Don’t shoot the #Infosec Messenger


When making a security disclosure to any organization or company, one must be delicate and careful in crafting the message to the recipient. It is not an easy process to disclose that there are issues, especially when it’s unsolicited. No one likes to hear there are issues in their cybersecurity.

However, to companies and organizations who do receive these disclosures, take a moment please to not shoot the infosec messenger. As someone who identifies security issues day in and day out, I can say it is a thankless job. Countless hours are spent poring over information data sets, and at the end of the day, researchers rarely see a bug bounty like the ones you hear about from Facebook or Twitter.


It is extremely sad to hear that the recipient of a disclosure jumps to the conclusion that the messenger is a rogue, malicious actor. However, think about it for a moment. The fact that an individual or entity took time to say something to your organization or company should generally be an indicator that their intentions are not malicious or ill-intentioned, that they potentially found something of interest, and that it might be worthwhile to investigate. If their intent was malicious, they would never have taken the time to reach out and say “there’s a potential problem and it doesn’t hurt to take a few moments to look at it with some scrutiny.”

It is also not an opportunity to be disrespectful or unprofessional to the individual or party who reached out to contact you. It is not the opportunity to insult their analysis. They most certainly do not understand your business processes. They may very well have information, or intelligence feeds that you may not know exist. The really good researchers know how to leverage those intelligence feeds and do not require any tools or scans to be launched against your infrastructure to determine security issues.

Being disrespectful or unprofessional to this very individual or company may lead to potentially awkward future moments, where they may be the people you will call to help you out when there are security issues or data breaches.

If there are questions about the analysis, it never hurts to ASK politely and professionally. If the conclusion is incorrect, or data doesn’t match, ask them how they drew their conclusions and their analysis. (You most certainly do not have to volunteer any information to them, for social engineering concerns.) Most entities whose intent is to help you will offer information on how they drew their conclusions and share with you what they found.

It is never wise to burn a bridge.

CyberPatriot National Finals this week


This weekend marks the end of CyberPatriot VI with the National Competition at the Gaylord National Convention Center in National Harbor, MD. It has been an amazing journey these last few months guiding and training these brilliant young minds at Troy High School. As my responsibilities and duties conclude for this season of CyberPatriot VI, I reflect upon the joys, the frustrations, the highs and the lows. And yet, I cannot help but smile and experience joy at every moment. Honestly, I felt like I got the better end of the deal. I gained so much more and grew in so many ways that I think my mentees do not even realize.

I want to say it’s easy being a cybersecurity mentor, but it is almost like a full-time job. Thankfully my colleagues at Net Force have been gracious enough to allow me some leeway to make up some hours in the evening during mentorship sessions. Thank you to my colleagues for the flexibility and patience with my ever-changing schedules.

I am extremely proud of each member of this year’s CyberPatriot VI team at Troy High School. I kept throwing more at them and they kept rising to the challenge.

I encourage everyone to consider mentoring a team or a few students next year. It is extremely rewarding, emotionally and spiritually.

To next year’s mentors:

  • Care for your mentees. Make that emotional investment. There is nothing more rewarding than when they see you and their faces light up. Especially in victories, when they see you, they will come running to you and hugging you. You will in many ways become an older brother/sister figure in their lives.
  • Be patient. Be compassionate. Be merciful. Be full of grace and forgiveness. Mentees will drive you crazy. Mentees will make mistakes. This is all part of the learning process. That is why they are here: to learn, to grow.
  • Be accessible. Be available. Students hear the word mentor and they automatically put distance between themselves and you. Close the gap and engage them. Engage all of them. Even that shy mentee in the corner. Get to know who they are.
  • Encourage your mentees. Build them up. It is easy to become discouraged. Each student has unlimited potential. We as mentors need to teach them how to harness that potential.
  • Everything matters. The technical skills. The soft skills. The behavior. Who they become as an individual. Help them to become better men and women. Groom them to be polite, respectful, honorable young men and women. They will adopt your behavior, your good and bad habits. Chivalry is not dead. 😉
  • It is okay to not know everything. I will be the first to say I don’t know everything or anything. Don’t be afraid to ask for resources, help, guidance and wisdom. I attribute much of my success with my group of mentees this year not to my own knowledge or doing, but to going out and asking questions, seeing how my professors and other coaches/mentors approach things, and actively listening to them. Everyone will share with you a small bit of information which will tell you what worked, and what didn’t work for them. Focus on your strengths. Identify your weaknesses. Let those who have strengths in your weaknesses help you.
  • Most importantly: what you do matters. By being a part of their lives, you will shift their lives in ways you will never know or understand. Positively influence them. You will inspire them to achieve great things.

