DerbyCon is the Shizzle Bizzle!!

How many times do we as security professionals, nerds, and H4x0rs get to participate in a groundbreaking industry event?  Not many, and this is one not to be missed!!  Better than the Shamwow and more versatile than the Magic Bullet, DerbyCon is poised to give many other security conferences a run for their money.  The schedule for the event reads like the “who’s who” of information security and promises to be every bit as good as DefCon, ShmooCon, and ToorCon.

Interested?  Good, then click the image above!!

I’m thinking that this will be the Sean Connery James Bond of security conferences to come.  I hope to see you there!


Certifiably certified certification

Outside of the normal security stuff from Dark Reading, I came across an article on security certifications.  I’ve had some great conversations with different risk and security individuals on this topic, and while most agree that a certification shows you’re competent in the discipline, it also has a dark side.  A side I hope the security certifications are not heading toward, though I’ve seen evidence to the contrary.  I’ll refrain from naming the certs that, in my estimation, are being abused or at the very least misrepresented by some who hold them, but I’m fairly confident that you know which certifications I mean.

REWIND… back to the late 90’s and early 2000’s.  Radio ads blasting about the shortage of IT professionals and the promise of a great salary after you obtain the latest and hottest certifications.  Take the test online to see if you have the aptitude and ability to get yours in 6 months!  What certification can you earn?  MCSE (Microsoft Certified Systems Engineer), CNA (Certified Novell Administrator), CCNA (Cisco Certified Network Associate), among other top tier certifications…

Listener1:  Wow!  I can become certified in less than 6 months and they guarantee that I’ll pass!

Listener2:  And we can start making real money!!!!  Did you hear that?  Companies are paying more than 60k for someone with those!!!!

Listener1:  Yeah, let’s go and blow the 7k it’s gonna cost us to get certified!  We’ll be able to pay back the loan in no time once we get the job.

REALITY… The market became flooded with these paper tigers who had no practical experience, but they had a certification!  Like any good multi-level marketing scheme, those who got in first realized the gain and got out, while the rest rode out the trend without ever seeing the salaries that had been promised.  Wah, wah, wahhhhhhh….. Thanks for playing!!!  I saw it time and time again: these guys coming in and not even being able to perform basic troubleshooting because it wasn’t something they learned how to fix or do in their class.  Or better yet, I’ve got some idiot telling me that what I’m doing is wrong, even when it corrects their mistake!  Sounds to me like the certification mills churned out a true disparity between certified and practical skills.  I haven’t heard much about those ads lately; maybe my economics class was correct in saying the market will correct itself!

I’m not against certification at all.  I have a few myself, but they are in things that I actually have experience in, backed up by my resume and a list of people who are willing to provide recommendations.  I also don’t have any issue with the testing centers.  My issue is with how they market their certification services.  There are many which are reputable and have been used by those in the field who are looking to expand their repertoire.  My fear is that we have people holding security certifications because they’re the hottest, sexiest thing on the market and will make them beaucoup greenbacks.  In reality, all it is doing is detracting from the legitimate security professionals who’ve put the time into the profession and realize that certifications are just another step in their career and not just a payday.  It’s also potentially promoting a false sense of comfort that the individual a company is hiring is fully competent.  To me the most disturbing part is that we’ve now got people proselytizing security who are not able to practically help protect the company that hired them.  How many times have we been in meetings where a self-professed, certified security guy starts spouting off “we need to secure…”, “if we don’t we’ll be hacked” and other self-serving comments to instill FUD in those in the meeting?  In my mind, not only did they diminish the certification, but they made the rest of us look like a bunch of Chicken Littles.  Why?  Because they used emotion and passion to invoke a response from something they’ve read about, rather than having the practical experience and data to back up the request or argument.

