Looking for some interesting catch phrases and taglines for security awareness? My favorite? “You’re a big fine hard drive, won’t you back that thing up.” I also like, “Compliance is the residue of good security.”
Month: August 2017
good rules to live by to be yourself
Diving outside the norm again, I found this list of 8 Habits of Incredibly Interesting People to be, well, incredibly interesting. In the past 6 months, I’ve realized I’ve added a few people to a list I never really knew I had: People I admire, look up to professionally and personally, and whom I would love to share dinner and conversation with to learn from them and emulate them. And these persons really do match the below items pretty well.
They are passionate. (I would add that they are enthusiastic, and infectious!)
They try new things. Interesting people do what interests them.
They don’t hide their quirks. (Be yourself.)
They avoid the bandwagon.
They check their egos at the door. An egomaniac is never interesting.
They’re always learning. To interesting people, the world has infinite possibilities.
They share what they discover. The only thing interesting people enjoy as much as learning is sharing their discoveries with others.
They don’t worry about what others think of them. Nothing is more uninteresting than someone who holds their true self back because they’re afraid that other people might not like it.
Good rules to live by to be yourself.
discussing the owasp top 10
Looking for some talking points or high level discussion about OWASP Top 10 items? The Infosec Institute has a series of blog posts going over them, such as this one: OWASP Top 10 #7: Insufficient Attack Protection.
lockpicking, work, gen con, and critical role
Activity got a little sparse here over the past few weeks. Part of the reason has been busyness at work. But another part of it has been tackling some personal activities. For the second year in a row, I went to the tabletop gaming convention Gen Con in Indianapolis. Between attending and preparing to go, that took quite a lot of my free time. Much of the rest of my free time has been spent trying to catch up on some new youtube channels and fitting them into my other habits and priorities. First, I’ve been turned onto BosnianBill’s YouTube channel which has 1000+ lockpicking videos. These are absolutely excellent; they’re small digestible videos and Bill talks wonderfully through everything he is doing while giving the viewer a very clear, close view of his work and clear audio of the progress as well. I’ve skipped around a bit to check other things out (I’m otherwise working backwards through his channel), and I found a tutorial video he did about picking spool pins and it’s absolutely invaluable and amazing how well he teaches lockpicking. Definitely a channel to subscribe to.
I’ve long been aware of the Critical Role show on Geek & Sundry since it began, but I’ve never taken the time to watch it since I knew it would be a timesuck. Essentially, the show is a group of voice actors playing D&D. I knew I’ve love it, and I finally started watching it a few weeks ago, and my fears were confirmed: I absolutely love it and need to keep watching to catch up. It’s also stoked my interest in D&D again, but not quite enough to pursue finding a group yet to scratch the lifelong itch. Maybe I’ll find a way to fit that in!
Lastly, I’m also watching some Linux courses over at Linux Academy, partly for my own learning, partly to normalize what I’ve learned over the years (and close some gaps), and partly to satisfy some training expectations at work. I’ll eventually be ready for, but won’t be taking, the Red Hat Certified Systems Admin test. Unless my title has “Linux” in it, I don’t think actually spending the money and time to take the test will be worth it to me, but the learning will be very nice to have. This sort of fills in my allotted personal learning time for the moment with something not terribly hard and with very little overhead pressure for the summer months.
Anyway, those have been my major timespends over the past month.
five signs of leadership in management
I love me lists, but I usually don’t delve too far outside of technical articles when I post things on here. However, an article I saw on my LinkedIn feed caught my eye and read really nicely: How Can You Tell Someone Has True Leadership Skills? Look for These 5 Uncommon Signs. I think these five items are all key items for a good manager, at least for me. And I like that the article doesn’t devolve into over-tried things that don’t apply to everyone like, “Good leaders reward their employees with recognition or gifts.” I do also like the way several items can spark more thoughts on what’s written between the lines, specifically the items to practice transparency and create psychological safety. The latter is a very interesting way to word this. Normally, I think about innovation and the flexibility to learn, make small mistakes, and come out better for it. A poor culture will be intolerant to mistakes. I like the idea of labeling this as creating psychological safety, since really, that’s what it is, and that term can encompass other things than just quelling the risk and pain of failures and mistakes.
being the expert of becoming the expert (or not at all)
Read an article this morning, Ten Unmistakable Signs You’ve Stayed At Your Job Too Long, which I thought I would comment about on here for each bullet point, but then I decided that was pretty boring. However, a few points kept bouncing around in my head. They are:
1. As you look ahead at your projects over the next 12 months, you don’t see anything that you haven’t already done a million times before.
