Inside ShowMeCon: Community, Education, and Security with Dave Chronister

February 18, 2025

Blog post generated by ChatGPT and reviewed and edited by me.

Cybersecurity conferences have become essential hubs for professionals looking to expand their knowledge, connect with industry leaders, and gain hands-on experience in emerging security trends. Among these, ShowMeCon stands out as a premier security event that blends corporate professionalism with hacker culture. Recently, on the Exploring Information Security podcast, I sat down with ShowMeCon founder Dave Chronister and organizer Brooke Deneen to discuss what makes this conference unique and what attendees can expect in 2025.

The Origin and Vision of ShowMeCon

ShowMeCon was founded with a clear mission: to provide high-quality security education in an engaging, community-driven environment. Unlike traditional conferences that often feel like corporate networking events, ShowMeCon fosters an atmosphere where security researchers, IT professionals, and ethical hackers can exchange knowledge in a collaborative setting.

During the podcast, Dave Chronister shared the story behind ShowMeCon’s inception, emphasizing the importance of bridging the gap between technical expertise and real-world security applications. By creating a space where attendees can both learn and engage with top security minds, the conference has grown into a must-attend event for security professionals.

What Sets ShowMeCon Apart?

One of the defining aspects of ShowMeCon is its ability to strike a balance between corporate and hacker culture. As Brooke Deneen explained, the conference offers a professional yet welcoming environment that caters to both seasoned professionals and newcomers to the field.

Key Features That Make ShowMeCon Unique:

Immersive Venue: Hosted at the Ameristar Casino in St. Louis, the setting provides a comfortable yet dynamic backdrop for networking and learning.
Engaging Speakers: The event prioritizes bringing in experts who are not only knowledgeable but also passionate and approachable.
Hands-On Learning: ShowMeCon features training sessions, Capture The Flag (CTF) competitions, and lockpicking villages, offering attendees the chance to apply their skills in real-world scenarios.
Expanding Reach: The ShowMeCon team is exploring ways to expand the conference to new cities like Nashville, ensuring more professionals have access to top-tier security education.

Highlights of ShowMeCon 2025

The upcoming 2025 edition of ShowMeCon is set to be bigger and better, with new elements designed to enhance the attendee experience. Some of the highlights include:

The Return of Pre-Conference Training: Attendees can participate in deep-dive workshops led by industry experts.
Exciting Themed Experiences: This year’s event will feature a Fallout-theme, adding a creative twist to the conference experience.
Stronger Community Building: Encouraging new speakers and first-time attendees to engage and contribute to the security conversation.

Why You Should Attend ShowMeCon

If you're looking for a conference that goes beyond lectures and sales pitches, ShowMeCon is for you. Whether you're an IT administrator, security analyst, penetration tester, or student, this event offers valuable insights and opportunities to:

✔️ Learn from industry experts in a practical and engaging environment.
✔️ Network with peers and leaders who share a passion for security.
✔️ Gain hands-on experience through CTFs, training sessions, and interactive villages.
✔️ Explore new security trends that will shape the industry in the coming years.

Final Thoughts

ShowMeCon continues to grow as a hub for cybersecurity professionals. With its community-driven approach, diverse speaker lineup, and immersive experiences, it’s clear why this event has become a staple in the cybersecurity world.

🚀 Want to attend? Visit showmecon.com to learn more and register for the 2025 event.

🎙️ Listen to the full conversation on the Exploring Information Security podcast and you may just hear the discount code to save $50 on tickets or training: Podcast Website

See you at ShowMeCon 2025! 🔐🔥

Understanding the 2025 HIPAA Security Rule Proposal: Key Changes and Implications

February 17, 2025

In January 2025 I put together a presentation on the proposed changes to the HIPAA Security Rule. You can view the live recording on the ExplorSec YouTube channel. With Valentines Day recently passing I though this would be a good time for a blog post on the proposals for the HIPAA Security Rule. Below is a ChatGPT generated blog post using the transcript from that session that I’ve reviewed and edited .

The U.S. Department of Health and Human Services (HHS) recently proposed updates to the HIPAA Security Rule, aiming to enhance the cybersecurity resilience of healthcare organizations. These changes are in response to the evolving threat landscape, rising breach costs, and the need for stronger regulatory oversight. Let’s explore the proposal, its timeline, and the most significant updates impacting the healthcare industry. The proposal can be viewed at this link: https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/index.html

Why the Change?