To my mentees/protégés/future colleagues/friends/brothers in cybersecurity:

  • If you happen to win this week, awesome, but give it your all. Have no regrets. At the end of the competition, walk away with your heads held high knowing you did your best at that moment in time.
  • Be confident in your skills. You know your stuff. You have been preparing this entire academic year. You are ready. Remember, this is a journey of a lifetime. This is only the beginning of something amazing. Not the end. Tomorrow is and will be another day. This is the time of your lives right now. You’re never going to forget it. It will be all over in a moment. No sad faces. No regrets. Just go out there tomorrow and have a blast. Live it. Carpé Momentum. (Seize the Moment). Have fun.
  • I have complete confidence in each of your abilities, talents, skills, knowledge.
  • I’m extremely proud of each and every one of you. Each of you has grown so much and I cannot stress enough that each of you is an amazing individual. You’ve won my admiration, my respect, and I look forward to the day each of you joins the ranks in this industry full-time. Each of you has accomplished much this year, and to the senior class that is leaving high school, I hope all of you will return and mentor future CyberPatriot teams and individuals. I hope you also look at being part of the US Cyber Challenge as well.

If you are in the National Harbor, MD or DC Metro Area this week, I encourage everyone to come out this Friday, March 28 and check out CyberPatriot VI. Tours will be given all day at the competition venue (Gaylord National Center).

2014 Western Regional Collegiate Cyber Defense Competition (WRCCDC) Analysis


Last Saturday marked the beginning of the 2014 Western Regional Collegiate Cyber Defense Competition Season with the successful completion of qualifiers. Over the past four years, I have watched this competition expand and grow so much that there are now fourteen universities and colleges across California, Nevada and Arizona vying for a chance to compete at the National Collegiate Cyber Defense Competition with several more schools looking to assemble teams in coming months to compete in the 2015 season.

For the schools that advanced, congratulations. See you at the end of March where you will face off against some members of our own Net Force Red Team.

For those who were unable to advance, and walked away disappointed, don’t be. This is merely the beginning of your journey.

I encourage you to continue pursuing this field, this challenge, and don’t give up! Failure only happens if you walk away and give up. No one becomes good in this field or any other field without hard work, and practice, practice, practice. There is no secret to success.

Furthermore, WRCCDC itself has increased in challenge and difficulty, and it will continue to be that way. It’s not meant to kick you out of the competition because we don’t want you there. We honestly do. Rather, the adversary is getting better every day and we need to get the good guys to be stronger, faster, better, in terms of being able to do analytics, analysis, triage, and incident response. Truthfully, we are far behind where we should be. The adversary is becoming stronger each and every day and we are too. We simply have not overtaken them yet.

Lessons Learned:

Here are some notes on things you most likely experienced and areas to work on. Not everything will apply; however, after watching four seasons of teams compete, there are always a few items that stand out and affect all teams.

  • Know your environment. Know your network. We always provide a topology as a snapshot and a baseline reference. It always gives you an idea of what is possible to expect. It is also like real life. Network topologies are highly inaccurate and always inconsistent, especially in real life. But moreover, the network topology is also an indicator of where there may be potential single points of failure. For example, in the qualifiers, the central point of failure was the pfSense box. If it went offline, it took everything offline.
  • Know where the low hanging fruit is. It’s important to know that what hurts the most in long term is going to be the low hanging fruit. It’s always the easiest fruit and tree branch that an adversary will grab onto first. If they successfully pluck the tree of its fruit or grab onto a tree branch, it’s hard to shake them off. Low hanging fruit consists of the most CRITICAL patches, as well as those pesky user credentials, among other things.
  • Know your game plan. Five minutes of planning is better than spending fifty minutes running around like a chicken without a head. The first five minutes should quite literally be all muscle memory to the point where you can come in running and know what to do without asking what needs to be done. Constantly strive to optimize your processes, and find ways to shave off a few seconds. There is always some way, a method, a technique, something that allows you to do things faster, quicker, better, smarter and expend less energy. Saving a few seconds here and there will add up to minutes and possibly hours of savings when keeping the red team out.
  • Know the services, and know what makes them tick. Every service, whether it be web, mail, FTP, Active Directory, or DNS, has a certain combination of ports and components that make it function and tick. For example, you can always assume that the Active Directory box is also a DNS box. Or that if there is an eCommerce box, it’s likely powered by some sort of database. Know what ports each service uses too.
  • Know your role. Know where your single point of failure is. It’s important to be able to spread the workload and be able to know when someone is being overwhelmed. Everyone should have their specialty, but everyone should have some of the basic knowledge of how to do some of the basics or get a subject matter expert to the place where they need to be where they can do what needs to be done. Too often teams have a single expert in one area, and unfortunately teams underestimate where their single point of failure is. When it does happen and something fails, things tend to go horribly wrong.
  • Know more than simply technical skills. Brush up and polish up your soft skills. WRCCDC is simply more than a technical competition. It is a business competition. It is about people, processes, and technology.

