I keep a lab at home, but I honestly don’t upgrade the underlying guts of it very often. I really got sick of rebuilding things in my early years as an IT admin. I like when things work, and as long as they keep working and my threat profile remains the same, I tend to keep the underlying infrastructure pretty much untouched. I’d rather wrestle and play with the VMs that run on top of things, ya know?

Typically, my upgrades come about when I change hardware. Or when something doesn’t work. Tonight, I tried to install Kali 2019.4, but I had some hard, unknown stops that felt like vm host limitations. Rather than fight with it, I thought I’d upgrade my VMware server.

My main lab is an Intel NUC device running a VMware ESXi 6.0 bare metal install. I really dislike the web management interface in modern VMware, so I’ve clung to 6.0 for about as long as I’ve been able to. I also really like having the option of running consoles from the vSphere Client application.

Upgrading the ESXi installation is about as easy as it gets. I verified some instructions and then went to town.

esxcli network firewall ruleset set -e true -r httpClient
esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.5.0-2019
# I decided to choose ESXi-6.5.0-20191204001-standard and move on!
esxcli software profile update -p ESXi-6.5.0-20191204001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

[InstallationError]
[Errno 28] No space left on device
vibs = VMware_locker_tools-light_6.5.0-3.116.15256468
Please refer to the log file for more details.

Well, that sucks, but I definitely have room on my device. A quick search showed me that this is an updating error that I could fix by letting ESXi use diskspace as swap when needed, which it apparently needed for the upgrade. A quick visit to Manage > Settings > System Swap got me squared away and the above update command succeeded in surprisingly minimal time. Next, I rebooted the device. Then, I returned the local firewall option to false and I logged into the management console and confirmed my version was 6.5.

I then installed the VMware Remote Console application in order to use a standalone app instead of browser windows for console access. Either way, I dislike them, but the standalone app is the lesser evil. I downloaded version 11.0 from VMware directly, but it can also be grabbed when first trying to open a remote console off a VM.

My core VMs fired up just fine (pfsense and a jump box), I was then able to install Kali 2019.4 without issues at all. I have no idea what the real fix was, but I’m glad that a mere ~30 minutes later I’m past the issue.

Usually when I study for a certification or course, or even for comprehension on a topic, I have steps written down to check off on my journey to that goal. I’ve probably always worked off checklists, but it feels like I rely on them more as I get older, as there’s really no excuse to not use them and forget things or lose ideas to the ether. My time really does have a personal value, and I’d like to make sure I spend it well and efficiently.

When I decided to tackle learning more about cloud security, I knew the topic involved reading and listening to materials on a topic that I’ve not been highly exposed to. And I wanted to make sure I planned out how to spend my time so that I could plan the rest of my year and have an idea when to schedule exams.

The above screenshot is a sheet I maintain on Google Sheets. In it, I basically use a Gantt chart style format to track my progression of tasks and how long they will take. I estimate the hours involved,  record the actual hours I spent, and then the remaining hours and % hours used adjust automatically. The % Complete column I update manually. For instance, I may estimate 10 hours for a task, but find it only takes me 4 hours. I can then record 4 hours and still set it to 100% complete.

Do I really care how many hours are left? Not really, but it’s a way for me to practice skills for Project Managers-Lite and be familiar with a sheet like this. Lots of things that PMs do to perform and track projects are intuitive, pragmatic things that I can use for other purposes, even if I don’t know all of the specific terms in some Body of Knowledge.

And since this is just for my own personal tracking, there’s really no grading or performance evaluation based on how accurate or well I track this; it’s really best effort and its accuracy isn’t crazy strict. It’s truly just about keeping myself on target. (And, I suppose, it reminds me what I did on my route to a certification so that I can post about it later without much recollection effort!)

I will also add that one of the more important steps in pretty much every major learning effort I tackle is researching what others have done before me. This was a huge effort in something like the OSCP where I would read reviews and thoughts and threads from others who had experienced and passed the course/exam and what they recommended for prerequisite knowledge and resources to understand prior and during the learning phases. I still do this as much as possible, and it leverages strengths I have in effectively and efficiently Googling and sifting through information and then organizing and prioritizing what I really need to do.

Every year I try to make some achievable goals for myself for learning, practicing, and getting certified in various topics related to my career in IT and infosec. I’ve been in the industry for over 18 years, and this is the fourth year I’ll have made and pursued concrete goals. In my early years, I learned a ton through informal self-education, and later on pursued a trickle of formal certifications. Then I coasted a bit, and have since made specific effort to formulate goals and plans to achieve them. More often than not, the number of things I want to learn and do far exceeds my capacity to pursue them in a given year, but I do try to make concerted effort to make progress forward through the backlog and keep my activities focused on some goals.

