reviewing my 2019 learning and career goals

I really thought about not comparing what I did in 2019 with what my planned goals were, but then I realized that’s not useful to me at all. And there’s no real need to only restate what I did this year. I see I predicted that I’d be far too aggressive with my planned activities, and I was right! Still, I think it’s normal for me in this regard to over-commit to things and then accomplish what I can, rather than plan to underachieve and coast through another year. I used to do that, and I don’t really want to at this point in my career.

Rather than go through the full list, I figured I’d just pluck out the things I planned to formally pursue.

SANS SEC542 (GWAPT) at SANS East – Success! I ended up going to SANS East, earned a SEC542 coin, got first in NetWars, and later earned my GWAPT.

TBD Second major training: Black Hat USA Trainings or SANS SEC573 (GPYC) Python or SANS SEC545 Cloud – Failed! This one wasn’t really my fault. I aggressively (so to speak) requested budget for this at work, but that never came to fruition.

Linux+ – Success! I took and passed both exams before CompTIA refreshed the cert and broke from LPIC-1, meaning I got the lifetime version from CompTIA and still also got the limited one from LPI. Not only was this a goal for this year, but this is probably the last “certificate bucket list” item I’ve long had on my wish list from back when I didn’t even do this learning stuff regularly (thanks to a company and manager who didn’t value personal development).

SLAE (+ OSCE prep) – Pushed back! I don’t consider this too bad of a fail. I still want to start this track through to OSCE, but I also understand this is a labor of love more than it will benefit my career/work at this moment. It, again, will get on my list for 2020.

CCSP (Cloud) – Sorta Success! Honestly, this one morphed into something bigger and more formal than just pushing for CCSP. I’ve decided to make a concerted and bigger dive into the cloud security world. I pushed CCSP out to 2020 and instead earned my AWS Cloud Practitioner Certification and the Cloud Security Alliance CCSK. And since then, I have been hitting coursework and labs to attempt the AWS Solutions Architect Associate exam very soon. After that, my plan is to earn the CCSP and then the AWS Security Specialty.

Pentester Academy tracks (+Red Team Lab?) – Low usage! I haven’t given this enough love, just like I haven’t gotten back into HTB or other labs like I want to. I’m considering this a fail, and will be re-prioritizing for next year.

Linux Academy – Success! Hey, I’ve been making heavy use of this this year! I also dropped PluralSight as I wasn’t making heavy use of it.

Splunk Fundamentals & Power User – Dropped! I had wanted to pursue this, but this definitely was chopped off early. This is more of a work item, and my role hasn’t really allowed me to be in Splunk as much as others on the team have been. And that’s OK. I let this one slide to make more room for the cloud focus.

As far as my informal topics go, most of them just didn’t get as much love as I’d like to have given them. I’ve stuck to a few books that weren’t intensive time-sucks like The Phoenix Project, Tribe of Hackers, Tribe of Hackers Red Team, Red Team: How to Succeed By Thinking Like the Enemy, and Infosec Rockstar. I think I may repurpose “informal learning” into two paths: informal topics and maintenance/improvement paths.

I still attend SecDSM and BSides Iowa as expected, but I didn’t hit any other cons this year. I really should try to get to Defcon next year in the new digs…

the phoenix project, a personal path

Years ago, I became aware of the book The Phoenix Project (Kim, Behr, Spafford) and added it to my wishlist, but never actually picked it up. I remedied that issue over the past couple weeks by picking it up on Kindle and going through it. Rather than post a reaction or my thoughts on the book (at least for now), I just wanted to tell a small personal story that this book made me think about again.

Back around 2007, I worked as a sysadmin, and one of my main duties was supporting the servers hosting our critical web sites that developers developed. Thankfully we were already well into the virtualization takeover, but we were still using Microsoft’s Network Load Balancer tool to spread load across about 7 Windows Server 2003/IIS 6 web servers in one data center (the outfitted closet behind my desk). These sites ran .NET code using all sorts of virtual directories and COM objects tucked into corners of the server. And other things which I’ve thankfully lost memory of!

We had dev, test, and production environments, if I recall correctly. Deployments to dev and test took place Tuesday and Thursday afternoons, and would take several hours of manual work and testing to perform, during which time that entire environment was inaccessible to anyone due to the things that needed to be done to support installations and configurations of IIS and COM. Part of the COM install was done by a homegrown tool built by someone I didn’t know and no longer supportable, but the rest was manual labor. And if one team needed a deployment, every other team pretty much had to feel that outage with the shared resources.

When I took this over, I immediately started doing a few things that seemed natural to me. I first made a clear checklist to follow for each deployment (know your work!), thereby removing the need to remember each step. I then started automating the pieces I knew how to automate using batch scripts to move files around.

At this same time, my company was also performing the implementation stages of a company-wide DR/BCP project. We added a second data center and my server farm was about to grow from 7 production web servers and about 4 dev and test servers into about 50 and more. We were also plugging in dedicated hardware load balancers as a much needed upgrade to NLB. And we then needed to solve file replication challenges when supporting two data centers that needed to fail over each other. Exciting times!

But this expansion meant I needed a new solution for deployments. Devops was still not really a thing. PowerShell had just recently come out, and I decided to try learning it in support of this coming build-out. I mean, no one wants to work for hours and hours just doing tasks that a monkey could do on servers.

So I created a PowerShell script that would perform these deployments automatically. My script would run on every production web server perpetually. They would all “check in” to a common configuration file and would “elect” a master who would do the controlling of another installation configuration file. When I needed something configured, my script would orchestrate the installation kick-offs with each other server in a predefined sequence. When a server received a command to do an install, the script would delete everything in IIS and remove all the other things, and then build them all back in every time. I had around 100 sites on these servers, and it was pretty glorious to see them all run through these installs for a few hours. I minimized downtime when possible (you know, database changes making this not possible) by utilizing the load balancer to know when a server shouldn’t have traffic, and when it was good to have traffic again. This was all replicated to separated (and expanded) dev and test environments as well as the servers on the DR site. Flipping over to a DR test was really just a matter of changing DNS and waiting a bit while the database then also failed over (pre-Availability Group days).

I solved quite a few problems with this setup. I lowered the amount of time an admin needed to spend doing deployments. I also lowered the amount of time overall for deployments. Deployments could be scheduled and run unattended at any time (weekends, nights). Outage windows were greatly reduced when they were even necessary. Most of the time, by orchestrating traffic direction by the load balancer, I could allow devs to do seamless deployments any time they wanted. I could scale this up (to an extent) to accommodate our expanded environments. I was able to achieve server consistency by not only removing human hands from the deployments, but because I rebuilt every IIS server, I eliminated those inconsistencies admins introduce when troubleshooting something, getting interrupted, and never getting back to set things back to how they should be. With a few networking exceptions, my dev environment was also comparable to the production environment, so if a developer could get their code to run in dev early in the dev cycle, it would also run in prod (none of this, “it works on my laptop!” crap). As a side benefit, no one could add something to the server that wasn’t part of the known build procedure, as the script would wipe it out or just not know to include it. And the script and its configuration file were self-documenting for what was needed.

Things were good, but they got better as time went on. When we migrated to Windows Server 2008 and IIS 7, I completely rewrote the script. I removed the need to pass a “master” token around and decoupled the script from the servers. I ran it on a dedicated system and utilized remote sessions to make changes on the servers. I also decoupled the actual copying of web code from my scripts and better utilized DFSR. This allowed developers to make simpler file changes within seconds if they wanted to. This also pushed management of “dev first, then test, then prod” pipelines to development hands, taking me out of that decision structure. I also made sure my script could install pieces and parts of sites rather than the whole server, if desired (while still keeping the ability to do a full clean and install). When moving to Windows Server 2012 and IIS 8, I again made smaller changes to improve support.

By the time I was done with the last iteration of my scripts, it was about 2013 and we ran that infrastructure until I left in 2016. We didn’t really dive too hard into devops, since we didn’t really have to. I had somewhat naturally found those concepts by improving delivery, improving consistency, reducing risk, and reducing my pain felt during deployments and in support of mistakes. No one should like to be forced into constant heroic efforts to keep the lights on.

Many of those lessons are buried in The Phoenix Project, which is really the same story of an IT shop in a (rather busy) company also discovering how devops improves IT operations. It doesn’t take an Erik oracle or threats of a business falling over to figure out how to improve operations or fancy production floor studies and terms to understand how to ease your pain and make things better. If you allow it, it should happen (to a degree) on its own as people manage their little fiefdoms more efficiently and reduce their own personal pain.

Had I remained with that company, I’m pretty sure I’d have next dumped my homegrown PowerShell scripts and done one of two things: Either continue with my fiefdom and implement more situated devops tooling like Ansible to manage the environment, or marry up to developers and their chosen packaging and deployment pipeline (their issue being they couldn’t get every team to decide upon just one).

The Phoenix Project has many more nuances; it’s like taking the IT issues of 50 companies over 5 years each and compacting them all down into one year of just one company. It’s a little silly, but it illustrates all the pain that eventually led many teams and engineers down the general path of devops. Which is still really just about keeping things in line with the whole utter point of IT: automation.

finding a quick and accurate state of security

Those who have done security consulting or auditing will probably answer this question far better and quicker than I. In fact, I bet there are checklists available that I could grab in minutes to answer this. Maybe I’ll check for some after posting…

Nonetheless, I decided to do a thought exercise with myself: What would you look at or do to discover the biggest information security issues in a corporate environment in a quick amount of time? It’s one thing to be on a job for a year and ferret out all the dark secrets, snowflake servers, and weak adherence to policy. It’s another thing to take a job interview or day-long interview with someone(s) about security posture (and more than likely get told what sounds good and correct).

But what would one look for to get a quick, accurate, and fairly holistic look at the state of security, and thus formulate some findings and courses of action to tackle them? And I’m not going to take the easy route (necessarily) and list off the CIS Top 20 Controls, even though they’re a good place to orient the evaluating of an environment. I also want to avoid questions that few people can answer easily or are easy softballs, like knowing what data is on all mobile devices that might go missing, or that encryption is employed on all mobile devices.

1. Interview the technical people in the trenches. Ask them what the biggest security problems are. Not all of them will care about security or have any thoughts beyond their own job, and some will not be very open in group settings or with a manager present, but I have long been of the opinion that people in the trenches have a finger closer to the pulse than most management will care to admit. Find the subset of IT geeks that have security opinions, invite them to dinner and some beers/wines, and ask the questions.

2. Internal authenticated vulnerability scan that covers at least 50% of the environment and at least a sampling of every major Operating System (including workstations). There are some main goals here, such as seeing patch level and consistency, and configuration consistency in the environment.

3. Scan and analyze health of Active Directory. This includes not just looking at the objects, but permissions with a BloodHound scan of AD.

4. Inventory scan of local administrative access (or equivalent) on all Operating Systems.

5. Percentage of confidence in these systems being accurate and complete: hardware inventory, software inventory, network and business systems diagrams.

6. The state of policies and supporting procedures documents relating to technical security controls. This is not talking about an Acceptable Use Policy for end-users or high level policy statements, but how detailed and easy these are to find and consume.

7. Describe the security awareness training offerings for internal employees.

8. Analyze network firewall policies/configurations. For this, I am looking at how organized the rules are, how tight they are, and how documented they are. What is the process to change them?

9. What are the next 5 projects related to security initiatives? If none, how many security employees are there? Basically, if someone doesn’t have security projects, perhaps they are in a mature mode with existing staff. If neither really exist beyond reaching for strange ideas that probably aren’t approved or backed by management, there probably is not much security emphasis, if any at all.
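Item 8 asks three things of a rule set (how tight, how documented, how organized), and all three can be checked mechanically once the export is in a uniform shape. The script below is an added example for that item, not something from the post: it flags any/any permits, rules without a comment, and rules that can never match because an earlier rule already covers all of their traffic (a first-match “shadow”). The rule layout (action, src, dst, proto, dport, comment) and the five sample rules are constructed; a real review would first convert the vendor’s export into that shape.

```python
"""Static review of a firewall rule set for the questions raised in item 8:
how tight the rules are, how documented they are, and whether the ordering
still makes sense.

Added example, not code from the post. The rule layout (action, src, dst,
proto, dport, comment) and the sample rules are constructed; a real review
would first convert the vendor's export into this shape.
"""
import ipaddress

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample policy, evaluated top-down, first match wins.
SAMPLE_RULES = [
    {"id": 10, "action": "allow", "src": "10.0.0.0/8", "dst": "10.20.5.10/32",
     "proto": "tcp", "dport": "443", "comment": "intranet portal, change CHG-1234"},
    {"id": 20, "action": "allow", "src": "any", "dst": "any",
     "proto": "any", "dport": "any", "comment": "temporary - vendor troubleshooting"},
    {"id": 30, "action": "deny", "src": "10.30.0.0/16", "dst": "10.20.5.10/32",
     "proto": "tcp", "dport": "443", "comment": ""},
    {"id": 40, "action": "allow", "src": "10.0.1.0/24", "dst": "10.20.5.10/32",
     "proto": "tcp", "dport": "443", "comment": "ops team to portal"},
    {"id": 50, "action": "deny", "src": "any", "dst": "any",
     "proto": "any", "dport": "any", "comment": "default deny"},
]


def _net(value):
    """'any' or a CIDR string -> ip_network."""
    return ANY_NET if value == "any" else ipaddress.ip_network(value, strict=False)


def _ports(value):
    """'any', '443' or '1024-65535' -> inclusive (low, high) tuple."""
    if value == "any":
        return (0, 65535)
    low, _, high = value.partition("-")
    return (int(low), int(high or low))


def covers(earlier, later):
    """True when every packet that matches `later` also matches `earlier`,
    i.e. `later` can never be reached in a first-match policy."""
    if not _net(later["src"]).subnet_of(_net(earlier["src"])):
        return False
    if not _net(later["dst"]).subnet_of(_net(earlier["dst"])):
        return False
    if earlier["proto"] != "any" and earlier["proto"] != later["proto"]:
        return False
    e_low, e_high = _ports(earlier["dport"])
    l_low, l_high = _ports(later["dport"])
    return e_low <= l_low and l_high <= e_high


def review(rules):
    """Return (rule id, finding type, detail) tuples."""
    findings = []
    for index, rule in enumerate(rules):
        if rule["action"] == "allow" and all(
                rule[field] == "any" for field in ("src", "dst", "proto", "dport")):
            findings.append((rule["id"], "permit-any",
                             "permits all traffic from anywhere to anywhere"))
        if not rule["comment"].strip():
            findings.append((rule["id"], "undocumented",
                             "no comment stating purpose, owner or change record"))
        for earlier in rules[:index]:
            if covers(earlier, rule):
                findings.append((rule["id"], "shadowed",
                                 f"never matches; rule {earlier['id']} already "
                                 f"matches all of its traffic"))
                break
    return findings


if __name__ == "__main__":
    for rule_id, kind, detail in review(SAMPLE_RULES):
        print(f"rule {rule_id}: {kind}: {detail}")
```

On the sample policy the interesting output is not the obvious any/any permit but the deny in rule 30: it was presumably added to block one subnet from the portal, yet rule 10 already permits that subnet, so the deny is dead and nobody noticed. Shadow checks are what turn “how organized are the rules?” from an impression into a list.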

inventory is your bedrock to build everything else on top of

(This is an incomplete draft I’ve had for a while now. I don’t think I’ll ever complete it, but I didn’t want to lose it or keep it as a draft, so here it is.)

Daniel Miessler has a great article up: “If You’re Not Doing Continuous Asset Management You’re Not Doing Security.” You honestly cannot dislike that title, and the article itself is full of the points enlightened security folk should already have in their heads.

There’s a reason the top 2 controls in the CIS Top 20 Critical Security Controls are all about inventory. It drives every other thing you do in security, and without it, you’re managing by belief and never really sure if you’re being effective or not.

There are many different ways to tackle inventory, but here are some of the common ones:

  • workstation-class devices – This is usually one of the easiest to handle, since the team responsible for workstation procurement likely has an inventory of what they have in order to please customers. Being able to tap into this inventory list, or at the very least view it, is essential. For instance, how do you know you have Antivirus or endpoint protection on every workstation? You have to true that up with the inventory list. Think about the question, “How would I know something is missing security control XYZ?”
  • mobile devices (on your network and/or company-owned) –
  • servers – Typically, one team manages workstations and another team manages the servers. This team should have a handle on some beginnings of an inventory system due to licensing needs, storage/compute resource needs, and other OS-specific collections such as Active Directory or patching coverage. But the same question applies here, “How would I know something got missed in inventory?” Or in the case of a largely Windows environment, “How do I find a new non-Windows asset that is stood up without notice?”
  • networking assets – This could include diagrams of the networks, both logical and physical when needed, for both wireless and wired networks. If the networking team manages it, it should be in this group.
  • all other network devices – This covers all the other things not nicely slotted into the above categories, like appliances or IOT. This also covers unauthorized device discovery. Essentially, if something is on the network, it needs to be found and known.
  • the cloud – The cloud is often a different beast, especially when consumed dynamically with assets coming on and off as demand moves. Worst case, you go through all other steps above over again with “cloud” in the front of it.
  • internal information systems/sites – This is about knowing the information systems that your business and users consume, which often comes in the form of internal websites, but could be other tools and systems. Largely this is defined by things that store/handle data.
  • software and applications – A huge endeavor on its own, but nonetheless important to know the software and applications in use and needed (and hopefully approved and tracked).
  • external attack surface/footprint – This is what attackers can see and will target; high risk and high priority assets and paths into the organization. This isn’t just Internet-borne, either, but could come in through other weak links such as wireless networks or VPN tunnels.
  • vendors – A good risk management program will have an inventory of all official vendors, which will fuel risk reviews and inform security of what is normal.
  • third-party services hosted elsewhere – What services does the business and its users consume that you don’t strongly control? This likely will still impact account management and permissions, data tracking, and evaluation of those services since you have some measure of intrinsic trust in them which is a potential risk for you.
  • critical business systems – This could be considered a little advanced, but it’s about knowing what’s really important to the business, which informs risk priorities, spending, and other activities like BCP/DR.
  • data/critical data – You can’t secure data if you don’t know where it is, and have some idea on what data is more important than others. Yes, this one is difficult outside of narrow compliance definitions (aka all data vs just credit card data). Honestly, this bullet item should be a top level category in itself.
  • authentication stores – This is about knowing what accounts you have, where they authenticate against (are stored), and what your users and systems actually use to do things.

There are different methods to find this out:

  • process/documenting – This is the default method shops will use to track inventory. If someone stands up a new box on the network, they update some inventory sheet or make sure they follow some checklist to include the new asset in something else (adding it to monitoring, patching, or joining a domain). This is a trust exercise, as you need to trust that every team member follows the process and every process is all-encompassing. This includes decommissioning assets as well. This should also include the assignment of ownership: who in the company is ultimately responsible for this asset?
  • active/finding – Most of the time, security should assume the worst (trust, but verify), which would be finding assets that are weird exceptions or just get missed in the normal process. Active inventorying means looking out onto the network and scanning it, finding assets, identifying them, and pulling them back into visibility/compliance. The opposite is true as well, you want to find assets that aren’t meant to be there!
  • passive/watching – There are also passive techniques to find devices, such as watching all network traffic or alerting on (and even blocking) unauthorized assets accessing the network. This is still a fallible control, but it is part of the puzzle of knowing what is on a network.

There are a few caveats to the above. First, it’s not 100%; there may be a “bump-in-the-wire” or other passive device on the network (think a network tap just collecting data). There are also device peripherals (mice, keyboards, headsets, readers of various types…) Tackling this is a bit advanced. Second, especially with the active methods, this needs to be done continuously, or the controls need to be continuously active. If you do active scans once a day, an attacker or insider could still turn on a device, do whatever, and turn it off in time for the next scan. Handling these windows is why we practice continuous improvement and defense in depth and why we map out maturity plans.
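The three methods above only pay off when they are reconciled against each other, which is the literal form of the question “How would I know something got missed?” The script below is an added example of that reconciliation, not code from the post or from Miessler’s article: it merges active scan results with passive observations, then reports assets seen but not inventoried, inventoried assets not seen recently, and inventoried assets with no owner. All three inputs (CMDB rows, scan results, passive records) are constructed sample data; a real run would feed in a CMDB export, a discovery scan and DHCP or NetFlow records in the same shape.

```python
"""Reconcile the inventory the process says exists against what was actually
observed, answering "how would I know something got missed?"

Added example for the process / active / passive methods above; not code
from the post or from Miessler's article. All three inputs are constructed
sample data standing in for a CMDB export, a discovery scan and passive
records (DHCP leases, NetFlow), which would be fed in the same shape.
"""
from datetime import datetime, timedelta

# Constructed CMDB export: what the process says exists and who owns it.
INVENTORY = [
    {"host": "web01", "ip": "10.1.0.10", "owner": "web-team"},
    {"host": "db01", "ip": "10.1.0.20", "owner": "dba-team"},
    {"host": "old-backup", "ip": "10.1.0.90", "owner": ""},   # no owner assigned
]

# Constructed active discovery scan results (runs nightly in this scenario).
ACTIVE_SCAN = [
    {"ip": "10.1.0.10", "seen": "2019-12-20T02:00:00"},
    {"ip": "10.1.0.20", "seen": "2019-12-20T02:00:00"},
    {"ip": "10.1.0.77", "seen": "2019-12-20T02:00:00"},   # not in the CMDB
]

# Constructed passive observations: a device that was only on between two
# scans shows up here even though the scan never saw it.
PASSIVE_OBSERVATIONS = [
    {"ip": "10.1.0.133", "seen": "2019-12-20T13:42:00"},
    {"ip": "10.1.0.10", "seen": "2019-12-20T13:45:00"},
]

# Fixed "now" so the report is reproducible; a real run would use datetime.now().
REPORT_TIME = datetime(2019, 12, 21)


def latest_sightings(*sources):
    """Merge observation lists into {ip: most recent sighting}."""
    seen = {}
    for source in sources:
        for record in source:
            stamp = datetime.fromisoformat(record["seen"])
            if record["ip"] not in seen or stamp > seen[record["ip"]]:
                seen[record["ip"]] = stamp
    return seen


def reconcile(inventory, active, passive, now, stale_after=timedelta(days=7)):
    """Three lists a security team should be able to produce on demand:
    assets seen but not inventoried, inventoried assets not seen recently,
    and inventoried assets nobody owns."""
    observed = latest_sightings(active, passive)
    known = {row["ip"]: row for row in inventory}
    unknown = sorted(ip for ip in observed if ip not in known)
    stale = sorted(ip for ip in known
                   if ip not in observed or now - observed[ip] > stale_after)
    unowned = sorted(row["host"] for row in inventory if not row["owner"].strip())
    return {"unknown": unknown, "stale": stale, "unowned": unowned}


if __name__ == "__main__":
    report = reconcile(INVENTORY, ACTIVE_SCAN, PASSIVE_OBSERVATIONS, REPORT_TIME)
    for category, items in report.items():
        print(f"{category}: {', '.join(items) or 'none'}")
```

The constructed data deliberately includes the window problem from the caveats: 10.1.0.133 was only on the network for a while in the afternoon, so the nightly scan never saw it and only the passive source catches it. Run with the passive list empty and it disappears from the “unknown” report, which is exactly why the methods are layered rather than chosen between.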

And Miessler includes 5 questions that drive the measurement of a security team based on how they answer them:

  1. What’s currently facing the Internet?
  2. How many total systems do you have?
  3. Where is your data?
  4. How many vendors do you have?
  5. Which vendors have what kind of your data?

consuming infosec news and social commentary

(This is just me publishing an incomplete post from the past.)

How do I consume and keep up with infosec news?

Twitter is an always-running stream of water. You walk up to it when you’re thirsty, take a drink, and then walk away. You don’t try to catch everything that falls through while you walked away.

Those of us who grew up with IRC don’t find that a weird or foreign concept, since it often operates the same. You walk away from IRC for a day, and then come back, but you don’t typically try to read the entire buffer of any busy chat. You look for a few topics of interest, perhaps, or highlighted key words, but otherwise you just sit back down, read a screen or two up, and plug yourself into the conversation as is. Busy Discords can work this same way when conversations are not split up into multiple channels.

Pet peeve: Breaking topics into too many channels too quickly. This setup works for very busy forums or messenger/chat locations. But it kills momentum for anything not super large. It splinters discussions down from a healthy rate to a trickle that won’t keep anyone engaged for long. It also requires its users to keep clicking through various channels for any chance to keep up with conversations. I think what happens is new Discords/Slacks/Forums see how the big established ones do it, and they try to emulate that structure immediately. But that doesn’t work in the end. You need traffic first before justifying the splintering. (As someone who has lived 90% of my adult life in some form of online community, and as someone who has run several of them years ago, I have plenty of opinions on this topic…)

music to learn and hack to

(publishing an old “incomplete thoughts” draft) We all have a preferred environment and/or music we prefer to hack and learn and work in. Most recently, I spent much time at home practicing and learning in the PWK/OSCP labs and exam, and often to a background of music. I thought I would share some of my interests in this regard. If you read nothing else here, at least go give SomaFM a listen, particularly their DefCon Hacker Radio and Groove Salad stations. I’ve been a regular listener of Groove Salad since around 2003, and it’s absolutely excellent.

When I’m heads-down doing something, most of the time I’m probably listening to one of four types of music.

The most common for me is “chill out” music, largely electronic, but could also be acoustic or traditional. This largely stems from enjoying new age music from the 80s/90s, which then expanded into electronic music through the late 90s and on (think Enigma and Kitaro transitioning into Underworld and Sasha). Unless I’m listening to my own stuff, this is where I’ll tune into Groove Salad on SomaFM. I don’t remember how I found the station or why or what led me there, but it definitely solidified “chill out” as a thing that I totally dig. (And I totally geeked out when BackTrack used to include a SomaFM bookmark in their default browser!)

I’ll also enjoy other electronic music, but if it has more intensity or a beat to it, I don’t include it into the chill category, and instead gets lumped all together into my general electronic folder. This encompasses anything from classic trance, goa/psytrance, dubstep, edm, and so on. I tend to stick to my own collection when listening to this, but might queue up a large set of stuff on YouTube, or use SoundCloud to listen to some sets or DJs, or maybe Pandora, or Digitally Imported feeds on TuneIn Radio.

Sometimes, I’m in a really heads-down mood or just want something less electronic, and I’ll turn to either normal classical music, or something less orchestral like cello, guitar, or piano artists doing their own thing. Most of the time when I listen to this, I’m firing up TuneIn Radio and just listening to the Iowa Public Radio Classical station. No ads, decent quality, good variety. Failing that, there’s tons of long collections on YouTube to listen to.

Lastly, I’ve also always enjoyed hard rock which borders into metal, but never really metal. I tend to be pretty picky when it comes to this (Metallica, Tool, White Zombie which betrays my age…), but more lately I’ve gotten into symphonic metal bands. I still have plenty of things I consider to be “harder” rock music (basically anything more intense than “pop” music), and sometimes that’s my mood.

common guides to pen test pivoting and tunneling (or tunnelling)

Tunneling and pivoting through a network can be a slightly mind-bending experience at first. I did plenty of this during my time in the PWK labs, and the guide Explore Hidden Networks With Double Pivoting proved to be very useful. Likewise, A Red Teamer’s guide to pivoting looks like an excellent resource, largely if you have root access already and need a better way to get back out. (Edited to add this new one:

As a bonus, the second link also includes some shell upgrading techniques at the end.

Other links:

For my time in the labs, I started out using single hop local SSH forwards through a pivot point that I had owned in the remote network. This works just fine if you know that port 80 is open and all you want to do is connect to port 80 inside a network you don’t have direct access to. That looks something like:

ssh root@<PIVOT> -L 81:<TARGET>:80

Later on, I learned to do more dynamic SSH forwards with proxychains:

I used a dynamic ssh tunnel via John:
ssh -f -N -D <SOCKS_PORT> j0hn@<PIVOT> -p 22000
Tested with:
proxychains nmap -sT -Pn <TARGET>

ssh -f -N -D <SOCKS_PORT> sean@<PIVOT>
leafpad /etc/proxychains.conf
proxychains ssh -f -N -D <SOCKS_PORT_2> root@<SECOND_HOP> -p 222
leafpad /etc/proxychains.conf
proxychains ssh luigi@<TARGET>

And even later, I did double pivoting using proxychains:

ssh -tt -L8080:localhost:8157 sean@<PIVOT_1> ssh -t -D 8157 mario@<PIVOT_2> -p 222
set up proxychains to use our forwarded port 8080:
leafpad /etc/proxychains.conf
strict_chain or dynamic_chain
socks4 127.0.0.1 8080
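Every hop in the chains above depends on the intermediate host’s sshd permitting forwarding: -L and -D are client-side requests that the server is free to refuse, and OpenSSH grants them by default. From the defensive side the check is therefore the pivot’s own sshd_config. The script below is an added example, not from the post: it reads an sshd_config, applies sshd’s rule that the first value given for a keyword wins, fills in the OpenSSH defaults for keywords that are absent, and reports which forwarding features are still enabled globally, listing Match-block exceptions separately because those re-enable features for the matched users or hosts. Both sample configs are constructed.

```python
"""Audit an sshd_config for the forwarding features that let a host act as a
relay: the -L and -D tunnels above only work when the pivot's sshd permits
them, so from the defensive side this is the setting to check and log.

Added example, not from the post. It applies sshd's own rule that the first
value given for a keyword wins, uses the OpenSSH defaults for keywords that
are absent, and reports Match-block exceptions separately because they
re-enable features for the matched users or hosts. Both configs are
constructed.
"""

# OpenSSH defaults for the keywords that control relaying through a host.
DEFAULTS = {
    "allowtcpforwarding": "yes",   # yes/local/remote all allow some tunnelling
    "allowagentforwarding": "yes",
    "gatewayports": "no",
    "permittunnel": "no",
    "x11forwarding": "no",
}

# Constructed: a stock-looking config that never mentions forwarding, so
# the defaults apply and TCP forwarding is on.
DEFAULT_CONFIG = """
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
"""

# Constructed: forwarding switched off globally, with a scoped exception.
HARDENED_CONFIG = """
Port 22
AllowTcpForwarding no
AllowAgentForwarding no
GatewayPorts no
PermitTunnel no
X11Forwarding no
AllowTcpForwarding yes   # ignored: sshd keeps the first value for a keyword
Match User deploy
    AllowTcpForwarding local   # applies to this user only
"""


def parse_sshd_config(text):
    """Return (effective_global_settings, match_exceptions) for the keywords
    in DEFAULTS. match_exceptions is a list of (criteria, keyword, value)
    seen inside Match blocks."""
    globals_seen, exceptions = {}, []
    criteria = None                      # None until the first Match line
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")
        key, value = key.lower(), value.strip().lower()
        if key == "match":
            criteria = value                          # e.g. "user deploy"
            continue
        if key not in DEFAULTS:
            continue
        if criteria is None:
            globals_seen.setdefault(key, value)       # first occurrence wins
        else:
            exceptions.append((criteria, key, value))
    effective = {k: globals_seen.get(k, default) for k, default in DEFAULTS.items()}
    return effective, exceptions


def audit(text):
    """Keywords whose effective global value still allows relaying, plus any
    Match-block exceptions that need a separate look."""
    effective, exceptions = parse_sshd_config(text)
    open_globally = [k for k, v in effective.items() if v != "no"]
    return {"open": open_globally, "match_exceptions": exceptions}


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Note that AllowTcpForwarding accepts local and remote as well as yes/no, and local is enough for both -L and -D, so only an explicit no closes the relay path; the audit treats anything other than no as open for that reason. Hosts that legitimately need forwarding (bastions) are better handled with a Match block and PermitOpen restrictions than with a global yes, and the exceptions list is where those scoped grants show up for review.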

the oscp cocktail, preparing the pwk

A while back I earned my OSCP. I have written my reviews of it in two parts, once just on the logistics of my course experience, and another with advice to others. I often see requests on what to do to prepare for the OSCP or what it takes to earn it, and I have a saved response that I often give out to those learners. And I realized I’ve never really put it down here on my blog in complete format (a large chunk of it comes from the aforementioned advice post). So, here it is in entirety: my advice to people with the question, “Am I ready for the OSCP?” (A.K.A., part 3 of my OSCP series…)

Let’s first take a step back and ask this question: “What do you hope to get out of the OSCP experience?” In other words, “What is your purpose?”   

There are two main goals for the OSCP, though one really overshadows the other. First, the OSCP cert will open doors to pen testing and other security jobs; it’s a way to confer some immediate credibility amongst those who know what the cert is about. Secondly, and most importantly, the cert and lab are ways to teach pen testing methodology and frame of mind; how attackers work. It’s not about pwning more systems, or getting another add on the resume/CV; it’s about learning how to think like an attacker and efficiently evaluate systems and provide value for customers and admins.  

My OSCP prep advice is pretty much always the same, and yet it depends on what every student brings to the table. For me, if I were making an OSCP cocktail: 

  • 1 part Windows admin – know how to turn services on and off, add users, change passwords, browse through cmd and windows explorer, RDP, etc.
  • 1 part Linux experience – Know how to move around directories, read files, create files, use a text editor, create users, change passwords (linux essentials or linux+ prep courses will help)
  • 1 part LAN networking – TCP/IP knowledge, ports, arp, wireshark/tcpdump familiarity, firewalls (host and network), dns
  • 1 part security knowledge – general attack classes, goals, major OS vulns over the past 20 years; a pen test course or book works
  • 1/2 part Kali experience – poke around it a bit, experience installing it, logging in, location of some tools and the interface
  • 1/2 part Metasploit knowledge – have used it a bit, run through the free Metasploit Unleashed course
  • 1/2 part web server/client knowledge – nice to have hosted anything with apache/iis in the past and understand config files, ports, php/javascript a little, client vs server-side processing, dash of SQL syntax
  • 1 part coding/scripting logic/basics – if you can make a bash/perl/powershell/c/python script or have coded in the past enough to read and minorly edit script/code chunks, you should be good to start; nothing amazing
  • Sprinkle of efficient Google searching ability 

Bring all of that or more to the table, and you’re set to be slammed in the face with the course material and then hit the ground running in the labs.  

Keep in mind, the course is an entry into pen testing; it’s not a requirement to have popped root shells in the past. The course will grab your hand and start you off on the path.

If you want the best example of what you’re in for, go to cybrary and have a perusal at Georgia Weidman’s Advanced Penetration Testing course. It’s free, and will be the closest and quickest way to see what you’re in for. Vulnhubs and hackthebox are fine for practice and to understand the process of enumeration, but they’re not necessary at all. 

Google for OSCP reviews. They are full of suggestions and resources, and usually give a great idea of what the course and exam experiences will be. Don’t over-mystify the course or exam, and thus, don’t over-prepare! Dive in and get on it. 

Try to become familiar with Kali Linux, the tools it has, and the layout. This will be your home base for the course, and has pretty much everything you’ll need.

For those newer to Linux, start using a distro on a day-to-day system and find some online courses on Linux security and administration and shell scripting/commands. Linux+/LPIC-1 level skills are good; anything beyond is great. I’d also suggest a Bash shell/scripting primer.

For those newer to Windows, find some courses on Windows security and OS administration. This includes hosting server-type applications (e.g. web platforms).

Learn some Metasploit. It’s worth it and it’ll get used, whether in the course or beyond as a pen tester. Off Sec has a free Metasploit Unleashed course.

Learn some basic, free, staple tools and get comfortable working with their various switches: nmap, unicornscan, curl. Google the top 100 security tools and at least know what you could use each one for. You don’t need to wield/install each one, but feel free to try any out.

To get familiar with some of the big security issues over the past 15 years, grab a copy of Hacking Exposed (McClure, Scambray, Kurtz).

For pen testing theory, check Penetration Testing: A Hands-On Introduction to Hacking (Weidman) or the slightly more up-to-date The Hacker’s Playbook 2 (Kim). The Hacker’s Playbook 3 is even more updated!

Have a decent enough grasp of networking to know how TCP/IP works in general, use and read some Wireshark/tcpdump output, and understand IP addressing, firewalls, and ports.

Have a decent grasp of how web technology works, from configuring web servers and reading simple HTML/PHP/ASP code and simple SQL queries, to how browsers interact with the web server.

Install some security-related browser add-ons and poke around the Developer tools in place in every major browser these days (F12).

Dive into Python or Perl enough to get into Socket or web request programming. Very useful to start swimming in the ocean of editing or making exploit code or enumeration scripts. Having had a course or class in basic programming is great, as you can start to consume any language if you know the logic. (This is not necessary, but very nice!)

Start thinking like an attacker. This often comes with experience, but start thinking of ways you can get to Goal X or Access Y. What mistakes do you look for? What isn’t default?

Lastly, know that OSCP/PWK comes with course materials and videos that teach you everything you need. So don’t think you are going into this being tested from day 1 and spend 2 years trying to prepare for something that is meant to teach you new skills in the first place. You’re going to be learning from day 1 until day X.

So, what can you do to practice, if that’s what you feel you need to do? Download and install a Kali VM. Join Hack The Box (HTB). Watch IppSec’s YouTube videos on retired HTB boxes and follow along. Download VMs from Vulnhub and follow walkthroughs on those boxes. Read OSCP reviews for more viewpoints. Pwn and have fun!

passed ccsk

In mid-August, I continued my studies into cloud security by tackling the Cloud Security Alliance Certificate of Cloud Security Knowledge (CCSK) v4 (2017). This is a vendor-agnostic certification based around guidance documentation for cloud security topics (commissioned from Securosis, by looking at the author list). This is a really good treatment of cloud security, with heavy applicability to pretty much everything other than procedures on how to actually do the things in various services.

Logistics. The cost is about $400 and comes with 2 attempts to take the 90 minute 60 question exam. The exam itself is mostly multiple choice with some true/false questions thrown in. Passing is 80%. The exam is also available online, so you can not only take it at home any time you want, but it is also an open book exam. The study materials are really threefold. About 87% of the exam is taken from the CSA Security Guidance v4 (2017) which is 152 pages long. The rest of the exam is pulled from the CSA Cloud Controls Matrix (a spreadsheet of controls) and the ENISA Cloud Computing Recommendations (~150 pages). If you’re absolutely crunched for time, I think a student could be fine just being aware of the ENISA and Controls documents. Though, honestly, they’re really good materials to consume, exam or not. Oh, also they’re all free to download past a register-wall you can fake out.

Exam Details. The exam questions from the ENISA and Cloud Controls Matrix materials are actually labeled to say they refer to those materials, so you don’t really have to guess. I had some questions with those dreaded “A and C” or “A and B” answers. I would also say that for about half of the questions I could do a Find on the materials relatively easily, and for the rest that was much harder. It definitely helps to know the general format of the main document and where answers will come from, and I found it pretty clear most of the time which domain a question came from. The only overlapping domains that get a little confusing are the Management Plane and Infrastructure Security domains. I ended up using 86 of the 90 minutes on my first pass through the questions, with an answer for every one. I then spent all but 20 seconds of the remaining time reviewing the 6-8 questions I had marked for review. You do not get to see the answers after you finish, but you get an extensive breakdown of how you did on the 14 domains and the 2 additional materials.

Realistic Expectations. I think someone with 1-2 years of cloud experience will still find something to learn through the exam. Someone with 2+ years of general infrastructure IT or IT security should be able to follow along pretty easily as well, and learn a lot about cloud computing considerations. This isn’t some crazy difficult senior level type of certification, but it’s also not a push-over either. I think it’s really the price tag that keeps it from being something you just do to pocket it; you only do it when you actually want/need it. I think anyone working in cloud security or even cloud engineering/architecture should honestly have this cert unless their experience level is already beyond it. There is also training offered, but I honestly am not sure it would be necessary unless someone is new to IT.

My results. I have a long background in IT solutions and systems and security (15+ years), which means the material felt very comfortable to consume and made for easy (if dry in some sections) reading. My cloud experience is minimal, but growing right now (I passed the AWS Cloud Practitioner certification about 2 weeks before this one). When I sat to use my first attempt on this material, I did so not really being confident that I would pass, but wanting to see what the exam was like and what my gaps were. I typically have 2 desktop systems at my desk (3 monitors total) and I can set up another dual-monitor laptop when needed, which I did for this. Doing so allowed me to have all three documents up while also having the exam front and center. This let me look things up very nicely. I also had some SomaFM going on in the background as my preferred mood music. I felt good going through my first attempt, and was surprised by passing on that first try quite comfortably. I will say if I hadn’t been able to look up answers, I don’t think I would have passed this, as the questions really do get a bit tricky. That said, the material alone is well worth the time spent to read and reference as you or your organization make moves into modern cloud services.

passed aws cloud practitioner

A few weeks ago I took a couple exams and passed them both. One was the AWS Cloud Practitioner exam. This is the entry level AWS certification that teaches students how Amazon Web Services works, the services offered, and the pricing and billing concepts. AWS suggests people with 6 months of experience with AWS should attempt this exam, but honestly that could probably be less.

I have been working in IT since 2002 and as a systems administrator since 2004 with heavy emphasis on web support and infrastructure. I have a deep level of knowledge on all sorts of concepts that helped me digest and understand AWS offerings pretty quickly. But, other than maybe a singular hands-on workshop a few years ago, I’ve really not been hands-on or actively knowledgeable about AWS at all beyond hearing about insecure S3 buckets and this Lambda serverless craze. And really, my lack of knowledge has probably been down to not having personal time to dive hard into it, and also until recently not having worked for a company that adopted anything cloud-based.

And that brings me to my motivations, which foremost include the business I work for going hard into cloud adoption in the next couple years. Also, as I get older and technologies come and go, I do feel the need to remain current, or at least conversant with current stuff. And I really felt like there were two places I could improve and grow a lot: application security and cloud (AWS) security. So, to tackle the latter topic, I decided to soft-scope some AWS studying into the second half of 2019.

I opted to start with AWS Cloud Practitioner mainly due to the fact that I really didn’t think I knew AWS enough to pass that exam if I had taken it 6 months ago. And that would have been true! There’s zero chance I would have passed, and likely not even gotten anything but the concepts/benefits of cloud-computing correct. The goal is to go further, so this cert is just a stepping stone into AWS.

For study, I followed a pretty quick timeline lasting only about a month. I had planned to take a little bit longer when I was less sure about the scope of the material, but in my timeline I built in a review period where I would drop other ideas and tasks if I felt like things were progressing well and I had overestimated the exam depth. That was a good idea, as I ended up finishing the exam in something like 20 minutes with a 957/1000 score, and saved several additional weeks of work and study.

I first signed up for a 7-day trial at ACloud.Guru. I had read that they’re a great training resource, but maybe could go deeper into some topics and best consumed alongside a second resource. So I started there. I then cancelled my account on day 6, so I really spent no money on this step.

I took Introduction to AWS (1 hour), AWS Certified Cloud Practitioner 2019 (5 hours), AWS Certification Prep Guide (2.5 hours), and as a bonus to myself, the Mastering the AWS Well-Architected Framework course (4.5 hours). Most of this was pretty good, with the clear standout of the Well-Architected Framework course which was excellent, and easily digested due to my background. Still, I didn’t feel completely prepared for the exam. It’s hard to tell for sure, but I suspect I may have been a lot closer to the passing cut off if I had just done these courses.

I also started working through the Udemy “course” AWS Certified Cloud Practitioner Practice Exams 2019 by Neal Davis which I purchased when it was on sale for $20. These are 6 practice exams and probably ate up about 10-12 hours of effort to take and review them. I highly recommend going through these practice exams. The only caveat is that these exams are decently harder than the real exam I took. But, that’s a good thing! I scored around 76-86% on these.

I also have a Linux Academy subscription already, so I augmented my studies with a newer course, AWS Cloud Practitioner (CLF-C01) by Tia Williams (11 hours). There are also some labs scattered in here which, while very much “just follow the instructions and click things,” were nice for getting some hands-on time, since I really haven’t had any. Also, note how this course is much longer than the one from ACloud.Guru. In my estimation, had I stopped and not done this Linux Academy course, I’m not sure I would have passed the exam; it would have been close!

I also made a couple Coggle mindmaps during my studies to keep track of the groups of concepts and services. This was a wonderful idea I found mentioned on another blog review of the course.

As a last step, I took a few hours to breeze through actual material from AWS, namely the Overview of Amazon Web Services, Architecting for the Cloud: AWS Best Practices, and How AWS Pricing Works whitepapers.

As I said, I had more things planned, but I suspected this is more than enough to pass the exam, and apparently I was correct!

Moving forward, I plan to do more cloud studying before the end of the year. Next, I’d like to read the materials for and pass the CCSK certification. I will then start preparing for the AWS Solutions Architect – Associate exam and start doing some AWS projects. My ultimate goal is to earn the Security Specialty in early 2020 and maybe the CCSP later in 2020 as well. I’m still being a little aggressive here, but I think this is doable and a little less pressuring than lots of my other heavy technical studies in the past few years.

I would also say that unless someone is comfortable discussing the various services in AWS, the benefits of the cloud, the pricing structure of AWS, and the support offerings, this cert is a good and pretty inexpensive (in time and money) option to get started. Otherwise, for others with comfort in the above topics, it may be worthwhile to just dive into one of the Associate level tracks.

passed linux+

A few weeks ago I took a couple exams and passed both. One was the Linux+ (powered by LPI) LX0-104, which is the second exam in the Linux+ certification track. This pass resulted in my earning both the Linux+ and LPIC-1 certs as I had taken and passed LX0-103 earlier this summer.

I’ve been a relatively casual user of Linux since about 2001. I’ve used it as my primary desktop at home for probably the last 10 years, but that doesn’t mean I’m any sort of power user. I know enough to pilot myself on Kali Linux through the PWK labs and the OSCP cert, and probably approach a Linux administrator job. My day-to-day tasks on Linux at home are just general web browsing and media playing on Ubuntu; things where you can just set things up and stay in the GUI all day every day.

Still, all of that exposure left me very comfortable in Linux and able to pick up on things very well to fill in my gaps of knowledge when studying the Linux+ topics.

And that is the main part of my motivation for this cert: To shore up my foundational knowledge on Linux. I’m comfortable, but I certainly have gaps as I am not a full-time Linux admin or power user. And having that strong foundation can carry over to many other things like cloud servers, linux forensics, linux pen testing, securing linux servers, etc. While I’m comfortable in Linux, I’ve seen the opposite end of the spectrum in something like the SANS forensics course FOR 508, where students with nearly 0 Linux experience have a huge learning curve just to be able to operate inside the main forensics tools and VMs. I’m glad I’m not at that point, but going even further helps that comfort.

I’ve also long looked at Linux+ as a cert I’d like to get to illustrate some knowledge of Linux, but have never really put the time or effort into pursuing it. At the start of this year, I found that CompTia was going to change this cert later this year by updating its content from v4 to v5, ending the relationship/connection with LPI, and also converting the lifetime status of the cert to something you’d need to renew. I really like my lifetime Security+, so this change helped prompt a decision to make getting this cert a goal of mine for this year.

Since I already had a Linux Academy subscription, I used them as my primary resources for studying. As the Linux+ cert content is being updated, some of these courses are no longer useful, and I was initially confused on which courses I should be focusing on. I utilized the Linux Academy labs for tasks I wasn’t quite as familiar with. Their cloud-based ability to spin up a CentOS server for me to read man pages and help files was really nice!

I started with Linux Essentials (14 hours) last year, and finished it early this year.

I followed that up with LPIC-1: System Administrator Exam 101 (v5 Objectives) (21 hours), which was partly confusion on my part due to the exam changes, where I should have been looking at v4 content and not v5. Still, I welcome the learning.

Then I completed Linux+ and LPIC-1: System Administrator – Exam 101 (v4 Objectives) (20 hours) before taking and passing the first exam.

Lastly, I took Linux+ and LPIC-1: System Administrator – Exam 102 (v4 Objectives) (23 hours) before taking and passing the second exam.

From the exams, I don’t remember much about the first exam already, but on the second, I did score lower than I wanted to score. I blame that on taking a month to start studying AWS before my exam date, so most of my exam experience was pulled from ingrained experience rather than recent memory from studying things. To be fair, I only spent about 25 minutes on that second exam.

The exam was fine, but it was definitely off-putting to get several questions dealing with IPv6 vs IPv4 and IP addressing and subnetting. I get the need, but it should have been out of scope for this particular type of exam.

I was a little skeptical taking this on as a personal goal this year, as I already know plenty of Linux and it was maybe sort of a “I had this idea years ago and I’d like to complete it” sense of vanity. I also really had nothing to gain from the cert itself; it won’t land me my next job or trigger a raise. However, I’m glad for having done it, as it’s really my first formalized amount of training on Linux, which helped answer questions, fill in gaps, and learn some new things. (So, that’s why dual booting was such a pain so many years ago!)

I feel even more confident in Linux now, which can open up further doors down the road like diving harder into Linux forensics, Linux pentesting, managing my own attacker platform better, and so on. These were all probably approachable already for me, but now even more so.

Moving forward, I don’t have any plans right now to get any other Linux certifications. The effort and cost for pursuing the Red Hat or Linux Foundation tracks when my job title does not include “Linux” just isn’t a priority for me. If I had to choose one, it would be difficult. Red Hat is more recognized, but Linux Foundation wouldn’t require travel. I wouldn’t entertain doing any more LPI as it is just multiple-choice.

For others looking to get this cert, I think anyone looking to be a Linux administrator should make the Red Hat or Linux Foundation tracks a priority, with this an optional step along the way. I’m not really sure the cert itself is worth it, but the studying towards it would be. For someone with no or little Linux experience looking to put something on the resume, maybe for a blended security role, and not looking to do a hands-on admin practical, this is really one of the only options. After October 2019, there will be Linux+ and LPIC-1 as separate, competing certs, but I’m not sure which would be preferred. Probably Linux+, as it could help support renewals of other CompTia certs, and vice versa. For someone comfortable in Linux, this really becomes a personal decision that could go either way, which is the boat I was in.

passed gwapt

Less than 2 months ago I sat for SEC542 at SANS East in New Orleans, and this past Friday I sat for the GIAC Web App Penetration Tester exam and passed with a 97%.

My goals and background. My purpose for taking this course and exam was to gain more experience and comfort with web app pen testing methods. I’ve worked in web server/client environments as a sysadmin and security admin for many years, and I’ve had some exposure to web offense tactics and tools from the PWK/OSCP days and from various HTB boxes as well. I’ve not made or maintained any “modern” web sites, but I have some web coding experience back in the painfully early years of the web and feel comfortable reading or tinkering with most preexisting code. Going into this course, I already knew some of my weaker points: I am not entirely confident with SQL and sqlmap; my exposure to Burp Suite seemed limited (and exposure to ZAP being nil); and I also had not done much with Python in regards to requests and web work.

It speaks more to myself than to the course that I probably overestimated the material a bit (or underestimated what I already know). Pretty much across the board, with my offensive experience above I had probably seen and performed most of the attacks that we went over. That said, my weaknesses listed above were largely addressed. But, beyond working more with Burp, ZAP, sqlmap, and python, I really ended up being somewhat ready to move past this material. Now, that’s not to say I’m ready for advanced stuff, but I think it might be more accurate to say I’m ready to gain more progressive hands-on experience with testing web apps, either live or vulnerable testing apps.

My study process. After taking my first SANS/GIAC exam last year, I formulated what I would expect to be my repeatable process for studying for future exams. But, for SEC542, I definitely deviated from that process and skipped quite a few things. Once getting back from class, I started skimming through the material, doing a first pass on highlighting key terms and concepts. I have a process of highlighting tools and external resources that are tool-like, like cheatsheets, with an orange highlighter, terms and definitions and concepts with a green highlighter, and I underline in pen anything else useful so that they catch my eyes when I’m looking for answers later. If a topic continues on the next page, I put a highlighter arrow to the next page.

After that, I worked through all of the labs again, which I admit, was a very quick breeze as none of the labs are really that complicated or long. In doing so, I also highlighted information in the Workbook just like I did the other books.

The index process. Next, I started work on the index. Now, this course has a Day 6 CTF book, and in the back of this book is a very rough index. Sadly, I didn’t really like the index, but I also didn’t want to leave a trove of information on the table, so to speak, so I spent a few days transposing that index into my own index spreadsheet. Once done, I then started with Book 1 and began augmenting that given index with my own index items, as well as the definitions and concepts I wanted for each term. I did this for all of the daily books (except the CTF one) and the Workbook.

The way I make my index is to just have three columns: term, notes, page (1-101 format). I don’t shy away from expanding the size of a row if I need lots of text (word wrap). I separate each book into its own sheet, and I copy/paste those sheets into a master sheet which I then order alphabetically. The workbook is referenced as w-101. If I add something from another source, like a practice exam answer explanation, I’ll just mark it as x. I’ll then later get it printed and bound at Kinkos. This time around, it took $19 to print and was pretty thick…
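The index layout above (term, notes, page in 1-101 form, workbook pages as w-101, outside sources as x; one sheet per book merged into an alphabetized master sheet) as an added worked example. This is not the author’s spreadsheet: it is a Python script that does the merge, validates the page references, and drops exact duplicate rows; the sample rows and the page-reference regex are constructed for illustration.

```python
"""Merge per-book SANS index sheets into one alphabetized master index.

Added example (not the blog author's own spreadsheet). It follows the
three-column layout described in the post: term, notes, page, where page
is "<book>-<page>" (e.g. 1-101), "w-<page>" for the Workbook, or a bare
"x" for material taken from another source such as a practice exam.
"""
from __future__ import annotations

import csv
import io
import re

# One master-index row: (term, notes, page reference).
Row = tuple[str, str, str]

# Constructed validator for the page-reference format the post describes.
PAGE_REF = re.compile(r"^(?:[1-9]\d?|w)-[1-9]\d{0,2}$|^x$")


def page_ref(book: str, page: int | None) -> str:
    """Format a reference the way the index uses it ("1-101", "w-22", "x")."""
    if book == "x":
        return "x"
    if page is None or page < 1:
        raise ValueError(f"book {book!r} needs a positive page number")
    return f"{book}-{page}"


def ref_sort_key(ref: str) -> tuple[int, int, int]:
    """Order references front-to-back: books 1..n, then Workbook, then x."""
    if ref == "x":
        return (2, 0, 0)
    book, page = ref.split("-")
    if book == "w":
        return (1, 0, int(page))
    return (0, int(book), int(page))


def merge_sheets(sheets: dict[str, list[tuple[str, str, int | None]]]) -> list[Row]:
    """Combine per-book sheets (keyed by book label) into one sorted list.

    Terms sort case-insensitively; within a term, rows follow the order of
    the books, so many references to "XSS" read front-to-back. Exact
    duplicate rows (a common copy/paste slip) are dropped.
    """
    master: set[Row] = set()
    for book, rows in sheets.items():
        for term, notes, page in rows:
            ref = page_ref(book, page)
            if not PAGE_REF.match(ref):
                raise ValueError(f"bad page reference: {ref}")
            master.add((term.strip(), notes.strip(), ref))
    return sorted(master, key=lambda r: (r[0].casefold(), ref_sort_key(r[2]), r))


def to_csv(rows: list[Row]) -> str:
    """Render the master index as CSV, ready to import into a sheet and print."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["term", "notes", "page"])
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample sheets standing in for the per-book index tabs.
SAMPLE_SHEETS: dict[str, list[tuple[str, str, int | None]]] = {
    "1": [
        ("XSS", "first mention only; types listed, detail comes later", 57),
        ("HTTP digest authentication", "nonce, realm, qop; challenge/response", 88),
    ],
    "3": [
        ("xss", "stored vs reflected vs DOM; where the payload lands", 12),
        ("sqlmap", "sqlmap -u <url> --dbs ; -D/-T narrow to db/table", 40),
    ],
    "w": [("XSS", "lab: stored XSS exercise in Mutillidae", 22)],
    "x": [("sqlmap", "practice exam explanation on tamper scripts", None)],
}

if __name__ == "__main__":
    print(to_csv(merge_sheets(SAMPLE_SHEETS)))
```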

I took particular time this go around to make note of any commands and screenshots of tools. This way, if on the exam I am looking at a tool output or some command, I have a shot at finding a comparable bit of output in the materials for comparison. Often, I would put the command verbatim into my description for that line, as nothing but the sqlmap commands was really long.

The goal of an open book exam is to be able to efficiently and correctly answer questions by using those materials, and to do that, you have to manage your seek time. And that seek time plus tolerance for recollection or finding exact answers is going to differ from person to person. For me, I like enough context on each line of my index that I can tell where I should look for something about XSS types when I have 15 individual references to “XSS.” I don’t expect to always find answers just in my index, but I do give myself a shot at doing so. Ultimately, however, I expect to get into the books and find the “for sure” answer quickly. I do this with my index, but also sometimes with tabs along the tops of the books for key pages, tools, and topics.

In retrospect, I’m not really sure how useful the provided index ended up being, as I trust my own index was probably going to cover the bases. Honestly, the given index had some mistakes and included some weird terms from some weird places that added nothing. In the end, it maybe just resulted in a larger index than the FOR508 index I made last year (and I think that material more warranted a larger index).

One note about the SEC542 material that I noticed. Way too often for my tastes, the authors didn’t actually define terms. Instead, they would describe them anecdotally, and maybe list some uses for that term to be gone over in more depth in later pages. This made defining terms very strange, and it added extra references for terms. For instance, Stored XSS is mentioned well before it is actually dealt with, but I had to keep both references. (I suppose you don’t have to, but *I* had to, if you know what I mean.) I also challenge you to find a succinct definition of XSS somewhere. I think I would have appreciated a bit more structure in that regard, but the material is effective either way. On the flip side, I like the “attacker perspective” that closed out various attack topics.

The rest of the preparation. Once I had my index finished, I tabbed the tops of the book pages. This makes for easy flipping to sections when I know generally or exactly where a topic is in the materials, letting me skip the index completely sometimes. This was more useful in the FOR508 exam which has more repeated reliance on tables and charts, but I did find myself using these on the exam as well. For example, a digest authentication question is going to be in the….drum roll….digest authentication section! There’s really no hunting around needed in that case.

Before sending off my index to be printed, I first took my first practice exam. I used the books and electronic spreadsheet (without using the search features) during this practice exam, and also did not use Google or other references. During the practice exam, I specifically turn on the ability to see explanations of all answers, rather than just the ones I miss (sometimes I may guess and get it right, but not be sure why!). If something is missing from my index, I’ll write down the topic or term quick. In the end, I scored 90% on the first practice with about 10 minutes to spare.

After that, I intended to do an actual read through of the material as well as listen to the mp3 audio of the course (given by the other author!). I only did about day 1 on both of those and decided to forgo those steps in my process. I took the second practice exam just like the first one, and scored 90%. After that, I sent my index off to be printed. Until exam day (about a 2 week gap), my only studying was just occasionally opening the books to flip through the topics and keep the layout and topics somewhat fresh in mind.

Alternate material. Now, not everyone can afford SANS courses, but the information in SEC542 can actually be very easily gotten from other sources.

For practical lab-like experience, work on things like DVWA, Mutillidae (both of these were heavily used in the course labs), and OWASP Juice Shop. In addition, every attack can be found somewhere in the HTB boxes (ask someone who’s popped most of the boxes if they can guide you to good candidates, or browse IppSec’s YouTube videos and sample each one for web app opportunities). If you’re lucky enough to have access, the PWK labs also have plenty of web app practice available. Between all of those items, you should be exposed to every attack in this course and beyond.

On the tools, it really absolutely helps to have some Burp exposure and some Python exposure. I actually really recommend courses on PluralSight for both topics. There is a course or two by Sunny Wear going over how to use Burp that is just awesome. And there are a few beginner Python courses as well that helped me quite a bit to get started. (If you do pick up a sub to PluralSight, it also has decent courses on many of these web attacks, too, by Dawid Czagan and Troy Hunt.)

Everything I know about ZAP came from this material, and I suspect just a 20-minute video on ZAP examples would cover it well enough. I just don’t have any particular ones to list here. Of all the topics, I’d have to say web fuzzing is the hardest topic to pick up on one’s own.

For other tools, exposure in the course is light, so just using sqlmap or nikto or recon-ng or nmap or wpscan or beef somewhere on some target is probably good enough to understand it enough. For Python, focus on understanding the basics of Python and then also the requests library.

For attacks, just go through the syllabus and the OWASP 2017 Top 10 web flaws. This course pretty much sticks to that list. Do know how to find and perform Shellshock and Heartbleed attacks, though. (HTB has those boxes!)

Otherwise, just go through the course syllabus and the exam topics item by item until you feel comfortable talking about them and their differences.

One thing the course doesn’t go over much at all is source code analysis, but pretty much everything in the labs is open source (umm, you control the VM!), so an enterprising student could look at the flawed code on their own. This is probably a step I need to incorporate as I look at further practice.

After all of that, honestly, you don’t need the course anymore! (But let’s face it, the extra advice from the instructor, the full coverage on the topics, and meeting other professionals in person adds to the course value.)

My next steps. After GWAPT, my next step on the web application attacking front is to gain more casual experience through practice via self-study on DVWA, Mutillidae, OWASP Juice Shop, and others. I want to particularly make a point to use various tools for the attacks, rather than sticking to just one. And I also want to make sure I can do things manually or with Python scripts when appropriate, and review source code whenever I can for practice identifying flaws (and maybe fixing them?). I have a sub to Pentester Academy which also has extensive web hacking tracks.

Will I take SEC642? What about AWAE from Offensive Security? Maybe, but SANS will entirely depend on whether my employer wants to support me in that next step, and I may be able to swing AWAE on my own if I can carve out that time.

Will I get to any of these this year? I do have other goals and things for this year, but the continued self-study is one I want to stick to. I don’t today do web assessments for internal sites at work, but that opportunity may be right around the corner, and I intend to be part of that.

do you need a degree to be good at what you do?

Still reading through Tribe of Hackers. I, like most everyone, definitely hold back on punches when it comes to the “Do you need a degree/certification…?” question. So it was a nice moment this morning, while reading up on some industry blogs, to run across Harlan Carvey swinging and hitting on his responses to the questions in that book, particularly about needing a degree/cert. I think he’s right, but it’s important to note the clarifier: “Do you need a degree to be good at what you do?”

That said, all of his other answers are wonderful, too! Of particular note are tidbits about engaging on social media, mentoring and sharing, realizing that we make some mountains bigger than they are, and bosses don’t like surprises!

That sort of reminds me of the old school way the sysadmins are born. Often, a more senior admin will get a junior-ish new hire and throw them into the fire without much help. Basically sink or swim. No one really liked that, but it just sort of happened, probably since back then many of us tech geeks were socially awkward…hence being in IT! Today, mentoring in any formal or informal fashion is the way to win allies and friends. Transparency is a close cousin.

attended sec542 and netwars at sans east

About a week or so ago, a coworker and I attended SANS East in New Orleans. I was in town to take SEC542 and he was taking FOR610. We arrived a day before registration was open.

I just have to say that I absolutely enjoyed New Orleans! I’ve been to a few cities in recent years for training, and most really have pretty generic character; they’re just another city with maybe good weather. But New Orleans and especially the French Quarter has a great character to it with absolutely wonderful food, fun people, shops galore, and music everywhere. Combine that with beautiful weather (50-70 degrees in February winter is beautiful to me!) and thick mysterious fog every morning and I loved it.

We were in town the night of the Super Bowl, so after registering for classes, we navigated an impromptu Boycott Bowl block party (New Orleans Saints had their Super Bowl berth stolen from them two weeks prior and they’re a little sensitive!) to join the SANS opening reception at Fulton Alley for open buffet, bowling, and bar. Super excellent time out there, and I would visit New Orleans again some other winter.

My background gives me a good foundation for this course. I’ve not only managed my own sites and servers, including their (somewhat simple) code, for many years, but I also spent about 15 years as a security/sysadmin in charge of hundreds of critical business web sites and servers and working closely with developers. I’ve also gone through the PWK course and earned my OSCP, and done many HTB boxes over the past few years, all of which have given me exposure to web app vulnerabilities, exploit execution, and red team tools. In all, I feel comfortable with web applications, but my confidence isn’t all there when it comes to efficiently and accurately performing a “real” pen test against a site. (More on this later.) I’ve used some of the tools we’d use in the course, like Burp and wpscan, in the past, but others I have not, like ZAP and BeEF.

To prep for the class, I mostly brushed up with courses on web app testing on YouTube or PluralSight. The most notable courses that really helped were 2 courses for 3 hours of Burp Suite on Pluralsight by instructor Sunny Wear and a series by Dawid Czagan on web app hacking also on Pluralsight.

The SEC542 class itself consisted of 5 days of lecture followed by a CTF competition on day 6. The class is pretty solid in covering the basics of web application technology, OWASP Top 10-styled weaknesses and exploits, and the beginnings of conducting web application assessments. The instructor (Eric Conrad) was excellent in adding value to the course with personal stories, advice, examples, and encouragement.

There were maybe about 30ish labs over the 5 days. Some labs are very basic where you just follow the directions to perform a quick directory traversal or XXE attack. But others later on offer a little more chance to choose your own difficulty and how many hints/guidance you take, which works especially well in something like the Python-related labs where I just needed a few pointers from Google and the books on how to do a few things and I could mostly do them with my own script. That sort of open-ended lab actually doubles as nice practice, rather than just pure introduction and copying.

The day 6 CTF was an absolute blast and my penultimate experience at SANS East and SEC542. We split into fairly random teams based on when people came in. I think one team was somewhat pre-picked, but ours was pretty much, “Yeah, sit down, join up!” We had 3 teams in our class (online teams competed only against each other), 2 consisting of 5 students, and ours with 4 students.

As we got going, I started doing scans of the network using nmap and nikto, and doing really quick assessments on the results to draw attention to any suggested targets (“WordPress here! SSL here! CGI script there!”). My other teammates cleared out the level 1 book questions while this happened. I had my back to the classroom screen, so I didn’t see the jumping around of the team scores very much, but my impression is that for the most part first place traded hands quite a bit.

My team was amazing. I’ve never really had many chances to work on a pen test or assessment (or even a CTF) as part of a team, and this was absolutely wonderful. We all made progress and everyone contributed investigation and success into the things they were tackling. Someone scored out the questions on one section, I took another, and another two were done before I had even looked at them. We even had one guy make some ridiculous lucky guesses to score wins, and as I said when that happened, “That’s half of hacking, making guesses and getting it right!”

In the end, we had the lead, but bought hints on the final few questions which dropped us back into second place for a while. We got pretty hard stuck on a few things, but eventually figured it all out except one last question that was bothering me badly as I knew I was almost there (turns out I was). In the end, we bought one final hint, scored the question out, and then scored the final question to take the lead in the last 6ish minutes and held it until time ran out. Super fun to earn that coin and get first, but honestly it was more awesome to run through that well-paced CTF on a team that worked so well together. We made some mistakes, but nothing so big that it messed with our energy.

So, how did I feel about this course? This is a weird space, as is much of information security disciplines where you need a certain baseline of fundamental knowledge, otherwise your uphill climb can be difficult. But the material can quickly be overpassed with just a little bit of experience (which is kind of the point of the course, yeah?). And that really leads to my only down side of the course. But it’s really not even a problem with the course, but rather with me. For almost all of these exploits and attacks, I’ve done them before between OSCP/PWK and HTB lab environments. So, honestly, good portions of this course were sort of a review for me, or rather a reinforcement. But, make no mistake, I did learn a few new things, especially the value-add stuff from the instructor.

My biggest takeaway, much like so much in information security, is that this discipline and doing these assessments takes constant and regular practice. Practice, practice, practice. Which is really the place that I am right now with my skills and level of confidence. I simply need to iterate through the things I know, over and over, get quicker and more familiar with the tools, and maybe start doing some assessments at work on our sites to complement the things our QA teams do.

Still, could someone pass over this course with self-study and a cheaper budget? Yes, and probably not that hard, either, unlike other high level SANS courses. A student could study up on various cheaper courses or even free YouTube courses going over OWASP Top 10 attacks. And honestly, there are free tutorials on doing DVWA, OWASP Juice Shop, and Mutillidae II out there, which will cover the Top 10 and more. Adding in some HTB boxes and watching along with Ippsec on YouTube doing retired boxes shows many of the attacks in a more live situation. From there, it’s really about learning the tools, and you get use out of them from HTB or PWK/OSCP, plus additional courses on those tools which may cost a small subscription to view for a few months. Still, that’s quite a bit cheaper than SANS, especially if looking to do this on your own dime. You won’t necessarily get a certificate, or exposure to other smart students, or the NetWars experience, or the value from the instructor, but I honestly think students can get past SEC542 on their own with some personal dedication.

And that now brings me to NetWars. For a third, and probably last time until they update the content, my coworker and I competed in NetWars Core. We sat at the front, which must have been a good area to sit, since the winning team and most of the individual top 5 were sitting there. After two nights, I finished in first place for a coin and trophy, and my coworker fought a super close battle for 4th place! My placing was pretty undramatic, but that fight for 3rd through 6th was pretty tight. I might do Core if I ever attend a coinapalooza event (and have coins to acquire), but barring Core being updated to a version 6, I’ll likely duck into DFIR or Cyber Defense in future events now.

GWAPT and the future. So, that leaves me with what’s next. I’ll be studying the materials again, making my index, and going through the labs once more in preparation for the GWAPT exam. I have pretty high confidence going into this one unlike my GCFA. During and likely after this, I will also be trying to get a practice regimen started. At a bare minimum, I want to tackle web-heavy HTB boxes, not to necessarily root them, but to practice assessment steps and tools usage (I need more confidence in fuzzing, sqlmap, for instance). I also will look into those vulnerable open source boxes for further practice (Mutillidae, DVWA, Juice Shop). I am also woefully inexperienced with REST/API and SOAP assessments, so I’ll likely find some courses or guidance on that. And lastly, I’ll also work to continue to further my Python and even JavaScript exposure. I do also have a Pentester Academy sub, and they have some web content and challenges as well.

That sounds like quite a lot, but honestly this is about forming a long-term practice and experience habit for web assessments. And to my viewpoint, being conversant and ready-to-go with web app assessments is a core pillar for anyone looking to be on or near red teams/offense.

Will I take SEC642? I don’t know. Some of those topics definitely are things I’m less comfortable with today, so it is still in my top several classes to look at if I get another opportunity to attend something. But other options are tempting as well, such as SEC573 (Python), SEC617 (Wireless Pentesting), SEC660 (Exploit Writing), FOR610 (Malware Reversing), SEC588 (Purple Teams), SEC545 (Cloud Security), and FOR572 (Network Forensics). It might just depend on what lines up best with what I and my company need when the chance opens up.

my tribe of hackers contribution, part 4 of 4

This post is a continuation of my answers to the questions posed in the Tribe of Hackers book. I am answering these questions before reading the other responses in the book in an attempt at self-assessment. And to mark any changes of insight after consuming the book. This is part 4 out of 4.

(Part 1) (Part 2) (Part 3)

12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

Be aware of what you’re putting online about yourself and whether that is important to you in any way. Ultimately, live life and don’t shy away from technology. Turn on automatic patching. Use unique passwords, and change them regularly.

13. What is a life hack that you’d like to share?

I don’t really have life hacks, or at least I don’t think of them that way. Just keep learning and improving. If something rubs you wrong or doesn’t seem like it is in its right place, fix it and/or move it, or change your attitude about it and move on. Be happy, but not at the expense of others.

14. What is the biggest mistake you’ve ever made, and how did you recover from it?

Professionally, I’ve not really made any large mistakes that have made me fearful about my job or even an annual review. However, I will cover a personal mistake, a professional mistake, and a career mistake anyway.

My biggest personal mistake may be my phoning in of high school and early college years, which led to low motivation in college and being 100% unsure about what career and life I wanted. I nearly failed out of college, but pulled myself back up after 2.5 years in a major that wasn’t calling me, and switched over to one that was, to successfully salvage the experience. I wish I had applied myself more in my younger years, but more so I wish I knew what I wanted earlier than I did. We are asked as young people to make life decisions very early, and often without enough preparation. That becomes a weighty decision experience. Then again, I wouldn’t change anything that has happened to me, as I enjoyed my childhood, and everything before now has directly led to where I am and who I am today.

My biggest professional mistake was probably assigning an IP address to a server that was an undocumented in-use address on the interface of our perimeter firewall. This address conflict brought down that interface, halting all traffic to and from the Internet. Obviously, troubleshooting this brought things back in 5 minutes, but that’s a pucker moment you’d rather not have to go through. Lessons learned, though: document everything, consult that documentation, and verify anyway.
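The “consult the documentation, then verify anyway” lesson above is the kind of thing that turns into a pre-flight check in a provisioning script. The following is an added example, not code from this post or from any tool the post mentions: it checks a candidate address against an inventory (the documentation) and separately against an `arp -a`-style neighbor table (the wire), and reports each conflict it finds. The inventory, the ARP lines, the addresses and the helper names are all constructed for this example; in practice the ARP text would come from a fresh lookup on the segment you are about to use.

```python
"""Pre-assignment IP check: consult the inventory, then verify on the wire anyway.

Added example, not the blog's or any vendor's code. INVENTORY, ARP_TABLE and the
addresses below are constructed so the check runs offline.
"""
import ipaddress
import re

# Constructed "documentation": addresses our inventory claims are in use.
INVENTORY = {
    "10.0.0.1": "perimeter-fw outside interface",
    "10.0.0.2": "perimeter-fw HA peer",
    "10.0.0.10": "web01",
}

# Constructed `arp -a`-style output standing in for a live neighbor lookup.
# Note 10.0.0.3 answers on the wire but is absent from INVENTORY: that is the
# undocumented-in-use case that caused the outage in the story.
ARP_TABLE = """\
? (10.0.0.1) at 00:11:22:33:44:01 [ether] on eth0
? (10.0.0.3) at 00:11:22:33:44:03 [ether] on eth0
? (10.0.0.10) at 00:11:22:33:44:10 [ether] on eth0
"""

# Matches the "(ip) at mac" part of a Linux `arp -a` line.
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(text):
    """Return {ip: mac} for every parsable line of arp -a style output."""
    seen = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            seen[m.group("ip")] = m.group("mac").lower()
    return seen


def check_address(candidate, inventory=INVENTORY, arp_text=ARP_TABLE):
    """Return a list of conflict descriptions for `candidate`.

    An empty list means the address is neither documented as in use nor
    currently answering on the segment. Both sources are always consulted,
    so an undocumented live host still shows up as a conflict.
    """
    ip = str(ipaddress.ip_address(candidate))  # ValueError on a malformed address
    conflicts = []
    if ip in inventory:
        conflicts.append(f"documented: {inventory[ip]}")
    live = parse_arp(arp_text)
    if ip in live:
        conflicts.append(f"live on wire: {live[ip]}")
    return conflicts


def is_free(candidate, inventory=INVENTORY, arp_text=ARP_TABLE):
    """True only when both the documentation and the wire say the address is unused."""
    return not check_address(candidate, inventory, arp_text)


if __name__ == "__main__":
    for addr in ("10.0.0.1", "10.0.0.3", "10.0.0.20"):
        problems = check_address(addr)
        status = "FREE" if not problems else "CONFLICT: " + "; ".join(problems)
        print(f"{addr:<12} {status}")
```

The point of keeping the two sources separate in the output is that each failure mode gets its own message: a documented conflict means the plan was wrong, while a live-but-undocumented conflict means the documentation is wrong and needs fixing along with the plan.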

For my career, my biggest mistake should be not having as confident a voice about my skills and knowledge that reflects my actual skills and knowledge. I have warred with imposter syndrome in the past, and I probably still war with it today when I think other people already know what I know, so why speak the obvious, right? But that’s folly. Even if that were true, speaking up still stokes the sociality of life, work, career, and networking with peers, which leads to connections, friends, learning, and growth. This is probably a small war I’ll fight until such a day as I am regularly teaching others in some measure of a formal setting.

At the end of the day, mistakes make us stronger and have made us who we are today. Learn from them, don’t be afraid of them. Go deeper. Try harder.