DerbyCon the beginning…

I have to say without a doubt that the first day at DerbyCon was tremendous!  Everything seemed very well run and organized from the beginning.  The Hyatt Regency has very nice conference facilities that are easy to access; literally just through the main entrance.  It’s also nice having the track rooms and other activities (Lock Picking village, Hardware Hacking, Vendors) on the same floor and accessible within an extremely short walk.  Some of the sponsors of the event such as Accuvant, fishnet security, Rapid7, No Starch Press, and Syngress were onsite.  Enjoy the venue for now; I suspect that as the con continues to grow in popularity a much bigger space will need to be found.

Even though Black Hat and DefCon were just last month the presenters had fresh and new material that had not been seen (at least that I can recall).  It was also nice only having the one track to choose from to ease one into the cornucopia of security goodness that will occur over the next few days.  A few notable moments and observations:

  • Those attending the con seem to be much more of the Black Hat crowd, the 30-something security professionals (there were a few mohawks out there but not many).
  • Dave Kennedy, Adrian Crenshaw, and Martin Bos have pulled together the “who’s who” in information security for this event.  There’s not a talk on the schedule that doesn’t pique my interest!
  • The venue is excellent for the inaugural event.  The audio/visual was excellent and there were no technical mishaps or outages during the technical presentations.
  • Seeing the Adaptive Penetration Testing session with Dave Kennedy and Kevin Mitnick may have been the icing on any Fanboy’s proverbial cake.  To see both present and then Dave reveal the new changes in the SET by performing a demo was awesome and I know made many anxious for the updated release this weekend.

There was one talk that really stood out and that was Johnny Long’s Hackers for Charity update.  It’s interesting and refreshing to see the community aspect of the Con.  With so many individual projects and presentations, to actually see what the Security and H4x0r community can accomplish for a great cause is very inspiring.  This is not the only Con to have this type of presentation for a need in the community but again, to hear of the scale and difference that people are trying to make with their skills, time, and resources is truly astounding!  I’m also impressed that regardless of Johnny’s religious beliefs, individuals can see that what he’s doing is much more than a calling for him.  By providing the Ugandans with food and a valuable skill, they are not only giving them a livelihood, they are giving them hope for a better life, which they are realizing with Johnny’s non-profit and the others that are linked with his group.  Another extension of what he’s doing can be found at InfoSec Without Borders.  This is an initiative to help charities and non-profits with their information security needs.  I hadn’t given it much thought in the past or even realized that non-profits don’t have the staff or ability to help secure their assets and data.  This struck me just as hard as what Johnny’s non-profit is doing in Uganda.  Both of these really have me wanting to give back both in time and money and I will definitely be reaching out to see what I can do to help.  I hope that others step up and consider volunteering or donating to these worthy causes.

Great first day!  Heading off to the Accuvant party at the Maker’s Mark Lounge on 4th Street for some frosty adult beverages and a chill night.

Get ready for the ride, the next two days are gonna be off the hook!


DerbyCon is the Shizzle Bizzle!!

How many times do we as security professionals, nerds, and H4x0rs get to participate in a ground-breaking industry event?  Not many, and this is one not to be missed!!  Better than the Shamwow and more versatile than the Magic Bullet, DerbyCon is poised to give many other security conferences a run for their money.  The schedule for the event reads like the “who’s who” in information security and is poised to be just as good as DefCon, ShmooCon, and ToorCon.

Interested?  Good, then click the image above!!

I’m thinking that this will be the Sean Connery James Bond of Security Conferences to come.  I hope to see you there!

Certifiably certified certification

Outside of the normal security stuff from Dark Reading I came across an article on Security Certifications.  I’ve had some great conversations with different risk and security individuals on this topic, and while most agree that a certification shows you’re competent in the discipline, it also has a dark side.  A side that hopefully the security certifications are not heading toward, but I’ve seen evidence to the contrary.  I’ll keep from naming certs that, in my estimation, are being abused or at the very least misrepresented by some who have them, but I’m fairly confident that you know which certifications I mean.

REWIND… back to the late 90’s and early 2k’s.  Radio ads blasting about the shortage of IT professionals and the promise of a great salary after you obtain the latest and hottest certifications.  Take the test online to see if you have the aptitude and ability to get yours in 6 months!  What certification can you earn?  MCSE (Microsoft Certified System Engineer), CNA (Certified Novell Administrator), CCNA (Cisco Certified Network Administrator) among other top tier certifications…

Listener1:  Wow!  I can become certified in less than 6 months and they guarantee that I’ll pass!

Listener2:  And we can start making real money!!!!  Did you hear that?  Companies are paying more than 60k for someone with those!!!!

Listener1:  Yeah, let’s go and blow the 7k it’s gonna cost us to get certified!  We’ll be able to pay back the loan in no time once we get the job.

REALITY… The market became flooded with these paper tigers who had no practical experience, but they had a certification!  Like any good multi-level marketing scheme, those who got in first realized the gain and got out while the rest rode out the trend without any realization of the salary claims being made.  Wah, wah, wahhhhhhh….. Thanks for playing!!!  I saw that time and time again with these guys coming in and not even being able to perform basic troubleshooting because it wasn’t something they learned how to fix or do in their class.  Or better yet, I’ve got some idiot telling me that what I’m doing is wrong, even if it corrects their mistake!  Sounds to me like the certification mills have churned out a true disparity between certified and practical skills.  I haven’t heard much about those lately; maybe my economics class was correct in saying the market will correct itself!

