Inside ShowMeCon: Community, Education, and Security with Dave Chronister

February 18, 2025

Blog post generated by ChatGPT and reviewed and edited by me.

Cybersecurity conferences have become essential hubs for professionals looking to expand their knowledge, connect with industry leaders, and gain hands-on experience in emerging security trends. Among these, ShowMeCon stands out as a premier security event that blends corporate professionalism with hacker culture. Recently, on the Exploring Information Security podcast, I sat down with ShowMeCon founder Dave Chronister and organizer Brooke Deneen to discuss what makes this conference unique and what attendees can expect in 2025.

The Origin and Vision of ShowMeCon

ShowMeCon was founded with a clear mission: to provide high-quality security education in an engaging, community-driven environment. Unlike traditional conferences that often feel like corporate networking events, ShowMeCon fosters an atmosphere where security researchers, IT professionals, and ethical hackers can exchange knowledge in a collaborative setting.

During the podcast, Dave Chronister shared the story behind ShowMeCon’s inception, emphasizing the importance of bridging the gap between technical expertise and real-world security applications. By creating a space where attendees can both learn and engage with top security minds, the conference has grown into a must-attend event for security professionals.

What Sets ShowMeCon Apart?

One of the defining aspects of ShowMeCon is its ability to strike a balance between corporate and hacker culture. As Brooke Deneen explained, the conference offers a professional yet welcoming environment that caters to both seasoned professionals and newcomers to the field.

Key Features That Make ShowMeCon Unique:

Immersive Venue: Hosted at the Ameristar Casino in St. Louis, the setting provides a comfortable yet dynamic backdrop for networking and learning.
Engaging Speakers: The event prioritizes bringing in experts who are not only knowledgeable but also passionate and approachable.
Hands-On Learning: ShowMeCon features training sessions, Capture The Flag (CTF) competitions, and lockpicking villages, offering attendees the chance to apply their skills in real-world scenarios.
Expanding Reach: The ShowMeCon team is exploring ways to expand the conference to new cities like Nashville, ensuring more professionals have access to top-tier security education.

Highlights of ShowMeCon 2025

The upcoming 2025 edition of ShowMeCon is set to be bigger and better, with new elements designed to enhance the attendee experience. Some of the highlights include:

The Return of Pre-Conference Training: Attendees can participate in deep-dive workshops led by industry experts.
Exciting Themed Experiences: This year’s event will feature a Fallout-theme, adding a creative twist to the conference experience.
Stronger Community Building: Encouraging new speakers and first-time attendees to engage and contribute to the security conversation.

Why You Should Attend ShowMeCon

If you're looking for a conference that goes beyond lectures and sales pitches, ShowMeCon is for you. Whether you're an IT administrator, security analyst, penetration tester, or student, this event offers valuable insights and opportunities to:

✔️ Learn from industry experts in a practical and engaging environment.
✔️ Network with peers and leaders who share a passion for security.
✔️ Gain hands-on experience through CTFs, training sessions, and interactive villages.
✔️ Explore new security trends that will shape the industry in the coming years.

Final Thoughts

ShowMeCon continues to grow as a hub for cybersecurity professionals. With its community-driven approach, diverse speaker lineup, and immersive experiences, it’s clear why this event has become a staple in the cybersecurity world.

🚀 Want to attend? Visit showmecon.com to learn more and register for the 2025 event.

🎙️ Listen to the full conversation on the Exploring Information Security podcast and you may just hear the discount code to save $50 on tickets or training: Podcast Website

See you at ShowMeCon 2025! 🔐🔥

The five stages of cybersecurity grief from Mathieu Gorge at the 2024 Palmetto Cybersecurity Summit

Impressions from the 2024 Palmetto Cybersecurity Summit

February 26, 2024

Last week I had the pleasure of attending the 2024 Palmetto Cybersecurity Summit in Columbia, SC. It was a great conference with a good venue and really great speakers. The keynote speakers brought a really great insight and of course the hot topics was artificial intelligence (AI). I’m hoping to attend again next year!

Prior to the conference I presented at ColaSec which is a local cybersecurity user group that I helped start about 10 years ago. I gave my threat modeling talk that I presented at the conference the next day. I like using ColaSec as a first run for my talks because I get a lot of really great feedback to refine the talk. You can watch the talk on ColaSec’s YouTube page. I adjusted the acronyms section and made some other minor adjustments to make the talk flow better. That helped for the conference the next day because I realized I had 10 less minutes for my presentation due to a reading error.

What I’m really excited about for this years conference is doing a demo of a live threat modeling session. I have about 20-25 mins of content and then we get into the demo. I like it because I want people to get a feel for how a threat modeling session should flow. I am planning to switch up the demo for each talk so that each version is a little different.

One of the things I rate conferences on is the drinks and food. I’m happy to report that the conference got an A in both regards. They had tea which is great because I’m not a coffee drinkers and the food was pretty good. Sometimes you go to a conference and the food is just meh or in a box. This was not the case for this conference. The other thing to call out is the chairs. Big comfy adjustable chairs. You could spend all day in those chairs.

