SOCNET

  #121  
Old 20 February 2018, 19:16
BOFH
I aim to misbehave
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,257
Quote:
Originally Posted by HighDragLowSpeed
Not likely the popular opinion here but....

1. There is a lot more to cyber than pen-testing. Actually, pen testing is just a fairly narrow slice of the pie that answers the question, "can someone get into my network using some set of known tests?". Pen tests don't answer the question, "has the network already been breached?". The results of a pen test only provide a list of things to work on and not a state of compromise of your network. That said, even many pen testers don't understand the difference.

2. Most pen testers suck technically. The majority are good at physical access/social engineering to gain credentials. While still exposing many valid vulnerabilities, this approach is completely antithetical to the far more technically oriented approaches in any of the recent major breaches (Home Depot, Target, OPM, you name it). Pen testers generally succeed because most organizations either are focused on the perimeter, think that adherence to compliance frameworks alone is "good enough", or they just are woefully unprepared.

My opinion is that a pen tester won't be able to add value to a defensive security program until they are able to demonstrate two things (A) the ability to execute a kill chain that doesn't start with social engineering and (B) have a deep understanding of the artifacts/indicators that their activities leave behind both on the machines they compromise and other machines to which they want to laterally move. While it seems obvious in theory, that's a fairly rare find in practice.

My suggestion is understand where pen testing fits and be good at it enough to understand how to take what you know to make tangible technical improvements to a security program. Otherwise, it's just a cert...and, gawd knows, we have a bijillion of those running around.

So much this!!
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
  #122  
Old 20 February 2018, 20:05
Paul85
I still think I'm fooling everyone
Join Date: Aug 2013
Location: Poland
Posts: 1,364
Quote:
There is a lot more to cyber than pen-testing. Actually, pen testing is just a fairly narrow slice of the pie that answers the question, "can someone get into my network using some set of known tests?". Pen tests don't answer the question, "has the network already been breached?". The results of a pen test only provide a list of things to work on and not a state of compromise of your network. That said, even many pen testers don't understand the difference.
I occasionally bump into these kinds of people in my line of work. I transitioned from CF to DLP/data security/systems security (and still have one leg in CF), plus I had several years of work as an IT admin for several small and medium companies, so I was able to see the broader picture from the get-go.

Penetration tests are just a small part of red team work and they have value IMO only in a bigger context, just as sociotechnical ones do. So, to be a good pentester you IMO have to be able to see the big picture, be able to understand your role in it, be able to fit into it and provide the rest of the team with valuable output that helps harden the defences and allows the rest of the team (both red and blue) to intermingle it into their work, so the output report actually carries valuable info on how to harden the defences and what to look for if they are breached. It's a combined, hybrid operation and not a one-man show. Long story short, the pentester has to be able to see and analyze his work not only from the red position but also from the blue position and be able to show the blues how and what to look for. Most people know that systems can be broken into. But they need solutions, not just flashy actions.

If anything, the 11 years of my work have taught me extreme humility in saying that I know something or that I can do something. I always tried to provide my clients with solutions based on the combined effort of the entire team, so the IT dept could actually learn and understand what the hell happened instead of being blitzed and told: "Haha, you have been compromised. You suck".

Last edited by Paul85; 20 February 2018 at 20:12.
  #123  
Old 20 February 2018, 20:13
SVDuckman
Confirmed User
Join Date: Jul 2007
Location: US
Posts: 124
I don't disagree at all. At this point I'm still new to IT. I'm currently a Title 32 technician and my job title is IT Asset Manager. I appreciate my job, I do, but I feel I have more to offer than handing out computers. Sure, it is a job that needs to be done, but I'm wanting something more technical. I'd like to get into cyber security but much like general Information Technology, it is a very broad field.

I guess I'm just trying to figure out what I need to do to get the next step. Should I go after an operating system cert like Linux+ or should I move to get one of the more advanced security certs. The college I work for part-time will buy me a voucher for any CompTIA exam. I hope you guys don't take this as me whining, I'm just trying to figure out how to make that leap into something higher paying and Cyber Security isn't going anywhere any time soon.

I'd be willing to send someone my resume to look over if you think it would help. Thanks.

