
Winning The Loser's Game of Information Security, Personal Edition

Level 12

"If you know both yourself and your enemy, you can win a hundred battles without jeopardy."

-- Sun Tzu, The Art of War

Hi there! Over the past few weeks, as the Thwack Ambassador, I have enjoyed sharing the information security topics that interest me and getting great interactions with you. I have learned a lot from your comments and stories, some of them fun, too. Who said that geeks have no sense of humor? I highly recommend that you read Kevin Crouch's daydream of syldra in my second June Ambassador blog post, There is No New Thing Under the Sun. What about BYOD?

In this last June Ambassador blog post, I would like to focus on the indispensable part of any information security system: you and me. I'm going to share a few things that can keep us moving forward in this rapidly changing field and that can help us contribute more to the organizations we work for.

Learn To Be A Hacker

Sun Tzu in The Art of War stated that to know your enemy, you must become your enemy. My employer is supportive of my infosec training. I was sent to take incident handling and pentesting classes, and I learned a great deal about hacking. I also learned about the hacker communities. You don't have to be a hacker, but you need to know how to protect against hackers. OK, you can call yourself a white-hat hacker.

Read A Lot

In the early stage of my infosec career, I was captivated by Richard Bejtlich's writings on his TaoSecurity blog. All four of Bejtlich's books are in my library. There is a great deal of information we need to learn and absorb, available in books, web sites, blogs, forums, etc. Oh, please tell me you have read Kevin Mitnick's Ghost in the Wires.

Get Informed

I receive email feeds from US-CERT and SANS. My InfoSec Officer gets email alerts from MS-ISAC (Multi-State Information Sharing & Analysis Center). Vendor-specific security information is useful, too. For example, the Zero Day Initiative (ZDI), founded by TippingPoint, now part of HP, is a great source of information on vulnerabilities and attacks. And if Microsoft releases patches outside its regular Tuesday cycle, it is a really big deal.

Keep Learning

I have to confess that the first time I heard of MDM was at a vendor luncheon. I encourage you to attend conferences and vendor events. Black Hat is one good conference that comes to mind. There is always something to learn, sometimes with a nice meal. At those conferences and events you will also have opportunities to network with your peers.

Understand Networking And Other IT Disciplines

I am not talking about social networking. I am talking about networking. What's on the wire cannot lie, but you need to understand how the stuff on the wire works, like Ethernet, TCP/IP, and the higher-layer protocols. An understanding of the details of Windows logins will help you figure out the last break-in. And you may already know that Python is a popular programming language among hackers.

Be Willing To Share

I am pretty active on Twitter, and I keep Twitter for professional stuff; all personal/family/leisure stuff stays on Facebook. I get a lot of work-related information from my fellow Tweeps, and they get it from me. It's a win-win for us. You can't fight this infosec battle alone; you need support from your colleagues and other people. Even if you have the honor of being the only infosec person in your organization, share what you have learned and what you know with others on different platforms, like this Thwack Community. We build each other up.

Are you with me in this journey? What's your opinion? I am looking forward to hearing from you.

58 Comments
Level 12

I have been enlightened by all your posts so far. Thanks mfmahler. As advised, I will learn more, stay informed, be a white hacker and be willing to share.

MVP

Completely agree with you; staying engaged in the community is the best way to learn. You'll find many local events that are typically free to attend, too. Lots of opportunities to meet with the people you interact with online. And if you're really into this InfoSec thing, check into the many local events (this is especially true in Maryland) that let you test your skills with CTF and other games.

Lastly, home labs are great for learning about offensive security. Build a few test machines and hammer away at them!

Level 10

This is an excellent write up!

I completely agree with you mfmahler. I keep up on Security as a hobby. I would like to move that way someday. Staying informed, and keeping up on it is key to success in that field though, as I of course have some security friends.

Level 10

I forgot to say, I recently just started to learn Python for that very reason. Using it to build your own tools, script things, etc.

MVP

All your posts have been good advice. I fully believe in staying one step ahead of any new items that are out there. And you are right when you say to keep learning. Every day there is always something new to learn out there, no matter what it is. Always look for that opportunity to learn something new, no matter if it is in IT or not.

Level 12

I completely agree, Corey Bussard.

Level 11

I've really enjoyed your blog posts on infosec. For me, it's difficult to go and learn hacker material or be on THOSE sites, even though I know that is silly. I agree completely that it's necessary to learn how hackers think and their methods in order to protect my network from potential harm. I think that is one thing that your blog has really been beating into my stubborn brain.

Thanks for taking the time to write and challenge me.

Jim

Level 17

mfmahler , Good work!

Level 12

Thanks mfmahler, it's been great reading your posts. Awesome work.

MVP

Great stuff!

I just need to find some time to read the books you referenced above.

Networking is a wonderful tool, especially if you have a local user group you can make use of... but then other resources such as Thwack can also provide some level of networking.
It just depends on the level of information you need...

Level 12

esther I'm glad that the information is useful to you.

Level 12

michael stump When you mentioned InfoSec and Maryland, it reminded me that when I took a SANS training in New Orleans, the guy sitting behind me was from the NSA...

