Entries Tagged 'wisdom' ↓

image credit (with permission): Matthew Michael Stits

Have you ever taken part in a Capture the Flag (CTF) hacking event?

CTF is an intense and at times wholly frustrating experience. Some of the qualities you need include a technical and/or tactical bent, a puzzle solving mindset, competitive tendencies, mental and physical stamina and a mini fridge stuffed with Red Bull.

Every year at Defcon, the CTF contest takes place over a 2 day period. For many this won’t be news - what is new is that a rare opportunity has just opened up. You and your friends have a chance to be the group running the CTF. That’s right, you could be the team that designs, develops, deploys and runs the contest in Vegas.

All things must change, and after years of hard work and consistent advances Kenshoto has decided that it is time to let someone else have a chance to run CTF. We will forever miss their crazy videos and clever configurations. After taking it to the next level, creating a spectator sport out of geeks sitting at their keyboards 0wning machines, and helping CTF gain fabulous recognition around the world, Kenshoto has officially retired as the organizer and hosts of DEFCON’s CTF. The contest is not over, merely in transition to the next keepers of the flame. This is the opportunity you and your crew, company, or government have been waiting for!

You too can pour your heart, countless thousands of hours into planning, producing, and executing the world’s most famous contest of hacking skills. All of the contests at DEFCON are run by volunteers, and CTF is no different.

My intent is to make a game that’s fun for its participants. Kenshoto did a fabulous job of allowing CTF to be a team and spectators sport through scoring visualizations, commentators, game updates. They took it to a new level in one area, and you can take it to another. The heart of hacking has many facets!

CTF is made of many parts from the actual teams, the organizers, observers, third party supporters, the press, con attendees wanting in on some action, and those newbies wondering WTF.

If you have ever participated in a CTF and found yourself disagreeing with the way it was run or walking away with lots of nifty ideas for how you’d run one, now’s your chance to put those ideas into action at Defcon in Vegas. Find out more at the Defcon 17 blog. Deadline for submitting your concept is the 28th February.

What If I’m Not Ready To Lead

Now, if you’ve never participated in a CTF contest and you enjoy attack and defense then I highly recommend you consider taking part in one. It doesn’t have to be Defcon, although that would give you an unforgettable experience that few can claim.

I see CTF as an excellent opportunity to learn more about yourself. You can’t beat the cut and thrust of a live, competitive event to help you discover your strengths and weaknesses and to experiment with different tactics. If you play in a team you stand to get even more from it as you learn from your peers (and they learn from you). What you learn may surprise you. Everyone brings something unique to the table and you may find some of your assumptions about the caliber of other players challenged (for better or worse). Oh, and don’t think you have to an uber-hacker to take part - you don’t. Sometimes our feelings of pride or perfectionism stop us from taking part in the very things that we stand to gain the most from. As they saying goes: ‘Get over it’ :P.

The Side Benefit of CTF That Few People Talk About

Oh, and did I mention the benefit CTF has on your CV/resume?

To a hiring manager faced with inexperienced candidates applying for an entry level penetration testing position, it demonstrates you have experience dealing with emotions frequently accompanying a pen-test. Reading tech books and RFCs is vital, practicing your hands on skills on your home test lab is beneficial, attending conferences to learn new techniques is great but the real winner is demonstrating you can apply what you learn in the face of real-world constraints.

Your CTF experiences are a great talking point for the interview - especially if you are fresh out of college and have little real world experience to point to. Besides, any hiring manager worth their salt is going to give you a hands-on technical challenge as part of the recruitment process. Does that sound stressful? It should do - its not just your technical skills that are under scrutiny. It’s your ability to assess a situation, make decisions and act on them within a timeframe you may feel is insufficient and with less information than you’d ideally like. In other words, its a lot like real world penetration tests (and Incident Response!).

Participating in CTF gives you an edge on those candidates that have never had their back to the wall trying to answer 3 questions: Which target? What tactic? Which tool/exploit? That is when you lean on your CTF experience and help them decide that your name belongs on their shortlist.

