Navigating the world of information security

Category: Cybersecurity

  • Ethics and Integrity in Cybersecurity

    It’s an open secret that cybersecurity/technology vendors have a significant influence and impact in the enterprise information security space.

    Vendors often try to gain your business with gifts such as dinners, lunches or more. While there’s nothing wrong with that in general, it becomes a slippery slope with the bigger and more lavish items that you might be offered. This can truly position you in a bad spot, with vendors holding significant leverage over you.

    With that said, there needs to be a certain level of ethics from cybersecurity professionals and cybersecurity leaders who are entrusted with purchasing and implementing technology at organizations. For instance, officers and directors at organizations (generally) have a duty of loyalty and a duty of care, as they’re entrusted with steering the ship in the organization’s best interest. Regardless of your organizational role, breaching these principles can have lasting negative consequences, including the erosion of trust and respect across various teams and divisions within the organization. Once the organization and your peers no longer trust you, then you are set up to fail.

    So if you’re reading this, always take a moment to reflect if that fancy vendor paid experience or trip is worth your dignity and respect. Think about the potential of losing your trust from peers by being persuaded with lavish gifts and experiences rather than what’s right for the org, and think about what kind of leverage vendors might be holding over you. Your career is worth more than that.

  • Static Code Analysis in a CI/CD Workflow Using GitHub

    Integrating static analysis tooling (SAST) into CI/CD pipelines has honestly never been easier. So let’s set up something really quick using GitHub Actions and CodeQL.

    Here we’ve set up a “super secure” application, but before we deploy or check in code, we should probably set up automated SAST scanning.

    Navigating to the Security tab, you should be able to see the button to set up code scanning.

    Let’s add CodeQL! This is an AWESOME SAST tool that allows for so much customization. Click the button to add it to your repo.

    Here’s the .yml config, which shows the out-of-the-box configuration. It’s set to scan the main branch on push or pull requests.

    Go ahead and commit the .yml config and setup is done! This is just the default, out-of-the-box config, so this is barely scratching the surface. Below you see the jobs running.

    You can see in the image below that all the scans were automatically kicked off when a commit was pushed. Moving forward, all push and pull commits to the main branch will automatically be SAST scanned.

    And here’s the output of the results. Yay?
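    Since the screenshot of the workflow file isn’t reproduced here, below is a workflow of the shape the default CodeQL setup produces, written as an added example rather than the page’s own file. It triggers on push and pull requests to main as described above; the language list, the pinned action versions and the commented-out query-suite line are assumptions you should adjust for your repo.

    ```yaml
    name: "CodeQL"

    # Scan main on every push and pull request (matches the default config described above)
    on:
      push:
        branches: [ "main" ]
      pull_request:
        branches: [ "main" ]

    jobs:
      analyze:
        name: Analyze
        runs-on: ubuntu-latest
        # Least privilege for the job token: only what CodeQL needs
        permissions:
          security-events: write   # upload results to the Security tab
          actions: read
          contents: read
        strategy:
          fail-fast: false
          matrix:
            # Assumption: the repo is a Python app; list every language CodeQL should scan
            language: [ "python" ]
        steps:
          - name: Checkout repository
            uses: actions/checkout@v4

          - name: Initialize CodeQL
            uses: github/codeql-action/init@v3
            with:
              languages: ${{ matrix.language }}
              # Assumption: uncomment to run the broader suite instead of the default queries
              # queries: security-extended

          # Builds compiled languages automatically; a no-op for interpreted ones
          - name: Autobuild
            uses: github/codeql-action/autobuild@v3

          - name: Perform CodeQL Analysis
            uses: github/codeql-action/analyze@v3
            with:
              category: "/language:${{ matrix.language }}"
    ```

    Findings land under the Security tab as code scanning alerts, and a pull request that introduces a new finding gets an annotation on the changed lines.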

  • Incident Response: Free Online Resources for Quick Wins

    I wanted to share some free online resources for anyone looking to do some quick and dirty “spot checks” on suspicious files or URLs without having to set up a full-blown sandbox environment and get into malware analysis.

    The first resource is a super powerful online sandbox called Any.run (https://any.run/)

    Creating a free account is straightforward. Once you’re in, you have access to an environment to upload any suspicious files or to check a suspicious URL. NOTE: Do not upload anything that could potentially be confidential as this online tool will share the data.

    Upon login, we get to this home page above. On the top left corner, there’s a “new task” button. Let’s use it!

    We have a few things here when trying to detonate this. First, we selected a 32-bit Windows 7 VM (64-bit requires the paid version). Second, we grabbed a malicious URL from URLhaus. Let’s see what it does 🙂

    Here’s the tool setting up the virtualized environment and detonating the potential payload.

    …and the end result! Pretty awesome! You can see the suspicious link was “clicked” and the payload executed in an online sandbox environment hosted by any.run. There are several HTTP connections here and something definitely seems “phishy”! This could have been a user on your network!

    IOCs can be generated and sent to your SIEM as well!

    And the icing on the cake definitely has to be the MITRE ATT&CK matrix mapping! Nice!

    The second online resource I like is Hybrid Analysis (https://www.hybrid-analysis.com/).

    Hybrid Analysis is a great way to check a suspicious file or URL, with a similar concept to any.run.

    Let’s upload a file and see how it does! NOTE: Do not upload anything that could potentially be confidential as this online tool will share the data.

    In the image above, I uploaded a random pcap file I had lying around. The analysis checked it against VirusTotal and MetaDefender and it looks like it’s “clean”. Let’s try a malicious file now 🙂

    Here’s what the end result of a malicious file would look like. Yikes!

    Hopefully these resources can help you out for some quick IR spot checks. I’ll leave some additional resources below as well. Thanks for reading!

  • How to Properly Exit Vim

    I just use nano. 🙂

    (kidding! sort of.)

  • Are Cybersecurity Certifications and Degrees Worth It?

    I often get asked this, and my answer always shocks those who know me. I’ll be blunt: cybersecurity certifications and degrees are NOT needed to be successful in this industry or to attain a job in information security.

    While anecdotal, some of the most successful cybersecurity professionals I know either don’t have degrees or have degrees in unrelated fields such as Hospitality Management, Arabic Studies or Fashion. Additionally, one of the best security engineers I’ve ever worked with has no security certifications at all and has an unrelated business degree.

    Security certifications and even degrees (to an extent) seem very “gatekeep-y” to me. Not everyone has hundreds to thousands of dollars to drop on security training/certifications or degrees, especially if they’re just trying to break into the field. I personally think the industry might be actually missing out on some real talent with different perspectives because of this.

    Full disclosure: I have several security certifications and a cybersecurity degree, but I enjoy learning and taking those exams and courses. It really has nothing to do with attaining a job in the field (for me). When I got my first security analyst job, I had neither a security certification nor a degree. Subsequent jobs after that first analyst role were always attained based on my experience.

    What ultimately matters is competency. Employers want to know if you have the skillset necessary to work in the security field. Looking for certifications on a resume is an “easy” way for them to “determine” that, but really it’s not the only way to show that you know a subject in information security.

    So what do you do if you don’t have a security certification or degree and are trying to break into the field? Well, there are a lot of free things, but I’d say start a blog and write about things you’re learning. If you’re really new, Professor Messer has a great YouTube series on Security+. Hack The Box has a free tier and that’s fun to play with. Some great learning YouTube channels include Black Hills Information Security, IppSec, Stok, TheCyberMentor, and Network Chuck, just to name a few. I’d also recommend joining a local security group such as a local DEF CON group, and attending a BSides security event or other local security event (post pandemic, of course). Things like this will help you learn. Once you have a job in IT or in cybersecurity, then I’d recommend seeing if your employer can help with certifications, training or school.

    For me, I didn’t have the means to pay for certification exams or training before I got into tech. I was struggling to pay bills. I had no degree, no certifications and no experience. But I was determined to break into the field. I spent so much time online with various free resources, and volunteered at local auto shops helping them troubleshoot IT issues. Eventually, a hiring manager took a chance on me for my first IT position, which ended up changing my life forever.

    I’m definitely not saying certifications or degrees are useless; they have their place. Some jobs may even require them (such as DoD jobs). But at the end of the day, this is an industry that needs skills, not paper.