HIPAA, originally enacted in 1996, has undergone several updates, with the most recent in 2013. However, with data breaches in healthcare rising sharply, the government is taking action. The cost of healthcare breaches has surged by 50% since 2020, with an average breach costing $10.1 million per organization. Additionally, cybercriminals continue to target healthcare organizations despite previous claims that they would avoid them. In 2023 alone, the FBI received 250 ransomware reports from healthcare organizations—the most of any industry.

Proposed Timeline

January 6, 2024: Proposal released
March 7, 2024: Public comment period closes
Spring 2025: HHS reviews comments and finalizes the rule
2026: Full compliance expected for specific requirements

Organizations have an opportunity to provide feedback before implementation, making this a crucial period for healthcare entities to review the proposed changes and assess their impact.

Key Changes in the HIPAA Security Rule Proposal

Revised Terminology and Definitions

Several terms are being modified or newly defined to eliminate ambiguity and prevent misinterpretations that have historically allowed organizations to circumvent security requirements. Notable changes include:

Security Measures: Clarified to apply to both systems and information.
Technical Controls & Safeguards: Expanded definitions to include firmware and hardware components.
User Definitions: Adjusted to remove ambiguity between human users and system entities.
Addressable and Reasonable & Appropriate Requirements: Refined to ensure organizations do not misinterpret them as optional.

Asset Inventory and Risk Analysis

One of the most critical updates is the requirement for a comprehensive asset inventory of all technical assets that create, receive, maintain, or transmit electronic protected health information (ePHI). Organizations must:

Maintain a written inventory including device IDs, software versions, responsible personnel, and locations.
Conduct annual risk analyses aligned with NIST cybersecurity standards.
Update network maps to track ePHI movement and access points.

Patch Management Requirements

For the first time, HIPAA is setting explicit timelines for patch management:

Critical vulnerabilities must be patched within 15 days.
High vulnerabilities must be patched within 30 days.
Organizations must document any exceptions and review them annually.

Workforce Security and Training Enhancements

Organizations must establish stronger internal security measures, including:

Mandatory security training for new hires within 30 days.
Job description reviews to align role-based access controls with actual job functions.
Regular cybersecurity performance goals for employees, focusing on increasing phishing report rates and improving security awareness.
Security training on new technology implementations, such as new systems that handle electronic health records (EHRs).

Strengthened Physical and Technical Safeguards

The proposal mandates that organizations demonstrate operational enforcement of security policies rather than relying solely on documentation. This includes:

Mandatory encryption of ePHI at rest and in transit.
Elimination of default passwords for all devices.
Multi-Factor Authentication (MFA) requirements (with exceptions for FDA-approved medical devices).
Stricter controls for legacy systems, including the requirement that manufacturers must still provide security updates; otherwise, organizations must replace outdated systems.

Business Associate Agreements (BAA)

Healthcare organizations rely on third-party vendors to handle sensitive patient data, and the proposal introduces stricter rules around vendor agreements:

Vendors must report security incidents within 24 hours of detection.
Organizations will have up to one year to update contracts.
New requirements will apply to healthcare plan sponsors, who previously were not subject to the same security obligations.

Addressing Emerging Technologies

The proposal acknowledges the impact of new technologies in healthcare, requiring organizations to assess and prepare for:

Quantum Computing: Organizations must develop a roadmap for quantum-resistant encryption.
Artificial Intelligence (AI): Organizations must inventory AI use cases and assess associated security risks.
Virtual Reality (VR) in Healthcare: VR devices must comply with access management, patch management, and risk management protocols.

Financial Impact and Justification

The estimated cost for implementing these new security controls across all healthcare organizations is $6.8 billion annually. However, HHS argues that if these measures will reduce healthcare breaches by 7-16% and will effectively pay for itself. For individual organizations, first-year compliance costs are estimated at $4.65 million, but with healthcare breaches averaging $10.95 million in damages per incident, the investment is likely to yield significant long-term savings.

What’s Next?

The proposed HIPAA Security Rule updates aim to close loopholes, modernize security requirements, and enforce stricter compliance. Healthcare organizations should begin:

Reviewing their current security policies, training programs, and technical safeguards.
Assessing their vendor contracts and business associate agreements.
Engaging with industry groups or submitting public comments before the March 7 deadline.

For additional details on the HIPAA Security Rule proposal and how to submit public comments, visit the official HHS website.

What are your thoughts on the proposed changes? Let us know in the comments below!

Key Takeaways from NIST SP 800-50r1 – Building a Cybersecurity and Privacy Learning Program

December 2, 2024

In September 2024, the National Institute of Standards and Technology (NIST) released the updated Special Publication (SP) 800-50r1, "Building a Cybersecurity and Privacy Learning Program." This is an update to the 2003 NIST Special Publication (SP) 800-50, Building an Information Technology Security Awareness and Training Program. I hadn’t realized that there was a NIST publication on building a security awareness program. It’s good to see an update after 21 years! Here's a look at the key insights and recommendations from the updated publication. This was written with the help of ChatGPT.