The keynotes were really great. Mathieu Gorge talked about cybersecurity from a broader global level and the 5 Pillars of Security Framework. The picture above is the five stages of cybersecurity grief. William MacMillian was the former Chief Security Information Officer (CISO) at the Central Intelligence Agency (CIA) and he talked about his experience taking over there right before Solarwinds came out. He also talked about platform centric vs best-in-breed and how platform can provide simplicity to security teams that live in a world of complexity. Both provided some different perspectives and insights on the cybersecurity landscape and dropped some thought provoking ideas.

The majority of talks I attended were around AI. Before I get to that though I also went to Michael Holcomb’s talk on industrial control systems (ICS/OT). He gave some really good insights but more impressive he put together free ICS/OT courses on YouTube for people looking to get into the ICS/OT space.

The second day was filled with talks on AI. That will be a thing throughout this year and potentially for the next 2-3 years. I love that it’s something new to learn. A lot of the conferences I’ve attended in the last few years haven’t really provided me with the opportunity of learning new things. A lot of the talks just confirmed my own ideas and thoughts around security topics. Nothing really challenged those ideas either. There is value in confirming my knowledge and experiences but I want to continue to learn. AI is that current topic.

Dr. Sybil Rosado talked about the social engineering aspects of AI. While she talked about some of the malicious uses of AI she was a big proponent of using AI and learning how to work with it. She’s a professor at Benedict College in Columbia, SC, and has seen students using it. She actually likes that it’s making the writing better. Dr. Donnie Wendt talked about deepfakes and how they’re playing a role in the world today. It’s super easy to use and get started with. My own thought is that deepfakes are a great way to improve a security awareness program simply by talking about it and showing some examples. Plus there are already attacks where someone is using AI to imitate a voice and ask for money to be sent. Finally, Tom Scott talked about managing your security program with AI. One nugget that really stuck with me was that AI does not remember your interaction in a new chat. To continue to train it you need to keep the same chat.

The conference was a really great start to the year for conferences. I learned some new things, got to meet some new people, and catch up with some people I haven’t seen in a while. I’d definitely recommend checking it out for next year. Talking to one of the organizers it sounds like it’s going to get even bigger.

There’s going to be some really great talks at the 2024 Palmetto Cyber Summit

Maximizing Your Conference Experience: preparing for the 2024 Palmetto Cyber Summit

January 30, 2024

I will be at the 2024 Palmetto Cyber Summit February 21-22, 2024, in Columbia, South Carolina. The schedule is up and I’ll be speaking at 2:15 pm ET in SALON C on the first day, February 21. One of the things I like to do as I prepare for a conference is pick out a schedule for myself. This usually doesn’t take long about 20 minutes. Picking the talks I’d like to go see allows me to utilize the conference to its fullest.

Now, I don’t go to most of the talks at a conference because I usually end up talking to people. HallwayCon can be a great use of time to network and gain knowledge from other people at the conference. When I’m not talking to someone that’s when I’ll usually hop into a presentation. In the post I want to walk through my process for anyone who is new to going to a conference.

The first step is to pick a place to put down the talks of interest. This should be something mobile friendly. At one point I was using Microsoft Excel or Google Sheets but spreadsheets can be hard to read on a mobile phone. Now I use some sort of notepad or Google Doc. If the conference has a hard copy of the agenda I may transfer my notes to there so I have a hard copy. For this conference I’m going to try this post.

Once I’ve figured out where I want to put my selections I start going through the schedule. If there are two talks I want to see at the same time slot I pick the one I prefer and then put the other down as a backup. If there’s not talk then I plan to talk to vendors or go wander around the venue. Stepping outside for a break is also an option. I usually put down the time, location, title of the talk, and the speaker.

Below are talks that are of interest to me currently. As expected AI is the hot topic and I’m looking to better understand other people’s viewpoints on it and how it’s used. Sometimes I’ll be in a talk where I don’t learn anything new but it confirms my current knowledge. I’ve also been in talks I don’t plan to go into because I decide to go with someone else and they make a compelling case for the talk. They speaker is also a factor. I try to support the people I know by going to their talks.

That’s one of the things I do to prepare for a conference. I now have one less thing to worry about at the conference and can take it in more fully. I also have a plan that allows me to take full advantage of the conference. Leave a comment below with your tips for attending conferences. Also, come say “Hi!” if you’re at the summit.

