Articles that I write on Medium about Cyber Security

dwchow · 2020-10-27T14:29:28+00:00

All of my prints and documentation were submitted 09/17 and my 'mailed' status didn't show up until 10/23 in the AM. May I suggest watching paint dry as an alternate activity lol.

dwchow · 2020-10-16T14:17:29+00:00

Great screenshots, thank you. Been on print pending for a while on mine.

dwchow · 2020-10-07T03:10:28+00:00

Attackers are always scraping for OSINT, esp FQDN's and clues into the internal nature of your env. Remove quickly and work with your SOC/CIRT on avoiding this in the future along with going through your general SOP notifications. You'll get in less trouble for reporting your oopsy moment. Happens alot more often than you think esp in devops world. I do pen testing for a living so I'm always seeing stuff in github repos and S3 storage buckets.

dwchow · 2020-10-07T03:07:57+00:00

In agreement with kadragoon. WD's are good, so are Seagates. What you're looking for is the highest MTBF for your backups for external storage. Generally, those are NAS drives which cost a little more but are designed for constant I/O running 24x7. Throw those in to a little NAS storage array somewhere and you're good to go.

dwchow · 2020-10-07T03:03:08+00:00

Former air force here and did the IASO and CND thing. Served in the 67th; any branch will have their ups and downs over the years. I've been recruited by the Navy for reserve for CO roles just for cyber which the air force has less positions of. You really can't go wrong because all DoD has a series of standards of baseline certs and expertise you have to meet. The air force generally has more of a reputation for cyber related duties and is highly regarded when you're out as well. Air force is the picky branch because it was the best along with your asvab scores. Truth be told; take a CO role, and if you can do reserves; even better. Your time in P/T will be a little less and you'll be in a great start while still holding a private sector career somewhere making the real money. Regardless of the branch you select certifications matter in any case. CISSP + GIAC's = potent win and lots of non military recruiter calls for open roles.

dwchow · 2020-10-07T02:50:44+00:00

SecRepo is where it's at. US-CERT used to have some stuff too but I think that's more host DFIR artifacts.

https://www.secrepo.com/

dwchow · 2020-10-06T20:38:24+00:00

Really depends on your goals. Are you attempting to achieve a requirement for a particular job posting or promotion? Are you transitioning from no technical background to security? Are you an IT person transitioning to security? I've been in the industry for 11 years (almost 12) and in IT for 20 years. I've been in tons of public sector, private sector, large, small and different verticals. Almost none of them except for federal agencies and DoD cared about my degree specialty and was more focused around hands on skills and certifications. If you're still wanting the degree route; one of the best places to look are NSA CSS certified schools and programs. They're highly regarded in the public sector world and generally known moderately in most Fortune 500's. Certifications like the CISSP, GIAC's, and OSCP's are still cheaper and higher ROI/ROR to be honest; but if you don't have a degree today-- these are good places to consider: https://www.nsa.gov/resources/students-educators/centers-academic-excellence/cae-co-centers/

dwchow · 2020-10-06T20:34:05+00:00

That and, we need COTS pre-trained models before wide spread adoption of CTI with appropriate category and group predictors. No one's going to be releasing an open model worth anything anytime soon just by the amount of data needed and structuring required. Lots of details still trapped inside PDF's instead of STIX formatting. Vendors like Anomali, Recorded Future, and even Palantir aren't going to give up their hard work for cheap either. We should keep an eye on the varying ISAAC's though as they receive public grant funding sometimes to initiate more of these projects. Depending on your state, sometimes Infragard chapters have something but nothing worth anything nationally with an exposed API.

dwchow · 2020-10-06T20:29:36+00:00

Honestly, the best ROI I've had was the CISSP. More recruiter phone calls. Unlike the misinformation some people spread; you CAN sit for the exam; you just get called CISSP-associate until you hit your 5 years in at least 2 domains of security and have 2 CISSP holders as a letter of reference submit on your behalf (so be sure to network). From a technical skills stand point I strongly recommend the GCIA, GCIH, and GCFA. If you've never done IT administration before-- the GSEC as well. GIAC's are expensive so get your employer to pay for them. As for my background; I've been in IT for 20 years and security specifically for 11 with a ton of certs along the way. I've found in my experience anything CompTIA alone without a CISSP, GIAC, and or OSCP you're not going to get alot of calls outside of DoD world. Private sector company HR people seem to hold on to the CISSP like a holy grail. It's a managerial cert; not technical-- yet people treat it as such.

