Linux security focus

der.hans PLUGd at LuftHans.com
Mon Apr 1 23:51:14 MST 2013


On 13 Mar 2013, Lisa Kachold chatted as follows:

moin moin,

> Hans has mentored Linuxities in Phoenix (and California at ScaLe) for many
> years now and is supposed to be a fair teacher.

Thanks.

> Security careers are not just pursued through any one arena.
>
> WE ARE ALL responsible for SECURITY in our own lives, with technology, and
> in our professions.

A little slow in response, but I wanted to respond and agree with Lisa on
this.

Those of us that are professionals obviously have responsibility for
security in what we do. Those who aren't professionals ( this includes
spouse, children and other family members of the professionals ), also
have responsibility for security.

We can't individually keep ahead of everything that's out there, but we
can still have good general practices. Unfortunately, those will likely
continue getting more complex :(.

> Security compartmentalization can be a huge problem, especially when we
> attempt to educate the masses.
>
> The best way to get into security is to DO IT.  Since there is a great deal

Again, Lisa is absolutely correct. For wherever you're at, investigate
the security risks of your day to day job. Generally, though, you should
not test security of production or customer boxen without express ( in
plain text ) permission from management.

> of material covering the full OSI stack, and many protocols, we suggest
> that you attend DefCon in Las Vegas.  Also, studying for and taking ANY
> certification is one of the requirements.

Anyone in the southwest interested in security should be going to DEFCON.

It's fairly easy to get to as PLUG and ASULUG do ad hoc ride-sharing for
it or it's a short flight.

DEFCON now also has a kids program for those of us with children.

Come give security presentations at PLUG, ASULUG, OWASP, etc. and let
others learn from your knowledge. You learn a lot in order to be able
to teach, so it really is a good exercise. For instance, it's a great
exercise to help prep for interview questions :) and it's something that
can go on the resume.

More good stuff from Lisa below, so I won't truncate this time.

ciao,

der.hans

> After you have one or two respectable certs to your name, you can pretty
> much work anywhere.  They are not going to quibble about less than 2 years
> experience.  You can gain experience by attending local events from UAT, to
> DeVry Hackfests, to OWASP monthly groups.
>
> Assuming and requiring someone else will "educate you" is antithetical to
> hacker thinking.  You have the ability to "go look".  You can by taking
> things apart, start observing (using regular tools from Firefox Developer
> plugin to gdb, to an inline sniffer) security behaviors.
>
> I recommend you go to the Phoenix Public Library and read every Security
> book they have (excluding fiction).   They have a few study guides as well
> for certifications.  It's recommended that you take a class ONLY if you
> don't feel confident to go through the materials and take the test
> successfully.   I recommend that you also READ the full OWASP site, and
> play with the various security distros and tools (Nexus scanning, free scan
> tools and network discovery tools).
>
> Somewhere along the line you will find an affinity to one area:  forensics,
> virus, VLAN Layer 3/VPN, application including SQL injection, web
> applications, bluetooth, wireless, buffer overflow/fuzzing, systems
> exploits via patch management holes, human social engineering.    While you
> might get glazy-eyed with one particular area of security, it's doubtful
> you will actually have the opportunity to work in that one area.
>
> Most baby security analysts (without a 4 year degree) are ticket hockey
> resources, as I have said before.  If you have the capacity for pure
> research, or coding, you can write plugins for Metasploit for instance  -
> getting a name for yourself via your open source contributions.   Putting
> up a blog and hanging out your shingle (after you have a certain
> confidence) for the purposes of scanning web systems or assisting with post
> exploit forensics.   Putting on presentations for local groups and
> submitting to DefCon if you have something really cool or noteworthy (which
> will come from full immersal into all things security) will get you noticed
> and raise your stock.
>
> Again, while a degree or classes are NOT necessary, some employers, like
> the NSA and Federal Government require education for each one of their GS
> levels.  They do hire contractors from time to time, but if you plan to
> work on the cutting edge of cyber security - government is where it's at.
>
>
> So, I will question you:
>
> 1) Do you have a copy of Backtrack5 or another exploit distro available and
> have you gone through the tools available?
> 2) Have you watched every video available on YouTube?
> 3) Have you scanned or tested your own systems?
>
> Those are basic things we all need to be doing (not just security
> professions) but it gives you a place to start.
>
>
> On Wed, Mar 13, 2013 at 1:07 AM, der.hans <PLUGd at lufthans.com> wrote:
>
>> On 12 Mar 2013, blake gonterman chatted as follows:
>>
>> moin moin blake,
>>
>>
>>> I attended a few of the stammtisches a few years back, but kind of fell out
>>> of the Linux community...
>>>
>>
>> General topics meeting this Thursday at Iguana Mack's and Stammtisch there
>> next Tuesday :). Lisa mentioned the hackfests as well.
>>
>>
>>> I've been working at a medium sized company trying to figure out where to
>>> go next. A coworker of mine is suggesting I go down the road of Unix
>>> security. To that end, I've built a small lab at home and have started
>>>
>>
>> The quarter is just starting, so you can get into a GNU/Linux Security
>> class at a community college if you want.
>>
>> Get into Chris' class in Mesa if you can, but you'll need an override from
>> him. Or get into Joey's class in Goodyear.
>>
>> http://classes.sis.maricopa.edu/index.php?keywords=cis271dl&subject_code=any&all_classes=true&terms[]=4132&credit_career=B&credits[min]=gt0&credits[max]=lte9&start_hour=any&end_hour=any&startafter=&instructors=
>>
>> MCC now has a student group focused on security as well.
>>
>> Also, get into CactusCon if you can.
>>
>> http://www.cactuscon.com/
>>
>>
>>> getting back into learning the tools available. I'm not looking for a
>>> glamorous pentesting position, just a functional security position focused
>>> on Linux.
>>>
>>> I'm curious what people already in the field are focused on these days. I
>>> have quite a bit of experience with FIM (tripwire) and I'm focused on
>>> mcafee Web gateway at work currently.  Once my contract is over at the end
>>> of the year, I want to focus on more Linux related work.
>>>
>>> So, is there a need for a dedicated Linux security person here in the
>>> valley, or should I focus on the sysadmin portion and work security into
>>> the mix?
>>>
>>
>> There will increasingly be a need for security professionals. It's the
>> nature of society.
>>
>>
>>> By the way, I have the RHCSA certificate, I just decided standard sysadmin
>>> work wasn't for me.
>>>
>>
>> There's a RH security cert as well. Estrella is probably the route to go
>> if you want to pursue that.
>>
>> ciao,
>>
>> der.hans
>> --
>> #  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
>> #  Intelligence without compassion is a waste.  -- der.hans

-- 
#  http://www.LuftHans.com/        http://www.LuftHans.com/Classes/
#  Schlie