You are right! Home labs! With the powerful personal computers of today and the convenient virtualization software, learning is right at your fingertips.

Level 9

Local events are great for this.  Get some knowledge, network a bit, and have fun.  Can't beat that.

Home labs... yeah, that can be fun, but sometimes it feels like a second job. Cost can be an issue too, depending on how elaborate you want to be. Something that works well for me is to find a group of people that are interested in building a lab and share the cost and work across the group. Where would you find these people? Hmmm... A LOCAL EVENT, OF COURSE!

Level 9

I hear that Maryland is fun for local events.  Maybe I should pop out that way some time to check one out.

Level 12

ttl Thank you for sharing these links.

P.S. I like your username TTL.

Level 12

Thank you, Corey! It's nice that you are going this route.

Python is becoming useful nowadays, not only for security, but also for network automation (SDN).

Level 12

Thank you, Kurt H.

We want to learn so much and find 24 hours a day is not enough.

Level 12

Thank you, Jim; I'm glad that you enjoyed the content I put up. I also want to say thank you for taking the time to share your thoughts here, too.

Without going to hacker sites, you may want to check out the excellent Hacking Exposed series to learn the hackers' minds.

Level 12

Thank you, cahunt, and thanks for stopping by.

Level 12

Thank you, Aaron Denning. Hope the information is useful to you.

Level 12

Jfrazier You are spot on for the local user groups! In this age of cyber activities, we need human interactions.

Level 12

Well put, dwoj.

I've found that infosec tools can be tested and learned with a decent laptop. Just be careful when connected to the company's or home's network.

MVP

It's true! Lots of InfoSec gamification events sponsored by "industry." You'll always run into a few ego-maniac neckbeards, but most people in the community are happy to help and share their knowledge.

Level 10

I completely agree! The more I have learned in Python, the more I feel I can use it to automate everything!

I have been using PowerShell/PowerCLI for automation up to now. I cannot wait to start integrating some Python scripts now!

I am on a programming kick. After I am more comfortable with Python, I think I will learn some C or C# next. Knowing the basics of Python has already proven to be very useful.

Thanks!

Level 21

InfoSec is a new discipline for me, so it has been a great experience following your posts and reading this final set of pointers, so I want to thank you for that. I have found InfoSec to be a very fascinating discipline; however, at the same time I have also found it very difficult to approach. InfoSec has an entry-level set of responsibilities and expectations that is significantly higher than other disciplines, so it's very nice to see seasoned veterans in the field that are willing to share their knowledge and help folks like myself.

Level 7

First, this is my first post on Thwack, and this topic, what mfmahler is talking about, is near and dear to my heart. I am currently a SOC manager and have a team ranging from new infosec analysts to well-seasoned analysts. I also have a Security Architect, Forensic Analyst and Compliance working on the team. One of my expectations for the team is to never stop learning, never stop practicing, never stop moving forward. The more youthful analysts want me to have a large budget to send them off to the more expensive training and conferences; unfortunately the budget does not support that on a regular basis, nor does the company. However, within this industry there are so many other avenues to obtain additional knowledge as well as share what one does know, and I encourage this behavior on a regular basis. I do not need stagnant infosec professionals that believe they know everything. These individuals are no good to the organization or the community. I especially like the reference to The Art of War; I think this is a great book to read for anyone in a war!

I have found another great forum for knowledge, THWACK! Okay, I will wipe my nose off now!

Level 12

@byrona I'm encouraged that the information I shared is useful to others. Thank you for taking the time to leave feedback here.

I heard someone describe the difference between the regular IT folks and the infosec folks: IT folks make the lives of people in a company easier, while infosec folks make them harder. I don't know if this contributes to your thought that infosec is very difficult to approach.

Level 12

donwraysx4 Welcome to the awesome Thwack community!!!

My hat's off to you for your mindset for your team! I remember I asked the NSA guy what his secret was for keeping moving forward when I took the SANS Incident Handling class, and he replied, "Practice, practice, practice". I'm pretty sure he didn't just refer to playing Doom (yeah, he went online for Doom whenever there was a break during the class).

For your youthful analysts: sometimes it doesn't take a big budget for excellent infosec training. I've just looked up CBT Nuggets, and they offer training for the EC-Council Certified Ethical Hacker 8.0. It's affordable at $99 a month for all-access.

Level 7

mfmahler, I appreciate your words. I have passed the EC-Council idea on to the analysts, and some will take advantage of this opportunity.

Level 7

Now I want to take one specific bullet point you state, "Be Willing to Share". I have seen this one statement build a team up to be very strong, and just the opposite, tear a team apart by not sharing! I am going to date myself now, but when I started in IT (it was not called IT then), a technician needed to know all areas from programming to micro-miniature soldering. Today, though, we have become specialized in areas of IT, and no one person has the ability to know everything. The life of an IT generalist is short-lived unless they choose one area to really sink their teeth into, and I chose Information Security, mostly management and forensics. Now I have a team of 9 infosec people, and each has a strength in security that balances out the team. However, I require each to continually learn and train each other as they learn something new or are stronger in a specific area, like malware re-engineering or some tool we use. If any individual does not like sharing, they are not long for the team, as there will be animosity among the team and I will have to enact the part of management that is rather ugly but at times needs to be exercised: replace that person. Sharing has another aspect that is a little more restrictive, and that is between organizations, even if in the same industry. This is reasonable to a point; companies need to protect the brand as well as reputation and shareholders. That is why organizations such as US-CERT, INFRAGARD, Thwack, etc., where infosec people can share and fight the good fight, are so important.

