Starting a Security Tools Lab at Home

I recently realised that although I've worked in the information security space for almost 13 years, my hands-on work has decreased over the last few years. When my last full-time employer switched to a fully outsourced IT stack, the need for a security analyst to work directly with technology diminished. The team transitioned to a governance, risk, and compliance (GRC) model, with my role evolving into more of an internal security consultant. I was no longer responsible for day-to-day tasks like vulnerability assessment, network intrusion detection, and log management.

This didn't mean I lacked skills. It just means that my skill set was better suited to building or advising on information security architectures, critical controls, policies, procedures, and standards. I have good to great presentation skills. I've practised my writing over the years and written a few internal white papers. I could confidently discuss business strategy in front of senior managers and directors and collaborate across multiple business units to achieve shared goals. I can navigate both the language of technology and business.

When my role was eliminated in 2013, I returned to working as an independent security consultant. I realised how much my hands-on skill set had atrophied. I found myself struggling to remember how to use Nmap and wasn't up-to-date on the latest open-source security tools. I wasn't even aware that OpenVAS was essentially Nessus. I panicked, thinking, "I'm over the hill now!"

However, these hands-on technical skills are not what my current client finds valuable. Most of my achievements in consulting over the last two years have involved helping to build an information security architecture to meet certain business compliance objectives. My client appreciates my efforts and the results.

Nevertheless, I want to expand what I can offer future clients. There's an uptick in demand for experienced information security professionals, and I want to position my skills and services to take full advantage. I asked myself, "How can I dust off my technical skills and polish them?"

There are two strategies I am pursuing simultaneously:

  • Training
  • Building a lab

I aim to develop my penetration testing and vulnerability assessment skills. Perhaps due to the large number of highly public security breaches in 2013 and 2014, many organisations realise they need to do more to find and fix flaws in their systems. Attackers have become very adept at exploiting weaknesses — some of which have been around for decades — in some core services of operating systems and networks. I believe penetration and vulnerability testing is one area where demand will continue to grow. However, pursuing training is the toughest challenge.

Many of the training classes I want to take are expensive. A single SANS course is about $5000. The cost of the course, plus the loss of income during the week I am attending, makes the overall cost difficult to swallow. But... if I want to be successful, I have to find a way.

The other option is to do all the training online. This would allow me the flexibility to work during the day and study at night. Online courses tend to be cheaper as well. Some courses provide a lab for students to practice the techniques taught in the course. I haven't made any decisions on training yet, but I have put some thought into building a lab where I can experiment with some open-source security tools.

At first, I thought I might build the lab using OS X. I could use my iMac for assessment and monitoring and my MacBook Air for pen-testing. I could certainly find OS X ports of most, if not all, the tools. But I use these two machines for other purposes. The iMac is for photo editing and writing, and the MacBook Air is my minimal viable mobile office and presentation device. I really want devices dedicated to security-related tasks.

To build a test lab, I bought a used Dell Blade Server on eBay. It has enough CPU, memory, and storage for this purpose. I plan on installing a Linux distro. I'm not sure if it would be better to install Ubuntu Server and then install or build the security tools or just install a Linux distro like Kali Linux that's geared toward pen-testers. I'm not sure yet.

I plan on installing and configuring the following assessment tools:

  • OpenVAS for network and system vulnerability assessment
  • ZMap for network scanning
  • Nmap for network discovery and server profiling
  • Nikto for application security assessment
  • WhatWeb for application profiling
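
As an added example (not from the original post), here is the kind of small script that makes a home-lab Nmap install useful as a monitoring tool rather than just a scanner: it reads the XML that Nmap writes with `-oX`, keeps only hosts that are up, and reconciles them against a known-device inventory so that any device not on the list stands out. The inventory, MAC addresses, IPs and the embedded scan XML are all constructed sample data, not output from the author's network.

```python
"""Reconcile an Nmap XML host-discovery scan against a known-device inventory.

Added home-lab example. The inventory and the scan XML below are constructed
samples in the layout Nmap writes with -oX; they are not real scan output.
"""
import xml.etree.ElementTree as ET

# Constructed inventory of known home/lab devices, keyed by MAC address.
KNOWN_DEVICES = {
    "AA:BB:CC:00:00:01": "iMac",
    "AA:BB:CC:00:00:02": "MacBook Air",
    "AA:BB:CC:00:00:03": "Raspberry Pi (Kali)",
    "AA:BB:CC:00:00:04": "Dell blade (lab server)",
}

# Constructed sample, trimmed to the elements this script reads.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.168.1.0/24">
  <host><status state="up"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:01" addrtype="mac" vendor="Apple"/>
    <ports><port protocol="tcp" portid="22"><state state="closed"/><service name="ssh"/></port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.20" addrtype="ipv4"/>
    <address addr="AA:BB:CC:00:00:04" addrtype="mac" vendor="Dell"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="9392"><state state="open"/><service name="openvas"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.77" addrtype="ipv4"/>
    <address addr="DE:AD:BE:EF:00:99" addrtype="mac"/>
    <ports><port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port></ports>
  </host>
  <host><status state="down"/>
    <address addr="192.168.1.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_hosts(xml_text):
    """Return one dict per host that is up: ip, mac, vendor and open (port, service) pairs."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts Nmap reported as down
        rec = {"ip": None, "mac": None, "vendor": None, "open_ports": []}
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                rec["ip"] = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                rec["mac"] = addr.get("addr").upper()
                rec["vendor"] = addr.get("vendor")  # None when Nmap has no OUI match
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                svc = port.find("service")
                name = svc.get("name") if svc is not None else None
                rec["open_ports"].append((int(port.get("portid")), name))
        hosts.append(rec)
    return hosts


def reconcile(hosts, known):
    """Split live hosts into inventory matches (with a name attached) and unknowns."""
    known_hosts, unknown_hosts = [], []
    for h in hosts:
        name = known.get(h["mac"])
        if name:
            known_hosts.append(dict(h, name=name))
        else:
            unknown_hosts.append(h)
    return known_hosts, unknown_hosts


def report(xml_text, known=KNOWN_DEVICES):
    """Build a short text report; unknown devices are the lines worth reading first."""
    hosts = parse_hosts(xml_text)
    known_hosts, unknown_hosts = reconcile(hosts, known)
    lines = [f"{len(hosts)} live hosts, {len(known_hosts)} in inventory, {len(unknown_hosts)} unknown"]
    for h in known_hosts:
        ports = ", ".join(f"{p}/{s}" for p, s in h["open_ports"]) or "none"
        lines.append(f"  OK   {h['ip']} {h['name']}: open {ports}")
    for h in unknown_hosts:
        ports = ", ".join(f"{p}/{s}" for p, s in h["open_ports"]) or "none"
        lines.append(f"  NEW  {h['ip']} mac={h['mac']} vendor={h['vendor']}: open {ports}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_NMAP_XML)))
```

Keying the inventory on MAC rather than IP is deliberate: on a home network with DHCP the addresses move around, while the hardware address is stable, so a device that is genuinely new shows up as `NEW` instead of being mistaken for a known one that changed address. Run it against a real `nmap -oX scan.xml` file by reading the file into `report()` in place of the embedded sample.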

In addition to the tools mentioned, I want to try network and system monitoring tools such as Snort, OpenSCAP, Open Source Tripwire, and Splunk. It will be nice to re-familiarise myself with tools like Snort and Splunk.

My home network has 19 IP-enabled devices. I have iOS devices, a few Macs, two Raspberry Pi, and some embedded Linux devices. I think these will give me enough traffic to test these tools.

So far, progress has been slow. I have my blade server sitting in the basement, but I have yet to install the OS and connect it to the network. Many years ago (circa 2008?), I got rid of all the superfluous PC-style machines in my basement and bought an iMac and MacBook. I've bought only Macs since then. Part of the delay is that I have no power cables, display, or keyboards for the server. I may have to search eBay for a small used display and keyboard. I only need them to install the OS and set up SSH. After that, I can connect to it remotely.

In the meantime, I installed Kali Linux on one of my Raspberry Pi machines. I still can't use it since Kali Linux defaults to having no running services. I can't log in to turn on the service without a display. I am also hoping to repurpose an old Mac mini G4 to run Linux. Again, the lack of a display hinders those efforts.

So... I'm off to eBay. I need a minimum of a 14” monitor and a keyboard to get started.

Author: Khürt Williams

A human who works in information security and enjoys photography, Formula 1 and craft ale. #nobridge