technical roles have almost as many reasons to attend as security professionals, if not more.
Even non-technical people can learn a lot at conferences and might enjoy seeing a different type of con than what they are used to.
I’ll cover some more reasons to attend below, but believe me that you don’t have to be a hacker to enjoy yourself at a cyber security conference!
What Can You Expect at a Hacker Conference?
While it will vary from conference to conference, I’ll try to cover what you can usually expect.
First, if you are traveling to a conference, there will usually be a hotel nearby (if it isn’t being held at one). I’d recommend at least looking into this hotel, as it can usually be cheaper and/or more convenient.
As far as the hotel is concerned, I wouldn’t leave any valuables in your room where possible. While this is generally good advice, I’d say it goes double for conferences. Between hotel staff performing room checks and possible threat actors, it’s a good idea. While hotel safes are decent storage, don’t forget that staff can unlock these if they have to/want to.
Regarding hotel or con internet, you can use it, but be safe. Don’t visit anything over HTTP, and try not to use anything important during your time there. I also recommend some form of VPN (I personally use NordVPN on my machines, so that’s what I’d recommend) for privacy and security.
When it comes to badges or entry, these will also vary from con to con. That said, most cons have an entry fee (I’ve seen $20 up to $300) that covers your entrance to the entire event, occasionally food, and any local side-events or parties.
You might have to pre-register or stand in a line for these badges, especially if it is a larger conference.
If the conference provides food or beverages, expect there to be a line. I’d try to beat the crowds to these or go off on your own for some of the local fares. When I am at events like this, I like to buy my own drinks and snacks so that I don’t have to worry about it. Picking up some coffee, protein bars, soda, jerky, etc. for your bag or room will keep the hanger away.
Also, don’t be surprised if you are tired, sore, or hungry during your conference days. You’ll be on your feet, moving around, talking, and possibly drinking alcohol more than usual. Try to stay ahead of these by staying hydrated and getting a decent night’s sleep.
Other than that, expect to have a good time, and to take in as much as possible. Don’t go in with too many expectations, and be willing to change your plans/feelings on the fly!
Are There Specific Dates for InfoSec Cons?
There are actually no specific dates for InfoSec cons, as they happen year-round.
That said, I’ve noticed that more cons occur in the summer months, as opposed to the winter months.
If you are interested in BSidesLV, Black Hat, or DEF CON, then these all occur in the summer months, usually early to mid-August.
For a larger list of specific dates, check out https://infosec-conferences.com/. While they might not have every conference, it’s a great place to get started.
I also recommend joining your local security meet-up groups and Twitter. This will help you figure out where and when your local cons, for example BSides RDU, are happening.
Information Security Conference Locations
As you may have guessed, you can find an information security conference at most small to medium-sized locations!
That said, there are likely more cons in the United States, and that is what I’m most familiar with.
If you are local to the Triangle, then definitely head to BSides RDU.
Last, but not least, don’t neglect your local or smaller conferences. They are easier to find, might have people you know, and are usually much cheaper to attend!
- ShmooCon 2017 - More Talks, More Moose, More Fun!
- CarolinaCon 13 - When a 12 Step Program Isn't Enough
- BSides MCR 2017 was an UnBEElievable Time
- CarolinaCon 14 - Shall we Play a Game
- BSides Denver 2018 - Hacking the Mile High City
- BrrCon 2018 - Honestly, not Really that Cold
- NorthSec 2019 - Into the Great White North
Why Go to Cyber Security Conferences?
I’d say one of the biggest reasons to attend a security conference is the learning, at least for me.
Obviously, as an attacker, there are plenty of new TTPs that you can learn at a conference.
Not only can defenders learn about new attacking techniques, but there are plenty of talks for the Blue Team at most conferences nowadays.
For anyone in a non-security technical field, there is still plenty of opportunity for learning. You can increase your security awareness, and think of ways to defend the products, systems, or services that you are in charge of at your organization.
Finally, for non-technical people, you may still have the chance to learn. This will vary from conference to conference, but many hacking cons will have entry-level talks for users of all experience levels. Even if you don’t understand everything in a talk, you can pick up a lot about security awareness and protecting yourself on the internet.
And these points only cover the learning aspects of conferences! They are also a great place to find a job, play with some cool gadgets you may never see again, or just party with some interesting hackers.