4. You know every procedure in your company. You know every piece of software. You know the purpose (and the time and location) of every standing meeting. You know so much that people constantly ask you for advice — but knowing as much as you do, you should have a lot more influence than you have.
5. Your muscles aren’t growing. You can’t even remember the last time you did something really cool at work or learned something powerful. At this point, you are just treading water.
Now, this can easily dive deep into a conversation about innovation and corporate tolerance to (minor) failure. But I wanted to put that aside since that is a topic that is beaten to death (even in my own head). Even talking about corporate culture is a bit out of my scope (though very relevant).
But my main interest was this question:
Do you want an employee (or to be an employee) who is best at what they do and already an expert in their daily tasks, or one who is driven to learn, but not yet necessarily the expert at their daily tasks?
I’ve posted the question elsewhere, and gotten good, thoughtful answers. In the end, I don’t think it terribly matters as long as I’m happy in my self and job and progress. Be good at what I learn, and have enough latitude to learn (which implies not necessarily being good yet), with small non-fatal stumbles, when the opportunity arises. It’s possible being an “expert” is the wrong frame of mind to have, like saying your idol for CEO is Steve Jobs, which just isn’t realistic and will ultimately be unrequited.
small list of online paid and some free security training coursewares
Around Q4 2016, I started shopping around for access to some technical learning/courseware sites. The main impetus was to get my own personal learning back on a semi-regular track, and a side purpose of preparation for earning my OSCP. I’ve had these notes floating around in my “training ideas” notes for a while now, and I wanted to get them out, but not lose them. And hey, that’s why I have a blog!
Please note that theses are not all-inclusive and the prices may be off (some of them may be 2016 holiday pricing). I have seen some ITProTV courses, but what I went with for myself was PluralSight and LinuxAcademy access. The former I’ll likely keep active, but the latter will be something I probably drop off after 2017. I really like PluralSight’s offerings so far, and LinuxAcademy is going to nicely fulfill some desire to round out my Linux knowledge. Most everything else in the paid flavors I probably have not tried out enough to comment on them. The free stuff will probably stay in my training ideas/to-do lists in some form or other.
training/courseware sites (prices as of ~Q1 2017)
PENTESTERACADEMY—–$99 first month, $39 after 100 max video plays (can download them, though)
LYNDA COURSES -free 10 day trial, 19.99 or 29.99/mo, latter allows video download
codeacademy.com: python – automate scans —free course, $19.99/mo for extras
securitytube-training —$39/mo
ITPRoTV —courses site, $57/mo
gogotraining —$37.50/mo
pluralsight —-$29/mo or $299/yr, free trial for 10 days
cbtnuggets.com —-$84/mo, 1 free week
packt —29.99/mo ebooks and videos
testout —$79/mo
linux primers: linuxacademy —videos, 7 days free, $29/mo, downloadable audio
pentesterlab.com/bootcamp —exercises and videos, $19.99/mo
Safari Books Online monthly sub for access
Qwiklabs.com access
HackingDojo courses/lab $99/mo
https://www.hacking-lab.com/index.html
some free courses or training to consume
metasploit unleashed free course
SecurityTube – Buffer Overflows, Assembly/Debugging —-free video site
cybrary.it – advanced pen testing (and others) —-free
FSU Offensive Computer Security free course —free, youtube vids and slides
SSTEC Tutorials on YouTube (Kali Linux): https://www.youtube.com/channel/UCHvUTfxL_9bNQgqzekPWHtg
Bhargev Tandel Kali and other pen testing channel: https://www.youtube.com/user/bhargavtandel
***OpenSecurityTraining.info —-free, some video, many just slides
linux primers: penguintutor.com —free, text tutorials
linux primers: debian-tutorials.com —-blog style
from rob fuller: dumping laps passwords with ldapsearch
From Rob Fuller comes this article on dumping LAPS passwords using ldapsearch. LAPS is a Microsoft solution to manage and randomize local admin passwords on member systems. To do so, these passwords are stored in AD. For old, non-updated LAPS implementations, a user can just read these. Current installations require an extra permission. These permissions usually mean that abusing LAPS is a “win more” type of situation (i.e. you already pwn the domain, so now you can pwn more). But, there may be situations where some users who are not full admins in AD do administrate systems enough to have this access (maybe help desk persons or departmental admins). Also, it’s worth noting this weakness as part of knowing your risk when handing out privilege accounts. For instance, Sam may be given a privileged account, but keep in mind that Sam probably also now has access to read local admin passwords, which may or may not have been knowingly intended. Similarly, any account that has this access that is disclosed/cracked means all these passwords should be changed as well.