I have a bunch of options for this year, and with the way the year is starting out, I may have some fluid choices to make as the year progresses. For the first quarter at least, I have a solid priority that won’t change. From there on, I’m just giving myself some options while planning on doing some maintenance of skills and make use of the wide range of online labs and platforms available these days.

Honestly, I have quite the backlog of one-off courses, lab environments, challenges, presentations, and other things to do and consume that I don’t want to spend most of my free on-keyboard time in 2020 doing formalized training towards a certification. I want to keep free time and energy set aside to do these sorts of filler tasks, bits of learning, trying new tools, and chopping away at the large list of things I want to do, complete, or learn. Keeping the time free also lets me do things like sign up for a month-long lab (paid) if I so desire, without wondering if I’ll actually get to it in time.

Formal Training/Certifications

AWS Security Specialty (Q1) – The next step on my cloud journey, and really the goal of this journey is studying to understand this topic and pass the cert exam. I consider this one to be somewhat technical and a little hands-on, since I plan to work within AWS a bit more during the studying of this. I expect this to take about 1 quarter.

Either CCSP, CISSP-ISSAP, or CSSLP – I’m skeptical how useful the CCSP may be, and I’m not sure I’d make great use of the CSSLP. The CISSP-ISSAP domains also look pretty familiar and known to me, but it would be a nice progression to consider. Overall, I don’t need to commit to more than 1 of these this year. And no matter the choice, these are book-study activities where I may learn some additional tidbits.

Either AWAE (OSWE) or SLAE (towards CTP/OSCE) – I do like to mix in hands-on-keyboard activities along with book-study plans, and these would be very much hands-on events. I’ve long wanted to do the OSCE, and I’ve long slated SLAE as a precursor towards it. AWAE is new and I may get a little bit more worth out of it. Either way, I probably can’t do both of these in one year, and I really should get one at least started in 2020.

SANS course/cert – This item goes away if my work budget doesn’t allow for a choice of SANS course. If my choice of course/cert does get approved, I actually wouldn’t anticipate the preparation for the exam would take a full quarter; I’m initially planning just a month.

Informal Training

Pentester academy. I have this subscription and I should make concerted effort to fill some gaps in the above studies with some time going through these courses for understanding. With no exam or post-completion activities, these can be the sort of thing I sit down for a week or two and binge through.

Various specific courses signed up for. I have several free-tier courses I’ve signed up for in the past 6 months that I’d like to pursue. They’re nothing crazy intensive, but not something I can bang out in a weekend or even 1 full week. Hence, they get placed here. Doing some of these one-offs may be “important” enough to me to include in my goals in a more ad hoc fashion as the year progresses.

Maintaining or improving existing

Maintaining existing knowledge or skills is often a lot easier than learning something brand new, so I try to make use of this section before the list of new things I’d like to get to. The things I want to maintain or improve specifically: web app testing, linux, pentesting, forensics, powershell, Burp Suite.

HackTheBox and web app testing platforms and labs. Honestly, I can get plenty of practice by continuing to semi-regularly dive into HTB and dissect various web app testing platforms and labs. The platform of choice is usually Kali and Burp, and HTB challenges often can introduce chances to practice some scripting and forensics.

Informal new skills

Reversing – I have a couple books, free courses/tutorials, and other resources to use here.

Binary exploitation – SLAE and some HTB pursuits may start to give me confidence in this topic.

AWS – I plan to get more AWS experience not only with earning the next cert in that part, but also doing an AWS project to stand up a public wiki again. I had one years ago that I hosted, but when I moved to my current cloud provider, I just left the wiki behind. I kinda miss it.

Python – I have a bunch of small tasks and topics I can use as fillers and as excuses to do some more Python scripting.

Other

AWS Wiki project – A project just to stand up and utilize and maintain a wiki platform again, this time hosted in AWS.

Defcon – I’d like to attend Defcon this year, and if so, I need to plan this sooner than later!

Blog – I just want a reminder to keep blogging.

Pocket – I have lots of things sitting in Pocket that I should start consuming.

Career Goals – I should make a concerted effort to decide where my career should go and specifically what I want to do. This is basically a 5-year plan. This has always been hard for me, since I like doing almost anything in security, as long as I have support to do it.

Certs to renew

CISSP – Just my yearly reminder to declare a few CPEs just to keep up.

CCNA Cyber Ops – This actually expires 3/2021, so if I wait until 2021 to look into this, that’ll be really late! Renewing this probably means taking the exam again (not worth), taking Cisco CCNA R&S (marginal value to me), or taking a CCNP level exam. I’m inclined right now to say I will let it lapse, but I want to make specific effort to research this.