Plus, if you’re really lucky, you might just find your favorite conference ever, like DerbyCon.
Going to Your First Security Con
Even if this isn’t your first security con, hopefully, these tips can help you make the best of your time there.
First of all, listen to the conference staff. They are not only there to help you out, but also to keep you as safe and entertained as possible.
In the same vein, try to follow the 3-2-1 rule: three hours of sleep, two or more meals per day, and one or more showers per day!
You should try to bring at least some of the following things so that you don’t feel unprepared.
- A backpack or a small bag (to carry some of this stuff).
- Water bottle(s), ideally refillable.
- A battery pack – to keep your devices charged.
- Laptop/tablet – if you want to take notes or participate in CTFs.
- Pen and paper – for notes if you’d like.
- Any medication, including pain relievers like Ibuprofen
- Cash – some vendors or conferences will not take credit cards
- Comfortable shoes
- Business cards – if you want to share them for networking reasons.
- Alternate credit card – if you need to cancel a card, try to use one without recurring monthly bills.
When you are going out to eat or drink, make sure to double-check your bills. While this is good travel advice in general, people might think it’s funny to charge your room/table for something that they ordered.
Conference Talks, Or How to Spend Your Time
If you have never been to a security conference before, then I recommend spending most of your time going to talks. You can also visit villages or side events, but talks are the main draw at these events.
After your first few visits or conferences, you can definitely mix it up.
For bigger cons, if you want to see talks, then plan ahead. If you are trying to watch a very popular talk, you’ll want to be in line during the talk before it. Sometimes you can stay in the room for the next talk though, which is always nice.
Also, if you miss a talk that you really wanted to see, then it will usually be online.
Other than the talks, if the conference has them, then definitely check out the villages and side events. These will be a ton of fun and not something that you can catch up on after the conference has ended.
Finally, if you want to ask a speaker questions, then DO IT! They are as excited to talk to people about their work as you are, and love sharing knowledge. That said, if you are going to take up a lot of their time, maybe try doing it over dinner/drinks instead of outside of the conference hall.
Conference Device Security
Last, but not least, I wanted to circle back to protecting your devices and information at hacker conferences.
First, only charge your devices using a direct power plug. Don’t connect to any random USB outlets/cables that you find.
Next, be sure to turn off Bluetooth and wireless if you don’t need them. People have been known to set up fake mobile networks, and your traffic could be intercepted due to that.
On that note, be sure to take the following precautions, in case you do end up on a malicious network. Note: The smaller the conference, the less likely you are to have to worry about these things. That said, it’s good advice in general if you want to be as protected as possible.
- Turn off auto-updates on all of your devices until you get back home.
- Update and patch everything before you leave home. This will prevent you from downloading malicious patches, as well as keep you more secure.
- Change the passwords for anything that you accessed once you get home.
- Uninstall applications that can access your personal or financial information.
- Don’t scan any random QR codes.
- If you buy a fun (wireless) hacking device, don’t be a jerk; wait until you get home to play with it.
- Bring a portable battery pack, as your phone is likely to die due to all of the other wireless signals and jamming that may occur.
- If you can bring a “burner” laptop or phone, then consider that, especially if you’re going to something like DEF CON. It’s much easier to completely wipe a device that you don’t care about once you get home.
Finally, consider a VPN service that you either pay for or set up yourself. This will give you an extra layer of security, and prevent some of these man-in-the-middle attacks.
I personally use NordVPN on my machines, so that’s what I’d recommend for privacy and security.
More Hacking Conference Links and Resources
If this massive post about cyber security conferences wasn’t enough, then here are a few more links.
- Preparing for Hacker Summer Camp
- The Official DEF CON FAQ
- DEF CON 29 Planning Thread
- DEF CON 28 Reddit Mega-Thread
- Lonely Hackers DEFCON Guide
- (Vegas) Hotel Safety
Or, if you prefer a video, why not watch the DEFCON Documentary?
Cyber Security Conferences – Conclusion
If you still don’t want to go to a cyber security conference, then I don’t know what I can do to convince you.
I have personally met friends I still have to this day, and have been offered jobs at cons.
Beyond that, once you get the con bug, you might even end up speaking at one!
Let me know in the comments what your favorite conference is, or if you are planning on going to your first con soon.
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.