So I encourage sharing and work better with those that are willing to share. Remember, no one person is indispensable nor has all the knowledge!

Level 9

Going along with that, make sure you take the time to learn what the tool does before you start playing with it. You don't want to ring all the alarms on Freeside like Dixie Flatline.

Level 9

As long as I can find cool peeps that like to share knowledge and a few drinks, I'm good to go.

Level 12

Agreed!

Level 12

Like byrona, I don't have a really strong InfoSec background. So, this series has been a great learning experience for me. Thanks!

Level 13

Check out itpro.tv; they offer a lot of training and videos and such. With their yearly subscription you can even download local copies of the content.

Call me a bastard, but I was thinking about chipping in with some college buddies and buying one yearly subscription and downloading a local copy of everything to study later.

Level 13

mfmahler, your blog posts are so useful. It's true you need to know your enemy, as he keeps changing.

Level 11

I keep trying to learn; this is a great site to learn info from, and I love your products. Thanks!

Level 9

I enjoyed the post. I try to keep up to date and try to learn as much as I can. Thwack is a great learning tool. It is easier for me to learn by seeing and doing than by just reading. Teaching and sharing information with coworkers and blogs is really the way to keep up to date; there is just too much to read out there.

Level 11

Just keep posting... mfmahler

Level 11

.

Level 11

After reading this I want to attend a conference.

Level 11

I've read a few hacker-based books, and they are very good reads.

Level 13

I've found a few that were good as well. I enjoyed Threat Vector and even Kevin Mitnick's book (I forget the title).

Have you any other good titles to share?

Level 9

I agree the best security analyst is one who has a wide variety of skills and could, if they desired, be a good hacker. Of course, tools like the SolarWinds SIEM product help as well...

Level 10

Colleagues in security tell me they hear "The company can't afford to send you to conferences and training". The truth is, companies really can't afford not to...

Level 12

It's the kind of expense that doesn't seem to profit and thus is usually frowned upon by bean counters. There's such a huge indirect ROI on this, it's a shame they can't see it...

Level 14

That's because it's a potential loss, and you can't put a money value on something like that. Bean counters by definition have to be able to quantify everything with a dollar amount and this doesn't fit that mold.

Level 12

They don't usually see the ROI till it's really late...

Level 13

The only way I've been able to get employers to pay for conferences is to show them numbers on how devastating a SINGLE incident could be.

I mean, if a nefarious hacker was to get in through some means that you haven't found out about by not keeping up at conferences and dropped a few tables in the database, then everything since the last backup is lost.

Let's say you're a sales organization and they compromised you and your mail server. They send off spam for a month or so without you realizing it, and suddenly none of your salespeople's emails are getting through. You've been blacklisted for sending spam.

Maybe one user falls prey to phishing and downloads a key logger. The key logger also causes some problems that look like computer issues, just big enough to make an administrator come and log in to change something, or try at least; maybe the key logger just unmounts all the flash drives, or keeps disabling the network interface card once every day. They get an AD admin login, worm their way around your network and find your backups? Destroy them just to be mean and go on a rampage dropping tables, deleting all the email, erasing configs for your VoIP/PBX, booting your virtual machines into a WipeDrive disk and destroying data just to be cruel, defacing your website, getting into your payroll records and messing with people's pay rates (suddenly everyone makes minimum wage); after they've done as much damage as they could (that much damage could be managed in just a few hours of active playing), they really decide to screw you: they start erasing configs in network devices from the inside out.

You find it in the morning. No emails could go out to alert you; the mail server was compromised and taken down. You try to log into a server only to find they've destroyed the machine login credentials for the domain controllers and set very complex passwords for what Active Directory users they didn't disable and destroy. All your virtualized servers have literally been wiped. All emails are gone except the copies on phones and tablets. You have no internet access. Your website has been erased and replaced by a defacement. Your phones don't work. Everyone's SSN information has been compromised. Everyone is making minimum wage. They erased all your on-network backups. You're screwed. All of that could stem from one person who clicked a link, got infected with a key logger, and had an administrator log in at that machine. That's potential losses. Potentially everything could be destroyed, burned away in the metaphorical fire of the hacker's delight. Your company is pretty screwed. Even with proper offsite backups, you're looking at weeks to rebuild that many servers. Your reputation is destroyed. You weren't just owned, you were ruined. If you didn't have offsite backups, then everything has to be rebuilt from the ground up. Most companies fail and disband in situations like that.

About the Author
CCIE Data Center #46006. I am a passionate IT professional who splits the work hours between being a Datacenter Architect and a Network Security Specialist. Yes, I enjoy this double-personality professional life.