do you need a degree to be good at what you do?

Still reading through Tribe of Hackers. I, like most everyone, definitely hold back on punches when it comes to the “Do you need a degree/certification…?” question. So it was a nice moment this morning, while reading up on some industry blogs, to run across Harlan Carvey swinging and hitting on his responses to the questions in that book, particularly about needing a degree/cert. I think he’s right, but it’s important to note the clarifier: “Do you need a degree to be good at what you do?”

That said, all of his other answers are wonderful, too! Of particular note are tidbits about engaging on social media, mentoring and sharing, realizing that we make some mountains bigger than they are, and bosses don’t like surprises!

That sort of reminds me of the old-school way sysadmins are born. Often, a more senior admin will get a junior-ish new hire and throw them into the fire without much help. Basically sink or swim. No one really liked that, but it just sort of happened, probably since back then many of us tech geeks were socially awkward…hence being in IT! Today, mentoring in any formal or informal fashion is the way to win allies and friends. Transparency is a close cousin.

attended sec542 and netwars at sans east

About a week or so ago, a coworker and I attended SANS East in New Orleans. I was in town to take SEC542 and he was taking FOR610. We arrived a day before registration was open.

I just have to say that I absolutely enjoyed New Orleans! I’ve been to a few cities in recent years for training, and most really have pretty generic character; they’re just another city with maybe good weather. But New Orleans and especially the French Quarter has a great character to it with absolutely wonderful food, fun people, shops galore, and music everywhere. Combine that with beautiful weather (50-70 degrees in February winter is beautiful to me!) and thick mysterious fog every morning and I loved it.

We were in town the night of the Super Bowl, so after registering for classes, we navigated an impromptu Boycott Bowl block party (New Orleans Saints had their Super Bowl berth stolen from them two weeks prior and they’re a little sensitive!) to join the SANS opening reception at Fulton Alley for open buffet, bowling, and bar. Super excellent time out there, and I would visit New Orleans again some other winter.

My background gives me a good foundation for this course. I’ve not only managed my own sites and servers, including their (somewhat simple) code, for many years, but I also spent about 15 years as a security/sysadmin in charge of hundreds of critical business web sites and servers, working closely with developers. I’ve also gone through the PWK course and earned my OSCP, and done many HTB boxes over the past few years, all of which has given me exposure to web app vulnerabilities, exploit execution, and red team tools. In all, I feel comfortable with web applications, but my confidence isn’t all there when it comes to efficiently and accurately performing a “real” pen test against a site. (More on this later.) I’ve used some of the tools we’d use in the course, like Burp and wpscan, in the past, but others I have not, like ZAP and BeEF.

To prep for the class, I mostly brushed up with courses on web app testing on YouTube or PluralSight. The most notable courses that really helped were 2 courses for 3 hours of Burp Suite on Pluralsight by instructor Sunny Wear and a series by Dawid Czagan on web app hacking also on Pluralsight.

The SEC542 class itself consisted of 5 days of lecture followed by a CTF competition on day 6. The class is pretty solid in covering the basics of web application technology, OWASP Top 10-styled weaknesses and exploits, and the beginnings of conducting web application assessments. The instructor (Eric Conrad) was excellent in adding value to the course with personal stories, advice, examples, and encouragement.

There were maybe about 30ish labs over the 5 days. Some labs are very basic, where you just follow the directions to perform a quick directory traversal or XXE attack. But others later on offer a little more chance to choose your own difficulty and how many hints/guidance you take, which works especially well in something like the Python-related labs, where I just needed a few pointers from Google and the books on how to do a few things and I could mostly do them with my own script. That sort of open-ended lab actually doubles as nice practice, rather than just pure introduction and copying.

The day 6 CTF was an absolute blast and my penultimate experience at SANS East and SEC542. We split into fairly random teams based on when people came in. I think one team was somewhat pre-picked, but ours was pretty much, “Yeah, sit down, join up!” We had 3 teams in our class (online teams competed only against each other), 2 consisting of 5 students, and ours with 4 students.

