Friday, August 17, 2012

Lifelong learning, being 100% certified, situational awareness, and my thoughts

     My route to becoming an InfoSec practitioner was anything but traditional. For this I am thankful. Why? Because I discovered a breadth of information that has served me well in life.
     This story begins in 1990 when I first joined the Navy. I joined between my Junior and Senior years of high school. The underlying reasons for me joining are as follows:
         
1. I was 17 and knew that I wanted to see more than the "Golden Triangle" of Texas. (My travels took me as far as Dallas to the north, San Antonio to the west, and Pensacola, FL to the east.)
2. I wanted to go to college but didn't know what I wanted to do when I grew up.
3. Home life sucked and I wanted out.

The job I signed up for in the Navy was entitled Cryptologic Technician (Maintenance). This is code for "mostly works in air-conditioned spaces" and Class "A" school located in Pensacola, FL. At least that is all I knew about it from the information sheet I read. An entire career of 20 years was based on those 2 things. Looking back I ask myself "how stupid could I have been?" and "how lucky was I?" My school lasted for almost 1 year (was supposed to be shorter) and I learned electronic theory, AC/DC theory, soldering, recorder theory, how receivers and transmitters worked, how to run a maintenance shop, and the troubleshooting methodology. This is where my first failure came into play.
     All my life, schoolwork came to me easily. I was bored with school and always spent minimal effort on homework, etc. This caught up with me in Pensacola. A class in power supplies theory and maintenance ended with me failing the module. I got rolled back into the next upcoming class and was told that I would lose my slot in school if I failed again. Nothing learned other than the "walk of shame sucked." From Pensacola I went to an advanced course in electromagnetic transmissions and intercept for submarine systems. Once again, I fell into the routine of just getting by. Once again, I almost got dropped from training. Once again, I took the "walk of shame" and learned nothing.
     At this time I met a man named Rob Bartlett. He introduced me to a thirst for knowledge, not just a quest for checks in the boxes. Rob, if I have never thanked you, I am doing it now. Still not knowing what I wanted to do when I grew up, I began taking college courses to figure it out. My majors, in order of declaration, were: Mathematics, History, Psychology, Occupational Psychology, Computer Studies, and finally Business. I took classes at:

- The George Washington University
- Coastline Community College
- Hawaii Pacific University
- Community College of the Air Force
- University of Md University College
- Prince Georges Community College
- Excelsior College
- American Military University
- Carnegie Mellon University/CERT
- Webster University
- National Cryptologic School
- other formal training institutes

This 13 year meandering through collegiate life led to a very broad background of knowledge, a better understanding of how different people approach a problem, and an understanding of written goals/requirements.
     Something else I learned from Rob was to take any class offered by the military regardless of what it is. This led to me taking classes whenever they were offered (something I still do today). I have taken some really cool classes that were never meant to be taken by someone in my career field. I have not performed a pen test in over 6 years, but I ended up taking Dave Kennedy's SET class at BlackHat. Why would I spend all that money for something I may never perform again? Because my boss offered and it is an opportunity to learn something new. Plus, I got to meet new people with various backgrounds and learned from their experiences.
     If you search for the subjective "knowledge" as opposed to the objective "results" (*cough* paper MCSEs *cough* paper CISSPs) you will understand the point of certifications. They are something you can frame and show your friends as a badge that says I took a test. Same goes for a college degree. A degree is something you can frame and show your friends that says I took lots of tests. If done properly, you can show your friends these pieces of paper and then debate the merits of, say, a truly air gapped network, how it would be implemented, and the upside/downside of that network. Moreover, you can speak about it with authority and experience because you have operated/managed one, not just read about one when you read the majority of an article in Slate magazine once.
     Do I see value in certifications/degrees? Absolutely! The value, in my humble opinion, is that I can put them on my resume as a check in the box. This should allow me to get my foot in the door for an interview, and then I can use my experience to get the job. What about the plethora of jobs that do not mention certs/degrees in the requirements? Fine. I can put my certs/degrees on my resume, placing a check in the box I drew on the form myself, get an interview, and use my experience to get the job. This should be the emphasis of ANY hiring official. The questions should not be what boxes can you check; they should be what can you show me and tell me about how you would handle x.
     A short story to prove my point. While in the Navy, I was given the opportunity to screen all junior officers, all with fancy degrees, and senior enlisted members deploying to Iraq and make recommendations on who should go. I was told to give these guys a test to measure how successful they would be in the field. (As if that could actually be done.) My test was simple. 100 questions. Multiple choice. You have 5 minutes to answer them all. Begin! After this was handed in, never completed, I would give each person a scenario.
          {You are providing tactical intel support to a Ranger company. Your purpose is to tell them which of 2 doors they should kick in, using highly specialized cell phone intercept equipment. What do you do? The officers with technical degrees would usually begin by walking in an ever increasing circle, attempting to get a fix on the target, and would then make a recommendation. The enlisted personnel would usually think for a second or two, then tell the Rangers to kick in both doors, interrogate the subjects, and arrest the guilty party (probably the guy with the cell phone in his hand).}

     I always recommended the enlisted guys. I caught flak for my recommendations because officers are required to lead for promotion while enlisted members are taught to lead and promoted because of it.