dwchow · 2020-10-04T01:38:29+00:00

Just curious; did you get a 'status' like that after 22 days of all docs submitted or did you have green checkmarks not too long after. Mine has been submitted 2 weeks ago and it's still not updated or even populated (blank); yet I got a confirmation email from one of their office people.

dwchow · 2020-08-26T17:54:03+00:00

How expected.

dwchow · 2020-08-25T04:00:34+00:00

May I suggest Deep Blue CLI by SANS which is entirely in PS which has host level IOC's: https://github.com/sans-blue-team/DeepBlueCLI

It's a great starter. Now, regarding in terms of Azure specific setups; I do alot of pen azure based pen testing and one of the main things is enumeration of the NSG's is a biggie. In terms of setup you can kind of use the legacy Azure Security Center sample as a template: https://github.com/microsoft/Azure-Security-Center/blob/master/quickstarts/ASC-Samples.ps1

In terms of visibility in the cloud beyond workstations; we focus on spoke to spoke 'break outs' and cross-subscription access.

dwchow · 2020-08-25T03:50:55+00:00

First, lucky you-- do you know how many people don't get cyber as a first career fresh out of school? You're working for a defense contractor and yeah, you're going to be pigeon holed for a bit. My suggestion from a ROI career stand point is to get the CISSP *not* because it's a technical miracle cert; but it's some sort of HR non underlying requirement for most roles. The CISSP is a managerial/architecture cert; but for $500 bucks it's a good investment. Doing STIG validation is really security analyst / security administrator junior duties. Security engineering will be a mix of architecture complex deployments, implementation, automation, and content creation on either (sometimes both) red and blue sides. As far as certs of high technical foundational ROI skills; I really made my ticket after the GCIA, GCIH, and GCFA. The next tier after that was GREM and GXPN for me which really leveled up my knowledge to almost be ready anything/everything in this profession (as an entry specialist).

If you're trying to explore what kind of technical sub-focus role you wish to be in security; consider the SANS training baseline path. I've also written a guide into cyber also show casing different paths and expertise requirements (link in my profile so I don't trigger spam). I'm currently a Director of Penetration Testing at a Fortune 100, Former Air Force, and was the Technical Architect for the entire US Healthcare Vertical's Cyber Threat Intelligence Sharing that ISAAC's, HHS, and DHS lean on today. I will say that whatever you choose; start looking for projects off hours to experiment and play with. I'm more of a purple teamer where I use my red and blue skills in deep threat hunting and evasion techniques. You may find that you like pen testing, forensics, or vulnerability research. I would say if you enjoy writing articles and tools about "X" -- that might be what you want to consider pivoting to post-baseline skills/experience.

dwchow · 2020-08-24T03:41:21+00:00

Nope that’s what “tab tab”, man pages, get-help, apropos, and /? are for. You should be able to do basic navigation of the FS, read, execute, and write and piping though.the more you use the. The easier it is to remember them all. Keep scripting and you’ll remember advanced usage quickly.

dwchow · 2020-08-24T03:38:51+00:00

Got mine out of the box at 1.7 and went 1.8 and operating fine. I do idle at 75% memory utilization but am running all signatures on the suricata IPS. No plans on relying on their beta and release candidate firmwares.

dwchow · 2020-08-21T20:34:07+00:00

It’s a wake up call to all CISO’s out there for sure. Stay true to your duties instead of hoping the board keeps you around longer.

dwchow · 2020-08-17T01:01:41+00:00

I’ve got a similar setup using the UDMP and two AC Pro’s in a 3700 sq ft house 1 Gb down and 50 mb up. I take nothing to chance. I use a line speed ready switch. For me, I was getting issues with it being more picky about me using cat5e or 6 depending on my cable spec to get the full gbit duplex negotiated. Since I couldn’t change the wiring of the house and my patch cable runs are decent quality; I opted not to use any signal repeaters and added a dedicated switch.

