I recently realised that although I have worked in the information security space for almost 13 years, in the last few years I have done less “hands on” work. When my last full-time employer made the switch to a fully outsourced IT stack there was less of a need for the security analyst to work with technology. The team made the transition to a governance, risk and compliance (GRC) model, with my role morphing into more of an internal security consultant. I was no longer responsible for the day-to-day tasks of vulnerability assessment, network intrusion detection and log management.
This didn’t mean I had no skills. It just meant that my current skill set was more suited to building or advising on information security architectures, critical controls, policies, procedures, and standards. I have good to great presentation skills. I had practised my writing over the years and written a few internal white papers. I could stand in front of a room of senior managers and directors and discuss business strategy, and collaborate across multiple business units to achieve shared goals. I can talk and walk in the language of technology and business.
When my role was eliminated in 2013 and I went back to working as an independent security consultant, I realised how much my hands-on skill set had atrophied. I found myself stumbling to remember how to use Nmap and wasn’t up to date on the latest open source security tools. I wasn’t even aware that OpenVAS was really Nessus. I panicked, thinking “I’m over the hill now!”.
These hands-on technical skills are not what my current client finds valuable. Most of what I’ve accomplished in my projects over the last two years of consulting has been to help build an information security architecture to achieve certain business compliance objectives. It’s what my clients want and need, and they are very appreciative of my efforts and the results.
However, I want to expand on what I can offer future clients. There is an uptick in demand for experienced information security professionals and I want to position my skill set and service offering to take full advantage. The question I asked myself was “how can I brush the dust from my technical skills and polish them?”.
There are two strategies I am pursuing simultaneously.
- Building a lab
I want to develop my penetration testing and vulnerability assessment skills. Perhaps due to the large number of highly public security breaches in 2013 and 2014, many organisations are realising that they need to do more to find and fix the flaws in their systems. The attackers have become very good at exploiting weaknesses, some of which have been around for decades, in some of the core services of operating systems and networks. I think penetration and vulnerability testing is one area where demand will continue to grow. However, training is the toughest part to deal with.
Many of the training classes I want to take are expensive. A single SANS course is about $5000. The cost of the course plus the loss of income during the week I am attending the course makes the overall cost difficult to swallow. But … if I want to be successful I have to find a way.
The other option is for me to do all the training online. This would allow me the flexibility of working during the day and studying at night. Online courses tend to be cheaper as well. Some of the courses provide a lab for students to test out the techniques taught in the course. I haven’t made any decisions on training as yet but I have put some thought into building a lab where I can play around with some of the open-source security tools.
At first, I thought that perhaps I would build out the lab using OS X. I could use my iMac for assessment and monitoring and my MacBook Air as the pen-testing machine. I could certainly find OS X ports of most (if not all) of the tools. But I use these two machines for other purposes. The iMac is for photo editing and writing and the MacBook Air is my minimal viable mobile office and presentation device. I really want to have devices dedicated to security-related tasks.
To build a test lab I bought a used Dell blade server on eBay. It has enough CPU, memory and storage for this purpose. I plan on installing a Linux distro. I’m not sure if it would be better to install Ubuntu Server and then install or build the security tools, or just install a Linux distro like Kali Linux that’s geared toward pen testers. I’m not sure as yet.
I plan on installing and configuring the following assessment tools.
- OpenVAS for network and system vulnerability assessment
- ZMap for network scanning
- Nmap for network discovery and server profiling
- Nikto for application security assessment
- WhatWeb for application profiling
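The tools above chain together naturally: Nmap finds the hosts and open ports, and Nikto and WhatWeb then take only the web services. The shell script below is an added example (my own, not from the original post) of that hand-off. It assumes Nmap was run with `-oG` (greppable output), parses that file with awk to pick out open TCP ports whose service looks like HTTP or HTTPS (falling back to well-known port numbers when Nmap could not name the service), and emits one URL per line for `whatweb` and `nikto`. The sample scan file written by `sample_gnmap` is constructed for illustration; the hosts and ports in it are not real.

```shell
#!/bin/sh
# web_targets: read an nmap -oG file and print one URL per open HTTP/HTTPS port.
# Greppable lines look like (tab-separated fields):
#   Host: 10.0.0.5 (name)<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>Ignored State: ...
# Each port entry is port/state/proto/owner/service/rpc/version/.
web_targets() {
  awk -F "$(printf '\t')" '
  /^Host:/ {
    host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
    for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
      ports = $i; sub(/^Ports: /, "", ports)
      n = split(ports, p, ", ")
      for (j = 1; j <= n; j++) {
        split(p[j], f, "/")
        # only definitely-open TCP ports; "open|filtered", "filtered" and UDP are skipped
        if (f[2] != "open" || f[3] != "tcp") continue
        svc = f[5]
        if (svc ~ /https|ssl/) scheme = "https"
        else if (svc ~ /http/) scheme = "http"
        # service name empty (e.g. scan without -sV on an odd port): guess from the port number
        else if (svc == "" && (f[1] == "443" || f[1] == "8443")) scheme = "https"
        else if (svc == "" && (f[1] == "80" || f[1] == "8080")) scheme = "http"
        else continue
        print scheme "://" host ":" f[1]
      }
    }
  }' "$1"
}

# assess_web_targets: run WhatWeb (profiling) then Nikto (checks) against each URL on stdin.
# Requires whatweb and nikto on PATH; only run this against hosts you own or are authorised to test.
assess_web_targets() {
  while IFS= read -r url; do
    echo "== $url"
    whatweb --color=never "$url"
    nikto -h "$url"
  done
}

# sample_gnmap: write a constructed (not real) nmap -oG file to $1 for trying web_targets offline.
sample_gnmap() {
  {
    printf '# Nmap scan of the lab segment (constructed sample)\n'
    printf 'Host: 192.168.1.10 (nas.lan)\tStatus: Up\n'
    printf 'Host: 192.168.1.10 (nas.lan)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (997)\n'
    printf 'Host: 192.168.1.20 ()\tPorts: 8080/open/tcp//http-proxy///, 9100/filtered/tcp//jetdirect///\tIgnored State: closed (998)\n'
    printf 'Host: 192.168.1.30 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n'
    printf 'Host: 192.168.1.40 ()\tPorts: 8443/open/tcp/////\tIgnored State: closed (999)\n'
    printf '# Nmap done\n'
  } > "$1"
}

# Usage: NMAP_GNMAP=lab.gnmap sh web-targets.sh
# (after e.g.: nmap -sV -p- -oG lab.gnmap 192.168.1.0/24)
if [ -n "${NMAP_GNMAP:-}" ]; then
  web_targets "$NMAP_GNMAP" | assess_web_targets
fi
```

The parser deliberately ignores `open|filtered` and UDP entries, so anything it hands to Nikto really answered a TCP connect; run Nmap with `-sV` where you can so the scheme is chosen from the detected service rather than the port number.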
In addition to the tools mentioned I want to try network and system monitoring tools such as Snort, OpenSCAP, Open Source Tripwire and Splunk. It will be nice to re-familiarize myself with tools such as Snort and Splunk.
My home network has 19 IP-enabled devices. I have iOS devices, a few Macs, two Raspberry Pis, and some embedded Linux devices. I think these will give me enough traffic to test these tools out.
So far progress has been slow. I have my blade server sitting in the basement but I have yet to install the OS and connect it to the network. Many years ago (circa 2008?) I got rid of all the superfluous PC-style machines in my basement and bought an iMac and a MacBook. I’ve bought only Macs since then. Part of the reason for the delay is that I have no power cables, display, or keyboard to attach to the server. I may have to do another search on eBay for a small used display and keyboard. I only need them to install the OS and set up SSH. After that, I can connect to it remotely.
In the meantime I installed Kali Linux on one of my Raspberry Pi machines. I still can’t use it since Kali Linux defaults to having no running services. I can’t log in to turn the service on without a display. I am also hoping to repurpose an old Mac mini G4 to run Linux. Again, the lack of a display hinders those efforts.
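One way around the no-display problem on the Pi is to enable sshd on the SD card from another machine before the first boot, so the image comes up with SSH already listening. The script below is an added example (my own, not from the post or from the Kali project) and assumes a Debian-style Kali image that boots with systemd and has `openssh-server` installed, so that its unit is `ssh.service` and enabling it means creating the `multi-user.target.wants` symlink that `systemctl enable ssh` would create on the running system. The mount point and the sysvinit fallback are assumptions; on an older sysvinit-based image the equivalent is `update-rc.d ssh enable` run via chroot, which this script does not do.

```shell
#!/bin/sh
# enable_ssh_offline ROOT
#   ROOT is the image's root filesystem mounted on this machine (e.g. /mnt/pi-root).
#   Creates ROOT/etc/systemd/system/multi-user.target.wants/ssh.service pointing at the
#   unit file *inside the image*, which is exactly what `systemctl enable ssh` does.
enable_ssh_offline() {
  root=$1
  wants=etc/systemd/system/multi-user.target.wants
  unit=""
  # Debian ships the unit under /lib; merged-/usr images have it under /usr/lib.
  for cand in lib/systemd/system/ssh.service usr/lib/systemd/system/ssh.service; do
    if [ -f "$root/$cand" ]; then unit=$cand; break; fi
  done
  if [ -z "$unit" ]; then
    echo "enable_ssh_offline: no ssh.service unit under $root (not systemd, or openssh-server missing)" >&2
    return 1
  fi
  mkdir -p "$root/$wants"
  # The link target must be an absolute path as seen from inside the image, not from the host.
  ln -sf "/$unit" "$root/$wants/ssh.service"
  echo "enabled: $root/$wants/ssh.service -> /$unit"
}

# ssh_enabled_offline ROOT: 0 if the wants symlink is present, 1 otherwise (for checking afterwards)
ssh_enabled_offline() {
  [ -L "$1/etc/systemd/system/multi-user.target.wants/ssh.service" ]
}

# Usage (assumed device name and mount point):
#   sudo mount /dev/sdb2 /mnt/pi-root
#   sudo sh enable-ssh.sh /mnt/pi-root
#   sudo umount /mnt/pi-root
if [ -n "${1:-}" ]; then
  enable_ssh_offline "$1"
fi
```

Two caveats once it boots: change the default password immediately, and if the image shipped with pre-generated SSH host keys (as downloadable ARM images have), regenerate them with `dpkg-reconfigure openssh-server` so your Pi does not share a host key with every other copy of that image.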
So … I’m off to eBay. I need a minimum of a 14” monitor and a keyboard to get started.