What is the point, Branden?
1. Seek knowledge, understanding, and experience NOT papers, titles, and pretty frames
2. Never pass up a chance to learn
3. Like a child, learn from everything you do, taste, smell, and touch
4. Be humble. Nobody likes people who think they are smart, they like smart people.
5. If something you do now seems painful, it is ok. Next time will be less painful.
6. Teach others. You will learn from this too.

     So I know that this is kind of scattered all over the place (I blame insomnia). To make matters worse, I will not edit this in the morning before I publish it. Hey, why write something twice? Especially when no one reads this anyway.


Monday, August 13, 2012

Book review: The Basics of Hacking and Penetration Testing

    This story, of the book review anyway, began in the class Inside and Out of the Social-Engineer Toolkit (SET) by David Kennedy. I decided to attend this class when my boss discovered money in our budget that had to be spent before the end of the state fiscal year.
     A surprise student in the class was Kevin Mitnick. During a break, Kevin began to chide Dave Kennedy about the fact that his book, Ghost in the Wires, supplanted Dave's Metasploit book as the Amazon bestseller. Dave's response was to point out that another book beat his out on another bestseller list on the Amazon site. Lo and behold, the author of this book, Patrick Engebretson, was sitting next to Kevin Mitnick! Never one to pass up an opportunity to support a good ribbing, I immediately purchased the book, The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy.
     I am glad I did. Engebretson does an outstanding job of laying out, in an easy to read way, a complete guide for those interested in breaking into pen testing. This book begins by introducing the concept of "zero entry hacking." Much like a zero entry pool that gradually slopes from dry land to deep depths, the ZEH concept allows anyone to pick up this book and begin work.
     Engebretson follows the ZEH concept with a quick differentiation of blackhat vs. whitehat. He focuses on three key concepts that separate the two and clears the air for the reader. Next, he introduces the reader to some of the most important tools a pentester will ever use, BackTrack Linux and a good lab.
     Finally, Engebretson introduces a simple 4 step methodology that summarizes what pen testing is all about. He spends the rest of the book detailing his simple methodology in a concise and comprehensive manner.
     I recommend anyone breaking into the pentesting world buy this book before they start. In addition, even though this book's title begins with "The Basics of," I recommend it for even the seasoned pentester.
     Good luck Patrick! May you sell plenty of books! At least enough to allow you to buy some cool toys.

Tuesday, August 7, 2012

Yeah! DerbyCon!

     Last year I had the distinct pleasure of attending the first DerbyCon. I say pleasure because this conference, in its inaugural offering, was better than any previous conference I had been to. **Hold your horses** That is a bold statement you may say. Let me explain myself...
     1. The presentations were top notch. BlackHat (in the old days) and DEFCON style topics. Hey, you don't believe me. Check out last year's schedule for yourself. https://www.derbycon.com/schedule-2011/
     2. The attendees and presenters did not walk around with "rock star" attitudes. One of many examples I witnessed first hand: Deviant Ollam, well known for his physical security and pentesting skills, could have taken over at the Lock Picking village. He did not. Why? As he put it at the time, "This is their show and they are doing a great job!"
     3. As far as I know, there were no security issues, and the Goons/Jockeys/Security Team or whatever they were called were professionals and without the attitude I saw from some at DEFCON. Not knocking DEFCON; I understand how difficult it is to herd 15,000 attendees around. They did a good job too, but some had a "because I said so" attitude.
     4. The founders/organizers seemed to care on a personal level about the attendees, not just the conference as a whole. I mean, hey, with a handle like PureHate, I expected something different from Martin Bos. Now that I know more about him, that handle is way off the mark.

This brings me to the reason I decided to ink this today. It all started with a tweet.


Uh, What! Really! Who does that! Especially since the previous tweets were talking about how they received 10 times as many CFPs this year as compared to last year!

This is something I could not get mentors in a formal mentor program to do. Much less a small team of people to do for hundreds, or possibly thousands, of people.

Now I know that everything is not all roses and there are still questions about how this Con will be in 10 years, but I think you will all agree that the foundation is right.

I am so looking forward to seeing everyone there this year. Let's get together and do lunch! Or come to my presentation (fingers crossed).