Last edited by SVDuckman; 20 February 2018 at 20:15. Reason: fixed a sentence
  #124  
Old 20 February 2018, 21:31
HighDragLowSpeed
Been There Done That
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,204
Quote:
Originally Posted by SVDuckman
I don't disagree at all. At this point I'm still new to IT. I'm currently a Title 32 technician and my job title is IT Asset Manager. I appreciate my job, I do, but I feel I have more to offer than handing out computers. Sure, it is a job that needs to be done, but I'm wanting something more technical. I'd like to get into cyber security but much like general Information Technology, it is a very broad field.

I guess I'm just trying to figure out what I need to do to get the next step. Should I go after an operating system cert like Linux+ or should I move to get one of the more advanced security certs. The college I work for part-time will buy me a voucher for any CompTIA exam. I hope you guys don't take this as me whining, I'm just trying to figure out how to make that leap into something higher paying and Cyber Security isn't going anywhere any time soon.

I'd be willing to send someone my resume to look over if you think it would help. Thanks.
check your PMs
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.
  #125  
Old 27 February 2018, 08:31
CV
Authorized Personnel
Join Date: Apr 2003
Location: US
Posts: 7,680
Quote:
Originally Posted by SVDuckman
I don't disagree at all. At this point I'm still new to IT. I'm currently a Title 32 technician and my job title is IT Asset Manager. I appreciate my job, I do, but I feel I have more to offer than handing out computers. Sure, it is a job that needs to be done, but I'm wanting something more technical. I'd like to get into cyber security but much like general Information Technology, it is a very broad field.

I guess I'm just trying to figure out what I need to do to get the next step. Should I go after an operating system cert like Linux+ or should I move to get one of the more advanced security certs. The college I work for part-time will buy me a voucher for any CompTIA exam. I hope you guys don't take this as me whining, I'm just trying to figure out how to make that leap into something higher paying and Cyber Security isn't going anywhere any time soon.

I'd be willing to send someone my resume to look over if you think it would help. Thanks.
A+, Net+, Sec+, then Linux+. Build incrementally and master the basics. You can skip A+ if you already have a good understanding of computers. Net+ and Sec+ will give you a solid foundation from which you can choose your path, too. Cybersecurity has many functional areas. Linux+ is great for learning *nix CLI and structure. It's not a bad choice to go after, but alone won't necessarily land you a gig.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo
  #126  
Old 27 February 2018, 22:01
SVDuckman
Confirmed User
Join Date: Jul 2007
Location: US
Posts: 124
Quote:
Originally Posted by CV
A+, Net+, Sec+, then Linux+. Build incrementally and master the basics. You can skip A+ if you already have a good understanding of computers. Net+ and Sec+ will give you a solid foundation from which you can choose your path, too. Cybersecurity has many functional areas. Linux+ is great for learning *nix CLI and structure. It's not a bad choice to go after, but alone won't necessarily land you a gig.
I have A+ and Sec+. My Linux experience is limited, but I'm currently running the latest LTS release for the Mint distro. Thanks for the advice, CV!
  #127  
Old 28 February 2018, 11:12
BOFH
I aim to misbehave
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,257
Quote:
Originally Posted by SVDuckman
I have A+ and Sec+. My Linux experience is limited, but I'm currently running the latest LTS release for the Mint distro. Thanks for the advice, CV!

This stuff is very deep, and is intended to be an instructor resource, but the information is all good stuff. I don't know if you're ready for this level of information or not (that's not a knock...it's just deep stuff, and may need to be built up to), but when you are, and you start going through it, feel free to reach out, and I'll help however I can.

http://opensecuritytraining.info/Training.html

I also run an "infosec mentors" group, if you want an invite. It's mostly people in my local area, but you're more than welcome to hang around and ask questions.
  #128  
Old 1 March 2018, 12:37
CV
Authorized Personnel
Join Date: Apr 2003
Location: US
Posts: 7,680
Quote:
Originally Posted by SVDuckman
I have A+ and Sec+. My Linux experience is limited, but I'm currently running the latest LTS release for the Mint distro. Thanks for the advice, CV!
Linux+ is fine, but the cert isn't as beneficial as others. You can learn Linux+ content, and have it in your back pocket. If you're cert-chasing (which is fine), I would substitute it for CEH.
  #129  
Old 1 March 2018, 20:14
SVDuckman
Confirmed User
Join Date: Jul 2007
Location: US
Posts: 124
Quote:
Originally Posted by BOFH
This stuff is very deep, and is intended to be an instructor resource, but the information is all good stuff. I don't know if you're ready for this level of information or not (that's not a knock...it's just deep stuff, and may need to be built up to), but when you are, and you start going through it, feel free to reach out, and I'll help however I can.

