Quick blurb so I can remember this. A bubble chart can make a handy display for pentest findings – and prioritize them. It’s a simple way to identify and display high-impact, low-cost issues. Here’s an example of a bubble chart with some findings pre-populated. If you’re interested in using this, just create a copy and go to work.
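As an added example (not the spreadsheet linked above), here is the same impact-versus-cost prioritization worked in Python: each finding becomes a bubble, quick wins (high impact, low cost) sort to the top, and the chart itself is rendered when matplotlib is available. The findings, the 1..5 scales and the quadrant threshold are assumptions.

```python
# Added example, not the post's spreadsheet: rank pentest findings by impact
# versus remediation cost (the chart's axes); the findings are constructed data.
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    impact: int  # 1 (low) .. 5 (critical), assumed scale
    cost: int    # remediation effort, 1 (trivial) .. 5 (major project)
    hosts: int   # affected hosts, drives bubble size

SAMPLE_FINDINGS = [
    Finding("Default credentials on admin portal", impact=5, cost=1, hosts=3),
    Finding("Missing HSTS header", impact=1, cost=1, hosts=40),
    Finding("Flat network, no segmentation", impact=4, cost=5, hosts=120),
    Finding("SQL injection in search endpoint", impact=5, cost=3, hosts=1),
]

def quadrant(f: Finding, threshold: int = 3) -> str:
    """Name the bubble's quadrant; 'quick win' is high impact at low cost."""
    high_impact, low_cost = f.impact >= threshold, f.cost < threshold
    if high_impact and low_cost:
        return "quick win"
    if high_impact:
        return "strategic"
    return "filler" if low_cost else "deprioritize"

def prioritize(findings):
    """Quick wins first, then by impact-per-cost ratio, cheapest breaking ties."""
    order = {"quick win": 0, "strategic": 1, "filler": 2, "deprioritize": 3}
    return sorted(findings, key=lambda f: (order[quadrant(f)], -f.impact / f.cost, f.cost))

def plot(findings, path="findings.png"):
    """Render the bubble chart to a PNG (matplotlib is needed only here)."""
    import matplotlib
    matplotlib.use("Agg")
    import matplotlib.pyplot as plt
    fig, ax = plt.subplots()
    ax.scatter([f.cost for f in findings], [f.impact for f in findings],
               s=[20 * f.hosts for f in findings], alpha=0.5)
    for f in findings:
        ax.annotate(f.name, (f.cost, f.impact))
    ax.set(xlabel="Remediation cost", ylabel="Impact", xlim=(0, 6), ylim=(0, 6))
    fig.savefig(path)
```

Call `prioritize(SAMPLE_FINDINGS)` for the ordered list and `plot(SAMPLE_FINDINGS)` for the PNG.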
I was recently pointed to a great speech entitled “You and Your Research” given by Richard Hamming of Bell Labs (and Hamming codes!) fame. It’s essentially Hamming giving his insight on how to do great work as a scientist. I think it’s relevant for anyone doing infosec research today.
Here are my key takeaways:
- Work on important problems.
- Luck favors the prepared mind.
- Courage is a characteristic of the successful.
- Plant acorns to grow oak trees.
- Follow the greats in your field.
- Every defect can be looked at as an asset.
- Knowledge and productivity are like compound interest.
- Keep track of flaws in your theories.
- Work on problems you’re committed to.
- Get emotionally involved, otherwise your subconscious goofs off.
- Reach out to people outside of your field.
- Pursue opportunity when it's presented.
- Find and know the important problems in your field.
- Practice makes perfect.
- Schedule some dedicated time as “great thoughts time”.
- Open doors -> more input -> finding the right problems.
- Zoom out to see the larger problem.
- You want others to stand on the shoulders of your work.
- It’s not sufficient to do a job, you have to sell it.
- Write clearly and well so that people will read it.
- Learn to give formal talks.
- Learn to give informal talks.
- When giving a talk, start slowly, paint a general picture of why it's important, and give a sketch of what was done.
- Educate your boss, get other people to ask for what you need.
- Take advantage of the systems around you to scale yourself.
- Know thyself & watch thy ego.
- The appearance of conforming gets you a long way.
- Don’t spend effort needlessly fighting the system and don’t fool yourself by creating alibis for disappointment.
- A little extra effort goes a long way with people.
Powerful words to guide your career.
I recently had a college student ask about getting into Information Security. Here’s his question:
My biggest issue with my current education is the broad scale and lack of clear direction on how to achieve my goals. I know that I am very interested in penetration testing. Ethical hacking in general is a very big interest of mine. But as for what area of security, I’m not even sure what the options are.
Cool – sounds like the biggest thing is to explore and decide on a first direction, knowing full well this may well change as you learn more. You may want to try writing your current goals down and working toward them (or, better yet, working backward from where you'd like to be).
Penetration testing – or, as you call it, ethical hacking – is still very much a tradecraft career. Fundamentally, though, it's a form of testing. The best thing you can do is dive in and start learning about the systems you'll be coming up against. If I had to choose between a tester with a bunch of certificates and lab experience and a tester who knew, and had been an administrator of, the systems he'd be testing, I'd choose the latter.
Penetration testing has split into some broad specializations, though it'd be best to sample among them:
- Mobile & IoT
- Web Application
OWASP is good for learning web and mobile attack methodologies.
You’ll want to check out netsec’s career thread – this happens quarterly. This will give you a great sample of existing careers, and you can start to research on the things you’ll need to learn.
There are many other threads on the net about how to get started in infosec.
Here's another one I wrote about 10 years back, specific to penetration testing. It's amazing how much of it is still relevant.
Reddit's /r/netsec is a great resource for staying on top of what's happening in the technical security field.
Stack Exchange is another one with a bit more of a question/answer focus – good for researching when getting started.
As far as building a reputation while you’re in school, the best things you can do:
- Get on Twitter and start contributing – there's a strong contingent of security folks on Twitter.
- Jump on GitHub and start publishing tools / code.
- Jump on Bugcrowd and HackerOne and start reporting bugs and building a profile.
- Publish papers, blogs, code, anything that you can point to as a resume builder.
- Go to conferences, meet folks. Find positive folks that will help you, and find ways to help them.
- Learn everything you possibly can.
You’re looking for a job in a field that has massive unemployment, so you’re in the right place at the right time. But be warned, it’s a fast-moving field and requires you to be motivated if you want to be good.
It’s worth noting that the penetration testing / consultant career path generally requires a significant amount of travel, and can be disruptive to a family lifestyle. This isn’t always true, and there are certainly ways to make it work, but worth thinking about. Thoughts on work / life balance are for another post.
The one piece of advice I give everyone interested in getting into the field: provide value without asking for anything in return. If you find someone you want to work with, just ask… how can I help? … Guaranteed, they don't get asked that enough.
Handy reference list of links, storing in a single place for future use.
A Regional Internet Registry (RIR) is an organization that manages the allocation and registration of Internet number resources within a particular region of the world. Internet number resources include IP addresses and autonomous system (AS) numbers. Map of Regional Internet Registries.
ARIN
- API: https://www.arin.net/resources/whoisrws/
- Request full data here: https://www.arin.net/resources/request/bulkwhois.html
- Become a mirror: https://www.arin.net/resources/request/bulkwhois.html
- Stats: https://www.arin.net/knowledge/statistics/
RIPE NCC
- API: http://rest.db.ripe.net
- Downloadable version (redacted): ftp://ftp.ripe.net/ripe/dbase/ripe.db.gz
- Request full data here: https://www.ripe.net/manage-ips-and-asns/db/faq/faq-db/can-i-download-the-ripe-database
- Become a mirror: https://www.ripe.net/manage-ips-and-asns/db/nrtm-mirroring
- WHOIS service code: https://github.com/RIPE-NCC/whois
- Stats: https://stat.ripe.net/
AFRINIC
- API: https://www.afrinic.net/services/whois-query
- Request full data here: http://www.afrinic.net/library/corporate-documents/207-bulk-whois-access-form-
- Stats: https://www.afrinic.net/en/services/statistics
APNIC
- API: https://wq.apnic.net/whois-search/static/search.html
- Request full data here: https://www.apnic.net/apnic-info/whois_search/using-whois/bulk-access/copyright
- Stats: https://www.apnic.net/publications/research-and-insights/stats
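As an added example (not code from the original post or from RIPE NCC), a small parser for the RPSL text format used by the downloadable RIPE database dump listed above, plus a lookup of the most specific inetnum covering an address, which is the question the dump usually answers during attribution work. The objects in SAMPLE_DUMP are constructed sample data.

```python
# Added example (not from the original post): parse a RIPE database dump
# (RPSL text, as in ripe.db.gz); the dump text below is constructed sample data.
import ipaddress

SAMPLE_DUMP = """\
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example Corp       # end-of-line comment
+               Amsterdam office
country:        NL
source:         RIPE

inetnum:        192.0.2.0 - 192.0.2.63
netname:        EXAMPLE-DMZ
country:        NL
source:         RIPE
"""

def parse_rpsl(text):
    """Return each object as a list of (attribute, value) pairs.
    Blank lines separate objects; lines starting with whitespace or '+'
    continue the previous attribute; text after '#' is a comment."""
    objects, current = [], []
    for raw in text.splitlines() + [""]:      # trailing "" flushes last object
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
                current = []
        elif line[0] in " \t+" and current:   # continuation line
            key, val = current[-1]
            current[-1] = (key, (val + " " + line.lstrip(" \t+")).strip())
        else:
            key, _, val = line.partition(":")
            current.append((key.strip(), val.strip()))
    return objects

def most_specific_inetnum(objects, ip):
    """Smallest 'start - end' inetnum range containing ip, as a dict, or None."""
    ip, best = ipaddress.ip_address(ip), None
    for obj in objects:
        attrs = dict(obj)
        if "inetnum" not in attrs:
            continue
        lo, hi = (ipaddress.ip_address(p.strip()) for p in attrs["inetnum"].split("-"))
        if lo <= ip <= hi and (best is None or int(hi) - int(lo) < best[0]):
            best = (int(hi) - int(lo), attrs)
    return best[1] if best else None
```

To run it against the real dump, read `ripe.db.gz` with `gzip.open(path, "rt", encoding="latin-1")` and pass the text to `parse_rpsl`.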
This was originally written in early 2017 for a friend of mine that asked for advice about how to avoid being hacked when traveling abroad. It mirrors much of the DHS Travel Safety advice, but is meant to be a little more practical. I’m re-posting it here for the benefit of others. Note that this checklist applies for pretty much any hostile cyber environment – but was written with China in mind.
If you have reason to think that you’ll be targeted – particularly if you have access to data valuable to the country you’ll be traveling to – seriously – don’t take your PC into the country. Set up a burner device and use it only in combination with a VPN service. Otherwise… proceed with caution:
- Set a lock and PIN on your phone.
- Turn on your phone’s auto-lock.
- Add a privacy screen to each device.
- Ensure you’ve configured full-disk encryption on the device.
- Configure two-factor authentication whenever possible.
- Configure Android or Apple’s Device Finder so you can remote wipe.
- Ensure you are running the latest software versions.
- Sign up for DHS’s Travel Alerts.
- Completely power down the device before you arrive at your destination. Attackers can easily siphon data off a locked but powered-on PC, since the disk-encryption keys are still in memory.
- Keep devices close to you and within sight at all times.
- Do NOT let authorities take the device from you during entrance / exit.
- Do NOT leave systems in your hotel room.
- Do NOT plug any media – USB stick, SD card, etc – into the system.
- Do NOT use the internet without a secure VPN connection. Many VPN services won't work, but ExpressVPN seems the safest and most likely to work in China.
- Turn off Wi-Fi and avoid any public / hotel / café Wi-Fi connections unless you are automatically connecting to a VPN at time of login.
- Avoid logging into any account on any shared computer.
- Assume all HTTP/S traffic outside of a VPN will be inspected and is thus compromised.
- Keep Bluetooth off – I'm not aware of any exploitable vulnerabilities in Bluetooth, but there's no sense in exposing the attack surface if it's not needed.
- Wipe the burner machine and re-image.
- Rotate any passwords used on the trip upon return. Use something like 1Password or LastPass to make this easy.
- If any services share a password you used while abroad, assume that password is compromised.
Each person's situation is unique and this advice is specifically designed for the businessperson headed to China, but if you follow it, you'll be a difficult target.