When I was starting out, I had a bunch of questions about life in the IT security industry but no-one with real Infosec experience to turn to. I simply didn’t have the connections back then, nor a trusted advisor/mentor. Looking back, the downside was I took some longer paths than necessary in the learn/fail cycle. The upside is that ultimately I learned to do that quite quickly (failing cheaply and quickly is a desirable trait).

What Is Your Question?

If you have a question about some aspect of working as an IT security professional, send it in and I’ll reply right here on the blog. I’ve been in this industry for 10 years and am happy to share my learning/experience. To understand a little about my background, check my about page.

As guidance, the question should be short and to the point with enough context that I can give you a meaningful answer. By context I mean a few sentences about your situation - enough that I can have a good shot at giving you an answer.

My promise to you is that if you send in a reasonable, well thought out question, I *will* post a reply right here on this blog. Plus I’ll leave comments open on the blog post so other readers can chip in and give their perspective. I won’t publish your email address and will scrub any other personal identifiers except your first name.

What’s a good question?

Simple: anything that helps someone else answer their question

Yeah baby, this is all spreading good karma…

Send your questions to: craig.balding@gmail.com

P.S I’m treating this as a 28 day experiment - I’ll extend the experiment if people find this useful.

image credit: coscurro

I stumbled across a great video on a blog post from the SOURCE Boston conference.

Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. This is even more true in an economy that isn’t necessarily thriving. We’re going to talk about the important skills, traits and knowledge that a security pro needs to build a long-term and successful career – not just the usual stuff (like “get certified”), but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well-compensated.

If you are even thinking about a role in Information Security or wandering about your next step in the industry - this in-depth talk by Lee Kushner and Mike Murray is for you.

How do you keep yourself special? Share in the comments…

photo credit: нσвσ

1. Be A Security Cool Cat: Place penguin stickers on every surface in your cubicle. Stick at least 3 on the dual boot company issued laptop (that hasn’t had a kernel upgrade in 6 months). Use BlackHat stickers for bonus points.
2. Be An Undercover Open Source Evangelist: Unfailingly, recommend open source solutions as more secure. Be sure to quote ‘more eyes, less vulnerabilities’. Recite frequently . Always forward security advisories about commercial products to your boss.
3. Walk the Tech Talk: Learn at Least 10 Bash Keyboard Shortcuts. Treat this as a party trick. Perform rapidly in sequence whenever anyone watches your screen. Giggle and pass the keyboard over and say ‘Your turn!’.
4. Be All Knowing, Jedi Warrior!: Say ‘Trust but verify’ whenever you are asked a question you do not understand. Make it clear in meetings that you trust no-one and “verify” solely through a Google/Secunia search.
5. Impress with a Penetration Test!: Download Metasploit, spend 7 hours modifying the web interface: create custom graphics and hack up the CSS files. Start Metasploit running before you leave for the day. Use Camtasia to capture all screen activity so you can review in the morning. If all went well upload to YouTube and link out via facebook.
6. Practice Defense In Depth’: When you are asked ‘What is the Risk?’, grin inanely and say ‘I’ll tell you after I break out the vulnerability scanners’. Run at least 3 vulnerability scanners to get ‘defense in depth’.
7. Latest *Is* Greatest!: Clipboard stealing attacks are *always* a bigger issue than the CISCO infrastructure with default passwords (how did they get there?!).
8. Educate The Great Unwashed with a Deep Dive Security Awareness Program. Educate end-users about Cross Site Scripting and SQL injection attacks. Don’t invite the outsourced developers - they already know this stuff and have deadlines to meet.
9. Impress Your Peers - Perfect the RFC Shoutout: Pick at least 10 common protocols and learn the associated RFC numbers. Intimidate IT colleagues by shouting out the RFC numbers whenever they mention the protocol.
10. Start A Security Blog: What Can I Say?