As we got going, I started doing scans of the network using nmap and nikto, and doing really quick assessments on the results to draw attention to any suggested targets (“WordPress here! SSL here! CGI script there!”). My other teammates cleared out the level 1 book questions while this happened. I had my back to the classroom screen, so I didn’t see the jumping around of the team scores very much, but my impression is that for the most part first place traded hands quite a bit.

My team was amazing. I’ve never really had many chances to work on a pen test or assessment (or even a CTF) as part of a team, and this was absolutely wonderful. We all made progress and everyone contributed investigation and success into the things they were tackling. Someone scored out the questions on one section, I took another, and another two were done before I had even looked at them. We even had one guy make some ridiculous lucky guesses to score wins, and as I said when that happened, “That’s half of hacking, making guesses and getting it right!”

In the end, we had the lead, but bought hints on the final few questions, which dropped us back into second place for a while. We got pretty hard stuck on a few things, but eventually figured it all out except one last question that was bothering me badly, as I knew I was almost there (turns out I was). In the end, we bought one final hint, scored the question out, and then scored the final question to take the lead in the last 6ish minutes and held it until time ran out. Super fun to earn that coin and get first, but honestly it was more awesome to run through that well-paced CTF on a team that worked so well together. We made some mistakes, but nothing so big that it messed with our energy.

So, how did I feel about this course? This is a weird space, as are many information security disciplines, where you need a certain baseline of fundamental knowledge, otherwise your uphill climb can be difficult. But the material can quickly be surpassed with just a little bit of experience (which is kind of the point of the course, yeah?). And that really leads to my only downside of the course. But it’s really not even a problem with the course, but rather with me. For almost all of these exploits and attacks, I’ve done them before between OSCP/PWK and HTB lab environments. So, honestly, good portions of this course were sort of a review for me, or rather a reinforcement. But, make no mistake, I did learn a few new things, especially the value-add stuff from the instructor.

My biggest takeaway, much like so much in information security, is that this discipline and doing these assessments take constant and regular practice. Practice, practice, practice. Which is really the place that I am right now with my skills and level of confidence. I simply need to iterate through the things I know, over and over, get quicker and more familiar with the tools, and maybe start doing some assessments at work on our sites to complement the things our QA teams do.

Still, could someone pass over this course with self-study and a cheaper budget? Yes, and probably not that hard, either, unlike other high-level SANS courses. A student could study up on various cheaper courses or even free YouTube courses going over OWASP Top 10 attacks. And honestly, there are free tutorials on doing DVWA, OWASP Juice Shop, and Mutillidae II out there, which will cover the Top 10 and more. Add in doing some HTB boxes and watching along with IppSec on YouTube doing retired boxes, which shows many of the attacks in a more live situation. From there, it’s really about learning the tools, and you get use out of them from HTB or PWK/OSCP, plus additional courses on those tools which may cost a small subscription to view for a few months. Still, that’s quite a bit cheaper than SANS, especially if looking to do this on your own dime. You won’t necessarily get a certificate, or exposure to other smart students, or the Netwars experience, or the value from the instructor, but I honestly think students can get past SEC542 on their own with some personal dedication.

And that now brings me to Netwars. For a third, and probably last time until they update the content, my coworker and I competed in Netwars Core. We sat at the front, which must have been a good area to sit, since the winning team and most of the individual top 5 were sitting there. After two nights, I finished in first place for a coin and trophy, and my coworker fought a super close battle for 4th place! My placing was pretty undramatic, but that fight for 3rd through 6th was pretty tight. I might do Core if I ever attend a coinapalooza event (and have coins to acquire), but barring Core being updated to a version 6, I’ll likely duck into DFIR or Cyber Defense in future events now.

GWAPT and the future. So, that leaves me with what’s next. I’ll be studying the materials again, making my index, and going through the labs once more in preparation for the GWAPT exam. I have pretty high confidence going into this one, unlike my GCFA. During and likely after this, I will also be trying to get a practice regimen started. At a bare minimum, I want to tackle web-heavy HTB boxes, not necessarily to root them, but to practice assessment steps and tool usage (I need more confidence in fuzzing and sqlmap, for instance). I also will look into those vulnerable open source boxes for further practice (Mutillidae, DVWA, Juice Shop). I am also woefully inexperienced with REST/API and SOAP assessments, so I’ll likely find some courses or guidance on that. And lastly, I’ll also work to continue to further my Python and even JavaScript exposure. I do also have a Pentester Academy sub, and they have some web content and challenges as well.