Tim’s 2024 Palmetto Cyber Summit Schedule

Feb 21

3:00 - 3:45

SALON A - Security Protection Using OSINT - Kurtis Suhs

3:50 - 4:20

SALON C - Countdown to Industrial Extinction - Michael Holcomb

4:20 - 4:50

SALON C - The Future of Security: Embracing a Platform-Centric Appraoch - Ken Alexander

Feb 22

8:30 - 9:00

SALON B - Lessons Learned Applying Machine Learning in Cybersecurity - Jeff Janies

9:00 - 9:30

SALON B - What Neuroscience Taught Us About CyberSecurity in 1885 - Chip Reaves

11:15 - 12:00

SALON B - The Enhancement of Malicious Social Engineering with AI - Dr. Sybil Rosado

1:30 - 2:15:

SALON B - Misinformation in the Age of Generative AI - Dr. Donnie Wendy
Backup: xIoT Hacking Demonstration and Strategies to Disappoint Bad Actors - SALON C - John Vecchi

2:20 - 2:45 -

SALON B - Using AI/ML to Manager Your Organization’s Cybersecurity Program - Tom Scott
Backup: SALON A - Automating Compliance - Carl Bjerke

3:00 - 4:00 - This one is a bit of a toss up:

SALON B - Enhancing Cybersecurity: AI and Modern Threat Defense - Jim Hayes
SALON C - Know Yourself: We’ve Focused on Attackers for Too Long, it’s Time to Look Inward - Justin Scarpaci

This post first appeared on Exploring Information Security.

2024 Security Presentation Topic: Threat Modeling

January 18, 2024

I have been accepted to speak at two conferences this year: ShowMeCon in St Louis, MO, and the Palmetto Cyber Summit 2024 in Columbia, SC. I’m super excited to be speaking again in 2024. In 2023 I spoke on API security. This year it will be on threat modeling. Threat modeling is one of those the recommendations I’ve made in just about every talk I’ve given over the years. I figured it was time to dive deeper in.

As I prepare for the conference I will be blogging about threat modeling to help get my thoughts together. The abstract and outline are below. I’m waiting on a response for one other conference in the Spring. I will be submitting to other conferences later on this year as their CFPs open up. If you have a suggested conference please leave a comment below or reach out.

Abstract

Threat modeling is a critical process that helps organizations identify and mitigate potential security threats in the early stages of projects or when a legacy application is discovered with little to no documentation. This presentation aims to serve as a comprehensive introduction to the wonderful galaxy of Threat Modeling.

We will explore the fundamental questions: What is threat modeling? Why is it crucial for cybersecurity? How can it be integrated into your development and IT processes effectively? Why do I feel like I'm in preschool again?

This presentation will provide you with a structured approach to threat modeling, demystifying the process and breaking it down into manageable steps. We will discuss various methodologies and tools available for threat modeling.

Grab your towel and join us for "The Security Hitchhiker's Guide to Threat Modeling." Leave with a clear understanding of how to embark on your threat modeling journey.

Outline

Introduction

Why this talk?
What is Threat Modeling?
The Basics of Threat Modeling

Key concepts and terminology
The threat modeling process

Identifying assets and data flows
Establishing the security profile
Identifying potential threats
Assessing vulnerabilities
Prioritizing risks

Methodologies and Approaches

Overview of common threat modeling methodologies

STRIDE
DREAD
OCTAVE
Attack Trees

Pros and cons
Choosing the right methodology

Tools and Resources
Demonstrations and examples
Best Practices and Tips
Conclusion

This post first appeared on Exploring Information Security.

Meeting Dug Song - some guy who started up Duo Security

November 27, 2023

Recently at misecCON I had the pleasure of meeting Dug Song at the speakers dinner. He was the opening key note and I was the after lunch presenter on API security. When he walked in I had no idea who he was outside of being the keynote speaker. As I was scooting down to make room for him I got the sense that the guy sitting next to me was disappointed. I asked him as much and he confirmed that he would love to be sitting next to Dug and that he might fanboy a bit over me.

Something you should know about me is that I’m a bit oblivious at times. I try to treat everyone the same whether they’re a new person in the field or a rock star. And by rock start I mean a literal rock star. I’ve sat at dinner across from Neil Fallon from Clutch and had a genuinely pleasant conversation. Dug and Neil are people too and they wouldn’t be sitting with me for dinner if they weren’t down to earth.

I’m writing about this because I’ve recently started reading “The Daily Laws” by Robert Greene and I think today’s entry fits perfectly, “Assume You’re Misjudging the People Around You.” It’s a great reminder not to jump to conclusions about people. Throughout my career I’ve had people I thought were mentors suddenly stop communicating with me. I’ve also meet people that didn’t leave a great impression on me come around later in my career and make a great impression. You just never know in your career which is why it’s important to remain humble and not make assumptions about the people you meet.

What I loved about my interaction with Doug was he seemed to foster this mindset. He was very gracious and patient when I asked questions about whether he knew about MiSec (he’s the founder of the Song Foundation) and if he had ever been in startup (Duo). He also tried to steer the conversation away from him asked questions of the others sitting around him at the table. We had some great conversations about a lot of different things inside and outside of security.

Networking is huge for anyone in a career. Go out and meet people but avoid making assumptions about people. Give everyone an opportunity because you might end up finding a really great person to connect with.

This blog post first appear on Exploring Information Security.