Are you a hacker?
-
Your standards of what defines a “hacker” are probably much lower than my own standards. So don’t take offense to what I’m about to say. It’s just my opinion. Booting up Kali Linux and using pre-installed pen testing programs that other people made for you doesn’t make you a hacker. Likewise, having a CEH certification doesn’t make you a hacker either
-
If you don’t even understand how exactly these tools work, then how can you brand yourself as a hacker on Instagram? If you possess only basic knowledge about web security, advanced attacks, programming, data networks, application security, network security, and so forth, then how can you expect anyone to take you seriously when you say you’re a hacker?
-
I can confidently and fairly say I possess advanced knowledge in these above areas. I’ve legally hacked web sites, web applications, Windows machines, wireless networks, and even performed penetration testing in an academic environment. I’ve built my own programs to assist with hacking. But, despite all that, I still do NOT consider myself a hacker at this point in time. So, if I don’t even consider myself a hacker, then what does that make you? I personally know real hackers, and I think their knowledge and skills in exploit development are a step above my own skills. This just means I have my own weaknesses that need strengthening. Unlike many of my peers, I can be honest with myself and my own abilities.
-
I won’t ever consider myself a bonafide, professional hacker until I’m PAID to be one lol...You probably won’t hold yourself to such high standards as I do...But, I refuse to pretend to be someone I’m not. I just want to remain humble and share information about cybersecurity
-
However, too many people want to jump straight to the top without putting in the work. So, if I’ve described you at all, please take off your “Guy Fawkes” masks and just be comfortable with who you are...don’t worry, you’ll get to where you want to be in time. But, if you want to consider me a hacker, then be my guest. Just keep in mind, I have never once said I was a hacker. Nor did I ever brand myself as a hacker ;)
“How do I start in cybersecurity?”
-
FIND A CAREER PATH
The cybersecurity field is incredibly broad, thus identify what roles might interest you. Understand the responsibilities, requirements, salaries, certifications, and skillsets associated with each role. Places like Cybersecurityeducation.org and SANS.org, have interactive cybersecurity roadmaps that you can review. Knowing what you’re aiming for in the long-run can help lay out a clear path for you
-
EDUCATE YOURSELF
Start learning. All Cybersecurity professionals understand the CIA triad, endpoint protection, network security, operational security web security, access control, malware/advanced attacks, risk, and so forth and so on. The amount of information seem infinite, and to make things worse, it’s always changing. If you don’t know any of this yet, you’ll need to start from the bottom and learn the basics (we all started from the bottom). If you like school, then consider enrolling in a cybersecurity-related program at a college or university. Other than going back to school, there are other opportunities to go through cybersecurity training, either through your current employer, online training, or self-study
-
GET CERTIFIED
Cybersecurity positions aren’t typically entry-level, so it helps to have something that might legitimatize your skills or qualify you for the job. CompTIA.org and SANS.org have these incredible IT certification roadmaps that will help launch your cybersecurity career. When you identify a specific cybersecurity role that interests you, note any certifications that are generally required. For example, many of you aspire to be penetration testers; therefore, you’ll likely want to aim for GPEN, GWAPT, GXPN, GWAN, LPT, or even OSCP, just to name a few
.
.
.
(Continued in the comments)
When creating your website, here are some great steps to take when securing your password recovery/reset process
-
RECOVERY PROCESS
Initialize a password recovery/reset and notify the user. Only request the user’s email address and do not provide feedback on whether or not it’s contained in the database. Don’t let hackers confirm whether the user exists in the system
-
PROTECT THE ACCOUNT
Upon the initiation of a password recovery or reset, don’t lock the user out of the account or deactivate the password. If a hacker initiated the request, that’s a DoS
-
VALIDATION
All password recovery/resets should create a secure token. The token is just as good as a password and should be hashed and stored with a time stamp in the database separate from other user login data. At the same time, the token should not contain any information that could be associated to the user (e.g., name, email, birthday). We saw cookies like this in the past. Likewise, the token should not be easily guessable
-
VERIFICATION
The email address should receive a password reset link over HTTPS for secure transit. Do not specify the username or password in the email. For added protection, this link should only be valid for a limited amount of time. It’s also a good idea to include 2FA when recovering the password (i.e., Security questions must be secure). If it’s a reset, make sure the user is prompted to enter their old password first before they create a new one
-
DESTROY TOKENS
Destroy the tokens for obvious reasons and notify the user their password has been changed
-
RE-LOGIN
Direct the user to a new login page to re-login. By re-logging in, a new session is created with new session IDs. Any hacker who has an existing session with old session IDs should be immediately logged out
-
AUDIT
Log each step of this process, including the time the recovery/reset was initiated, the time the password was changed, etc. just never log the actual password to the internal servers
Organizations must identify risk: the likelihood that a threat exploits a vulnerability. Determining risk levels help to discover likely threats, weaknesses, probable impacts, suitable controls, proper mitigations, etc.
