Tuesday, January 3, 2017

My Perspective: Getting into Information Security as a Career

Say you want to be a hacker or stop the bad hackers as a career path. You like computers and want to get into the Information Security field. There are many paths and specializations. I will give my perspective and experiences in this post.

Love for computers and technology

In my early years, I loved playing games on the old Commodore 64, Atari, Apple IIgs amongst other computers. Then the internet blew up and this www stuff began appearing. I got a 56k modem and was running a Gateway 486. I learned the ins and outs of Windows 95, registry, settings, viruses and more. I wanted to learn more. I went into the Air Force and started providing computer support. Not just software, but hardware. I learned Windows NT, Exchange, and early implementations of Active Directory and Windows servers. I always wanted to learn more and more. I was happy and enjoying learning how software and operating systems worked and didn't work.

This is a good starting step. Everyone nowadays has technology. They have smart phones, laptops and work on them every day. Some have an interest in how things work. Kids learn where settings are, even how to code and troubleshoot computer problems. You may have even seen where kids have figured out how to break into teacher computers by guessing usernames and passwords.

Specializing into a field or Generalize

After I got out of the Air Force, I worked installing Unix-based firewalls and various types of Windows servers around the world. A love for Unix/Linux grew. Command line was awesome. No fumbling GUI and quick response output. I later became a Firewall administrator and soon after a Security administrator, to include IPS/IDS administration. This turned into password cracking, vulnerability scanning, remediation, AV/HIPS administration and more. Security became my number one priority and passion. Many things were learned and shared amongst co-workers. Learning of system weaknesses and vulnerabilities and how to prevent them. So to speak of specialization, later, I became a Network Security Specialist. I worked in a SOC type environment and logging became the big thing. SIEM and enhanced Vulnerability management became a primary duty. Attack patterns, vulnerabilities and event monitoring were amongst the activities we performed.

To gain more insight, training was really important. SANS provides great training and I was able to attend the Intrusion Detection, Penetration Testing and Windows Forensics classes. I also at this time studied and obtained my CISSP. I had previously obtained my CCNA while in the AF as well as MCSE in Windows NT (old skool). These certs were important in obtaining my next position as a Security Consultant/Penetration tester. The change into pentesting was not an easy one. When you start in a specialization you tend to be entry level and salary is appropriate to such. So this transition was a bit hard, but worked out well. Getting experience is important in the position you are in. For example, while working in the SOC, I performed more than vuln scans. I ran some internal pentesting activities where I could to enhance my skills. Kali Linux and other tools were commonly used.

Importance of Experience

I later moved on to another pentesting gig and gained more experience with constant work on testing, projects and clients. A variety of types of pentesting exist. There is Social Engineering, Phone SE, Physical tests, WiFi tests as well as the typical external/internal network tests. This is not even taking into account Web Application or mobile app testing.

Again, training is always a plus such as Social Engineering Training from the guys at SocialEngineer.org, as well as OSCP training.

Experience is always more important and what counts. Whether you go above and beyond in your job and take on extra security type work, or you continue gaining experience from entry level and move up in the ranks, experience needs to be obtained. Certs and training can help you get in the door, even setting up your own hack lab can definitely benefit, but real world action is what proves you can do the work and get hired.

Programming

A plus for any security practitioner is to be able to code and create your own tools. If you can gain notoriety for creating a tool, this is also something employers will look at.

I forgot about a College Degree

I see Degrees and Certifications as similar tools that can be used to get your start in an entry level position, whether it is IT or InfoSec. When I went to school, Computer Science was the only program that was relevant. Now there are Information Security degrees and more specialized programs. I have looked into some, even if to just get my piece of paper, but it is all stuff I already have knowledge on and I would rather spend the money on specific training programs.

So Degrees are good to get a basic foundation, but in my case, on the job experience and training was able to get me all I needed to start off.

Summary

So to sum it up, learn how systems work, then how they are broken, then how bad guys do so. Gain experience in the desired position of your choosing. Use certs, lab experience, education to get your foot in the door. Once you are in, work hard to learn more and more. Keep up as best you can with the latest threats and attacks.

Finally, never give up. Patience is sometimes required and things may not always go your way. Keep at it, keep improving and ask for guidance and help from those you look up to.



Friday, February 26, 2016

Return of the Stealth

So I am back on this blog. Just got rid of my old hosting. Was going to try Tumblr, but chose to use Google Domains with Blogger for full Google integration. Not stuck on it, so we will see how it goes.

I attended AHA last night after a long, long absence.

I need to get ready for BSides Austin.

That's all I got. Later.

Friday, January 21, 2011

Latest Security Breaches

So all of a sudden lately we have seen a bit of a rise in breaches going on:

Gawker
http://gawker.com/5713056/gawker-security-breach-were-here-to-help

This one was a compromise of user/password information. Reminds us not to use the same password for different sites. Password management software is good to use.

IBM Developer
http://www.computerworld.com/s/article/9204300/IBM_DeveloperWorks_site_hacked_and_defaced

Website defacement of one of IBM's sites. Here we learn that we need to do web app testing. It is stated that IBM was doing maintenance during the hack. That sounds like some good timing, but if it is the case, then take some protective measures as you "perform maintenance/pull down your pants to use the bathroom".

Trapster
http://www.computerworld.com/s/article/9205660/
Another user/password compromise. Trapster iPhone/Droid apps don't require registration, but those who have registered may have been compromised. Another Gawker type incident. Tweet from this incident:
"Don't use the same password on multiple sites!"

Lush Cosmetics
http://www.theregister.co.uk/2011/01/21/lush_cosmetics_hack_attack/
Website attack that resulted in the loss of credit card data. Makes you think twice about who you decide to shop with.

Friday, January 14, 2011

0 Day Vulnerability in MS Windows | How to prevent compromise

MS has not released a patch for this vulnerability, but here are some steps to protect yourself.

1. Don't use an account that has admin rights as your primary user account. Have an admin account but only use it to install applications. There is a way to run an exe as another user.

2. Run a fix it if provided. In this case for this vuln, a fix it is provided by MS.

3. Be careful what you open. Social engineering is what a lot of hackers rely on to successfully gain access to people's systems.

Here is a video displaying this exploit in action:

Microsoft Patching: 0day still around and no forecasted release date

Microsoft Tuesday was a few days ago and no patch was released for the graphics rendering engine vulnerability. In a web conference, when asked when the patch was going to be released, Microsoft said they would not forecast a date. I understand this. I just wonder how mad they are with Google researchers, when for the 2nd time (that I know) they release an exploit to force Microsoft to work hard for a fix.

MS is probably getting upset with these guys. Way I see it, it's their fault. Take these guys more seriously.

Anyways, check out this site for a workaround:

http://support.microsoft.com/kb/2490606

I am working on putting out a video of how this could be exploited. Microsoft and IBM Xforce report that this is not being exploited in the wild.

Thursday, January 13, 2011

BSides Austin 2011

So it is time once again for BSides to come to Austin. Even better than last year with 2 days. Mark March 11 and 12 on your calendar and register here.

http://bsidesaustin2011.eventbrite.com/

I have also made some changes to the site. I was at my own hosting, dumped that. Then I was at Tumblr, bumped that. Now I am at Blogger. Hopefully this works out. I think it will.

Thanks for following.