That sounds like quite a lot, but honestly this is about forming a long-term practice and experience habit for web assessments. And to my viewpoint, being conversant and ready-to-go with web app assessments is a core pillar for anyone looking to be on or near red teams/offense.

Will I take SEC642? I don’t know. Some of those topics definitely are things I’m less comfortable with today, so it is still in my top several classes to look at if I get another opportunity to attend something. But other options are tempting as well, such as SEC573 (Python), SEC617 (Wireless Pentesting), SEC660 (Exploit Writing), FOR610 (Malware Reversing), SEC588 (Purple Teams), SEC545 (Cloud Security), and FOR572 (Network Forensics). It might just depend on what lines up best with what I and my company need when the chance opens up.

my tribe of hackers contribution, part 4 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 4 out of 4.

(Part 1) (Part 2) (Part 3)

12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

Be aware of what you’re putting online about yourself and whether that is important to you in any way. Ultimately, live life and don’t shy away from technology. Turn on automatic patching. Use unique passwords, and change them regularly.

13. What is a life hack that you’d like to share?

I don’t really have life hacks, or at least I don’t think of them that way. Just keep learning and improving. If something rubs you wrong or doesn’t seem like it is in its right place, fix it and/or move it, or change your attitude about it and move on. Be happy, but not at the expense of others.

14. What is the biggest mistake you’ve ever made, and how did you recover from it?

Professionally, I’ve not really made any large mistakes that have made me fearful about my job or even an annual review. However, I will cover a personal mistake, a professional mistake, and a career mistake anyway.

My biggest personal mistake may be my phoning in of high school and early college years, which led to low motivation in college and being 100% unsure about what career and life I wanted. I nearly failed out of college, but pulled myself back up after 2.5 years in a major that wasn’t calling me, and switched over to one that was, to successfully salvage the experience. I wish I had applied myself more in my younger years, but more so I wish I knew what I wanted earlier than I did. We are asked as young people to make life decisions very early, and often without enough preparation. That becomes a weighty decision experience. Then again, I wouldn’t change anything that has happened to me, as I enjoyed my childhood, and everything before now has directly led to where I am and who I am today.

My biggest professional mistake was probably assigning an IP address to a server that was an undocumented in-use address on the interface of our perimeter firewall. This address conflict brought down that interface, halting all traffic to and from the Internet. Obviously, troubleshooting this brought things back in 5 minutes, but that’s a pucker moment you’d rather not have to go through. Lessons learned, though: document everything, consult that documentation, and verify anyway.

For my career, my biggest mistake should be not having as confident a voice about my skills and knowledge that reflects my actual skills and knowledge. I have warred with imposter syndrome in the past, and I probably still war with it today when I think other people already know what I know, so why speak the obvious, right? But that’s folly. Even if that were true, speaking up still stokes the sociality of life, work, career, and networking with peers, which leads to connections, friends, learning, and growth. This is probably a small war I’ll fight until such a day as I am regularly teaching others in some measure of a formal setting.

At the end of the day, mistakes make us stronger and have made us who we are today. Learn from them, don’t be afraid of them. Go deeper. Try harder.

my tribe of hackers contribution, part 3 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 3 out of 4.

(Part 1) (Part 2) (Part 4)

9. What is the best book or movie that can be used to illustrate cybersecurity challenges?

Of all of these questions, this is the one I have left blank for the longest, and I still honestly do not know what fills this the most. The only work that comes to mind might be Daemon by Daniel Suarez. I read this shortly after it came out, and it was scintillatingly wonderful and scary at the same time. For movies, Sneakers is the only example that comes to mind now. Maybe if I revisit this list, I’ll have better answers by then!

10. What is your favorite hacker movie?

Movies are a pastime of mine. I definitely have hacker-related movies that are guilty enjoyments like Antitrust, Swordfish, eXistenZ, Enemy of the State, Foolproof, Ghost in the Shell, Weird Science, and even a great movie like The Matrix.

