  • The infosec recruitment process is broken.

    There's something very wrong with the recruitment and selection process these days for information security / technology. Data collected from various institutions and the profession in general would indicate that there is a shortage of staff to fill the ever increasing void of infosec professionals - yet we only have ourselves and the incumbent recruitment methodology to blame. In this article, I'll address the current situation, and provide my take on what needs to be done in order to rectify the situation. A quick disclaimer. I'm no Human Resources expert, and I'm not trying to be. However, I am an individual that has sat on both the potential employer / employee sides of the fence over my career, and to my mind, the recruitment process was flawed then - and still is now. But why is this ?

    Let's take the market from, say, 2003. At this point of my career, I'd just been made redundant and was looking for work. Admittedly, the market was flooded with potential candidates looking for a job. This was during a particular slump in the market, where several companies either went broke, or made huge redundancies as a method of scaling back their operations in order to maximise efficiency and reduce cost. The market became a huge sea of talent, all drawn into the same current headed towards the recruiter's nets. In essence, this was an employer's market - a term used to describe the ratio between available jobs and suitable candidates - and they knew it. Here's a classic example of a flawed process. Having been made redundant, I applied for the position of IT Manager for a large trading and investment house in the city.

    They were in fact a main competitor of the firm I was working for previously, had exactly the same technology and associated processes, and I had the experience they wanted. Great. I submitted my CV and was called by a recruiter around 30 minutes later. After allowing the recruiter to provide the usual rundown of what the job entailed, and deciding I was a suitable match, she then arranged an interview for me. I was full of optimism for this particular role, as on paper, I was the missing piece of their unfinished jigsaw they were looking for. To my mind, I had a superb chance of being successful. Or so I thought.

    An unexpected reality ?

    On arrival, I (and several other people) were rounded up like sheep and herded into a small conference room where we were asked to take a seat. At each chair position was a pencil, pen, and around 5 sheets of paper facing downwards. A technical test, perhaps ? These guys seem to know what they are looking for. How wrong was I. Sitting at the table with everyone else in equal anticipation felt like a lifetime when in sashayed the HR director (note that I'm using the phrase "sashayed" loosely and in good humour, as this is probably the best way I could describe this particular individual). She introduced herself, and then set about detailing how this particular session would work. Suddenly, my positive mental thinking degraded into complete disbelief - and at the same time, dismay.

    This wasn't a technical test. It was an aptitude test ! And to make it worse, the chosen measurement for this pointless (in my view) exercise was to arrange the CEO's diary for the day. Now, I'm no HR expert as I alluded to at the start of this article, but can someone please explain to me why I need PA skills to run an IT department ?

    When asked to start the test, I wrote my name and contact details on the first page, followed by "Could you please give me a call when you have a moment and explain how the technical position I applied for requires me to sit an aptitude test of this nature ? You are wasting your time, my time, and everyone else’s in this room - and insulting their intelligence in the process. Thank you."

    At that point, I downed the pencil, got up, grabbed my coat, and left the room. Nobody said a word. You could hear the tumbleweed rolling, and it suddenly dawned on me that I potentially could have just made a complete fool of myself. It was too late to turn back, so I followed through with my original instinct. Expecting to be the only one taking this stance, I took a casual glimpse back at the corridor - just me as I thought - for about 30 seconds. As I signed out at security, 5 others who were in the room were right behind me. The ironic thing is, that despite all of us clearly leaving for the same reason, no conversation was exchanged. They simply scattered in different directions upon exit. Did I ever get a call from this company ? No. And I wasn't expecting it either. But to me, this serves as the classic example of a flawed recruitment process.

    How does this align with the problem I originally set out to describe ? Perfectly, in fact. Here's the point. By wasting time and effort on a pointless aptitude test (if you can call it that), this particular organisation missed out on an opportunity to get access to some of the best candidates in the room in terms of experience, and what they could bring to the table. That same principle still applies to today's information security and technology recruitment process. A model which, by definition, is badly broken and needs urgent attention.

    Why is the model broken ?

    The main issue every infosec professional faces today is the interview selection process itself. In virtually all circumstances, hiring managers will defer the research to Human Resources. Whilst this in itself isn't a bad thing (after all, that is a function of HR), the methodology or approach is. Hiring managers usually set a baseline of what they are looking for along with various "essentials" and "nice to haves", then HR will align this with the current industry trends in order to determine pay scale etc. As a nation, we've fallen into the trap of adopting the (often senseless) notion that certification is essential for InfoSec professionals. This is where the process falls down in my view. For example, take an IT professional who has been in the industry for 25 years plus, who holds no formal certification in the form of CISSP (which seems to be the mandatory requirement these days), yet has been breaking into and securing technology since they were tall enough to sit in front of a PC.

    For a CISSP, you need at least 5 years of industry experience - that should clearly tell you something. Experience however, enables any competent individual to use their skillset to its full potential in order to either leverage a vulnerability to its full extent in order to prove successful as a penetration test, or use the same level of experience to effectively harden the environment thus reducing the attack vector and space. However, the CISSP isn't a technical exam in the sense that it requires you to prove your ability to resolve an issue or break into a secured network via an undisclosed vulnerability. It's a technical exam in the sense of theory. Call me a cynic, but anyone who can read a book and has a good memory can pass the CISSP with brain dumps and practice questions. This isn't meant as a derogatory statement; it's an observation which unfortunately rings true in most cases - very much like the MCSE of times past. And so, the inevitable conclusion.

    As soon as the acronym "CISSP" is added to any job description or requirement, you eliminate a significant chunk of the talent pool from any potential selection process. By being under the clearly false illusion that the CISSP is the holy grail in information security, we ourselves have actually created a void in the industry that everyone seems to complain about.

    An individual with 10+ years experience in IT is going to be a very strong candidate - particularly if their core focus is around networking and operating system security and its associated technologies. Admittedly, my view could be seen as somewhat biased. Anyone who follows this site and me as a technology and information security professional will know I'm no fan of certification mills. Passing your driving test doesn't mean you are the safest driver on the road, the same as having a CISSP doesn't mean you can secure a network from an external (or perhaps worse) an internal attack. Being able to secure a network and understand the vast array of complexities that allows a vulnerability to exist in the first place comes with experience. No book is going to teach you to do this without some form of constant exposure.

    To excel at something like technology and information security takes passion - fire in your belly, and a strong desire to understand what's under the hood of something rather than just watching it fly past. Finally, all veterans in this industry are familiar with the term "Paper MCSE". If you think this doesn't apply to the CISSP, then think again. Let's not tar the infosec or technology community with the same brush, and instead:

    • Insist on including those with the relevant experience instead of simply dismissing them.
    • Make the process much fairer with a technical test that is scenario based.
    • Measure how the individual responds and adapts to the situation presented to them.
    • Evaluate how they use their experience and acumen to eliminate issues and resolve problems.
    • If you really want an analytical approach, leverage self-learning AI and other established techniques to really put that candidate under pressure.

    Now there's an idea for a startup if I ever had one… you heard it here first, right 🙂 I fully expect to be "burned at the stake" for my take on why this industry has shot itself in the foot. However, there is a small chance that others will actually agree. Let's see.

    posted in Blog
  • Hacked because you didn't listen ?

    I've been a veteran of the infosec industry for several years, and during that time, I've been exposed to a wide range of technology and situations alike. Over this period, I've amassed a wealth of experience around information security, physical security, and systems. 18 years of that experience has been gained within the financial sector - the remaining spread across manufacturing, retail, and several other areas. I've always classed myself as a jack of all trades, and a master of none. The real reason for this is that I wanted to gain as much exposure to the world of technology without effectively "shoehorning" myself - pigeon holing my career and restricting my overall scope.

    I learned how to both hack and protect 8086 / Z80 systems back in 1984, and was using "POKE" well before Facebook coined the phrase and made it trendy. One of the actual commands I still remember to this day, which rendered the CTRL, SHIFT, ESC break sequence useless, was

     POKE &bdee, &c9
    

    I spent my youth dissecting systems and software alike, understanding how they worked, and more importantly, how easily they could be bypassed or modified.

    Was I a hacker in my youth ?
    If you understand the true meaning of the word, then yes - I most definitely was.

    If you think a hacker is a criminal, then absolutely not. I took the various skills I obtained over the years, honed them, and made them into a walking information source - a living, breathing technology encyclopedia that could be queried simply by asking a question (but not vulnerable to SQL injection).

    Over the years, I took an interest in all forms of technology, and was deeply immersed in the "virus era" of the 2000's. I already understood how viruses worked (after dissecting hundreds of them in a home lab), and the level of damage that could be inflicted by one paved the way for a natural progression to early and somewhat infantile malware. In its earliest form, this malware was easily spotted and removed. Today's campaigns see code that will self-delete post successful execution, leaving little to no trace of its activity on a system. Once the APT (Advanced Persistent Threat) acronym became mainstream, the world and its brother realised they had a significant problem on their hands, and needed to respond accordingly. I'd realised early on that one of the best defences against the ever advancing malware was containment. If you "stem the flow", you reduce the overall impact - essentially, restricting the malicious activity to a small subset rather than your entire estate.

    I began collaborating with various stakeholders in the organisations I worked for over the years, carefully explaining how modern threats worked, and the level of damage they could inflict, initially from an information and financial perspective, extending to reputation damage and a variety of others as campaigns increased in their complexity. I recall one incident during a tenure within the manufacturing industry where I provided a proof of concept. At the time, I was working as a pro bono consultant for a small company, and I don't think they took me too seriously.

    Using an existing and shockingly vulnerable Windows 2003 server (it was still using the original settings in terms of configuration - they had no patching regime, meaning all systems were effectively vanilla) I exhibited how simple it would be to gain access first to this server, then steal the hash - effortlessly using that token to gain full access to other systems without even knowing the password (pass the hash). A very primitive exercise by today's standards, but effective nonetheless. I explained every step of what I was doing along the way, and then explained how to mitigate this simple exploit - I even provided a step by step guide on how to reproduce the vulnerability, how to remediate it, and even provided my recommendations for the necessary steps to enhance security across their estate. Their response was, frankly, shocking. Not only did they attempt to refute my findings, but at the same time, dismissed it as trivial - effectively brushing it under the carpet so to speak. This wasn't a high profile entity, but the firm in question was AIM listed, and by definition, were duty bound - they had a responsibility to shareholders and stakeholders to resolve this issue. Instead, they remained silent.

    Being pro bono meant that my role was an advisory one, and I wasn't charging for my work. The firm had asked me to perform a security posture review, yet somehow, didn't like the result when it was presented to them. I informed them that they were more than welcome to obtain another opinion, and should process my findings as they saw fit. I later found out through a mutual contact that my findings had been dismissed as "unrealistic", and another consultant had certified their infrastructure as "safe". I almost choked on my coffee, but wrote this off as a bad experience. 2 months later, I got a call from the same mutual contact telling me that my findings were indeed correct. He had been contacted by the same firm asking him to provide consultancy for what on the face of it, looked like a compromised network.

    Then came the next line which I'll never forget.

    “I don't suppose you'd be interested in…..”

    I politely refused, saying I was busy on another project. I actually wasn't, but refused out of principle. And so, without further ado, here's my synopsis:

    ".....if you choose not to listen to the advice a security expert gives you, then you are leaving yourself and your organisation unnecessarily vulnerable. Ignorance is not bliss when it comes to security......"

    Think about what you’ve read for a moment, and be honest with me - say so if you think this statement is harsh given the previous content.

    The point I am trying to make here is that despite sustained effort, valiant attempts to raise awareness, and constantly telling people they have gaping holes in systems for them to ignore the advice (and the fix I've handed to them on a plate) is extremely frustrating. Those in the InfoSec community are duty bound to responsibly disclose, inform, educate, raise awareness, and help protect, but that doesn't extend to wiping people's noses and telling them it wasn't their fault that they failed to follow simple advice that probably could have prevented their inevitable breach. My response here is that if you bury your head in the sand, you won't see the guy running up behind you intent on kicking you up the ass.

    Security situations can easily be avoided if people are prepared to actually listen and heed advice. I'm willing to help anyone, but they in return have to be equally willing to listen, understand, and react.

    posted in Blog
  • Where did the news feeds go ?

    Hi all. If you were following the news feed, or no longer see it listed in the recent view, this is because we have chosen to isolate it from the rest of the posts. This keeps some form of sanity :), although if you'd like the news feed to re-appear in your recent list, and to be notified via the unread icon in the toolbar, then follow these steps:

    Click the "Categories" icon (represented by a hamburger menu located in the top navigation).


    Now select the "News" category


    Now locate the "Ignoring" dropdown in the top right menu, and change this to "Watching"


    You'll now be notified of updated news, plus you'll see the unread icon flashing to indicate a new post - you'll also see the news posts in your "Recent" feed.

    Finally, if you want a quick way to view your feed, you can do that here

    Enjoy...

    posted in Announcements
  • Securing your webserver against common attacks

    It surprises me (well, actually, dismays me in most cases) that new websites appear online all the time that have clearly spent an inordinate amount of time on cosmetics / appearance, and decent hosting, yet failed to address the elephant in the room when it comes to actually securing the site itself. Almost all the time, when I perform a quick security audit using something simple like https://securityheaders.io, I see this


    Not a pretty sight. Not only does this leave your site open to clickjacking, MIME sniffing and protocol downgrade, it also looks bad when others decide to perform a simple (and very public) check. Worse still is the sheer number of so called "security experts" who claim to solve all of your security issues with their "silver bullet" solution (sarcasm intended), yet have neglected to get their own house in order. So what can you do to resolve this issue ? It's actually much easier than it seems. Dependent on the web server you are running, you can include these headers.

    Apache

    <IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    # X-XSS-Protection is deprecated; "0" disables the old browser filter, which
    # could itself be abused when enabled with "1; mode=block".
    Header set X-XSS-Protection "0"
    Header set X-Download-Options "noopen"
    Header set X-Content-Type-Options "nosniff"
    # upgrade-insecure-requests alone restricts nothing; add default-src/script-src
    # once you know which origins your scripts come from.
    Header set Content-Security-Policy "upgrade-insecure-requests"
    # "Header set" takes no trailing "add" argument (mod_headers rejects it as an invalid condition).
    Header set Referrer-Policy "no-referrer"
    # Feature-Policy is the legacy name. Browsers that understand Permissions-Policy use
    # it instead, so keep the two consistent (the legacy line below still allows geolocation).
    Header set Feature-Policy "geolocation 'self' https://yourdomain.com"
    Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()"
    # A decoy value; "Header unset X-Powered-By" drops the header entirely.
    Header set X-Powered-By "Whatever text you want to appear here"
    # Only needed if another origin must read your responses; never "*" for authenticated content.
    Header set Access-Control-Allow-Origin "https://yourdomain.com"
    Header set X-Permitted-Cross-Domain-Policies "none"
    # Add "preload" only once every subdomain serves HTTPS; removal from the preload list is slow.
    Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    </IfModule>
    

    NGINX

    # add_header is inherited from the enclosing level only when the current
    # server/location block declares no add_header itself, so keep this set in
    # an included file. "always" also sends the headers on error responses.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Deprecated filter; "0" disables it rather than enabling the abusable "1; mode=block".
    add_header X-XSS-Protection "0" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Content-Type-Options "nosniff" always;
    # upgrade-insecure-requests alone restricts nothing; add default-src/script-src.
    add_header Content-Security-Policy "upgrade-insecure-requests" always;
    add_header Referrer-Policy "no-referrer" always;
    # Legacy name; Permissions-Policy wins where supported, so keep the two consistent.
    add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always;
    add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always;
    # add_header appends; if the backend already sends X-Powered-By, hide it with
    # proxy_hide_header / fastcgi_hide_header instead of sending two copies.
    add_header X-Powered-By "Whatever text you want to appear here" always;
    # Only if another origin must read your responses; never "*" for authenticated content.
    add_header Access-Control-Allow-Origin "https://yourdomain.com" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    # Add "; preload" only once every subdomain serves HTTPS; it is slow to undo.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    

    Note that https://yourdomain.com should be changed to reflect your actual domain. This is just a placeholder to demonstrate how the headers need to be structured.

    Check the configuration syntax first (apachectl configtest or nginx -t), reload Apache or NGINX, and then perform the test again.


    That's better !

    More detail around these headers can be found here
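    The same grading can be run locally instead of against the hosted checker. The Python script below is an added example, not code from the original post: it scores a set of response headers along the lines of the securityheaders.io check and also flags the residual weaknesses of the header set above (a CSP that only upgrades requests, the deprecated XSS filter, version strings in Server / X-Powered-By, a short or incomplete HSTS policy). The BEFORE and AFTER header sets are constructed for the example; fetch_headers is an assumed helper for a live check and is not exercised offline.

```python
"""Offline audit of HTTP response security headers, modelled on the
securityheaders.io check used in the post. Added example, not code from
the original post: BEFORE/AFTER are constructed header sets, mirroring a
bare default server and the hardened Apache/NGINX config respectively."""
import re
from typing import Dict, List, Optional
from urllib.request import Request, urlopen

ONE_YEAR = 365 * 24 * 3600  # minimum HSTS max-age for a passing grade
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin", "no-referrer-when-downgrade"}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup: header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return one finding per failed check; an empty list means all passed."""
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts, re.I)
        if not match or int(match.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age is below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif not re.search(r"\b(default-src|script-src)\b", csp, re.I):
        # upgrade-insecure-requests alone rewrites http:// subresources to
        # https:// but constrains nothing; injected script still runs.
        findings.append("CSP has no default-src/script-src directive")

    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if xfo not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")

    if (_get(headers, "X-Content-Type-Options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    referrer = (_get(headers, "Referrer-Policy") or "").strip().lower()
    if referrer not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or too permissive")

    if _get(headers, "Permissions-Policy") is None:
        findings.append("missing Permissions-Policy")

    xss = _get(headers, "X-XSS-Protection")
    if xss is not None and xss.strip() != "0":
        findings.append("X-XSS-Protection enables the deprecated filter; set 0 or remove")

    # Any digit in these headers is almost always a product version.
    for name in ("Server", "X-Powered-By"):
        value = _get(headers, name)
        if value and re.search(r"\d", value):
            findings.append(f"{name} leaks a version string: {value}")

    return findings


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Live variant (assumed helper): HEAD request via urllib. Needs network,
    so the sample run below uses the constructed dicts instead."""
    req = Request(url, method="HEAD", headers={"User-Agent": "header-audit/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample 1: a stock PHP-on-nginx site with nothing configured.
BEFORE = {
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4.3",
    "X-XSS-Protection": "1; mode=block",
    "Content-Type": "text/html; charset=utf-8",
}

# Constructed sample 2: what the hardened config in the post sends.
AFTER = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "upgrade-insecure-requests",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(),microphone=(),camera=()",
    "X-XSS-Protection": "0",
    "X-Powered-By": "Whatever text you want to appear here",
    "Server": "nginx",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {audit_headers(hdrs) or ['all checks passed']}")
```

    Running the script lists the findings for each constructed sample; the hardened set still earns one finding, because a CSP consisting only of upgrade-insecure-requests does not restrict where scripts may load from. For a live site, pass the result of fetch_headers("https://yourdomain.com") into audit_headers in the same way.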

    posted in Blog
  • RE: First-ever ‘Identity Management Day’ is April 13, 2021

    @cerberus Nothing like a bit of warning - that's today ? 😕

    posted in News
  • RE: Clubhouse API allows everyone to scrape public user data

    @cerberus Wow.... 😲

    posted in News
  • RE: 500m LinkedIn accounts leaked

    @cerberus What's not immediately clear here is just how much of this data came from LinkedIn themselves, and not harvested from the usual unsecured S3 bucket.

    posted in News
  • RE: Swarmshop breach: 600K+ payment card records leaked

    @cerberus said in Swarmshop breach: 600K+ payment card records leaked:

    Swarmshop

    A bit more detail can be found here

    posted in News
  • RE: Coding interviews are terrible. Can we make them better?

    @cerberus Isn't this the entire point of the exercise - to effectively whittle down those who cannot walk the walk but can talk the talk ?

    posted in News
  • RE: What's the point of open source without contributors? Turns out, there are several

    Interesting topic. However, let’s look at the flip-side of the coin. Those open source projects with one sole developer carry inherent risks in the sense that same sole developer may suffer burnout, dwindling enthusiasm, boredom, or a lack of desire to continue without some form of incentive - usually financial, or sponsorship from a larger entity. In this sense, adopting open source for long term usage based on these principles can be dangerous, and leave you “high and dry” without solutions to any issues that arise.

    However, the possibilities here are distinct in the sense that you can fork the project yourself, and assume the role of maintainer, or fork and bring in other resources to contribute / assist in future development. The overall point here is that organisations who may rely on open source software and are then faced with the project being abandoned, or worse still, no resources to assume responsibility could find themselves in a difficult situation.

    posted in News