Monday, August 6, 2012

Software coders and security responsibilities

    Recently, I was involved in a Twitter "debate" in which the original poster (@Wh1teRabbit) posed a question about holding software developers responsible for their security flaws in code. As stated previously, I hate social media as a platform for any type of debate. It is simply too limiting, and comments are often taken out of context.
     The point I was trying to get across is that I believe, just like in most other industries, software developers should be held liable for egregious errors resulting in security flaws. As a Libertarian, this hurts me to say because I think the market will regulate itself. If you do something stupid, and the public cares about it, you will suffer. What many people seemed to take from my posts was that I support regulating an industry and my regulation would stifle creativity. Others questioned me on how we could possibly hold software companies liable just because they suck at security. My inadequate response was that companies should subscribe to and enforce some type of SDLC program. Most responses seemed to be "experts" crying foul about how I could possibly hold them accountable.
     Fast forward one week. I read the following article about the Mars rover and something hit a nerve. (http://nakedsecurity.sophos.com/2012/08/06/mars-rover-curiosity-touchdown-and-you-think-youve-got-latency-issues/) The article was about latency problems but I focused on the beginning. The rover had to reach the planet without hitting anything in space, decelerate from 5900 meters per second to zero (gracefully), plummet through 120km of hostile Martian atmosphere, and land in a 20km zone. If we can expect this from government employees and lowest bid contractors, why do we not expect the same level of outcome from coders and software "professionals?"
    I am NOT saying that NASA is the best or always gets it right, but I am saying that sticking our heads in the sand or holding our breath and closing our eyes is not the right thing to do. NASA has had some MAJOR issues with success lately. What many people don't realize is that every failure they had was a result of not abiding by their own policies and procedures.
    Have a system and work it. To not have a system is, in my opinion, willful neglect.

Bring it on! Let's "discuss" this. I will say that if you act unprofessionally, I will remove your post. Or worse, I will rewrite your post using ... and [sic] randomly so that you look dumb.

Saturday, August 4, 2012

My first time as a speaker (BSides Cleveland)


     I have made many presentations in public before. This should be old hat. After all, I taught large groups of students before. I was an instructor for 5 years for Pete's sake. These are the things I thought about over and over on the drive up to Cleveland for BSidesCLE 2012. The problem was, that drive lasted 6 hours. Doubt always seems to visit me when I am alone, with nothing else to do but think.
     ***Flashback*** While attending the annual AIDE meeting at Marshall University, I was formally introduced to Bill Gardner. Bill and I quickly decided we were friends, and discussion turned to a community need for Information Security Awareness and Training. This is when we realized that we were both working on submissions for BSides Cleveland that focused on awareness and training. What are two new friends to do? Well, combine the presentations and co-present, of course. The problem was, I had known Bill for only 2 hours up to that point. Another problem was that we lived hours apart and could not possibly get together to practice (well, in person anyway). Never fear, my outward personality and genuine ability to feed off the energy of a crowd would see me through. Did I mention the doubt and loneliness of my 6 hour drive?
     When I arrived, my doubts and fear only grew. I originally decided to "cut my teeth" at BSides Cleveland because of its small size. This became a problem when I began introducing myself to the people there. The likes of Dave Kennedy, Martin Bos, and a host of other InfoSec "celebrities." More doubt.
     When the time came to present, my new friend (whom I had now known for at least 1 month) and I hit the stage. After a few minutes (which seemed like hours) and a little confusion on whose slides were whose, we hit our stride. I fed off of the crowd like I usually do. The doubt melted away.
     I really enjoyed my first presentation at a full fledged con. It is an experience I cherish and one that will give me the courage to step out more often. I plan on submitting to DerbyCon, Hack3rCon, and any other con my boss will pay for.

By the way, those "celebrities" were some of the coolest and laid back guys I have ever met. No judging found here.

***You can watch our presentation "Focusing on the Fool: Building an Awareness and Training Program" on irongeek.com.

Thursday, August 2, 2012

Ugh! Another blogger!


   I have had some interesting conversations lately with friends, friends of friends, social media "friends", and "friends" of social media "friends". In each of these instances, the social media application used was not sufficient for me to fully elaborate on my beliefs and actually left me frustrated. Hence the newest blog of no significance in the sea of the insignificant.

   Just as a bad SunOS experience made me swear off any *nix flavored OS (horrible mistake on my part), a bad experience blogging resulted in me not contributing to my industry for years (probably good since I am more mature in my thinking process now).

   I plan to use this platform to bore you with my ideas of Information Security, regulations and standards, and just about anything else that piques MY interests. If you know me, you know that there will be plenty of self-deprecation, jocularity, and shenanigans (all with a point of course). You will also see me give credit for constructive criticism, and you may even see me change my mind after a healthy debate.

   As usual, the disclaimer: The ideas presented in this blog are my own and do not necessarily represent the ideas of my employer.