The Shaming and Heckling of #Infosec

“Do not let any unwholesome talk come out of your mouths, but only what is helpful for building others up according to their needs, that it may benefit those who listen.” – Ephesians 4:29

First, I understand this blog entry might sound a bit like “Monday Night Quarterbacking” or “Jumping on the Bandwagon”, and you are entitled to your own opinion.

Reading what my good friend Rafal Los wrote Monday evening in “Living in Glass Houses – #Infosec Industry’s Culture of Shaming”, I have to agree with him. Information Security is Hard.

I like to equate being in the information security/cyber security industry with being in the intelligence community.

To quote the movie The Recruit,

“Our failures are known. Our successes are not.”

The work and life of those in the intelligence community is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

The work and life of security and IT audit professionals share similar parallels. It is a tireless and thankless job. Recognition is limited. Success stories are never told. Failures have repercussions and consequences.

Security is, and will always be, challenging on both the offensive and the defensive side. It is a matter of degree. Both sides generally lack the support and resources to do the job, while at the same time being among the first scapegoats in the wake of a security incident.

From an offensive/penetration tester perspective, there is always a finite amount of time and resources for rushing in and identifying risks without breaking the business or the piggy bank in the process. I somewhat question it when a penetration tester announces they found a single vulnerability and concludes their job is complete. On every security engagement I have been on, there is always that lingering feeling that I missed something that warrants a closer look.

From a defensive/information security analyst perspective, it’s not easy either. Between managing the day job (Layer 1-7 issues, putting out fires, investigating security incidents, and normal responsibilities) and managing the night job (Layer 8 and 9 issues: finances and politics), it is a miracle in some sense that some firms actually have security in the first place, given the finite budgets they are given to work with and the sheer level of red tape they have to go through to get anything accomplished.

Being part of the Western Regional Collegiate Cyber Defense Competition for the last four years has taught me that playing defense is never as simple as doing a single thing. Whether it be people, process, or technology, something will fail, and that failure will lead to the compromise of a system or entire network. These blue teams (defenders) consistently have to anticipate every single strategy the red team (attackers) will use and win every single battle red team wages. In contrast, red team has the opportunity to win a single battle (or a few small skirmishes) to win the war. The same is true in the real world.

I challenge anyone out there, whether you are in the information security industry or the information technology field, or simply a bystander, to understand the complexities we face together. The criticism, and the demands that someone be fired over this illusion, this perception of incompetence, need to stop. The heckling and shaming must stop, even at a cyber competition. There is no such thing as secure. Even security firms are a target.

I challenge everyone: instead of shaming or heckling, we should be encouraging and edifying one another. Don’t tear people down. Build them up to be even better security professionals. As cliché as it is, we are all in this together.

Perspectives and thoughts on US Cyber Challenge

The US Cyber Challenge is a camp that pushes students to become cyber security professionals. Being a cyber security enthusiast, I wanted to attend. I had the privilege of attending the Cyber Camp in San Jose this summer on scholarship, and it was one of the best experiences I have had in my life. From tactical attacks to finding friends, I felt like the camp taught me more in one week than I have learned in a year of regular school.

At the camp, I admit I was lost for a bit. After a little walking around and meeting other people with the same passion as me, I was happy knowing there were people I could turn to with questions who I could call friends. Since we were placed in dorms, we were forced to mingle, laugh together, and share what we learned. Living in my own apartment, this was very different to me. I helped people set up machines, and people shared their industry experience, helped me break down barriers, and allowed me to continue improving myself. On the first night, I remember the emphasis on family and the icebreakers to push us closer together. Some people formed coalitions, but the idea is we all became comfortable with each other.

The first day of training arrived and a SANS instructor, Alissa Torres, taught us about Memory Forensics. The topic was very interesting, though I wish the presentation had been a little slower, because most of the information went over my head. Of course, if it had been slower, we would have been learning for days or weeks. The same applied to the days that followed: Reverse Engineering Malware, Tactical Attacks, and Writing Exploits. I could not keep up with the information overload, but I really enjoyed it. I could understand the idea of what they were all saying and recall some tidbits I thought were important, and that was cool with me because I was learning what I wanted to.

One class I enjoyed was Tactical Attacks by Jim Shewmaker. Why? Because I love the idea of being a red team hacker and breaking into things. I was able to keep up for every little detail, and I used and expanded on my current knowledge of Metasploit and its abilities. I love the fact that while we were soaking in all this information, we had about an hour or two to apply what we learned. I was able to hone my tactical attack skills, which proved useful on capture-the-flag day.

With sponsors from prestigious organizations, such as VISA, Facebook, FireEye, and even the FBI, the camp was able to excel when it came to offering quality instructors and great material. Moreover, I noticed the willingness of the sponsors to talk to us and even offer us jobs. I had a great time discussing the various sectors and mingling with the array of professionals presented to us by the camp and even walked out knowing some amazing connections.

The whole week was a blur. The strenuous training, late nights, and the capture-the-flag competition at the end of the week went by and we could return to our normal lives. By that time, I was so accustomed to the lifestyle that I wish that the camp was a little longer. As they say, all great things come to an end, right? Nope. We carry on the experiences and continue to find ways to improve ourselves. We continue talking to the great friends we made at the camp. I ended up seeing US Cyber Challenge friends at other events, and we are able to high five and mingle as great friends do. US Cyber Challenge left me with one of the best experiences ever. Would I go again? Yes.

Report Links Cyber Attacks to China’s Army

If you have not had the chance to read Mandiant’s intelligence report on the recent cyber attacks, it’s a decent-sized read that’s worthy of your time. What’s interesting is that Mandiant clearly identifies the threat, naming the attackers as Unit 61398 of China’s People’s Liberation Army (PLA).

We’ll post our thoughts on it later, but for now we’re sharing the report, as it’s an interesting read. It only strengthens our commitment and philosophy that security is beyond what we know today. It incorporates intelligence, understanding, conceptualization, design, building, and many more elements to provide a much more secure environment.

Because Mandiant’s servers are being slammed with people downloading the report, we’ve uploaded a compressed zipped copy to our servers here. We’ll add additional capacity should demand warrant it.

Download Here:

Mandiant_APT1_Report.pdf
MD5: 936FEB234F60CFBF6916BA61FBAB2781
SHA-1: 3974687624EB85CDCF1FC9CCFB68EEA052971E84

Mandiant_APT1_Report_Appendix.zip
MD5: FD103F16BBBB28162C23BE3A47371AA9
SHA-1: ABF9D09A991E56393D18433644FF0DBA907A9154