http://opensecuritytraining.info/Training.html

I also run an "infosec mentors" group, if you want an invite. It's mostly people in my local area, but you're more than welcome to hang around and ask questions.
Some of that stuff is admittedly over my head, however I'm not opposed to starting at the beginner tier and working my way up. Also, sent you a PM regarding the InfoSec mentors group you mentioned.

Quote:
Originally Posted by CV
Linux+ is fine, but the cert isn't as beneficial as others. You can learn Linux+ content, and have it in your back pocket. If you're cert-chasing (which is fine), I would substitute it for CEH.
I'm not necessarily cert-chasing just looking at what I can do to prove to employers that I have the chops for a more technical role.

Thanks for the resources and advice!
  #130  
Old 10 April 2018, 17:20
LSUinNL
Registered User
Join Date: Oct 2011
Location: San Antonio, TX
Posts: 8
Splunk

I saw this today and wanted to pass it on.

Free Splunk training for Soldiers and veterans. Once signed up, you have 30 days to complete the training.

1. https://workplus.splunk.com/veterans

2. Verify with Troop ID, create an ID.me account or sign in if you currently have an account.

3. Answer the questions to validate veteran and active military status. Here are a couple of the questions:
a. @mail.mil email address?
b. USAA membership ID?
c. DD 214

4. Create a Splunk username or use your existing login.

5. Within 2 business days Work + should send you an email that will allow you to access the classes at $0.

6. Go back to https://workplus.splunk.com/veterans and log in. The following classes will be available:
a. Courses: Using Splunk, Searching and Reporting, Creating Knowledge Objects, Splunk Infrastructure.

**Please note that there is a 30 day time limit on all courses once they are started**
  #131  
Old 10 April 2018, 21:06
SVDuckman
Confirmed User
Join Date: Jul 2007
Location: US
Posts: 124
Quote:
Originally Posted by LSUinNL
I saw this today and wanted to pass it on.

Free Splunk training for Soldiers and veterans. Once signed up, you have 30 days to complete the training.

1. https://workplus.splunk.com/veterans

2. Verify with Troop ID, create an ID.me account or sign in if you currently have an account.

3. Answer the questions to validate veteran and active military status. Here are a couple of the questions:
a. @mail.mil email address?
b. USAA membership ID?
c. DD 214

4. Create a Splunk username or use your existing login.

5. Within 2 business days Work + should send you an email that will allow you to access the classes at $0.

6. Go back to https://workplus.splunk.com/veterans and log in. The following classes will be available:
a. Courses: Using Splunk, Searching and Reporting, Creating Knowledge Objects, Splunk Infrastructure.

**Please note that there is a 30 day time limit on all courses once they are started**
Nice!
  #132  
Old 11 April 2018, 06:16
CV
Authorized Personnel
Join Date: Apr 2003
Location: US
Posts: 7,680
Learning Splunk (and log aggregation) is a great skill to add. Good find!
  #133  
Old 11 April 2018, 10:00
BOFH
I aim to misbehave
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,257
I've started working through this one with my DFIR team (I'm currently the only RE on the team, and I'm trying to cross-train). Excellent intro course, and I wish it had existed back when I was getting started.

https://securedorg.github.io/RE101/
  #134  
Old 11 June 2018, 12:40
CV
Authorized Personnel
Join Date: Apr 2003
Location: US
Posts: 7,680

It's been a while since I've added to this thread. Not much has changed in the landscape other than the big nasty monster that is GDPR. GDPR (General Data Protection Regulation) is a regulation in the European Union that affects how entities can store, process, and manage an individual's personal info. It's a huge, sweeping law that has implications for many US-based businesses as well.

I could create an entire new thread on just Privacy and GDPR, but I'll spare SOCNET unless someone really wants me to.