However, my favorites boil down to two choices. Sneakers is wonderfully cute and I absolutely love the hacker team dynamic, but Hackers is alone near the top of my favorite movies. It has the best soundtrack (Halcyon On + On is my desert island song), great pacing, acting, and writing, and while it is somewhat ridiculous, it reflects a certain counter-culture caricature of how hackers viewed themselves in the 80s and early 90s. Yes, it is dramatized and unrealistic, but it never seems to take itself too seriously. It really captures a certain hacker ethic and culture in the process. Ultimately, it’s just fun and I could watch it over and over forever.

11. What are your favorite books for motivation, personal development, or enjoyment?

For personal and professional topics, at various times in my life, I tend to come back to The Book of Questions by Gregory Stock and The Rules of Work by Richard Templar. I will also dig up and re-read the full collection of Calvin & Hobbes as well.

For enjoyment, I come back around to reading fantasy books on occasion. I started reading adult level fantasy books around the 4th grade, and devoured them up to college years. I still play Dungeons & Dragons and fantasy video games, but sitting down with a good fantasy book allows me to revel in nostalgic moments exhumed from my childhood many innocent years ago. Those were some pure times.

my tribe of hackers contribution, part 2 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment, and to mark any changes of insight after consuming the book. This is part 2 out of 4.

(Part 1) (Part 3) (Part 4)

4. Do you need a college degree or certification to be a cybersecurity professional?

No, but they can help. A college degree is less important than it used to be, but the experience can teach many life skills at an age when young adults are busy finding themselves. Beyond that, you can learn a lot about a profession as well, and a degree can get you past HR filters that may otherwise reject those without a degree.

Certifications are a useful vehicle to learn topics and have something tangible that at least somewhat attests to some knowledge on those topics. These are things that can add to your marketability, either for yourself or as an agent of another entity. At the end of the day, though, those are just tools, and they don’t replace being an expert in your chosen domain. Regardless how you get there, be a master of your domain.

5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

I’ve always had a love of puzzles, mysteries, and a sense of curiosity and creativity. I first thought about IT security back around 2000 when I wrote a long-gone article for a video gaming community about what sorts of careers someone who grew up with PC gaming could get into, and information security was one of them. But, it wasn’t until I picked up a random IT book at Barnes & Noble to continue my post-graduate learning: Hack Attacks Revealed by John Chirillo, that I fell in love with the topic.

For my career, I officially got started having a security interest while doing normal IT desktop, technical support, and sysadmin duties. If something related to security came up, I would tackle it, set it up, configure it, or evaluate it. I remember sitting with government pen testers and showing them Metasploit shortly after it came out. I spent nearly 15 years with a general sysadmin title, but largely doing security-related things. In recent years, my title has shifted to officially be a security one, which makes selling myself a little bit easier!

I would advise someone beginning a career in cybersecurity to have one or more career goals in mind, and some ideas written down on how to get from where you are today to those goals in 1, 3, 5, or 10 years. And pursue that. Keep your eyes on the horizon, and move towards it. Seek advice from peers and those you want to emulate. Always be learning and always be active, whether in a cybersecurity role at the start of your career, or in a more general IT role. Either way, you can effect changes in security postures, learn more, and build skills that will directly carry over to the time when you arrive at your cybersecurity goals.

I would also suggest being involved. Share your knowledge, teach others, meet other professionals and hobbyists locally, and be part of the cyberspace and meatspace infosec communities.

6. What is your specialty in cybersecurity? How can others gain expertise in your specialty?

I don’t really have one, which might mean my specialty is about being generally good at many things. But, if I had to pick one, it would be about thinking like an attacker: playing five moves ahead and solving those problems.

And to get anywhere, it is all practice, practice, practice. Don’t be afraid to fail and learn. Practice, fail, practice, do better, practice, succeed, practice, improve.

7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

Be a good person, be intelligently enthusiastic, be an expert, and be honest about your desire to effect appropriate improvements. Be honest, about everything, including things you don’t know.