outline for building and running a soc
I’m not currently doing it, nor have I read this whole article, but “SOC Architecture – How to build and run a Security Operations Center,” seems like a good article to reference to start with if I happen to consult with someone who is attempting to build a SOC.
effort is being made today to groom fake online personas
Most people think of phishing attacks as flash-in-the-pan events; you get a contact that looks like spam, treat it as spam, and delete it. But criminal organizations are becoming better about social engineering via social media these days. And they are taking their time to create fake personas, groom contacts, and eventually gain trust enough to influence a target’s behavior to do something they normally wouldn’t, such as open a file. SecureWorks has one such story posted, and it’s eye-opening to see the amount of effort that an attacker may go through to target a particular person or organization. (Though to be fair, the web cam porn industry has probably been doing this for years, as have ‘revenge porn’ criminals, and state-sponsored espionage since the start of the internet.)
from cnn: networking as an introvert
I normally just get news from CNN and not actual useful advice. But this is two in as many days! Anyway, How do I network if I am an introvert? I’m an introvert. I’m terrible about small talk and I tend to assume more people don’t want to know me or respect my viewpoints. I can always get past that, but it does take time. More time than small interactions usually allow. This article has some great advice that rings of truth.
Fake interaction. I never really thought of “small talk” as “fake interaction,” but I have to admit that phrase is appropriate. Introverts often have an internal personality and their external one is more guarded and is often made to mimic their audience. This then feeds a little bit of the imposter syndrome. As the article suggests, we introverts still should just be ourselves and try to let that guard down a little bit. Life is short, and people do care about us and our opinions and expertise.
Asking questions. Just like in dating, a good way to break the ice or open dialogue for someone who doesn’t “do dialogue,” is to ask questions. Most people like talking about themselves, and the attention is a positive feedback loop. Ask question, interject when possible, and be attentive. This works on pretty much everyone. But, what questions to ask? Aren’t all the ice breakers part of that damn small talk that we hate? Well, sometimes. For events, ask what someone does for work. Ask them how they decompress from life in IT/infosec. Ask them something that pertains to the talk you’re waiting on or just saw (did you understand all of that, or that was amazing, I’ve always wanted to…). Offer your name, and if you’re present in online communities, make sure they know that name as well. Even just a small interaction works, and you can then ping them later in the social space. I really like the article’s suggestion of, “What’s your favorite part of your work?” or some variation of.
Meet fewer people as a goal. Pick people sitting near you or someone else off to the side. Be interested, say hi, and introduce yourself. Consider this like a video game quest. Talk to 3 people at this all-day con that you didn’t know before, get their name and maybe where they work if it is that kind of event. And already be comfortable and ready to divulge your online screenname if you have one. If not comfortable, make one that will be comfortable to give up.
Just meet people. I don’t think introverts should go into “networking” with a specific goal of meeting people for job hookups. That is exactly the sort of fake interaction we’re terrible at doing. Instead, do some networking with the goal of just meeting people and sharing names and some information about each other. That doesn’t need to be faked, and can start that somewhat long road us introverts tread to getting to know someone better.
careerisms to reflect on
Sometimes I read an article and really like it. Sometimes I just like parts of an article. Sometimes I like parts, and really have nothing to say about it, but want to keep it or some soundbytes from it around for personal reflection. The article, Career advice you hear all the time that’s actually bunk, is one such source.
“Passion is not something you follow. It’s something that will follow you…”
“…put your head down and focus on becoming so good you can’t be ignored. It’s typically at this point that you’ve gained the leverage needed to shape your working life into a true source of passion.”
Take this advice instead: “Be valuable.”
You’re never hired for your skills or experience alone, she says. Managers hire you to make their lives easier and to make them look good in front of their bosses and clients.
“Meet your deadlines.”
“Leap when opportunity knocks.” (As opposed to only sticking loyally to a company for many years.)
“Build your value” (Rather than building your brand online.)