So you’re probably asking which certifications I would select and why.  Here’s a small subset of my list:

  • If you’re going to be in management, then the CISSP (Certified Information Systems Security Professional) and CISM (Certified Information Security Manager) are good.  As a bit of a disclaimer, do not expect someone with a CISSP to be extremely technical.  The CISM is a bit more technically focused, but not as in-depth technically as it could be.  Again, from the management perspective I would expect a manager to have one of these, as the breadth of knowledge is what’s required, versus a certification that is more technically focused.
  • If you’re going to be a security assessment/pentester type, again this is my opinion, the OSCP (Offensive Security Certified Professional) is one of the more technically in-depth certifications.  Based on my experiences with those who have this certification, they really know how to get in and perform manual and tool-based pentesting.  Learning that Dave Kennedy (ReL1k) has gone through the testing himself has put the Offensive Security certifications even higher on my legitimacy radar.
  • There are also vendor certifications like Cisco’s, which I think are valid, but for my own path they are more of a way to get deeper into that vendor’s technology.

I’ve ranted enough on this for the evening….  Paper tigers are a pet peeve and only serve to oversaturate an already tough profession with their inexperience and inability to provide solid recommendations that actually make a company more secure.

Oddjob, grab your bowler and sharpen the new ceramic blade we bought… Time to go hunting!

Security is no guarantee, vigilance is!

Going through one of many portable drives, I came across this video I made.  The company shall remain nameless, but it was probably made around 2005 in a vacant office within the building.  I remember that we wanted to create an educational and fun video around the physical aspect of cabled laptops and the false sense of security they provide.  During that time there was a rash of thefts, and the response to the thefts was to buy the cable locks and mandate that they be used.  Alas, the tools of our security became just another challenge for the “Gone in 60 Seconds” crew.  Forget the fact that you can pop the top off the work surface and most of the cubicle prairie dog population will ignore it or have their iPod at full blast.  This was much more subtle and effective.  During lunch or before/after hours, it was the perfect physical exploit.  Now Oddjob and Jaws had a physical asset to resell, with the potential for access to valuable data that could be sold and resold in secondary markets.

The funny thing is that this is still as relevant today as it was back then…  Security is no guarantee, vigilance is!

The start of it all….

Bond: I think that’s enough, Goldfinger, you’ve made your point.
Goldfinger: Choose your next witticism wisely, Mr. Bond, it may be your last.
Bond: Do you expect me to talk?
Goldfinger: No, Mr. Bond, I expect you to die!

Okay, okay… Yes, I have a fascination with James Bond!  What nine year old growing up in the late 70’s and early 80’s didn’t want to be the suave, debonair, and dangerous Mr. Bond?  With all the cool gadgets and cars, spying was easy and the women easier!  Ahhh, the days when a chocolate milk martini, shaken not stirred, was “de rigueur” and the realistic cap guns that had the look of a Walther, with a magazine for the caps, have long faded into the past.

So what does this have to do with security and risk?  A lot, if we look at all the social engineering and breaking in, whether into buildings or computer systems, to obtain information to protect the interests of the Crown and save the world!  Ah yes, it was very simple, and the computers could be fooled with a very simple brute force attack.  Why?  Because it follows the fact that users, no matter how evil or clever they are, want easy access to their systems, and Mr. Bond was smart enough to see through their facade and guess the password in a few tries.  Why was Mr. Bond able to get information from people?  Because he understood the words that opened the gate to helpful human nature, and how to use deception to appeal to that human nature.

Eureka!  Thank you, Mr. Bond!  The whole time you were just preparing us for our as-yet-unknown careers in the cyber world.  Through your skullduggery and exploits we have the basic framework for penetration/security testing and assessment: reconnaissance, enumeration, analysis, exploitation, and exfiltration.  Is that all of the steps?  No, but these are the main areas that set the stage for what we do as security professionals engaged in that type of activity.  In a roundabout way it is also how security professionals identify risk through assessment, and what the mitigating controls should be.

With that said, are security and risk inherently the same?  No, but there are commonalities, as both are trying to identify vulnerabilities for remediation before the incident happens.

Okay, enough for tonight, and an okay start to kick off the blog!