But one of the most important things in business and security is about selling yourself and selling your ideas. Speaking and selling are key ingredients for effectiveness in getting things done and leading.

I don’t run a company in cybersecurity, but if I did, I imagine my biggest stressor would probably be making sales and being good about that. I think that might be my biggest advice; gain the sales skills or align with someone who can.

8. What qualities do you believe all highly successful cybersecurity professionals share?

The willingness to say what is right, the integrity to stick to what is right, and the self-awareness to know when you might be wrong or it is just not the correct message for the day. Security is a cost and gets in the way of convenience. Being on the security team is rarely a good choice for someone who desires only to be liked and not rock the boat when it is needed. But, perfect security will never be accomplished, which sometimes means we have to move on, and know when we’re wrong about something, and yet still walk forward with head held high to the next battle.

I digress, though. Other qualities I admire in people in general are enthusiasm, passion, integrity, constant learning, being a good person, and being an expert. Some of my favorite celebrities are like that: Adam Savage, Wil Wheaton, Matthew Mercer, Steve Irwin. These are qualities to live one’s life by, and qualities to bring into one’s career.

my tribe of hackers contribution, part 1 of 4

I’ve gotten my hands on a copy of the new hotness in the cybersecurity community, Tribe of Hackers by Marcus J. Carey & Jennifer Jin. This book is a compendium of cybersecurity and hacker luminaries answering a battery of questions about themselves, cybersecurity in general, and advice for aspirants to the industry. I loved the idea for this. And I figured I would go through a self-exercise related to the book by going through the questions myself. I wanted to compose answers before reading any other responses in the book, and then later after reading the book, go back and see if any of my answers can or should be adjusted based on possible shifted perspectives. This might take quite some time, as this book is bigger than I expected!

Since the questions are sometimes weighty, and I tend to be somewhat verbose, I also figure to break the questions up into logical groupings though maintaining their original order.

1. If there is one myth that you could debunk in cybersecurity, what would it be?

There are two myths that I tend to poke at with a long stick during quiet moments. One is the idea posited by many a marketing team that some tool or process is absolute and will provide any sort of “perfect” security (while their security engineers say there are no silver bullets). Very few things are so absolute, and those that seem to be, tend to be smaller in scope. Segmentation, binary yes/no access, walls.

The other is that we, as information security defenders, can “win.” There is no winning in a sense that the attackers will be beaten and we can ride off into the sunset; there is no checkmate or surrender. This dance is going to go on forever, and we do the best we can to secure the things we have control over, and hopefully that is enough for our constituents. Never get disheartened that this fight seems to be never-ending, because that’s exactly what it is. The war won’t end, but we can win battles. Embrace that, and play the game with enthusiasm and positivity.

2. What is one of the biggest-bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?

I imagine answers to this reflect where someone’s mind is, tactical or strategic. Strategic answers are a little easier, since it may mean doing multiple tactical things as part of that initiative. So, I’ll stick tactical. Every few years I post a blog about the top 10 things I tell small/medium businesses that they should focus on to improve or start tackling cybersecurity. Pretty much any of those items is a good value option.

For this open-ended question, though, three things bubble up to the tap: 1) Know what you are responsible for. Keep an inventory of systems, data, accounts, and software. Defend accordingly. 2) Patch management. Just. Patch. The Things. 3) Least privilege. And it is this last one that I think may be the most important for this particular question, for me today. Limit privileged access, limit privileges on workstations, limit access to data. Attackers can compromise people and systems, but we need to make them work harder and longer to get to the things they want, which in turn will give defenders more chances to detect them.

3. How is it that cybersecurity spending is increasing but breaches are still happening?

Security always follows insecurity. It’s just the nature of the beast. As our technology grows more ubiquitous with life, it also becomes more complex, and thus fails complexly. Technology, the internet, and cyber-things are still in a rapid growth phase, and are showing no signs of slowing down to allow us to catch our breath. And so too are cyber attackers. And let’s face it. If no one is ever going to break into your house, there’s really no need to maintain security. Insecurity fuels this industry and our jobs. It just goes back to that never-ending dance we do.

(Part 2) (Part 3) (Part 4)