GOING ON THE OFFENSIVE


After having been away from the information security profession for a couple of years, I've decided to get back into it. Furthermore, I've determined that my entry point will be to learn more about offensive security.

Back then...

If you had told me ten-plus years ago, when I was first getting into the industry, that my future self would be studying for a certification called Certified Ethical Hacker, I probably wouldn't have believed you.

Back then I thought that if you didn't already know what was in your infrastructure, then you had enough problems already, meaning fix that problem first. What's more, it didn't help to have an external scan done anyway, because it simply presented a list of systems and ports that were open and vulnerabilities based on the server's banner. These scans were not smart and were easily fooled with a banner change. Of course an external scan is not the same as a pentest, but at the time I considered them the same.

I also felt, as most professionals do, that with enough time all systems are defeatable--with enough time everything can be broken. So I wasn't sure what the point was.

I knew that I didn't like automated scans, that everything is breakable given enough time, and I understood the basic concepts of "hacker" techniques and common vulnerabilities (buffer overflows and such), and that was about where I left it. I just configured my firewalls, learned about Snort, and tried to do the best I could.

But this is now

Times have changed. When I first started in security, 9/11 had just happened. Certainly that event changed the mental landscape of North Americans, if not the world. Then, more than a decade later, Edward Snowden triggered a landslide of surveillance disclosures, which again has changed the mindset of people with regards to information security and privacy.

After that we have smaller, recent events like Heartbleed and the "Celebrity Picture Hack of 2014", certainly aftershocks, but in combination these continuous security breaches weigh heavily on society's group psyche.

These events have made me curious as to the current state of information security.

What's new in "offensive security?"

Recently, the Washington Post wrote an article titled "The ethics of Hacking 101" which brought up some questions and thoughts.

Interestingly, one of the professors quoted in the article requires the students not to work in the private sector when the course is over, though I'm not sure how he could guarantee that.

“In order for me to teach these real-world attack skills, these students have to be trusted,” he said. “They cannot go to work for the private sector.

“There’s no reason to teach private-sector people how to use Stinger missiles,” he continued. Similarly, he said, you don’t teach them to use cyber weapons.

Cryptographer Matthew Green has this to say about "offensive security":

I should mention that:

  1. By "offensive security" I don't mean attacking back. I guess governments might think about this in terms of "cyberwar" (if that's even a real thing) but I'm not a government.
  2. I'm only talking about "ethical hacking", which to me is just learning about the various tools and methodologies attackers use in order to create a better defence.

As far as other changes, I think we use technology a lot more. Smartphones have swiftly changed the world, given that many of us now carry a small, powerful, internetworked computer with us at all times, one that runs millions and millions of lines of code, as well as any number of third-party applications of varying quality.

Certified Ethical Hacker

Some people in IT have become negative towards certifications. I certainly have been in the past. The reality is that every job ad I look at related to information security has several certifications listed, usually with at least one as a "must have." The CEH isn't as commonly listed as the CISSP (which I used to have) or the CISM, and is certainly for a different line of work (offensive security versus management of security or compliance) but it is in a few of them. I'm a pretty technical person and to keep me interested the certification should be technical.

The CEH seems like the perfect place for someone in my position to reboot. The certification is not too expensive or daunting. It's been around for a while, so there are lots of resources--classes, books, blog posts, etc. It'll be a good way to refresh my security knowledge, and it's a clear goal to work towards.