Understanding THE Cybersecurity and Privacy Learning Program (CPLP)

Name Change! The document introduces the Cybersecurity and Privacy Learning Program (CPLP) as an overarching framework that includes awareness campaigns, role-based training, and workforce education initiatives. Aimed at fostering a culture of security and privacy, the CPLP is a strategic effort to manage risks and comply with federal regulations, such as FISMA. With privacy becoming a much bigger topic in the last 10 years, rolling it into an cybersecurity awareness program makes sense. This could cross multiple teams depending on how an organization is setup.

CPLP emphasizes awareness and education, incorporating role-specific training alongside general awareness activities, and focuses on encouraging behavior change to reduce risks and foster a culture of security. Continuous improvement is integral, with metrics and evaluations used to adapt programs to evolving needs.

The CPLP Life Cycle

NIST defines a four-phase life cycle for managing CPLPs: Plan and Strategy; Analysis and Design; Development and Implementation; and Assessment and Improvement. These phases involve developing a strategic vision that aligns learning objectives with organizational goals, identifying learning needs and creating tailored program designs, building or procuring learning materials and deploying the program, and measuring effectiveness while refining strategies based on outcomes. This iterative approach ensures that the CPLP remains dynamic and aligned with organizational needs.

Leadership and Organizational Roles

The success of a CPLP hinges on active involvement across all levels of the organization. Senior leadership plays a crucial role in providing strategic direction and resources, while CPLP managers oversee program design, delivery, and metrics. System users, on the other hand, are responsible for adhering to policies and participating in required training. Leadership participation, such as senior leaders engaging in training themselves, reinforces the importance of the program. Leadership buy-in is the first step to getting any sort of program off the ground. Heavily regulated industries are easier to get buy-in for than others.

Metrics and Measurements

Effective CPLPs rely on a mix of quantitative and qualitative metrics to evaluate success. Quantitative metrics include training completion rates, reductions in incidents, and compliance statistics, while qualitative metrics involve employee feedback, focus group discussions, and behavioral observations. NIST emphasizes using these metrics not just for compliance but to drive meaningful behavior change and demonstrate return on investment.

This section was helpful for thinking about what sort of metrics to have. One of the examples brought up is click rate which is a highly volatile statistic. A better statistic is report rate which is a positive behavior an organization wants to encourage within their population. The document doesn’t define what an organization should have for metrics but instead provides guidance.

Integrating Privacy into Cybersecurity Training

One of the standout updates in SP 800-50r1 is the seamless integration of privacy training into cybersecurity programs. It highlights the interconnected nature of these disciplines and the need for training to address both cybersecurity incidents and privacy risks, such as data re-identification or misuse. Teaching employees about privacy risks enables them to recognize potential problems and implement procedures that minimize such risks.

This is big within healthcare. Reports like the Verizon Data Breach Investigation Report show that the healthcare industry has higher internal threat actors due to mistakes and errors with handling information. This can lead to huge privacy implications for the organization.

Tailored Training for Diverse Audiences

CPLPs should be segmented to address specific needs. General users benefit from training on fundamental security practices, such as phishing awareness, while privileged access holders require advanced training on managing sensitive systems. Those in specialized roles undergo deeper training specific to their risks and responsibilities. Tailoring training ensures that it remains relevant and impactful for all user groups.

Easy to suggest much harder to do. A good starting point is what’s mentioned in the publication: all users; privileged access account holders; new employees; and staff with cybersecurity and privacy responsibilities. Tailored training should be broken down further into departments such as service desk and finance but this is a good starting point.

Focusing on Improvement Without Punishment

One of the critical takeaways from NIST SP 800-50r1 is the emphasis on using cybersecurity exercises, such as phishing tests, as opportunities for learning and improvement rather than punishment. The publication highlights the importance of informing employees that these exercises are conducted randomly and that the results will guide future learning activities. Such exercises should not be punitive, nor should employees be singled out for their responses. By framing these activities as learning opportunities, organizations can gather valuable data on vulnerabilities while fostering a supportive environment that encourages employee growth and engagement with cybersecurity practices.

A Culture of Learning

At its core, SP 800-50r1 promotes a culture of continuous learning and adaptation. From onboarding new employees to advanced training for cybersecurity professionals, the document underscores the importance of embedding cybersecurity and privacy awareness into organizational DNA. By viewing cybersecurity and privacy learning as an evolving process, organizations can be prepared for emerging risks and technologies.

