It's official... Kita is Certifiable!

Discussion in 'tech' started by Kita, 26 Mar 2015.

  1. Kita

    Kita Should Update Title

    You would be doing the world a favor if you made it a policy to break all javascript you come across :D And be sure to include how stupid the company is to be using Javascript on their website in your report, so management doesn't just fire the designers, they replace their damn code.
     
    • Like x 1
  2. Lain

    Lain End of line. #resist
    Sneaky

    Well, not only is Javascript making a comeback, but it seems VMWare is becoming more valuable than it previously has been.

    At a meeting this morning with clients I was hoping to sign, there was an inordinate amount of questions about VMWare. More than one would generally be concerned about as a security specialist.

    There's not much I need to know about VMWare, specifically, other than how to break it. VMWare is surprisingly robust, and generally not considered a worthwhile attack vector.

    Exceptions might be if I was looking to dump the cluster, or duplicate the guest devices. This type of procedure is over the top lengthy and totally worthless from a security audit perspective, and completely useless during a penetration test (yes, there's a difference).

    Blah. Maybe they call, probably they won't. I'm fluent in VMWare enough to use it for my own projects, and administrate existing clusters, but I am not what I would call a VMWare expert.

    Good Times
     
  3. Kita

    Kita Should Update Title

    Ya, I have gotten a bit of a whiff of VMWare being a big deal too. There are a number of job postings that ask for it specifically (but most don't care what you use), and the big red flag for me was the school I got my certs only offered VMWare classes as an option for learning virtualization. It was on my list of classes to beg for, but I tapped out my funding and couldn't get any more classes than I already had. It's a shame, because they threw money at tons of people who can't even finish their courses, taking away funding for people like me who could easily keep going into advanced stuff, and cheating out the people who spent their funding on something they couldn't get through. I guess that is where all the doubt came when I signed up, there must be a track record of people doing a career change and falling on their faces when they go to take the classes. Honestly, the school should be doing an assessment and rejecting students who they can tell won't be able to make it through. But rejecting money thrown at them by a government funded program would be bad business, of course. Just like updating the sad tech used in a TECH SCHOOL whose network and PCs are overwhelmed on a regular basis and unable to handle the load and demands of their own fucking proprietary materials. Sheesh. They charge ASININE amounts for their classes, and I did not see a single cent that remained on campus for improvements or spent on the students, nor was there any sign that a single cent had been spent on improvements for years. Everything was dusty old digital material given to everyone. Their obviously massive profits all go back to corporate. A shame.

    Ok, tangent. I obviously didn't think very highly of the school... :p
     
    • Hug x 1
  4. Lain

    Lain End of line. #resist
    Sneaky

    Understood. I don't think much of our education options in general. TBH I could probably have competently taught most of the networking courses I was enrolled in and had surpassed the programming requirements for most of my structured language classes long before I entered college.

    I'm currently trying to decide to remain dialed in and specialized, keeping my edge as a security analyst and pushing the boundaries of both technology and my sanity, or start rolling it back a notch, taking some softer contracts that are more about systems administration and policy shaping.

    That might limit my exposure to the parts of my job that tax my humanity and permit me to drop a few levels of cynicism (provided I stop looking at Facebook regularly ;) ).

    This latest contract is such a contract. They want someone to come in and clean up a mess the previous person left. They have a new IT head, but he's not an industry standard type, he wants to mold the shop into his version of what he thinks it's all about, which includes a large investment in co-location and virtual machines.

    Personally, I've always been a 'brick and mortar' girl. I like companies that invest the time to install a proper server room with adequate hardware, facilities, and resources to manage same, permitting the company to control its own assets, rather than placing their lifeblood into the hands of a co-location datacenter which may or may not be able to service the massive customer load they have taken on (because datacenters routinely take on more clients than they SHOULD be managing, then rely on automated software and lackluster technicians to babysit VM 'racks', calling someone like you or me when the fit hits the shan to mop up the mess).

    So....... whatever. I'm not going to degrade the quality of my performance or capitulate to ridiculous ideas that have no place in the modern world where security is one of the highest priorities and co-locating your administrative and finance servers is a huge boner.

    Good Times
     
  5. Lain

    Lain End of line. #resist
    Sneaky

    And javascript sucks, let it go! :p
     
  6. Kita

    Kita Should Update Title

    Oh my. If you decide to invest in ANY skills, you should focus on cloud computing. I have been doing tons of networking, tons of interviewing, and EVERYONE is moving into the cloud. The Brick and Mortar ops are vanishing. I was also originally focusing on applying to places that hosted their own services on-site, since that is also where I am most comfortable, but found this to be way too limiting to be feasible to find work. It is also why there are no technician jobs available. Tons of data center net admin and coder jobs, but almost none for techs. Most tech jobs I see are temp contracts through staffing agencies and sound like just setting up offices. The company doesn't want or need full time techs. Everyone is moving their operations to the cloud with no plans of ever hosting their own, no matter how big they get. Like you are seeing, even large companies are switching over, using centralized co-data centers, a hosted service (check out companies like Switch who host things like fucking Ebay... they are MASSIVE), or their own little building in Nebraska or some shit. Oh, I am seeing tons of job listings specifically requesting AWS experience too, so keep an eye on Amazon's cloud services if you play the stocks. :p Anyways, companies don't want to deal with their own tech, and outsourcing is the new model for every department.

    I think it is a lot of 'passing the buck' kind of mentality. The data center worries about security, back-ups, availability, and keeping the equipment up to date. That is a shitload of paperwork and load off of senior IT management, and I wouldn't be the least bit surprised if this mass exodus to the cloud is because management wants less on their plates. It is a single point of failure, of course, but that has always been a problem in the enterprise IT world, even when they kept their shit on-site. They want so badly to have 'simple' solutions that are easier for managers to deal with that they hobble themselves.

    I have a sneaking suspicion this will be a constant point of contention between me and senior IT management once I get into the game. I know I will find solutions that are a single point of failure (and may or may not be working correctly) and be a constant place of concern/ constant employee frustration/ constant stream of repetitive work for me, try to get something new to fix it, and end up getting into arguments and slapped down by management who are fine with 'good enough for now'. With the little work I have done in security and talking to people, I know that the attitude most take is the same as the one I have encountered with management in other fields; 'We haven't had a problem yet, so the solution is fine'. And I cannot convince any management otherwise, because that is the mantra of management. They don't differentiate different departments and how the needs require different tactics. IT managers are regular managers who are good with computers, or IT people who have been out of the game too long to keep up. Effective management is their first priority, and effective solutions are defined by them as effective management. This is why I DESPISE middle management and the corporate world. They are setting themselves up for failure, and I have been playing this game for years. Even prepping food, I didn't hear it *too* often, but from management I have gotten "I haven't made anyone sick yet, so doing it this way is fine." You can imagine how much that shit made me cringe. There is a reason I was the health code queen; I was horrified with what I saw and wanted to do all I could to fix things, and used health code regulations to back me up. Not so lucky in IT. IT doesn't have regulated standardized requirements that I can point to in order to justify taking preventative measures or fix shit that is very wrong. Company policy is always a joke, no one ever follows it and it is always filled with holes. And no one ever enforces it. Even if it requires something like a secure password, I can point to it and be brushed off and told to stop 'rocking the boat' and to just 'work with the team'. I am not one to follow rules just because they are there, I follow them when they make sense and have a damn good reason for existing. Neutral good over here. If the rules exist so good can be done, then I follow them. If rules prevent good from being done, I blow them off. I think management is Neutral lazy. It must be a thing.

    Ok, morning caffeine ramblings :p But, ya, get used to seeing everyone in the cloud, and start to beef up whatever you need to in order to accommodate it. You are going to corner yourself out of work if you only take brick and mortar, because the industry is not going to stop shifting to the cloud. And it is happening quickly too, new companies don't want the cost of setting up their own server room and are starting in the cloud, and companies due for upgrades are saying 'screw it' and moving into the cloud instead of upgrading. You may even find yourself staring down an aging rack room, management who doesn't want to pay to upgrade, and the only feasible thing you can recommend is to trash the racks and move to hosted services. If you can find a decent one that meets your specs for security, you can save them from choosing a worse service, at least.

    I know it is a thing that companies would rather pay $5000 to repair a 25 year old super special system than pay $15,000 to replace it, even if it has needed $5000 repairs yearly. So they are all for paying $5000 a month for hosted services rather than $50,000 for new racks. That is corporate math for ya. And the lesser of two evils is really the best option sometimes. You can't save them from themselves, but at least you can turn them in a direction that will be doing the *least* damage or is perhaps easier to clean up before they dive off a cliff.
     
    • Hug x 1
  7. Kita

    Kita Should Update Title

    Oh, and everyone wants me to know Azure and Citrix setups for basic tech jobs, which is a killer for me since I won't ever get experience with them until I get my foot into the enterprise door. It is a sign of how dependent they are on the cloud, and how I am both way over-qualified and under-qualified. Some nose-picker who has been remotely imaging and resetting passwords on terminals for a year is more qualified to work on systems for big companies than someone like me who can build all their systems from scratch with just a budget and a consultation, and troubleshoot and fix any and all issues with PCs. They don't need that. They want to image the system if there is a problem, trash it and requisition another one from their supplier if that doesn't fix it, and reset passwords all day instead of teaching people how to use systems securely. Systems are not customized, they are standardized based on images built by one person. They don't care that I know how to build nice systems and optimize them, they have one guy who gets paid good money to build and order and manage the same system used for the hundreds of terminals. They just need grunts to follow instructions.

    This world is not for me either. :(
     
    • Hug x 1
  8. Lain

    Lain End of line. #resist
    Sneaky

    Maybe we need a new niche. Time to brainstorm some new models.

    I'm comfortable as a consultant, working multiple contracts instead of working for a singular entity.

    I just need to roll it back a bit. Maybe I start delegating more of my 'lesser tasks' to a qualified apprentice who hasn't yet been bombarded with the sickness that is humanity.

    This leaves me free to do more pen testing and less auditing.

    For the uninitiated, security audits are generally performed with full knowledge of the IT staff in advance, performed on site by the auditor(s), and limited to times when systems are more likely to be idling so as to have the least impact on daily workflow.

    Penetration testing is usually done with full knowledge of the IT MANAGERS in advance, is performed in a variety of locations, and is not limited to times when the system is more likely to be idling; in fact it is encouraged to engage the system and its caretakers at times when they might be impacted by the engagement (because not all hackers are savvy, and not all hacks are meant to be subtle).

    Social engineering is almost never a part of a security audit, and is almost always a portion of a penetration test.

    Security Audits are meant to assess a system's possible vulnerabilities to standard engagements performed on a regular basis by a variety of assailants.

    Penetration tests are designed to achieve a goal, capture the flag style. Examples include assuming control over a server(s), network device(s), Point to Point connections, denial of service assaults, replacing credentials, removing credentials, creating credentials; the list is infinite and all goals are outlined in advance, so that the target's IT management can observe the process without interfering with the process.

    Penetration tests usually are done within a 'window' of time, while Security Audits are always scheduled for a given time, and performed with the assistance of the IT staff. For example, you might know that sometime in the next two weeks someone will be engaging your system. You do not know who, what, when, where, or what type of attack is coming, only that you can expect something. Usually by the time the client knows the Penetration test has taken place, it's already been completed.

    I'm really baked so I'm just doing a brain dump and probably no longer posting anything of value.

    Good Times
     
    • Like x 1
  9. Lain

    Lain End of line. #resist
    Sneaky

    I remember one of my original points ;)

    Security Audits are more likely to produce results that will make you wish you hadn't seen them. This is where you will be scanning each and every node on a system and if the client so desires, examining staff workstations and laptops to see if they are complying with company standards, have proper policies in place, haven't installed or removed mission critical software, and are generally behaving.

    Security Audits lend the advantage to the client, as they have time to prepare in advance and are aware of the attack vectors being tested, as such they will focus on those areas explicitly and usually you find those areas are bolstered more so than they might usually be. (But this is good they took the time to learn to beef shit up, never bad).

    This situation is cooperative and not adversarial (until you present them with a list of shit they did wrong, a list of staff members who have violated policies, and/or illegal content found on one or more nodes they are charged with policing).

    Penetration testing is more of a game where it's you against the client. In this situation, the Penetration tester has a clear advantage because the client has already done what they feel is the best they can do, and are set in their policies and standards, they see it as an adversarial situation in which you're challenging their ego and they are trying to prove that 'some girl with a bit of skills' will never get beyond their infallible defenses. (Sidenote, there is no such thing as infallible defenses).

    Here I go rambling again. Pineapple Express, has an energy kick to it. :D
     
    • Like x 1
  10. Lain

    Lain End of line. #resist
    Sneaky

    Persons considering a career path in Security Consulting, a topic that encompasses a large array of specializations, would be wise to take a course, read a book, or otherwise familiarize themselves with Kali Linux. This is the new standard for Security Auditors and Penetration Testers.

    Kali Linux is a project continuation of the Backtrack Linux project. In its most basic form, Kali Linux is a live security distribution that contains hundreds of pre-configured and ready to use auditing/penetration tools for professional security types.

    Certification in Linux is a must, certification in Kali Linux is a worthwhile investment, it will be the tool of tools for the next half decade to be sure, who knows what will happen in five years.

    Learn to use it, install it, tweak it, change it, compile it, break it, and carry it on a USB drive at all times, because you never know when you need to throw a beatdown on some smartass who deserves it ( ;D).
     
    • Like x 1
  11. Lain

    Lain End of line. #resist
    Sneaky

    • Like x 1
  12. Kita

    Kita Should Update Title

    Ya, security audits pretty much use standard tools and procedures, right? That does sound like apprentice shit. Lots of shitty paperwork too. I am sure you can pay an apprentice to run your packages for you, leaving time for you to take on more Pen tests, and still come out on top. In fact, that is how you grow! You can take on more clients if you have someone under you, then soon your apprentice is now teh mastah, you hire another apprentice for yourself and the new mastah, and it just snowballs. That is how I plan to go about with "Kita's Big Plans". Get some people who know their shit working under and with me, teach them, and form a team. Evaluate, pick out the superstars, give them their own team. I can work my way up to take on MUCH bigger projects and be given wads of cash for these all-in-one solutions (remember how I was saying how much corps love that shit?) and end up as the queen on top, taking in the reports and info gathered by my minions and packaging stuff together into a solution that is passed down back to them to implement.

    In your case, I am not sure if you stick strictly to reports, or if you also provide recommendations for fixes and solutions. I don't know the security world well enough to know if the companies prefer to have their team fix it based on reports or if they need their hands to be held. But this might be something that is needed but not really offered. Especially when the single point of failure (their internal Security Team) already failed them with the solutions they provided, and perhaps there is a need for the auditors to provide some solutions that can be worked into their current program. The solution becomes multi-pronged, and if you have little breakout teams, each one will find something different and have something new to add. It becomes the opposite of an all-in-one single point solution, but frankly, is the best way to address security. I think ultimately, you could do something similar to what I am aiming to do, where you work your way up, taking bigger fish clients and adding to the scope of what you do as you hire more minions. Eventually, you could be at a point where you just do pen tests for fun, and can seriously just hang out at home with Bunnie in mostly retirement, prepare reports based on the findings of the minions, coordinate them from home, and only have to show up to initial consult with the giant bill and to give a final report and take the check. You rake in the dough and land the whales while the minions do the actual work. You don't have to look at anything except THEIR final reports that you bundle together. The advantage of that model in security is that you can schedule different teams to head in each time, test something different, and implement something different, and remove single points of security failures (their clueless internal security teams). Their security teams are like the minions of YOUR minions, since they have to carry out the solutions your teams put into place.

    I suppose there are plenty of companies that do security solutions, but like I said, I don't know if they stick to standardized shit. Because that is their flaw that you can find a niche in if so. Don't use standard solutions or proprietary software your uber security corp developed. Keep the shit new and up to the team to develop, then always mix it up when you send people out. Thinking like a hacker is what the security world is all buzzy about, and letting your teams get creative and always trying new vectors with fresh teams and perspectives is how to do that. I have found security to be FAR more interesting than network or system design for that reason; the more creative you are, the better you are at your job. The model I would follow for systems deployment for my own plan would have me honestly using a pretty standard deployment that I tweak a bit for each case, but otherwise would just be taking preconfigured and preplanned shit, plugging them together, and sending it out. But security needs a different approach. A logistics hub (you) for dispatch and assignment, but otherwise, the teams are only following loose guidelines that you set forth, and using their judgement to find the best way to make it happen. If you hand pick and train your team leaders from the beginning, keep yourself involved until it is able to take on a life of its own, you can have confidence that they would be doing shit the way that you would do it. And just sit back in mostly retirement with Bunnie, and rake in dough. It is like the CISO life, showing up for meetings and making tons of money for it, but without being tied to a soul-crushing corp. :)
     
  13. Kita

    Kita Should Update Title

    Kali has been on my radar for a bit over a year now. Still haven't played with it... but it is on my Pi USB as one of the installs to try! Yes, there is an ARM version of Kali :p It would be AWESOME for an ominous black pi box that handles VPNs and maybe even TORs. Something easy to slap on the home network, and maybe even to turn into a custom firewall or proxy or something. Cool stuff can be done. :) Kali can be the gatekeeper to the home network or remote access, so you can use a mixed system environment and still get consistent security. You can lock down the IoT devices that are notoriously insecure too. Once I figure it out, I am gonna pop it onto a live boot USB and load it up with security tools. I have only used very basic stuff up until now because I really haven't had a need/ been exposed to anything really serious yet.
     
    • Like x 1
  14. Kita

    Kita Should Update Title

    Must be the season... I am getting overwhelmed with interviews!

    Good problem to have :) I have really slowed down on the applications, because I am fielding interviews and emails and calls for a number of good positions. I am very hesitant to interview for some crap jobs in town. Two had good interviews, but are the worst jobs I have interviewed for. One is help desk, and the guy keeps playing it up as a highly technical role. He really wants me for some reason. I would be sitting at a desk, helping people connecting their i-devices to the company product. Just... no. Not when I am getting this many interviews for actual tech jobs that probably pay more. It was a referral and I really don't want to tick off the network it came through, so I am humoring the process.

    Also interviewed for a seasonal technician job at a distribution center. They pay very well and hourly, from my understanding. But, it is seasonal and not much room to grow fixing computers in a warehouse. It's an easy in, easy out, at least. Get experience on my resume and keep applying in the meantime, ready to bail at the end of season. The issue is signing a lease for a place then being tied to town, which I do NOT want. My parents don't want me here if I am working. It would be messier to deal with than a clean break out of state with a full time gig. New opportunities should open in town next year, so it wouldn't necessarily be all bad... but I really want out of here if I can't secure something I actually want.

    An in-person interview tomorrow (maybe, still waiting to get a firm time) and a phone interview too. Video interview Monday. Waiting to hear back to set up another one later in the week. And two more emails I fielded and am waiting to hear back from. (one from Amazon! FINALLY.) Waiting to hear back about the interview today, the one two weeks ago (they said 2-3 weeks) and that other one three weeks ago (not holding my breath, should have heard back by now :( ) I lost count of how many phone screenings I fielded and never heard back from. I have a feeling I am forgetting another interview I did too. Meh.

    I just hope these interviews move quickly, before I take the crap jobs out of uncertainty/ insanity. >.<
     
    • Hug x 1
  15. Lain

    Lain End of line. #resist
    Sneaky

    Yes, most of the time. You will find that some shops prefer certain toolsets over others when performing audits, this usually has to do with insurance concerns or maybe the admin just likes a particular set of tools. I carry a large variety of tools, both Windows and *nix based, but tend to push Kali when I'm prompted for input, or provided with a choice.

    The short answer is that everyone wants to believe they are the most expertly trained person on the planet and will take an ego blow when this is proven otherwise. What people need to understand, and convincing IT types of this is like trying to solve a crossword puzzle blindfolded, is that no one is perfect, and we're all working to the same goal, security.

    Generally, my team offers a report we call, "Suggested remedies for issues presented". In this report, we outline the issues we've deemed as important to address, and listed them in our assessment of their priority to be remedied.

    In this report, we also list, briefly, the standard fix (provided there is one) for each issue and references to more information. We then offer the client three options.

    1. We can walk away and it's all your issue. If anything goes wrong, it's on your team because my team has signed off on the report and you have signed a disclaimer stating that we provided what we believed to be solid remedies and you chose to dismiss us and handle the issue internally.

    2. We can stay, and advise your team (usually we leave a contact and move on to the next contract, she's our public interface most of the time, and is needed at the beginning and end of the project) on how to remedy the issues, allowing your team to address the issues while we watch and assist in understanding the whats and whys for the corrections.

    3. We can make the corrections for your team, then provide your team with training (or not) if you so choose. This is the only instance in which my team will assume responsibility should an issue occur within the first quarter following the work (provided that your team has not made 'adjustments' to the remedies we've put into place, and we're not responsible for things we didn't remedy).

    Now you understand why I moved to Penetration Testing, and am doing very few Security Audits. PT is where the dynamic work is, and the challenge to invent crazy solutions to issues most people give up on.

    Welcome to my world. You're going to make a great security type, and that's less stress on the rest of us. ;)

    To dream. :D
     
    • Like x 1
  16. Lain

    Lain End of line. #resist
    Sneaky

    Real world Penetration Testing

    Problem: Access information located behind a robust firewall/IDS on a network that enforces strict password rotation policies. IT management is savvy but overworked. Wireless scans provide no possible wireless access points for remote access. Network is standardized point to point to local broadband provider.

    Solution: During a recon visit to the site an open LAN jack was discovered in a location that was obscure enough to go unnoticed. A Nanorouter was installed over the open port (appears as a wall blank now), and the PoE boots up the Nanorouter. Now wireless access is available to the Pen tester.

    Pen Tester scans the network. This LAN port is on a public subnet that has been segregated from the administrative side. This is good policy. The bad part of the policy is that someone, probably from IT under orders from someone clueless about technology, created a trust between the public network and the private one for all addresses in the upper C block of the assigned subnet (for the layman this means if I use the right address, anything above *.*.*.225, I will traverse from the outside of the public network to the inside of the private one, negating the effect of a firewall and a segregated subnet).

    Resolution: Security by obfuscation is never the answer. Security specialists worth their credentials will assess the value of each and every address on the subnet they have access to (because of shortcuts like this). Install a properly configured VPN server and condition your staff to use the VPN when accessing the internal network from public spaces outside the office.
     
    • Like x 1
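The per-address assessment Lain's resolution calls for, as an added example that is not part of the original post and not Lain's tooling: a small first-match firewall model, the weak policy (a trusted upper block of the public subnet) beside the hardened one (only the VPN gateway's port reachable from the public side), and an audit that walks every host on the public subnet and reports which ones can cross into the private zone. The subnets (192.0.2.0/24 public, 198.51.100.0/24 private), the VPN gateway address and port, and the ruleset are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology (assumptions, not from the post): public-side subnet
# 192.0.2.0/24, private/administrative side 198.51.100.0/24 (RFC 5737
# documentation ranges), and a hypothetical VPN gateway at 198.51.100.10:1194.
PUBLIC_SUBNET = ipaddress.ip_network("192.0.2.0/24")
PRIVATE_ZONE = ipaddress.ip_network("198.51.100.0/24")
VPN_GATEWAY = ipaddress.ip_network("198.51.100.10/32")
VPN_PORT = 1194


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None           # None means any destination port

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.port is None or self.port == port))


def evaluate(rules, src_ip, dst_ip, port):
    """First-match semantics with an implicit deny at the end of the chain."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return "deny"


def check(rules, src, dst, port):
    """String-friendly wrapper around evaluate() for ad-hoc queries."""
    return evaluate(rules, ipaddress.ip_address(src), ipaddress.ip_address(dst), port)


# Weak policy, mirroring the shortcut in the post: the top /27 of the public
# subnet (.224 and up) is trusted straight through to the private zone.
WEAK_RULES = [
    Rule("allow", ipaddress.ip_network("192.0.2.224/27"), PRIVATE_ZONE),
    Rule("deny", PUBLIC_SUBNET, PRIVATE_ZONE),
]

# Hardened policy: the only thing a public-side host may reach on the private
# side is the VPN gateway's service port; everything else is denied.
HARDENED_RULES = [
    Rule("allow", PUBLIC_SUBNET, VPN_GATEWAY, port=VPN_PORT),
    Rule("deny", PUBLIC_SUBNET, PRIVATE_ZONE),
]


def exposed_public_hosts(rules, probe_ports=(445, VPN_PORT)):
    """Walk every host address on the public subnet and return those that can
    reach any private host on any probe port, other than the sanctioned VPN
    gateway port. This is the address-by-address assessment the post describes."""
    exposed = []
    for src in PUBLIC_SUBNET.hosts():
        found = False
        for port in probe_ports:
            for dst in PRIVATE_ZONE.hosts():
                if dst in VPN_GATEWAY and port == VPN_PORT:
                    continue   # reaching the VPN service is the intended path
                if evaluate(rules, src, dst, port) == "allow":
                    exposed.append(str(src))
                    found = True
                    break
            if found:
                break
    return exposed


if __name__ == "__main__":
    weak = exposed_public_hosts(WEAK_RULES)
    print(f"weak policy: {len(weak)} public addresses can cross into the private zone")
    print("  first/last:", weak[0], "...", weak[-1])
    print(f"hardened policy: {len(exposed_public_hosts(HARDENED_RULES))} exposed addresses")
```

Run as-is, the weak policy reports 31 exposed addresses (.224 through .254) while the hardened one reports none; the brute-force walk is deliberate, because a rule like the one in the post is invisible if you only test from the one address you happen to have been handed.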
  17. Lain

    Lain End of line. #resist
    Sneaky

    We should write a real world security book. The problem is there are so many books already. Talked myself out of it.
     
  18. Lain

    Lain End of line. #resist
    Sneaky

    Real World Penetration Testing


    Problem: Access ADS Domain controller to create unauthorized user and elevate privileges for admin access.

    Solution:

    PenTester (over phone): This is Shiela from corporate (yes Shiela is a real person and she works at corporate and she happens to work in IT, she's a boss, but a busy one we don't ever talk to, mostly e-mail), I need to add a user to the system, there's an auditor coming in to run quarterlies and we're behind schedule. I will fax over the information, make sure that it gets done before they arrive this afternoon.

    The receptionist will now receive a fax, from Shiela's office. (This is not a magic trick we're in Shiela's office, we've asked to use the fax machine, we're there servicing her Verizon account and need to get the changes in immediately so she can resume her work day ;) )

    The help desk tech will now do one of two things. She will either give the information to the IT manager, who will execute the fax because it came from the right place on company letterhead after a pushy call from Shiela, or she will do it herself because she feels the urgency and wants to impress her superiors.

    Turns out she executed the fax herself, in the hopes that she would impress someone and be seen as a person who gets things done.

    Resolution: Even when it seems that information is coming from a credible source, always verify. A quick Google or a call to the vendor supplying the alleged auditor will either confirm or not the existence of the auditor. Really, though, this one is on Shiela. We simply walked into her office with a Verizon shirt on and started talking about her account as if someone had called us and we were there as they had requested. Rather than verify any of it, she allowed the auditor access to her phone, laptop, and router, and then allowed him to make a fax on company letterhead.

    Good Times
     
    • Like x 1
  19. Kita

    Kita Should Update Title

    A real world security guide is what I need, cause that is what I am missing! I have all the book knowledge from reading shit online, studying, and shooting the shit with techies, but I have never done anything beyond the super basics. I wouldn't know where to begin in an audit without cheating and googling a step by step ;)

    Cause, you see, I know enough to be dangerous. I follow everything you are saying and understand the scenarios... but I never would have figured out a solution on my own because I never have had my hands on these things enough to intuitively know what to do and jump in. There is something to be said about framing all that practical knowledge into a scenario in order to get someone's brain thinking creatively with all that knowledge. :) For some reason, the social engineering is actually where my brain always snaps to first with pen testing. I think it is partly due to the drilling in my studies of how important social engineering is in real-world security, and partly due to the intersection of what I HAVE seen real world in terms of putting too much control in the hands of people who are clueless about security. I am at a bit of a loss mostly when it comes to applying networking concepts. I just plain haven't worked with them, so intuitively, don't know where holes exist because I don't know how they are set up. I think that once I start setting up large networks, wiring (or at least mapping) up buildings, the security creativity will begin to come to me naturally. I will look at something that doesn't seem right, and my brain will think 'what if...' as I consider all the bad things that could happen if things remain out of place. And I remember those things, and can use the knowledge of those little holes when I wind back around to security.

    I am kind of hoping to get a good position where I can see and touch all these things I haven't. It's why I couldn't give two shits about help desk. I know how to solve those problems, and what information I will learn is small compared to what I can learn if I was working with the whole big picture. Network setups is my big hole, followed by implementing security on large scale, even though I know conceptually what is needed and best practices. It's like I know the rules to a game, but have never actually played it. ;)
     
    • Like x 1
  20. Lain

    Lain End of line. #resist
    Sneaky

    It's a learning process. Experience makes it more fluid. You're basically paid to be a professional liar. You have to be able to think a bit deviously (which is why hundreds upon hundreds of security audits are a great preparation for the crazy shit people will pull to obfuscate their perversions).

    The best Pen tester is a grey hat, who isn't afraid to acknowledge that sometimes people might have to die to get the job done (I kid, but seriously sometimes collateral damage is just what happens, no one has ever died but once I dumped a cluster of file servers as an unintended consequence of something I did intend to do and the guy didn't have proper backups, which I always recommend before the test, and why I do them myself now if I'm going to wreck shop on a server).

    Social Engineering is just salesmanship. It's putting a slight bit of truth together with a whole bunch of bullshit and being confident enough to believe it. Worst that can happen is they don't buy it and you hit someone else, or try a different approach.

    Those little blurbs look simple when put into little blurbs but there's hours and even days of research on a target before anything is put into motion. You choose soft targets because they're easy to manipulate, and luck has a good part to do with it. (Who would have guessed some idiot patched over the upper C bracket?)

    Most of all, believe it. If you're the fucking Verizon tech, then be the Verizon tech. Know the lingo, have some names to drop, always helps to find a shirt somewhere with a logo on it, and slap together a fake name badge with your face on it, the logo, and random official looking whatevers. Only Verizon staff is going to be familiar with their badges, but it looks official and halts questions before they are asked.

    If someone objects, play the sympathy card, people are suckers for sympathy.... "Listen, I know I'm late I'm so sorry. This is my third late appointment this week I've been so swamped with the new job and all of these kids are running circles around me" --- Most people will empathize with having a shitty day, being late, having stress at a new job, being jammed by younger people trying to make them look bad.... observe your target and pick an angle. Sometimes you lose, but over time you learn to win more often than not.

    Appearances and bullshit go a long way when coupled with people's need to believe that they are immune to being tricked by a social engineer. You can see them at meetings about social engineering, sneering when you make comments about being on watch for people working an angle.
     
    Last edited: 15 Oct 2015
    • Like x 1