That said, Privacy has quickly become a hot-cake in Cybersecurity. It would behoove any security practitioner to pick up some knowledge in privacy and even a certification to validate it. The CIPP is fairly well respected, but it's written by attorneys, so be prepared for extra dry content. Read more here about the certification: https://iapp.org/certify/cipp/

Personal commentary: it's a sad state of affairs that the EU is absolutely crushing the US in terms of privacy protections for individuals. They are light-years ahead of us and GDPR provides a stark contrast in just how we operate here. One would think the Fourth Amendment is stronger, but case law seems to say otherwise, as do the actions of our government in relation to collection and storage. /rant
  #135  
Old 11 June 2018, 15:39
cedsall
giving you a number
Join Date: Aug 2010
Location: Washington, DC
Posts: 395
Quote:
Originally Posted by CV
I could create an entire new thread on just Privacy and GDPR
Let me sum it up: "We have a new privacy policy..."
  #136  
Old 11 June 2018, 18:51
HighDragLowSpeed
Been There Done That
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,204
GDPR isn't really a cyber issue - it's a data governance and data treatment issue. Lots of good things in GDPR that should be done anyway that positively impact one's cyber efforts.

That said, ignoring the marketing hype and reading through the actual regulation, there's very little in terms of cyber specific requirements.
  #137  
Old 12 June 2018, 08:42
Silverbullet
Administrator
Join Date: Aug 2000
Location: Bunker
Posts: 15,036
I deal with GDPR every day, including providing products and services that have to be GDPR compliant. In a nutshell it puts control of a person's PII in their control. Opt in as compared to opt out, with huge regulatory penalties for those organizations that don't comply.

Data handling is a key component of the regulation.
  #138  
Old 12 June 2018, 09:49
MountainBum
Vivat Fraternitatis
Join Date: Apr 2004
Location: OCONUS
Posts: 897
Quote:
Originally Posted by BOFH
I've started working through this one with my DFIR team (I'm currently the only RE on the team, and I'm trying to cross-train). Excellent intro course, and I wish it had existed back when I was getting started.

https://securedorg.github.io/RE101/
Amanda's legit. And hot.
  #139  
Old 12 June 2018, 14:38
CV
Authorized Personnel
Join Date: Apr 2003
Location: US
Posts: 7,680
Quote:
Originally Posted by HighDragLowSpeed
...there's very little in terms of cyber specific requirements.
Implementation of tools and capabilities that store or process personal information--to include metadata (such as cookies, et al.) means there's a huge cyber implication. Article 32 of GDPR alone is enough to make that correlation.

Privacy and Cybersecurity are hand in hand. There's little way around that when managing human data. These points aside, I am merely trying to add to this thread to assist those seeking employment or lateral movement within security, cybersecurity, or information assurance. Learning Privacy is a big way to bolster your prospects.
  #140  
Old 13 June 2018, 06:15
HighDragLowSpeed
Been There Done That
Join Date: Dec 2006
Location: Only Place For Me
Posts: 5,204
Quote:
Originally Posted by CV
Article 32 of GDPR alone is enough to make that correlation.
There are 99 articles in GDPR. Almost every one is around how an org governs and treats data. You've pointed to one that certainly reinforces my other point.

Quote:
Originally Posted by HighDragLowSpeed
Lots of good things in GDPR that should be done anyway that positively impact one's cyber efforts.
From Article 32 itself - which of the below shouldn't a sound cyber program already have?

"implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk"

"ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services"

"restore the availability and access to personal data in a timely manner in the event of a physical or technical incident"

"regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing"

"appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed."


I've boiled down all of article 32 above. If I asked you to point me to one that establishes some new cybersecurity standard or prescriptive cyber requirement in that article or any other that isn't just an existing sound cyber practice, I'd be waiting here for a long time.

The problem is that more people read the marketing hype than read the actual regulation. I'll stand by my statement that GDPR has involved lots of cyber marketing hype for what is essentially a data governance and data treatment exercise that falls outside of cybersecurity.

If your GDPR efforts within an org originate from the cyber team rather than whomever "owns" the data, I'd suggest that you are doing it wrong.

Quote:
Originally Posted by CV
Learning Privacy is a big way to bolster your prospects.
This I agree with.
Last edited by HighDragLowSpeed; 13 June 2018 at 06:27.