Conclusion

NIST SP 800-50r1 offers a robust roadmap for organizations looking to strengthen their cybersecurity and privacy posture. For organizations aiming to enhance their cybersecurity and privacy programs, reading SP 800-50r1 is a great starting point. A focus on building culture and rewarding people will help change behavior and reduce the human element in incidents.

Explore the full NIST SP 800-50r1 publication here.

DevSecOps and other security buzzwords that will make the endangered list in 2024

January 11, 2024

This all started when Tim Tomes asked for DevSecOps resources on LinkedIn:

I’ve never been a big proponent of the term DevSecOps. I believe the “Sec” is silent and that DevOps should already have security baked in. That’s a post for another time though. As I thought about it I hadn’t really heard the term in a while. Some of that may have to do with being in a broader space and no longer focused on just application security. I decided to hit up Google Trends to see what it had to say about the term DevSecOps.

Search trend for “devsecops” via Google Trends

Using ChatGPT I asked for DevSecOps resources. It provided some Microsoft, GitHub, GitLab, and a DevSecOps University. The best one is probably the GitHub project Awesome DevSecOps but that hasn’t been updated in three years. The other resources were stood up between 2022 and 2023. AI has probably over taken a lot of other conversations on the internet in the last year.

I looked at two other buzzwords Digital Transformation and Zero Trust. Both had similar trends to DevSecOps.

Search trend for “Digital Transformation” via Google Trends

Search trend for “Zero Trust” via Google Trends

I suspect AI is definitely impacting and we’re starting to see less interest in the other buzzwords.

I’d be okay if the term DevSecOps went away or was at least less used. I believe security is something that’s already baked in when done right. We don’t need to add our own flair to terms people use in other industries. I expect AI will start to ooze into buzzwords and continue to overtake buzzwords that have emerged over the last several years.

Leave your thoughts in the comment section below on other buzzwords to add to the endangered list.

This post first appeared on Exploring Information Security.

Cybersecurity Predictions for 2024

January 1, 2024

Here are my predictions for 2024.

Exploring Information Security relaunches

I will be launching Exploring Information Security as a company in 2024. I may or may not have some insider information. I’m in a bit of a career transition and I have the opportunity to try turning this idea into a company. More details to come.

New buzzwords

I asked ChatGPT for some 2024 buzzwords. A couple of my favorites include:

Cyber Resilience: Focusing on an organization's ability to continuously deliver the intended outcome despite adverse cyber events.
Regulatory Compliance Tech: As regulations around data privacy and cybersecurity tighten, technologies and solutions to aid in compliance will be crucial.

Cyber resilience is an interesting one because I’ve worked in the Incident Response space for the last several months and the difference in backup plans for a ransomware attack varies by company in the small to medium business market. Some have a plans on how to continue to operate while others have zero ability to operate while down. This is basic disaster recovery planning and it doesn’t have to be malware it could be a natural disaster. I expect ransomware will become more of a topic in disaster recovery planning.

ChatGPT gave me plenty of AI buzzwords and I think that’s what we’ll see more of in 2024. AI will be thrown in everything even more than it was before. I imagine some form of AI defense or AI security will emerge as well because it’s a bit of a hot topic.

More breaches reported earlier and then updated later

As I recently wrote last week, Okta and 23andMe A New Public Relations Tactic in Disclosure? I suspect companies will report breaches sooner with limited information and then update later. First impressions are a hard thing to overcome. This is something companies will look to exploit as they try to control the public relations narrative.

On the less cynical side the new SEC incident disclosure rules are in effect and companies have less time to report on a breach. This could mean companies are reporting with less information and then need to update later. We’ve already seen a ransomware gang try to use this new disclosure rule to their advantage by filing a complain with the SEC because the company refused to negotiate.

Social engineering continues to make a comeback

With groups like Scattered Spider and LAPSUS$ emerging over the last couple of years I expect there to be more social engineering based attacks to get into an organization. We saw it in the second half of this past year with the MGM and Caesar and Okta hacks. The Verizon Data Breach Investigation report highlights the human element every year. We are the most susceptible systems to an organization. Everyone can be manipulated in some way.

Finally, AI will start to have a large impact on the workforce

AI is here to stay and I can tell you from experience that it is very useful. It will change society significantly over the next 10 years. Next year is going to be a big year. 70-80% of this site is built with the help of AI. I would not have been able to put up as much content without it. It’s been a great learning opportunity.

Development and documentation based professionals will be impacted the most this year. People not use it will put out more work than their co-workers. People that don’t will be let go because they won’t be needed. Developers are already using it to start code and build unit tests. GRC folks can write 10 policies in a matter of just a few hours. I did it for a company last year. Whatever field you’re in, I’d recommend starting to get familiar with it now because the next generation of professionals are already there.

