How do I get into Information Security?

I’ve worked in the Information Security field for close to a decade and there are some questions that I get asked a lot.  One of these questions is “How do I get into the Information Security field?” and it’s a bit harder to answer than you might think.  After having stumbled my way through an ad-lib answer to this question a few times, I thought it would be worthwhile for me to compile a more thoughtful response. So, to that end, this is my response to that question.

As you might guess, the short answer is: it depends.

In general, I wouldn’t recommend following the path that I did to get into security. I sort of fell into a security role early on in my career and skipped a lot of early time spent cutting my teeth doing IT support. You certainly CAN go that route if the chips fall in a way that lets you, but what results is that you wind up spending a lot of time going back and figuring out all the basic ‘how the hell does all this work’ stuff at the same time that you’re supposed to understand enough to be able to secure it. It’s doable, you just have to be willing/able to learn in parallel and be able to pick up new concepts fairly quickly.

The course that I would actually recommend is to not start in Information Security at all. Information Technology as an overarching practice focuses on making a wide range of different technologies work together to accomplish a specific task. A simplistic example would be an environment where servers need to communicate with one another and with end-user devices (eg: workstations) over network infrastructure. A good Information Security practitioner will understand all of those pieces (network devices, servers, end-user devices, etc) well enough to be able to identify ways that an attacker could exploit weaknesses to gain access that they aren’t authorized to have. Whether that’s access to devices, to information, or to anything else, the end goal is ultimately the same: stop attackers from gaining access to <insert sensitive thing here> that they aren’t authorized to have. So on some level, Information Security specialists need to have enough general Information Technology knowledge to be able to speak accurately and efficiently about the environment, and then extensive specialized knowledge about the threat landscape (about the practice of security).

Given that Information Security practitioners need at least a solid foundation in general Information Technology, I would highly recommend that anyone looking to get into Information Security start in a more general Information Technology role. Conceptually, it almost doesn’t matter what specific role is the starting point, the important point is that an Information Security practitioner have had hands-on experience supporting some type of technology that an Information Security practitioner would then have to secure.  It gives a very concrete understanding of the real world and solidifies what would otherwise be more of a textbook knowledge of the technology.

In an ideal world, there is some type of technology that really interests you and you should get a job that involves you learning/supporting whatever that piece of technology is.  If you’re really interested in whatever that technology is, you’ll be more engaged and consequently learn a lot more about the entire environment as a whole, not just that specific piece of technology.

Failing some insatiable interest that you already know about, I would recommend starting in either a systems or network administration role. Understanding the ins and outs of how server and network infrastructure works (from daily administrative experience) is immensely helpful. Transitioning from one of those two roles into Information Security is really pretty easy. If a systems or network administration role isn’t easily available or achievable, a help/service desk or development (programmer) position would be next on my list of recommended starting points. Help/service desk technicians have the opportunity to learn all about end-user devices and how they work which again, is a foundational component to all Information Technology environments. I’m throwing development into the mix as well because if you have a strong programming background, it’s very easy to transition into application security which is a specialization within the Information Security practice which focuses on (you guessed it) coding security.

So, recommended starting points in order:

1. System Administrator (virtually interchangeable with item 2)
2. Network Administrator
3. Developer
4. Help/Service Desk technician

There are basic ‘entry-level’ certifications which can help you solidify your technical foundation which I would certainly recommend. Specific to Information Security, I would recommend the CompTIA Security+ or ISC2 SSCP certifications as a starting point. These two certifications are very similar and both give a good, broad assessment of a wide range of security practices. Beyond those two, the typical ‘gold standard’ certification is the ISC2 CISSP which will help greatly from a career standpoint. SANS courses are much more specialized and will provide a really good understanding of specific aspects of Information Security. If you’re taking SANS courses though, you’re probably already in the Infosec field and likely aren’t super interested in this.

That’s about the extent of my thoughts on the ‘how do I get into Information Security?’ question. Hopefully it’s helpful.

 

Firewalk via NMAP

Not new by any means but I came across an ISC post that was talking about the firewalk technique and I figured I’d drop a little update here for it.

Firewalk is a scanning technique used to try and determine firewall rules.  Basically, to try and determine what’s getting blocked or allowed by a firewall.  It uses a TTL expiration technique to accomplish this.