    WRCCDC, like any other CCDC, is a test of your ability to manage stress, your project management skills, your leadership skills (remember everyone can lead, not everyone has the authority), your skills as a team member, investigator, communicator (with each other and with management), and writer, and your wisdom to know when you need to ask for help when you’re simply overwhelmed. There are simply so many soft skills that lead to a successful team. Yes, I know you may disagree with me on this; however, successful teams know their limits, and identify weaknesses. They work together to overcome those weaknesses or ensure they cover the weaknesses with their strengths. They work together to find compensating controls and processes. Leaders are encouraging and they help build their team members up.

WRCCDC is an interplay of people, processes and technology. It tests the dynamics and personalities between people. It tests your processes. It tests your technical skills and know-how.

I look forward to seeing each and every one of you compete in the coming months. Remember, this is only the beginning of an amazing journey, not the end.

Encouraging Aspiring Future Cyber Defenders


The process of building, nurturing, encouraging, developing, inspiring, and training future cybersecurity professionals is an ongoing lifecycle for us at Net Force. For the second straight year, our team has been working with Cal-Poly Pomona, Los Angeles Unified School District and CyberPatriot to identify and encourage new and rising talent in the industry.

This past weekend especially was a landmark occasion for those of us in Los Angeles. Over 350 middle and high school students from across Southern California gathered together for the first annual “Cyber Day Los Angeles”. Students as young as sixth grade were given Windows images to debug and remediate security issues while the advanced and battle-tested students also engaged in a Linux Capture-The-Flag (CTF) Competition.

These students represent our future team members and colleagues. It is such a huge priority for those of us at Net Force to have more friends than enemies. We want to see these students become our allies rather than those who go to the dark side. It makes our lives significantly easier.

Training future talent is a key component to defending our systems. As I wrote before, defense is not easy. Competitions like CyberPatriot and events like Cyber Day Los Angeles ensure that we have the brightest minds working on the ongoing battle against cybercrime. Cyber threats, with their increased sophistication, continue to be the biggest threat to organizations. Adversaries are becoming more adept in this field, to a point where adversaries are making a profession of being evil. Knowing that these young minds are coming down the pipe brings some comfort.

At the end of the day, I find it inspiring and encouraging to see so many students, from both middle and high schools across Southern California, gather and share a passion for cyber security.

Perspectives and thoughts on US Cyber Challenge


The US Cyber Challenge is a camp that pushes students to become cyber security professionals. Being a cyber security enthusiast, I wanted to attend. I had the privilege of attending the Cyber Camp in San Jose this summer on scholarship, and it was one of the best experiences I have had in my life. From tactical attacks to finding friends, I felt like the camp taught me more in one week than I have learned in a year of regular school.

At the camp, I admit I was lost for a bit. After a little walking around and meeting other people with the same passion as me, I was happy knowing there were people I could turn to with questions who I could call friends. Since we were placed in dorms, we were forced to mingle, laugh together, and share what we learned. Living in my own apartment, this was very different to me. I helped people set up machines, and people shared their industry experience, helped me break down barriers, and allowed me to continue improving myself. On the first night, I remember the emphasis on family and the icebreakers to push us closer together. Some people formed coalitions, but the idea is we all became comfortable with each other.

The first day of training arrived and a SANS instructor, Alissa Torres, taught us about Memory Forensics. The topic was very interesting, though I wish the presentation were a little slower, because most of the information went over my head. Of course, if it were slower, then we would be learning for days or weeks. The same applied to the days that followed: Reverse Engineering Malware, Tactical Attacks, and Writing Exploits. I could not keep up with the information overload, but I really enjoyed it. I can understand the idea of what they were all saying and recall some tidbits I thought were important, and that was cool with me because I was learning what I wanted to.

One class I enjoyed was Tactical Attacks by Jim Shewmaker. Why? Because I love the idea of being a red team hacker and breaking into things. I was able to keep up for every little detail, and I used and expanded on my current knowledge of Metasploit and its abilities. I love the fact that while we were soaking in all this information, we had about an hour or two to apply what we learned. I was able to hone my tactical attack skills, which proved useful on capture-the-flag day.

With sponsors from prestigious organizations, such as VISA, Facebook, FireEye, and even the FBI, the camp was able to excel when it came to offering quality instructors and great material. Moreover, I noticed the willingness of the sponsors to talk to us and even offer us jobs. I had a great time discussing the various sectors and mingling with the array of professionals presented to us by the camp and even walked out knowing some amazing connections.

The whole week was a blur. The strenuous training, late nights, and the capture-the-flag competition at the end of the week went by and we could return to our normal lives. By that time, I was so accustomed to the lifestyle that I wish that the camp was a little longer. As they say, all great things come to an end, right? Nope. We carry on the experiences and continue to find ways to improve ourselves. We continue talking to the great friends we made at the camp. I ended up seeing US Cyber Challenge friends at other events, and we are able to high five and mingle as great friends do. US Cyber Challenge left me with one of the best experiences ever. Would I go again? Yes.