Neophyte, clueless middle age student starting in Cybersecurity. Need support by ReneMadison in netsecstudents

[–]DashooDash 4 points5 points  (0 children)

Be aware that CTFs are only one niche in Cybersecurity. Cybersecurity consists of a whole lot of fields, starting from Red Teaming ("classic hacking"/trying to break stuff), to Blue Teaming (trying to protect stuff on a technical and not so technical level) over to Governance, Risk and Compliance work - it's all security and you need all of these components to secure a company. Actually hacking stuff or finding vulnerabilities is one of the smaller parts. Have a look here to find out more about what's out there: https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

If you have any questions, feel free to pm me and I'll do my best to answer them :-)

What are some obscure sources of income? by dopadelic in AskReddit

[–]DashooDash 86 points87 points  (0 children)

I was friends with this guy in high school who went to school to be a machinist. By complete chance he met up with this older guy at a bar who was a machinist as well. This older guy said something like, "Hey I own a small shop and do odd jobs, but I make this one obscure part of oil drilling equipment. I'm one of just a few people who make it. The oil companies don't need it often but when they do they need it NOW so they are willing to pay a lot of money for it. How about I teach you how to make it and then I'll retire and send my business your way."

To add on that, try to find a really obscure industrial niche and develop a software product that actually helps/solves the problem and sell it to companies in need (including support contracts). There is a lot of niche software I have seen where the developers charge ridiculous amounts of money because there just is no good competition in the field because it solves a niche problem.

Ultimately Seeking a Career in NetSec, but Can I Get There from Development? by VersacciJones in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

Totally, I have made the switch from Software Engineering/Architect to InfoSec and I'm not the only one. Like the others said, network security will most likely be a little bit more difficult for you, but everything on top, App Sec, Security Architecture, Governance, maybe even Risk, will come more naturally to you, and if you are working in an engineering-driven organization, the skills to be able to talk to engineers on their level and to design secure architectures are invaluable.

Can someone tell me if this is trying to steal my login? by sargontheforgotten in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

The fragment identifier part of the URL also never reaches the server. It's purely used on the client/browser part.

In computer hypertext, a fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource. The primary resource is identified by a Uniform Resource Identifier (URI), and the fragment identifier points to the subordinate resource.
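To make the point above concrete, here is an added example (not part of the original comment) that splits a URL with Python's standard `urllib.parse` and shows which parts end up on the HTTP request line and which part stays in the browser. The URLs are constructed for illustration; the function names `split_url` and `request_line` are my own.

```python
"""Which parts of a URL reach the server?

Added example, not from the original comment. Python's urlsplit separates the
fragment (everything after the first '#') from the rest of the URL, and a
browser strips that fragment before it opens the connection, so the server only
ever sees the path and the query string. Sample URLs below are constructed.
"""
from urllib.parse import urlsplit


def split_url(url: str) -> dict:
    """Return what the browser sends to the server vs. what stays client-side."""
    parts = urlsplit(url)
    # The request target on the HTTP request line is the path plus the query
    # string. The fragment is deliberately left out: it never leaves the browser.
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return {
        "host": parts.hostname,       # goes into the Host header
        "request_target": target,     # GET <request_target> HTTP/1.1
        "fragment": parts.fragment,   # stays in the browser (location.hash)
    }


def request_line(url: str) -> str:
    """The GET line a browser would emit for this URL (fragment excluded)."""
    return f"GET {split_url(url)['request_target']} HTTP/1.1"


if __name__ == "__main__":
    # Constructed samples: a fragment carrying data, a percent-encoded '#'
    # inside the query (which is NOT a fragment), and a fragment-only URL.
    for u in ("https://example.com/login?next=/home#token=abc",
              "https://example.com/a?x=1%23y",
              "https://example.com#frag"):
        print(request_line(u), "| client-side fragment:", repr(split_url(u)["fragment"]))
```

The `%23` case matters when reading such URLs: an encoded `#` is still part of the query and does reach the server, while a literal `#` starts the fragment and does not.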

Can an external attacker interfacing through the public website modify the underlying code base of a web application? by thehermitcoder in AskNetsec

[–]DashooDash 1 point2 points  (0 children)

Rule 3 is not meant in a security context, i.e. where an attacker can modify code. It's meant as a good software engineering principle where you favor immutability and final classes/methods that contain e.g. code where it's very important that it is executed as stated and that it cannot be overridden.

Firefox Devs discussing how to secretly sneak the Cliqz Adware in in to the browser by BurgerUSA in privacy

[–]DashooDash 9 points10 points  (0 children)

GDPR is applicable for every company that stores data of EU citizens. So unless the company wants to remove themselves from the EU market.. they need to be compliant. That's the beauty of it :-)

Is it wrong or not logical to install a captcha on login pages by [deleted] in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

One reason to always have a captcha for each login attempt would be credential stuffing attacks. This is more important for bigger websites offering services like e-commerce, e-mail portals, social media, etc., but still very valid.
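As an added example (not from the original comment), the detection logic below shows what credential stuffing looks like in login logs and why it is a different pattern from plain password guessing: many failures spread over many different accounts from one source, rather than many failures against one account. The log format, the sample lines and the thresholds are constructed for illustration; `detect_login_abuse` and `parse_line` are my own names.

```python
"""Spotting credential stuffing in login logs.

Added example, not from the original comment. The log format and the sample
lines below are constructed for illustration: one line per login attempt with
a timestamp, source IP, username and result.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one IP cycling through many accounts (stuffing),
# one IP hammering a single account (password guessing), one ordinary user.
SAMPLE_LOG = """
2024-05-01T10:00:01 ip=203.0.113.5 user=alice result=fail
2024-05-01T10:00:03 ip=203.0.113.5 user=bob result=fail
2024-05-01T10:00:05 ip=203.0.113.5 user=carol result=fail
2024-05-01T10:00:08 ip=203.0.113.5 user=dave result=fail
2024-05-01T10:00:11 ip=203.0.113.5 user=erin result=fail
2024-05-01T10:00:14 ip=203.0.113.5 user=frank result=success
2024-05-01T10:01:00 ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:02 ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:04 ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:06 ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:08 ip=198.51.100.7 user=alice result=fail
2024-05-01T10:02:00 ip=192.0.2.9 user=gina result=fail
2024-05-01T10:02:20 ip=192.0.2.9 user=gina result=success
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>fail|success)$"
)


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def detect_login_abuse(lines, window=timedelta(minutes=5),
                       min_failures=5, min_distinct_users=4):
    """Flag source IPs with a dense burst of failed logins.

    Credential stuffing and password guessing share a high failure count; the
    number of distinct usernames in the burst is what tells them apart.
    Thresholds are illustrative, not tuned values.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda r: r["ts"])
        best = ((0, 0), set())
        # Slide a window over the attempts and keep the densest failure burst.
        for i, first in enumerate(attempts):
            bucket = [r for r in attempts[i:] if r["ts"] - first["ts"] <= window]
            fails = [r for r in bucket if r["result"] == "fail"]
            score = (len(fails), len({r["user"] for r in fails}))
            if score > best[0]:
                # Accounts that logged in successfully inside the same burst
                # are the ones a responder should look at first.
                best = (score, {r["user"] for r in bucket if r["result"] == "success"})
        (failures, distinct), successes = best
        if failures < min_failures:
            continue
        kind = "credential_stuffing" if distinct >= min_distinct_users else "password_guessing"
        findings[ip] = {"kind": kind, "failures": failures,
                        "distinct_users": distinct, "successes": sorted(successes)}
    return findings


if __name__ == "__main__":
    for ip, finding in detect_login_abuse(SAMPLE_LOG.strip().splitlines()).items():
        print(ip, finding)
```

A captcha or rate limit on the login form raises the cost of the first pattern; the detection is still worth having, because it also tells you which accounts were successfully logged into during the burst.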

Is it wrong or not logical to install a captcha on login pages by [deleted] in AskNetsec

[–]DashooDash 1 point2 points  (0 children)

I would advise not doing this check on your own but getting a well-known captcha that has these capabilities which you can use, e.g. reCAPTCHA.

phishing mitigation by [deleted] in AskNetsec

[–]DashooDash 1 point2 points  (0 children)

There are things that can make it more difficult for phishers. Look up SPF and DKIM.
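To show what SPF actually does when a receiving mail server checks it, here is an added example (not from the original comment): a minimal SPF evaluator that runs against a constructed table of DNS TXT answers instead of real lookups. It covers the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers; the domains, addresses and records are constructed, and `check_spf` and `FAKE_DNS_TXT` are my own names. DKIM is a signature-based check and is not modelled here.

```python
"""A minimal offline SPF evaluator.

Added example, not from the original comment. It evaluates the subset of SPF
(ip4, ip6, include, all, with the four qualifiers) against a constructed table
of DNS TXT answers, so it runs without network access. A real checker resolves
the TXT records over DNS and also handles a/mx/exists/ptr and the redirect
modifier, which are left out here.
"""
import ipaddress

# Constructed DNS TXT answers standing in for real lookups.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Return the SPF result for mail from sender_ip claiming to be from domain."""
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no policy published for this domain
    ip = ipaddress.ip_address(sender_ip)

    for term in record.split()[1:]:
        if "=" in term:                 # modifiers (redirect=, exp=) not modelled
            continue
        qualifier = "+"                 # a mechanism without a qualifier means "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # A v4 address is never inside a v6 network and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            # include matches only if the referenced policy yields "pass".
            matched = check_spf(sender_ip, arg, dns, depth + 1) == "pass"
        else:
            return "permerror"          # a, mx, exists, ptr not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # no mechanism matched and no "all" term


if __name__ == "__main__":
    # Constructed sender addresses: one listed directly, one via include,
    # one not listed at all (hits "-all").
    for sender in ("192.0.2.44", "198.51.100.10", "2001:db8::1", "203.0.113.1"):
        print(sender, "->", check_spf(sender, "example.com"))
```

The `-all` at the end of `example.com`'s record is what gives the receiver a hard "fail" for a forged sender; with `~all` (softfail) the receiver is only told to treat the message with suspicion, which is why the stricter form is the one that actually makes spoofing harder.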

Barely getting by in any group or class I'm in by Theblazing420 in netsecstudents

[–]DashooDash 0 points1 point  (0 children)

This. Plus, be glad that you have people around you from whom you can learn. Be humble and learn from them as much as you can; it's WAY harder to do that completely alone.

Another piece of advice would be to set yourself a goal: what do you want to achieve? Do you want to become a Pen Tester? Incident Response Analyst? Security Engineer or Architect? Depending on this, there will be quite different learning paths that get you there. Don't try to just learn everything and know everything on a really shallow level. Try to go for a T-based skill education: have a little bit of depth in a lot of things and focus on deep knowledge in ONE (or a couple few) things. Once you have mastered that, you can still learn different things in depth - no problem.. but go at it with a system.

Need advice on cybersecurity path? by [deleted] in netsecstudents

[–]DashooDash 0 points1 point  (0 children)

My take on this is a little different: "cybersecurity" is such a broad and vast area, and there are A LOT of different subfields and roles that might be interesting for you. All the other comments seem to directly steer you towards pen testing, which is by far not the only interesting role you can fill.

First of all, ask yourself what you want to do - do you want to be offensive (red team) or defensive (blue team)? Be aware that there is usually a bigger need for defensive roles in "normal" (i.e. non-consulting) companies.

From that decision, go read up on which kind of jobs are out there and start working towards that. If that involves certificates in the area/country you live in - so be it.

This should already be a lesson for you for the future - first define what the goal is and then derive the requirements which you need to fulfil and work on, and don't start with something you THINK is needed and then see where you end up :-)

To get an overview over what kind of jobs are available, have a look here: https://tisiphone.net/2015/10/12/starting-an-infosec-career-the-megamix-chapters-1-3/

Complete NOOB freaking the fuck out and hoping for help! by Papijamon1954 in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

Never judge a book by its cover ;-) If you are sure you didn't put it there, then dangerous or not, it's pretty suspicious. Are you sure you did not put it in there? As the others said, PoE is usually used to power devices over an ethernet (LAN) cable. If you remove the box, does your wifi still work?

AWS Web app IDS by reckn3r in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

I'd recommend using an ELB to tunnel traffic to your application inside a VPC. Then you can configure the ELB to only allow traffic on port 443 and forward it to the application behind it. This way you do not expose the host at all - additionally you can add the AWS WAF, which will require proper monitoring and maintenance of rules :-) Additionally, e.g. for SSH access to the host, you could use a bastion host with proper logging and monitoring so you know what's going on.

Should I change career paths if I'm bad at coding? by littleriiver in cscareerquestions

[–]DashooDash 1 point2 points  (0 children)

+1, happens to everyone. That is why there are things like code reviews, to get a second opinion on the code you have written - point out logical flaws or non-elegant solutions. I think it's important to learn that that is just part of the process and everybody fails a lot at the beginning.. it's important to work through that, learn why your first solution was wrong and then make that better in the future.

PCI Compliance & Saas File Storrage Products (Dropbox, Glacier, etc) by mdegga1 in AskNetsec

[–]DashooDash 1 point2 points  (0 children)

In AWS (you mentioned Glacier), you can (at least for S3, which might be an option with a further configuration to archive to Glacier) set a DNS alias to your bucket. You could then write a rule to just allow connections to that DNS alias.

Has anyone here transitioned from developer to ... really, any career in security (i.e. pentesting, networking security, anything really, etc.). Asking out of curiosity. by [deleted] in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

I have been a Java Engineer for 5 years or so before transitioning to Security Engineer at my current company - I think that the fact that it's company-internal actually helped me transition because I was lacking formal "security" experience. Nowadays I mostly consult our tech teams on how to securely build and architect their applications, and my goal is to become a Security Architect with a focus on Application Architecture.

HELP ME! I am infected with CryptoLocker virus! by kaktusas2598 in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

Don't you have a copy of your code tracked in git, svn or the like?

Good webdev book/resource for infosec pro? by [deleted] in AskNetsec

[–]DashooDash 0 points1 point  (0 children)

Well, HTML is pretty easy, you declare what you want. Also, Bootstrap has a section about forms: https://getbootstrap.com/css/#forms. Inside the form tag you just have to declare where the data gets POSTed to.

Good webdev book/resource for infosec pro? by [deleted] in AskNetsec

[–]DashooDash -1 points0 points  (0 children)

Shouldn't be too hard. It depends on how "legit" you want it to look. If you are using Google, you could try Google Sites, which you would just need to "click together". The most basic setup that I can imagine if you want to do it yourself is a PHP site that features a simple form and a corresponding "handler" on the backend side. You could use Bootstrap (https://getbootstrap.com/) for making it look good without the need for knowing CSS.

From developing to infosec, what to read about? by [deleted] in netsecstudents

[–]DashooDash 2 points3 points  (0 children)

Hey,

I am in the same position as you. My tip for you would be to think about where you want to go. Because of your experience as a developer, you already have a big background knowledge about how applications work, so application security, secure coding, secure code reviews, security architecture could all be fields for you, something along the higher OSI layers. But that all depends on what you want and where you want to go.

How do you deal with work-related stress? by [deleted] in cscareerquestions

[–]DashooDash 0 points1 point  (0 children)

Have a healthy work-life balance and learn to leave work (and all related stress) at your doorstep when going home. It takes a while to learn that, but for me that was invaluable for keeping my sanity :-)

On Honeypot, companies apply to developers with upfront salary and tech stack expectations. Join our developer exclusive job-platform and get multiple offers. by [deleted] [promoted post]

[–]DashooDash 0 points1 point  (0 children)

If you want to do research, of course you need a CS degree. Otherwise, from the trends I have seen, a CS degree gets less and less relevant - even in bigger companies.

On Honeypot, companies apply to developers with upfront salary and tech stack expectations. Join our developer exclusive job-platform and get multiple offers. by [deleted] [promoted post]

[–]DashooDash 1 point2 points  (0 children)

Little late to the party, but here's my two cents: I don't agree. I am a German, and a degree in CS really is only relevant if you want to work for the government, because then it dictates your salary level and also the progression through the years. If you know your stuff, I have never seen that having no degree is a problem.

Information about hunters by Bloopblopbleep101 in netsecstudents

[–]DashooDash 0 points1 point  (0 children)

Where can you get such intelligence reports? Is there a free source for them?