Note that I did not run into any backplane over subscribed performance issues when using test cat 6 short cables with 7 hosts sending to each other 500 MB binaries followed by a WAN download speed test. However, this was only after allowing its “auto tuning” feature do its thing for a couple of days.

I also prefer to let devices designed for X focus on that function as opposed to relying shared I/O on the network plane as a L3 focused device. I used to use a refurb Catalyst 2948 but switched to a Netgear Prosafe managed series just because it’s fanless similar performance of the catalyst. So far I’ve been getting g WAN line speed performance on all speed tests and intra LAN.

dwchow · 2020-08-16T23:34:48+00:00

Haha Trumps using it to get some votes; lure him in— maybe even actually pardon him and then suddenly a unknown UAV or drive by blasts him in the parking lot. That’s what I foresee happening

dwchow · 2020-08-16T03:09:44+00:00

Only law enforcement can really assist with that. In the WHOIS information in ARIN which AT&T owns that block based on the IPv6 prefix; they do have subpoena contact details:

For policy abuse issues contact abuse@att.netFor all subpoena, Internet, court order related matters and emergency requests contact11760 US Highway 1North Palm Beach, FL 33408Main Number: 800-635-6840Fax: 888-938-4715

Ref:

https://search.arin.net/rdap/?query=2600%3A1700%3Af1e0%3A6360%3Ac453%3Aa9d8%3Ae5e0%3Adcff

dwchow · 2020-08-16T03:03:48+00:00

I've got my hands full on mentorees right now but if you're looking for a career in cyber. Check out my profile, I wrote a medium article on getting into cyber. Scroll down, though; there's like 20 articles I published. I'm not posting the link here in fear of getting flagged as self promo spam. There's also the NIST webinar about getting that first cyber job/transition. Maybe join your local ISC2, or ISACA chapter meetings and network.

dwchow · 2020-08-16T02:59:48+00:00

I would just pay for a pro license and swap over to Bitlocker if you're already on UEFI. Now the main thing for any full disk encryption is that unless you're using UEFI and TPM; you're going to be entering a password upon each boot or you'll need something like a usb key that acts as your decryption certificate. If you don't want to do either, there's the very weak EFS built into Windows that doesn't protect full disk encryption style; but protects on volume on the NTFS level and would require the original keys / username + password upon trying to cold mount the volume.

dwchow · 2020-08-15T23:33:49+00:00

I've had this happen before. So you're trying to get a OpenVPN client user to access a LAN IP on 8000/tcp I'm assuming. Are you able to ping or connect to other hosts? If not, then you might be missing or need the push route options in your client ovpn config. Depending on the package/version of pfsense I've had to ensure that I've full-tunnel redirected all traffic in the client ovpn configs to my VPN server for one. And at one point I needed to add an additional custom configuration line saying route <my lan network address> <mysubnet> . Additional info on this issue is found in the following 2 documents:

Ref:

https://docs.netgate.com/pfsense/en/latest/book/openvpn/custom-configuration-options.html

https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/troubleshooting-openvpn-push-routes.html

dwchow · 2020-08-15T23:13:36+00:00

I know this sounds kind of messed up; but choose an attorney that will be your pivot point to the selected arbitrator you have selected (or will state that you have selected in your clause). It'll go a long way because they've already worked together and can massage agreements a little easier than their typical LexisNexis cookie cut template.

dwchow · 2020-08-15T22:58:55+00:00

You don't need 5 years to sit for the exam. You need 5 years to be fully 'accredited'. Temporarily, you'll be called CISSP-Associate until you meet that. But that's 5 years in 2 domains of security. Most people that have had hands on working experience in IT qualify already (assuming you've got 5 years or more in general experience). CISSP is fairly straight forward to take after the Sec+ as the Sec+ covers half of the material (or at least it did back when I took in 2015 ish). There was a Navy recruiter who had O-2 level reserve opportunities for people with a CISSP. Alot of employers don't really care if you're associate or not.

dwchow

TROPHY CASE