Tech Skills Matter in Security

the_Grinch Member Posts: 4,165
Executed a search warrant today with our Cyber Crimes Unit (I'm in a different unit, but go out for mobile phone forensics and driving the van). House is secure and they proceed to begin the search. This typically involves finding the modem/router to get information from it. A search of the dwelling comes up with no modem/router. I walk in to assist and think back to my days as a lowly tech running coax and network cable. Find the run that comes into the house and splits off. When I looked closely I realized that it split into three and not two like they had believed. Lo and behold, I follow it, go upstairs (as they begin to get ready to climb in the attic) and go to another bedroom. Seems there was a table (amongst some other items) piled in front of a closet. Move that stuff, open it up and there sits the modem/router (along with another computer).

Moral of the story, those tech skills you had at the beginning of your career can definitely come in handy later on when you are doing other work.
WIP:
PHP
Kotlin
Intro to Discrete Math
Programming Languages
Work stuff

Comments

  • PCTechLinc Member Posts: 646
    It pains me when I talk to people that have the high-end IT Security positions and they ask me extremely basic questions about technical things. When I call them on it (professionally of course), they say "oh I haven't had to work with that for years..." or "I knew that back when I was certified in NT 4.0". Can't wait until MY salary is that high that I can forget all my technical skills... /rant
    Master of Business Administration in Information Technology Management - Western Governors University
    Master of Science in Information Security and Assurance - Western Governors University
    Bachelor of Science in Network Administration - Western Governors University
    Associate of Applied Science x4 - Heald College
  • the_Grinch Member Posts: 4,165
    Haha, I won't lie, there is a ton I have forgotten. Even in the last 18 months I've forgotten some of the stuff I used to do on a daily basis, but it's a big change to go from managing 18 servers (plus the software running on them) along with security analysis to dealing solely in phones for the most part. At the same time I remain humble when/if I forget something.
  • UnixGuy Mod Posts: 4,570
    PCTechLinc wrote: »
    It pains me when I talk to people that have the high-end IT Security positions and they ask me extremely basic questions about technical things. When I call them on it (professionally of course), they say "oh I haven't had to work with that for years..." or "I knew that back when I was certified in NT 4.0". Can't wait until MY salary is that high that I can forget all my technical skills... /rant

    At least they've seen/heard of NT 4.0 ..... The 'high-end' IT security people some of them haven't even worked in other fields, some came from Laptop support roles straight to security...or just auditing...or policing..
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • cyberguypr Mod Posts: 6,928
  • tedjames Member Posts: 1,179
    That's cool that you're involved in those types of investigations! Also, it pays to be extremely observant if you're working in security or any profession that deals with the well being of others. We have to notice things that others don't.
  • the_Grinch Member Posts: 4,165
    tedjames wrote: »
    That's cool that you're involved in those types of investigations! Also, it pays to be extremely observant if you're working in security or any profession that deals with the well being of others. We have to notice things that others don't.

    I do thoroughly enjoy my job and the work I do is very worthwhile. Buddy of mine has been pushing me to go back to the private sector because I would make vastly more, but the job satisfaction isn't there. Pay isn't horrible and the hours can be grueling, but there aren't too many jobs out there (in IT especially) where you can say you truly make a difference.
  • slinuxuzer Member Posts: 665
    My personal opinion has always been that to move into a senior security position, you should be required to have a minimum number of years in systems or network engineering, employers rarely see it this way. Sadly I've seen people come straight from accounting and after being sent to five or six week long courses for "hacking" or whatever, they end up setting technical security policy for Fortune 200 / 500 companies.

    The interiors of your average American company are so soft, I can't believe anyone stays hacker free.
  • the_Grinch Member Posts: 4,165
    Two types of companies in this world: those who have been hacked and those who just don't know they've been hacked.
  • tedjames Member Posts: 1,179
    the_Grinch wrote: »
    I do thoroughly enjoy my job and the work I do is very worthwhile. Buddy of mine has been pushing me to go back to the private sector because I would make vastly more, but the job satisfaction isn't there. Pay isn't horrible and the hours can be grueling, but there aren't too many jobs out there (in IT especially) where you can say you truly make a difference.

    That's my feeling about working in the public sector. I just get so much more out of what I do, and many of us in state employment talk and share information. We aren't in competition; we help each other out since we're all working for the greater good of the state's citizens.
  • tedjames Member Posts: 1,179
    the_Grinch wrote: »
    Two types of companies in this world: those who have been hacked and those who just don't know they've been hacked.

    I've been saying that for years. Gotten lots of laughs with that line.
  • DatabaseHead Member Posts: 2,754
    Good post and so true.
  • the_Grinch Member Posts: 4,165
    tedjames wrote: »
    That's my feeling about working in the public sector. I just get so much more out of what I do, and many of us in state employment talk and share information. We aren't in competition; we help each other out since we're all working for the greater good of the state's citizens.

    Agreed! We do have a bit of a competition with another agency (we do the same work), but my unit and their unit work very well together (even though the agencies have issues). Within our agency we all work extremely well together and help whenever possible. Extra manpower for security, assist with skills one unit may lack and information sharing on techniques we uncover. End of the day is just like you said, we want to assist the public and working together is the best way to do that.
  • NavyMooseCCNA Member Posts: 544
    One of the reasons I am looking at focusing on governance, policy, and compliance is that I have never had the opportunity to develop good hands on skills. I have theoretical knowledge from reading, but I found it almost impossible to find a position where I could develop the hands on skills.

    'My dear you are ugly, but tomorrow I shall be sober and you will still be ugly' Winston Churchill

  • the_Grinch Member Posts: 4,165
    One of the reasons I am looking at focusing on governance, policy, and compliance is that I have never had the opportunity to develop good hands on skills. I have theoretical knowledge from reading, but I found it almost impossible to find a position where I could develop the hands on skills.

    Sometimes you just gotta keep trucking. I was definitely in your shoes when I started out and the industry hasn't changed much in the almost decade I've been in it. Everyone wants you to have experience, but doesn't want to give you the means by which to obtain it. I will say I very much enjoyed the policy/compliance arena, but having some hands on experience definitely assists in that sphere. The IT people you deal with will have much better respect for you when they realize you have technical skills behind you. I'd often change their views towards a policy when they saw that I understood where they were coming from and could offer a solution that would not only pass compliance, but technical muster.
  • LonerVamp Member Posts: 518
    It's not so much about forgetting it due to salary. It's forgetting things due to a) time and b) lack of practice/renewal/refreshing, and c) new things.

    Just to illustrate those...

    a/b- This is why that game show from years ago, "Are You Smarter Than a 5th Grader," was pretty wicked and yet depressing. Basic questions are asked that kids are exposed to as they sponge up knowledge. But so much of that is lost as we get older. Capital of ...wait...what country? I don't even remember that country! Watching that show was an exercise in tickling my brain, knowing I knew that once, but can only guess now.

    c- I've been in tech for 16 years, and done pretty well for myself. I have weaknesses. I am bad with my mobile devices. I don't fiddle with them like I used to; I literally just want them to work and do what I want. Updating an app and having it change my life or screw up my phone is a nightmare anymore. Likewise, I loved XP, knew it inside and out, ran WindowBlinds, etc. I'll never know an OS as well as I knew that one. And indeed, now that I haven't done desktop work in many years, those guys can run some circles around me on things (though I still have low level skills that are always applicable, like reading the damn logs).

    Time moves on, technology changes, and we get older and move on as well. It happens. :)

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
  • paul78 Member Posts: 3,016
    the_Grinch wrote: »
    I do thoroughly enjoy my job and the work I do is very worthwhile. Buddy of mine has been pushing me to go back to the private sector because I would make vastly more, but the job satisfaction isn't there.
    Wow - It's been pretty neat to read your posts over the years. That's awesome to see where you landed and what you do. Sounds like you are enjoying the work and that's really hard to beat. Most of the forensics folks that I know in private sector find the work to be extremely monotonous if they are in a corporate enterprise. And for those in consultancy's - the work is grueling since they are often traveling and dealing with billables.
  • NavyMooseCCNA Member Posts: 544
    the_Grinch wrote: »
    Sometimes you just gotta keep trucking. I was definitely in your shoes when I started out and the industry hasn't changed much in the almost decade I've been in it. Everyone wants you to have experience, but doesn't want to give you the means by which to obtain it. I will say I very much enjoyed the policy/compliance arena, but having some hands on experience definitely assists in that sphere. The IT people you deal with will have much better respect for you when they realize you have technical skills behind you. I'd often change their views towards a policy when they saw that I understood where they were coming from and could offer a solution that would not only pass compliance, but technical muster.
    A lot of what I do is assessments to determine compliance with DFARS 252.204-7012 by using NIST.SP.800-171. We're thinking about doing vulnerability assessment in addition to the documentation reviews. I was asked to learn about vulnerability assessment and using some pentesting techniques to uncover vulnerabilities. I've spent the past few days reading, watching CEH videos on FedVTE, and starting to download various tools and set up a small environment to learn how to use the tools.
  • tedjames Member Posts: 1,179
    A lot of what I do is assessments to determine compliance with DFARS 252.204-7012 by using NIST.SP.800-171. We're thinking about doing vulnerability assessment in addition to the documentation reviews. I was asked to learn about vulnerability assessment and using some pentesting techniques to uncover vulnerabilities. I've spent the past few days reading, watching CEH videos on FedVTE, and starting to download various tools and set up a small environment to learn how to use the tools.

    If you can swing it, I recommend trying the eLearnSecurity Penetration Testing Student course. It's pretty focused, and you learn a lot about the entire process.
  • NavyMooseCCNA Member Posts: 544
    tedjames wrote: »
    If you can swing it, I recommend trying the eLearnSecurity Penetration Testing Student course. It's pretty focused, and you learn a lot about the entire process.
    My company won't swing paying for this. What I really need is access to a virtual testing lab where I can experiment with these tools, that is close to free. Does such a unicorn exist?
  • the_Grinch Member Posts: 4,165
    My company won't swing paying for this. What I really need is access to a virtual testing lab where I can experiment with these tools, that is close to free. Does such a unicorn exist?

    Unfortunately, nothing I know of is close to free. The biggest killer is most likely the licensing of the various operating systems. Computer, storage and internet are cheap...Windows licenses (in the scope you would want/need them) are definitely not.
  • NavyMooseCCNA Member Posts: 544
    the_Grinch wrote: »
    Unfortunately, nothing I know of is close to free. The biggest killer is most likely the licensing of the various operating systems. Computer, storage and internet are cheap...Windows licenses (in the scope you would want/need them) are definitely not.
    This begs the n00b question of where someone like me can go to experiment without hurting anything. We have a handful of desktops here that haven't been used in a long time. I'm not entirely sure how useful networking them up would be as a lab to experiment.
  • tedjames Member Posts: 1,179
    My company won't swing paying for this. What I really need is access to a virtual testing lab where I can experiment with these tools, that is close to free. Does such a unicorn exist?

    The eLearnSecurity Penetration Testing Student course costs $400. It's pretty cheap considering what you learn. Just put it on a credit card. Otherwise, install Oracle VirtualBox and Kali Linux (both are free) on your personal machine and then look at some of the free, intentionally vulnerable sites that are open and legal to hack: bWAPP, Webgoat, DVWA, etc. Beyond that, there are plenty of free tutorials on YouTube and free and cheap training on Udemy and Cybrary.
  • the_Grinch Member Posts: 4,165
    This begs the n00b question of where someone like me can go to experiment without hurting anything. We have a handful of desktops here that haven't been used in a long time. I'm not entirely sure how useful networking them up would be as a lab to experiment.

    Definitely grab the old hardware and set up your own network. I'd probably set up a restore point or get some software that will wipe out any work you performed with a reboot for the Windows boxes. Couple virtual machines for Linux and you'll be all set.
  • NavyMooseCCNA Member Posts: 544
    tedjames wrote: »
    The eLearnSecurity Penetration Testing Student course costs $400. It's pretty cheap considering what you learn. Just put it on a credit card. Otherwise, install Oracle VirtualBox and Kali Linux (both are free) on your personal machine and then look at some of the free, intentionally vulnerable sites that are open and legal to hack: bWAPP, Webgoat, DVWA, etc. Beyond that, there are plenty of free tutorials on YouTube and free and cheap training on Udemy and Cybrary.
    I wasn't aware there are these vulnerable sites that we can practice on. I was asked to start learning this stuff this week. I have VirtualBox on my PC and I have a Kali image running on it. I've been watching the CEH videos on FedVTE. I looked at Cybrary and saw a video series by a guy with a very strong accent that I had trouble understanding...

    Thank you for pointing out these websites to me.
  • tedjames Member Posts: 1,179
    Check this out:

    https://www.checkmarx.com/2015/04/16/15-vulnerable-sites-to-legally-practice-your-hacking-skills/

    https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

    Just do a search on intentionally vulnerable website.

    Also, if you want to score some points with the big guy, learn about and test for the OWASP Top 10. I don't know if the 2018 list has been published yet, but the 2017 list is still valid.

    Re: Cybrary, check out some of the tutorials on Udemy. You can get a lot of courses in the $10 range, though some are free. They give you the opportunity to watch a few sample sessions in advance of buying. You can easily determine if an instructor fits your needs.
  • NavyMooseCCNA Member Posts: 544
    I signed up for a Kali Linux for Beginners on Udemy and watched some of it today. Pretty good so far. Thank you for your suggestions!
  • tedjames Member Posts: 1,179
    That's great! Once you start getting a feel for a few of the tools, you'll want to dig deeper. And then when you start to see how it all ties together, the lightbulb goes off. At least that's what happened for me. Map your network with nmap. Then scan it with Nessus and look for vulnerabilities that have exploits. Then use Metasploit to run your exploit. This stuff is a lot of fun.
  • tedjames Member Posts: 1,179
    Here's another site for you to practice testing: Test Site

    This one has a lot of bugs...
  • DatabaseHead Member Posts: 2,754
    Follow up....

    Another reason to keep at least one foot in the tech side.

    When a recession hits, guess which jobs are ousted?

    Not the technical ones, they are required to keep the lights on...... PM's, BA's, Techno Functional, Top heavy managers See ya!
  • Mooseboost Member Posts: 778
    I often tell this story from my engineering days to illustrate why technical skills should be coupled with security:

    We had a new security engineer who was hired on for their "security background" that was expected to walk in and be a bouncing from day one. They were very proud of their Cyber Security degree and CEH. Prior to coming into the NOC, all new engineers must do a stint in the provisioning team to learn procedures and get used to the tech. The provisioning team is responsible for pre-configuration and supporting third party installation field technicians. Now some time goes by and the new engineer hasn't graduated from provisioning yet. I occasionally checked in with them but never pushed the subject. Well, one day I receive an escalation from them. "Everything is down and nothing works." They were trying all sorts of crazy off the wall stuff that I am sure came from Google. I dial the field technician and walk him through a few things. Typical symptoms of a duplicate IP. Have the tech track it down and remove the device. The new engineer had spent over four hours of time with the tech for something that should have been solved in about 20 minutes. And yes, that isn't me touting my technical prowess - the situation is described exactly in the engineering troubleshooting procedures. I close the ticket and follow up with them to figure out what the miscommunication was. When I told her that a CPE wireless router had an IP conflict with the new firewall, this was the response: "Oh yeah.. The tech mentioned there was an old Netgear router that had the same IP as the firewall. I told him he could just plug it up to the firewall so they could keep their wifi. I figured the firewall would, like, overpower the IP with its own"...

    To this day, I still crack up over it. This was a pretty common trend we noticed with some of the "straight to the cyber" guys we hired. No previous IT experience but being hired because of security degrees/certifications. I've run into the same problems with analysts who don't understand the context of alerts because they don't understand network protocols or how an enterprise network functions.

    Knowledge is power. Don't skip the foundation or you will never have a stable house.
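The duplicate-IP situation in the story above is a good one to have a quick check for: ARP has no notion of one device "overpowering" another, so when two hosts answer for the same address, whichever reply a neighbour receives last wins its cache entry and traffic flips between the two. The script below is an added example, not from the original post or from any tool it mentions; it parses constructed tcpdump-style ARP reply lines and reports any IP claimed by more than one MAC, which is how a NOC would confirm the conflict before sending a tech to pull the stray router.

```python
import re
from collections import defaultdict

# Constructed sample of tcpdump-style ARP lines (e.g. from `tcpdump -n arp`).
# 10.0.0.1 is answered by two different MACs: the firewall and a stray CPE router.
SAMPLE_ARP_LOG = """\
10:01:02.100 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
10:01:02.250 ARP, Reply 10.0.0.7 is-at 00:11:22:33:44:66, length 28
10:01:03.010 ARP, Reply 10.0.0.1 is-at a4:2b:8c:00:00:01, length 28
10:01:03.500 ARP, Request who-has 10.0.0.9 tell 10.0.0.7, length 28
10:01:04.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
"""

# Only ARP replies carry an "is-at" claim; requests are ignored.
ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})", re.IGNORECASE)


def parse_arp_replies(text):
    """Return a list of (ip, mac) tuples, in capture order, from ARP reply lines."""
    replies = []
    for line in text.splitlines():
        match = ARP_REPLY.search(line)
        if match:
            replies.append((match.group(1), match.group(2).lower()))
    return replies


def find_ip_conflicts(replies):
    """Map each IP to the sorted list of MACs that claimed it; keep only IPs with >1 MAC."""
    claims = defaultdict(set)
    for ip, mac in replies:
        claims[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def last_claim_per_ip(replies):
    """The MAC each neighbour would currently hold in its cache: the last reply seen wins."""
    last = {}
    for ip, mac in replies:
        last[ip] = mac
    return last


if __name__ == "__main__":
    seen = parse_arp_replies(SAMPLE_ARP_LOG)
    for ip, macs in find_ip_conflicts(seen).items():
        print(f"IP conflict: {ip} claimed by {', '.join(macs)}; "
              f"cache currently holds {last_claim_per_ip(seen)[ip]}")
```

Run against a real capture, a hit on a gateway or firewall address is exactly the "everything is down" symptom described above, and the offending MAC's vendor prefix usually identifies the device to remove.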