I’m not against certification at all.  I have a few myself, but they are in things that I actually have experience in, backed up by my resume and a list of people who are willing to provide recommendations.  I also don’t have any issue with the testing centers.  My issue is in how they’re marketing their services for certifications.  There are many which are reputable and have been used by those in the field who are looking to expand their repertoire.  My fear is that we have people with security certifications because they’re the hottest, most sexy thing on the market that will make them beaucoup greenbacks.  In reality, all it is doing is detracting from the legitimate security professionals who’ve put the time into the profession and realize that the certifications are just another step in their career and not just a payday.  It’s also potentially promoting a false sense of comfort that the individual a company is hiring is fully competent.  To me the most disturbing part is that we’ve now got people proselytizing security and not being able to practically help protect the company that’s hired them.  How many times have we been in meetings where a self-professed, certified security guy starts spouting off “we need to secure…”, “if we don’t we’ll be hacked” and other self-serving comments to instill FUD in those in the meeting?  In my mind, not only did they diminish the certification, but they made the rest of us look like a bunch of Chicken Littles.  Why?  Because they used emotion and passion to invoke a response from something they’ve read about rather than having the practical experience and data to back up the request or argument.

So you’re probably asking what certifications I would select and why.  Here’s a small subset of my list:

  • If you’re going to be in Management then the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) are good.  As a bit of a disclaimer, do not expect someone with a CISSP to be extremely technical.  The CISM is a bit more technically focused but not as in-depth technically as it could be.  Again, from the Management perspective I would expect a Manager to have one of these, as the breadth of knowledge is required versus a certification that is more technically focused.
  • If you’re going to be a security assessment/pentester type, again this is my opinion, the OSCP (Offensive Security Certified Professional) is one of the more technically in-depth certifications.  Based on my experiences with those who have this certification, they really know how to get in and perform manual and tool-based pentesting.  Learning that Dave Kennedy (ReL1k) has even gone through the testing has put the Offensive Security certifications even higher on my legitimacy radar.
  • There are also vendor certifications like Cisco’s, which I think are valid but for my own path are more of a way to get deeper into their technology.

I’ve ranted enough on this for the evening….  Paper tigers are a pet peeve and only serve to oversaturate an already tough profession with their inexperience and inability to provide solid recommendations that actually make a company more secure.

Oddjob, grab your bowler and sharpen the new ceramic blade we bought… Time to go hunting!

Security is no guarantee, vigilance is!

Going through one of many portable drives I came across this video I made.  The company shall remain nameless, but it was probably made around 2005 in a vacant office within the building.  I remember that we wanted to create an educational and fun video around the physical aspect of cabled laptops and the false sense of security they provide.  During that time there was a rash of thefts and the response was to buy the cables and mandate that they be used.  Alas, the tools of our security became just another challenge to the “Gone in 60 Seconds” crew.  Forget the fact that you can pop the top of the work surface and most of the cubicle prairie dog population will ignore it or have their iPod on full blast.  This was much more subtle and effective.  During lunch or before/after hours, it was the perfect physical exploit.  Now Oddjob and Jaws had a physical asset to resell, with the potential for access to valuable data that could be sold and resold in secondary markets.

The funny thing is that this is still as relevant today as it was back then…  Security is no guarantee, vigilance is!

The start of it all….

Bond: I think that’s enough, Goldfinger, you’ve made your point.
Goldfinger: Choose your next witticism wisely, Mr. Bond, it may be your last.
Bond: Do you expect me to talk?
Goldfinger: No, Mr. Bond, I expect you to die!

Okay, okay… Yes, I have a fascination with James Bond!  What nine-year-old growing up in the late 70’s and early 80’s didn’t want to be the suave, debonair, and dangerous Mr. Bond?  With all the cool gadgets and cars, spying was easy and the women easier!  Ahhh, the days when a chocolate milk martini, shaken not stirred, was “de rigueur” and realistic cap guns that had the look of a Walther, with a magazine for the caps, have long faded into the past.

So what does this have to do with security and risk?  A lot, if we look at all the social engineering and breaking in, whether to buildings or computer systems, to obtain information to protect the interests of the Crown and save the world!  Ah, yes, it was very simple and the computers could be fooled with the very simple brute force attack.  Why?  Because it follows the fact that users, no matter how evil or clever they are, want easy access to their systems, and Mr. Bond was smart enough to see through their facade and guess it in a few tries.  Why was Mr. Bond able to get information from people?  Because he understood the words that opened up the gate to the helpful human nature and how to use deception to appeal to that human nature.

Eureka!  Thank you, Mr. Bond!  The whole time you were just preparing us for our as yet unknown careers in the cyber world.  Through your skullduggery and exploits we have the basic framework for penetration/security testing and assessment: reconnaissance, enumeration, analysis, exploitation, and exfiltration.  Are those all of the steps?  No, but these are the main areas that set the stage for what we do as security professionals engaged in that type of activity.  In a roundabout way it is also a way for security professionals to identify risk through assessment and decide what the mitigating controls should be.

With that said, are security and risk inherently the same?  No, but there are commonalities as they are both trying to identify vulnerabilities for remediation before the incident.

Okay, enough for tonight, and an okay start to kick off the blog!