-
INVENTORY AND ANALYSIS OF ASSETS
Inventory assets and estimate their worth through a business impact analysis. Analyze assets according to vulnerabilities, damage, and potential impact. Use this to develop a security categorization that helps identify the most risky assets in your environment
-
EVALUATE CURRENT CONTROLS
Analyze current security controls and compare them to the recommended security controls identified in NIST SPs, ISO 27000 series standards, or even CIS’ CSCs. Note which security controls need more development and review
-
IDENTIFY RISK LEVELS
Use the output of the information gathered in your evaluation to develop an insight as to the level of risk the organization is currently facing. This is usually a quantitative monetary value or a qualitative value (low, medium, high). Identify where risk is acceptable and where risk must be reduced. This allows senior management to appropriately prioritize any gaps
-
PRIORITIZE
Focus on the high-priority risks first and identify the controls that are needed. Many organizations prefer putting their attention on where they perceive the most risk to be while others concern themselves where they can achieve the quickest solutions at the lowest cost. It all depends on the organization’s business mission and culture
-
IMPLEMENT & IMPROVE CONTROLS
Implement the controls, either by leveraging existing controls through updated and enhanced security features, or by adding new controls where no security capabilities exist. Organizations should aim to automate most of their security tasks
-
VERIFY AND MONITOR NEW CONTROLS
Verify that these controls are correctly in place. Then, build a long-term plan to monitor these controls, measure progress, identify trends, and consistently communicate the results to relevant senior management. Then, re-evaluate later on
CHALLENGES
Insight from various types of org.’s reveal the following challenges with endpoint management:
-
1. LARGE ENVIRONMENTS. 61% of respondents have >1,000 endpoints in their environments
2. OS COMPLEXITY. Most org.’s utilize different types of OS’s; in fact, 12% of respondents reported at least 11 different OS’s that they manage within their environment
3. ENDPOINT VISIBILITY/SECURITY. Some org.’s do not have insight into the total number of their endpoints. And, 33% of respondents need at least two days to detect security incidents
4. PATCHING. This is one of the most crucial ways to keep endpoints safe and 25% of respondents need at least one month to patch their servers
-
SOLUTIONS
An org.’s environment is complex enough already. Many respondents report using servers dedicated solely to endpoint management, which is great; however, there are org.’s using up to 10 management servers. Additionally, 83% need between 1 and 9 tools to manage endpoints. Org.’s should thus dial down the complexity by limiting the amount of management servers and tools. To address OS complexity, org.’s should research an existing toolkit that, with a quick upgrade or feature, can be made compatible with multiple OS’s
-
Analyze the teams responsible for security management. 96% of respondents indicated their IT staff is handling endpoint patching, which is not IT’s responsibility. Likewise, the majority of respondents have only 1-5 members monitoring endpoints. Org.’s should clearly identify the role of IT and security operations and determine how much support security is providing to endpoint management
-
43% of respondents had no insight into the number of open source/freeware tools within their environment. Org.’s must evaluate their current tools and never commit to any tool until they know it’s the correct one. They should also evaluate the effectiveness and budget costs of their endpoint management
-
Integration/automation is great because there’s too much data to process and too many variables to leave up to manual decision making. Surprisingly, 48% of respondents report that their levels of automation/integration is at 50% or greater, which is good, but not great
BLOCK NEGATIVITY
I watch a man who pays too much attention to his haters, and by doing so, he gives them too much power
-
Some people will discreetly harm you with their passive aggressive behavior. Don’t let this flame your ego. They don’t hate you because of you. You need to bear in mind that their behavior likely stems from the insecurities that they battle within themselves. And that behavior is likely elicited from your hard work because your success and valiant efforts are spotlights shining on their failures and regrets
-
Don’t even address the issue with them; let them be. He who does not truly know himself will be taken over by his own shadow. It’s the very same archetype in Jungian psychology whereby the conscious ego refuses to acknowledge the undesirable, unconscious weaknesses of the individual’s personality (e.g., superiority-complexes, low self-esteem, low self-confidence, narcissism, jealousy and anxieties)
-
He/she acts maliciously towards you in response to psychological-defense mechanisms, such as self-validation and psychological projection. Pay them no mind. If you’re familiar with the Greek mythological heroes, many of them had to realize and conquer their own weaknesses, even if it meant going to hell and back (literally). Your haters also have to accept their weaknesses and learn to just join you instead of hold you back. If we could all just encourage one another, life would be a lot easier. As humans, we just sadly screw things up.