Basically, the scanner sends a probe to a resource located behind the gateway, with a TTL one higher than the gateway.  If the probe is forwarded, we would expect to receive an ICMP_TIME_EXCEEDED reply from the next hop, or eventually hit the targeted resource if the gateway is directly connected.  Otherwise the probe will timeout.

Every response that is received indicates an open port, every non-response indicates a blocked port.  The whole process can be pretty slow.

Credit:  ISC and NMAP

 

Using NMAP to Detect Broadcast Traffic

Came across this post on the ISC diary (highly recommend keeping an eye there if you don’t already).  The short version is that nmap can be used to detect any protocols that send broadcast packets (and are supported by packetdecoders.lua):

• Ether
  • ARP requests (IPv4)
  • CDP – Cisco Discovery Protocol
  • EIGRP – Cisco Enhanced Interior Gateway Routing Protocol
  • OSPF – Open Shortest Path First
• UDP
  • DHCP
  • Netbios
  • SSDP
  • HSRP
  • DropBox
  • Logitech SqueezeBox Discovery
  • Multicast DNS/Bonjour/ZeroConf
  • Spotify

Screencap to follow which shows how to use nmap with the broadcast listener script.  The example shows the result of a device with dropbox installed, a device sending ARP request (a router in this case) and a device sending DHCPv6 requests:

Visibility would depend on your broadcast domains and overall network design, but useful!

Credit: Internet Storm Center

 

Increasing Java Heap Memory

I have several applications and programs that I use professionally which rely on Java.  I don’t know about the rest of you, but Java seems to create more problems than it fixes.  One of the more annoying problems is that it simply takes a ridiculous amount of time to load.  Oracle (not that you’re listening), I’m going to hit you with some knowledge, java shouldn’t take upwards of ten minutes to load an application.

Before I get to the admittedly brief conclusion to this small rant, I would simply say that Java should run better and shouldn’t cause the compatibility issues that it does.

If you find yourself in a similar boat, I poked around and found that you can configure Java with runtime commands.  One such runtime command is to increase the amount of heap memory that Java uses.  By expanding the heap memory, Java seems to run quite a bit faster (makes sense given that you’re allocating more RAM to it).  How does one do this?

1. Launch the Java console (one way is via the control panel)
2. Go to the Java tab and select ‘View’
3. Double-click under ‘Runtime Parameters’ and input the following: -Xmx512m
4. If you want more or less than 512MB allocated to Java, replace ‘512’ with whatever number you would like.  Note that the ‘m’ denotes MB.  Also note that you shouldn’t allocate too much RAM or you will DoS yourself when Java pegs your memory utilization.
5. Click ‘Ok’ and then ‘Apply’ (duh)

Found this info here, just to kick the credit to where it’s ultimately due.

 

OpenSSL Heartbleed

I won’t deep dive too heavily into my thoughts on the recently disclosed ‘Heartbleed’ vulnerability in OpenSSL.  Bruce Schneier does an excellent job of summarizing:

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

Basically, an attacker can grab 64K of memory from a server. The attack leaves no trace, and can be done multiple times to grab a different random 64K of memory. This means that anything in memory — SSL private keys, user keys, anything — is vulnerable. And you have to assume that it is all compromised. All of it.

Needless to say it’s a pretty serious vulnerability that has much of the IT world in a tizzy today as we all try to fix the vulnerability.

Rather than explain further, I’ll just offer some links/sites that you can use to get more information about testing for the vulnerability and identifying whether you’re impacted.

General information:

• http://heartbleed.com/

Sites for testing:

• http://filippo.io/Heartbleed/
• https://www.ssllabs.com/ssltest/

Vendor disclosures:

• http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed
• https://isc.sans.edu/forums/diary/Heartbleed+vendor+notifications/17929
• http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2076225
• http://www.kb.cert.org/vuls/id/720951

 

SSL Certificates and Exporting Private Keys

Every few months or so, I have to deal with SSL certificates. Generally speaking, this is straightforward, but when buying a certificate from a third party authority, I often need the private key which goes along with the certificate that I purchased. Irritatingly, you don’t just get this along with the certificate that you download from the CA. As is often the case, because I deal with this so infrequently, I always forget how to get the private key as a separate file after I get the certificate back from the CA. So, rather than spend up to an hour googling for this every time, I’m putting the information here.

Short version: Import the certificate into the certificate store of the server where you generated the CSR.  Run the certutil -repairstore command.  Et voila.

Credit to Entrust