What are your predictions for 2024? Leave a comment below.

This blog post first appeared on Exploring Information Security.

Okta and 23andMe a new public relations tactic in disclosure?

December 19, 2023

I’m starting to wonder if we’re going to see a new tactic for US based companies where they report an initial breach and then report the full extent of the breach later at a more opportune time.

We’ve already seen this whether intentionally or unintentionally with the breaches of Okta and 23andMe. Both reported a small amount of their use base was impacted. Then several weeks later came out and reported it as much larger. It would be an interesting tactic especially since the new SEC rules are now in place as of December 15, 2023, requiring companies to report a material cybersecurity incident within four business days.

Public Relations (PR) departments have always looked for ways to limit the impact of a breach hitting the news wire. They’ll often release bad news on holidays or around other major events. Caesars did while the MGM breach was hot in the news cycle. They released their own breach by the same threat actor. A couple months removed and most people only remember the MGM breach.

I’m in the security news bubble so it’s hard to say if this tactic is working. Okta is a company that’s in the security space so most people outside of security don’t care about it. 23andMe is a DNA testing service for health and ancestry discovery and it’s still early to determine the effectiveness of their PR mitigation.

Looking at it from the companies perspective, we have asked for more transparency from companies on breaches. That could be what we’re getting here. They’re providing additional information for disclosure purposes and education purposes. Being honest and conscientious is not always reward in the media. There are companies who will do the right thing but are others who will not.

I think it is a new tactic and I’ll be curious to see if more companies start trying the strategy of releasing an initial compromised and then coming back later to, “correct” it. Especially, in the case of 23andMe who has decided to update their Terms of Service to include litigation protection for themselves. It just looks bad.

This blog post first appeared on Exploring Information Security.

Log4Shell, is it really an issue at this point?

December 18, 2023

I thought reading the Veracode State of Log4j Vulnerabilites: How Much Did Log4Shell Change? by Chris Eng would be a bit of FUD (fear, uncertainty, and doubt). I was pleased to see that it wasn’t. They provided some great numbers on Log4J and remediation efforts. I was also happy to see them recognize that developers fix vulnerabilities when alerted about them quickly. This is something I talk about a lot in my presentations and with security folks. Developers want to get this right and having right approach and empathy with vulnerability management will get them to buy into these efforts.

The next line though says that the data contradicts the developers response because there is so much Log4j out there. Reviewing the CVEs in the article most of the remaining Log4J is in other packages. This is a problem with packages and open source. A package can be buried in another package. This was highlighted several years ago with the left-pad incident. A disgruntled developer removed a small bit of code that added a left-pad to the side of a website from NPM. It took down thousands of website because that line of code was buried in other packages.

This is why security needs to take a balanced approach to vulnerabilities and not lean only on severity rating. We need to be building proof of concepts. The reason why Log4j was such a massive thing was because it was buried in other packages. While it might be in another package it might not be used or accessible by attacker. In the case that it was it’s important to understand what it gives an attacker.

This is where the balance comes in for security. Just because the vulnerability is an 8-10 severity doesn’t mean that’s it’s actual severity in each environment. If it’s note exploitable it’s more like a 1-3 severity. Which moves it down the priority list of vulnerabilities of which there are usually hundreds of thousands.

Don’t get me wrong you want to get those vulnerabilities addressed but the timeline for getting them addressed changes. When I was leading the effort for Log4j remediation in our environment we used the pentest team to find what was exploitable externally. After remediating those vulnerabilities we looked internally. Most vulnerabilities could be patch but internal couldn’t be updated immediately and required a larger upgrade to accomplish. This is where we established timelines with those teams to get the vulnerability remediated because we knew what needed addressing immediately and what could take more time Just a blanket patch it all now would interrupt business processes, projects, and create hard feelings.

It’s good to note that Log4j is still out there and probably extremely important for companies to patch. Security needs to identify how much of it is actually vulnerable and work with other departments and teams to figure out the best timeline. Development teams need to be focused on more immediate issues such as the Atlassian server having a vulnerability or the latest malicious NPM package. Those are more important than a two-year old vulnerability that may or may not be exploitable. If it is exploitable go patch now!

Chucking vulnerabilities over a wall to developers is never a good strategy and will waste a lot of time and effort and degrade trust between departments.

If you are in need of consulting services on vulnerability manager or application security click the contact button below and reach out. I’m happy to have a conversation about your struggles and identify how I can best help.

This blog post first appear on Exploring Information Security.