Evaluating the current threat landscape isn’t an easy task. Expert knowledge gained from the practitioner community might reveal a dystopia of some sorts. The TTPs leveraged by our adversaries are abundant and ever-changing
-
Many organizations and institutions offer reports or surveys that identify useful trends. We find a large percentage of cyberattacks go for the lowest hanging fruit, like email. A successful phishing email bypasses many security layers, such as the network perimeter security controls, like the firewall
-
When researching the threat landscape, evaluate who’s being attacked, who’s behind them, and what the primary motivators are. More information can be gleaned if we focus beyond just how the incidents occurred, but by also identifying what types of threats are occurring according to region and interest
-
This type of knowledge is the key to your analysis. If you know something about the past, it may help anticipate the future. Knowing what threats are currently at your doorstep today gives you the opportunity to better prepare tomorrow
In researching the threat landscape, email tends to be a common attack vector. It is the road most-traveled for intrusions and delivering malware. Threat actors prefer email because it’s automated through bots, it’s trivial, and often successful. The most pervasive reason is likely because it targets the human element, which is often the weakest link in security. What are some protections against threats posed by email?
-
TECHNICAL GAPS FROM CIS
Disable/Uninstall unnecessary or unauthorized browser and e-mail client plug-ins and add-ons. Too many of these increase the attack surface because they have their own vulnerabilities as well
.
Limit javascript and other scripting languages in the browser. Javascript is frequently used in XSS and other web-based attacks
.
Use SPF by deploying SPF records in DNS and enabling receiver-side verification in mail servers. The aim with this control is to prevent hackers from spoofing emails that appear to come from a company’s own domain, which is one way to prevent phishing
.
Scan mail attachments for malicious code or file types unnecessary to the company’s business before it reaches the user’s inbox. This would include email content filtering and web content filtering. This can be done using cloud-based or hardware-based appliances, such as Cisco E-mail Security or FireEye ETP
-
TRAINING FROM SANS
This is a docus on the human element. SANS “Securing the Human” recommends the Advanced Cybersecurity Learning Platform (ACLP). SANS also has courses that will teach security practitioners how to implement a security awareness program in their org. These programs often contain computer based training, monthly newsletters, security blogs, self-education options, security awareness games, and so forth that will teach employees on the dangers of human error
-
List some more controls:
.
.
.
When storing passwords, they’re usually put through an irreversible hashing function before storage. When a user logs in, his hash is compared to the stored hash to determine if it’s a valid authentication
-
Hackers can crack these hashes. Depending on his resources, he can try billions of candidate passwords per second. Thus, for a little extra protection, the system concatenates these hashes with an additional, randomly generated value called a “salt.” The salt is different for each hash, and the user does not have to remember it. This salt creates a completely new hash. Salts are meant to protect weak passwords by adding the extra value, but their susceptibility to cracking still exists
-
One clear benefit of a salt is that it makes rainbow tables infeasible. Since each user has a different salt, it’s not practical to store pre-computed hashes of common passwords in a rainbow table. He would need a new table for each salt. In addition, the file size of these rainbow tables becomes too large. For that reason, rainbow table attacks aren’t as common as they once were
-
But remember, a salt doesn’t prevent password cracking through brute force or dictionary attacks. It merely slows it down. For someone with a few GPUs, it’s just another obstacle. Likewise, computers just get faster every year
-
The best way to store a password is by passing it through a key derivation function, like PBKDF2 or Bcrypt. These algorithms not only concatenate the password with a salt value, but they also take the hash and run it through thousands of different iterations to produce the final hash value. Even the key length can be defined for hash output, such as a 256-bit output key. The more iterations, the slower the algorithm, and subsequently, the longer it takes to crack. This can cause a delay for the user, so there should be a compromise between security and convenience when deciding the number of iterations
