The Return of PunkSpider

PunkSpider is a tool that automatically crawls the internet searching for vulnerable websites. It then lists those websites and their vulnerabilities in a public database with the intention of creating a more secure online world. It was originally launched by developer Alejandro Caceres and his company Hyperion Gray, but was eventually shut down. It is slated to return at Defcon in August of 2021. But what does this really mean for vulnerable websites?

When asked about his intentions with this tool, the developer said “wouldn’t it be cool if I could scan the entire web for vulnerabilities? And to make it even more fun, wouldn’t it be cool if I released all those vulnerabilities for free? I knew it was going to have some kind of implications. And after I started thinking about it, I really thought they might be good” (Caceres, WIRED article).

The other side of the argument comes down to timing. Regardless of the good intentions, “bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches” (Karen Gullo, email to WIRED).

This raises the question: should a tool like PunkSpider exist? Should those vulnerabilities be made public? Will this lead to more ransomware attacks? Caceres responded to these concerns by saying “you know your customers can see [the vulnerabilities], your investors can see it, so you’re going to fix that s*** fast.”

What do you think about PunkSpider? Leave a comment below. Thanks for reading!

Get Started in I.T. with TryHackMe Pre-Security

TryHackMe is a cybersecurity learning platform used by over 500,000 people. In July of 2021, TryHackMe released a new training module called “Pre-Security.” This learning path is great for anyone getting started in I.T., offering interactive lessons with questions to test your knowledge as you learn.


What Does “Pre-Security” Cover?

These sections are available in the “Pre-Security” learning path.

After a brief introduction, the learning path breaks into four primary areas (as seen in the screenshot above). The first category, Network Fundamentals, breaks down the following concepts in five rooms:

  • What is Networking?

  • Intro to LAN

  • OSI Model

  • Packets & Frames

  • Extending Your Network

The next section titled How The Web Works covers these concepts in the next four rooms:

  • DNS in Detail

  • HTTP in Detail

  • How Websites Work

  • Putting it All Together

The path continues on to focus on Linux Fundamentals in three rooms, covering:

  • Basic commands in the terminal

  • Using SSH and interacting with the file system

  • Common utilities used in Linux

Finally, the path wraps up with two rooms focused on Windows Fundamentals, focused on:

  • Desktop, NTFS, UAC, and the Control Panel

  • System Configuration, UAC settings, Resource Monitoring, and the Windows Registry


Who is This Training For?

Here’s an example of the platform in action. This room is called “What is Networking” and is part of the “Pre-Security” path.

“This learning path will teach you the pre-requisite technical knowledge to get started in cyber security. To attack or defend any technology, you need to first learn how this technology works. The Pre-Security learning path is a beginner friendly and fun way to learn the basics. Your cyber security learning journey starts here!”

- TryHackMe, Pre-Security

As stated on the website, this path is for anyone getting started in IT networking and/or security. It’s a great way to get hands-on with basic IT concepts. Sign up and try it out today!

What is the OSI Model?

The OSI Model describes how data travels across a network. (Photo credit: Thomas Jensen)

The Open Systems Interconnection (OSI) Model is a framework describing how network devices transmit and use data. It consists of seven layers, as seen and briefly described here:

  • Layer 7: Application (the layer the user’s program interacts with; the data is in its application form)

  • Layer 6: Presentation (data is translated between the application’s format and the network’s format)

  • Layer 5: Session (a session between the two devices is established and kept in sync so they can communicate)

  • Layer 4: Transport (end-to-end delivery; data is carried in segments via reliable TCP or in datagrams via faster, connectionless UDP)

  • Layer 3: Network (logical addressing and routing using IP addresses, choosing the shortest and/or most reliable path)

  • Layer 2: Data link (physical addressing on the local link using MAC addresses; data is carried in frames)

  • Layer 1: Physical (the raw bits are transmitted over the physical medium as electrical signals)
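To make layers 2 to 4 concrete, here is an added example (not code from the original post) that hand-builds the Ethernet frame, IPv4 header and UDP datagram for one message and then peels them off again, checking the IPv4 header checksum on the way back. The MAC addresses, IP addresses, ports and payload are constructed sample values, and the UDP checksum is left at zero, which IPv4 permits.

```python
"""Encapsulation and decapsulation of one datagram through OSI layers 2-4."""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by the IPv4 header.
    Over a header whose checksum field is already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def encapsulate(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload):
    """Layer 4 datagram -> layer 3 packet -> layer 2 frame, returned as bytes."""
    # Layer 4 (Transport): UDP header = source port, destination port, length, checksum
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    # Layer 3 (Network): 20-byte IPv4 header carrying the logical (IP) addresses
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                         64, IPPROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    # Layer 2 (Data link): Ethernet header carrying the physical (MAC) addresses
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + udp


def decapsulate(frame: bytes) -> dict:
    """Strip the headers off layer by layer, rejecting a corrupted IPv4 header."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4              # header length in bytes
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto, src_ip, dst_ip = ip_hdr[9], ip_hdr[12:16], ip_hdr[16:20]
    udp = frame[14 + ihl:]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    return {
        "layer2": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "layer3": {"src_ip": ".".join(map(str, src_ip)),
                   "dst_ip": ".".join(map(str, dst_ip)), "proto": proto},
        "layer4": {"src_port": src_port, "dst_port": dst_port,
                   "payload": udp[8:udp_len]},
    }


if __name__ == "__main__":
    # Constructed sample values: a datagram to UDP port 53 (DNS sits at layer 7).
    frame = encapsulate("02:00:00:00:00:01", "02:00:00:00:00:02",
                        "10.0.0.1", "10.0.0.2", 40000, 53, b"hi")
    print(len(frame), "bytes on the wire ->", decapsulate(frame))
```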


How to Memorize the OSI Model

To memorize the order of the OSI layers, it can be helpful to use mnemonic devices such as:

  • Layers 7 to 1:

    • All people seem to need data processing.

    • APS transports network data physically.

  • Layers 1 to 7:

    • Please do not throw sausage pizza away!

    • Please do not touch Steve’s pet alligator!


More Resources

This guide just scratches the surface of the OSI Model. For a more in-depth understanding, check out these resources!

Thanks for reading!

Common Port Numbers

I.T. security professionals need to have a solid understanding of common port numbers and the protocols associated with each one. The best way to learn about these ports is to get hands-on with the protocols listed below.

The following list doesn’t cover every port you will ever need to know, but instead is a list of the ports I studied when preparing to take the CompTIA Security+ exam. There might be a few missing here that you should in fact know, and there may be extra ports here that you wouldn’t really need to know for the Security+ exam, but it wouldn’t hurt to learn them as well! This isn’t meant to be an exhaustive list, but instead one resource among many that you can use to gain knowledge.

I recommend making physical flash cards and creating a “memory palace” that connects each port number to an idea that makes sense for you. For example, I remember Telnet is TCP port 23 because Michael Jordan’s number was 23 and he always hits nothing but “net.” To someone who doesn’t like basketball, that might not help. This is why you should connect the protocols and ports to ideas that resonate with you!

All ports are TCP unless specified:

  • 20-21 FTP

  • 22 SSH, SFTP and SCP

  • 23 Telnet

  • 25 SMTP

  • 49 TACACS

  • 53 DNS

  • 67/68 DHCP (UDP)

  • 69 TFTP (UDP)

  • 80 HTTP

  • 88 Kerberos (TCP/UDP)

  • 110 POP3

  • 123 NTP (UDP)

  • 137 NetBIOS

  • 143 IMAP4

  • 161 SNMP (UDP)

  • 162 SNMP Trap (TCP/UDP)

  • 179 BGP

  • 389 LDAP (TCP/UDP)

  • 443 HTTPS (HTTP over SSL)

  • 500 ISAKMP VPN (UDP)

  • 514 Syslog (UDP)

  • 636 LDAPS (LDAP over SSL)

  • 989 FTP over SSL

  • 990 FTPS

  • 993 IMAP over SSL

  • 1701 L2TP (UDP)

  • 3389 RDP (TCP/UDP)

MITRE D3FEND Explained

The MITRE D3FEND Knowledge Graph lists common cybersecurity countermeasures. (Full size photo)

On June 22, 2021, the National Security Agency Cybersecurity division released details of a new project called D3FEND. “D3FEND, a MITRE research project funded by the NSA, improves the #cybersecurity of NSS, DoD, and the DIB by providing defensive countermeasures for common offensive techniques” (NSA Cyber, Twitter).

The MITRE Corporation is a federally funded organization that supports cybersecurity research and development. To better understand this D3FEND release, it is helpful to know about MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge), which was first developed in 2013. “The MITRE ATT&CK framework is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary's attack lifecycle and the platforms they are known to target” (McAfee, 2020). This framework allows individuals and organizations to better understand the tactics and techniques used by malicious attackers, and to better prepare for and defend against those attacks.

The 2021 release of MITRE D3FEND is a major tool that blue teams can use to protect against exploitation. This framework will allow cybersecurity professionals to fill the gaps in their coverage, comparing their current setup to the D3FEND framework. “These initial results show good promise, and we believe our research has demonstrated the feasibility of a countermeasure model built from real-world data sources” (MITRE, 2021).

For more information, check out the technical whitepaper released by MITRE here.

DarkSide Pipeline Ransomware Attack

The Colonial Pipeline delivers 45% of the fuel supply used by the eastern coast of the United States. Hackers disrupted it in May 2021 using DarkSide RaaS (Ransomware as a Service).

On May 11, 2021, the Cybersecurity & Infrastructure Security Agency (CISA) published an article describing the DarkSide ransomware attack on the Colonial Pipeline. This pipeline delivers 45% of the fuel supply used by the eastern coast of the United States.

When Colonial learned of the cyber attack, “they proactively disconnected certain OT (operational technology) systems to ensure the systems’ safety” (CISA report). In other words, only the company’s IT network was compromised; the OT systems were unaffected, but Colonial deliberately took them offline as a precaution.


What is DarkSide and how did they hack the pipeline?

Social engineering is a common way for attackers to gain access to unauthorized systems.

DarkSide is a hacking group with ties to Russia. They liken themselves to Robin Hood, claiming to steal money from large companies and redistribute it to smaller organizations through charitable donations. “This Robin Hood mentality is more of a PR stunt” according to Jon DiMaggio, chief security strategist for threat intelligence firm Analyst1, interviewed in an article by TechRepublic. "When they made the donations (two donations at $10,000 each), it was reported across cyber news organizations all over the world," DiMaggio said. "It was essentially a $20K marketing cost that got their name out there. All of these guys seem to have big egos, which is why they have press releases and will talk to the media and researchers. So this donation was likely an attempt to increase their visibility."

So how was the attack carried out? “According to open-source reporting, DarkSide actors have previously been observed gaining access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure (VDI)” (CISA report). A phishing attack is when an attacker pretends to be someone trustworthy and convinces the victim to share login credentials or other vital system information. A VDI is defined as “the hosting of desktop environments on a central server. It is a form of desktop virtualization, as the specific desktop images run within virtual machines (VMs) and are delivered to end clients over a network” (Citrix).

While the exact details of this attack are still under investigation, it is likely that social engineering and unauthorized VDI access were involved at some level.


How to mitigate ransomware attacks

The Colonial Pipeline attack triggered panic, causing long lines and gas shortages across the east coast.

The CISA report lists many steps to take to help prevent ransomware attacks at your organization. Here is an abbreviated version of some of the steps they describe (see the full article for more details):

  • Require multi-factor authentication

  • Enable strong spam filters

  • Implement a user training program

  • Filter network traffic to prohibit malicious IP addresses

  • Update software in a timely manner

  • Limit access to resources over networks

  • Set antivirus/antimalware programs to conduct regular scans

  • Implement unauthorized execution prevention by:

    • Disabling macro scripts from Microsoft Office files

    • Implementing application allowlisting

    • Monitoring and/or blocking inbound connections from Tor

    • Deploying signatures to detect and/or block inbound connections from Cobalt Strike servers

  • Implement and ensure robust network segmentation

  • Organize OT assets into logical zones

  • Identify OT and IT network inter-dependencies and develop workarounds or manual controls

  • Regularly test manual controls

  • Implement regular data backup procedures:

    • Ensure that backups are regularly tested

    • Store your backups separately

    • Maintain regularly updated “gold images” of critical systems

    • Retain backup hardware

    • Store source code or executables

  • Ensure user and process account access rights are given based on the principles of least privilege and separation of duties

For more information on how to defend against ransomware attacks, check out this webcast by John Strand, Owner and Security Analyst at Black Hills Information Security. He explains that there are many simple and free/inexpensive measures that companies can take to protect themselves. The content with John starts at the 29:15 mark and is definitely worth investigating.

Thanks for reading!

Study for I.T. Certifications in Five Steps

What can you do today to learn more and get that certification tomorrow? (Photo credit: XPS)

There are five main steps to studying for I.T. certifications. Some people don’t use all of these resources and are still able to pass, but it is best to give yourself a wide variety of study materials to help you learn the content as thoroughly as possible. These steps don’t necessarily need to be taken in this particular order, but some combination of all of them should help you succeed. Let’s dive right into the concepts:


Step 1: Download the Exam Objectives

Begin by downloading the exam objectives so you know exactly which topics are covered on the test. (Photo credit: Austin Distel)

Once you choose an IT exam to take, you should start by downloading the list of exam objectives. This list shows every concept that will be on the test, so you know what to study (and what NOT to study). Save the objectives either as a PDF in a prominent location on your computer, or better yet: print them out and put them in a binder. You will want to check back into these objectives often to see if you are on track. Some people like to put checkmarks next to each topic that they understand thoroughly, and this can be a good method to visually track your progress.


Step 2: Watch Video Lessons

Video lessons are a great way to be exposed to new material for the first time. (Photo credit: Sergey Zolkin)

Many people are visual learners; they would much rather watch someone demonstrate a concept than read about it in a textbook. Video lessons are a great way to expose yourself to new material for the first time.

For entry level IT certifications such as A+, Network+, and Security+, one of the best resources for video lessons is Professor Messer. He offers comprehensive playlists of free YouTube videos that completely cover all of the exam topics.

For other certifications, paid options are available through multiple vendors such as Udemy, LinkedIn Learning, and more. Find a highly rated video series that fits your budget and start watching!

Note: “IT bootcamps” are often very expensive, and while they can be immersive, you could gain that same knowledge through independent study (while saving a bunch of cash). But to each their own…


Step 3: Read a Good Textbook

A good textbook can help you dive deeper into each exam topic and really understand the details. (Photo credit: Sharon McCutcheon)

While videos can be a great way to introduce new topics, reading good books about the exam topics is one of the best ways to get a more thorough understanding of the material. Even if you consider yourself more of a hands-on or visual learner, if you can push yourself to read through an entire textbook on the subject, you will definitely pick up some new knowledge.

Depending on your exam, there are many different textbooks by many different authors. Read reviews and ask around to find the best book for your topic.


Step 4: Get Hands-On Practice

Hands-on practice is the best way to really connect with the material. (Photo credit: Caspar Camille Rubin)

If you are studying for an IT exam, you will eventually need hands-on experience with the hardware and software covered in the test. Companies such as Practice Labs and Boson offer labs that give you step-by-step walkthroughs, giving you hands-on practical experience from anywhere with an internet connection.

While most software can be downloaded and installed fairly easily, it is important to note that hardware can be virtualized, which can save you money. For example, if you own a PC with Windows but want to get some practice using macOS or a version of Linux, you can download hypervisor software like VirtualBox or VMware to create a simulated, virtualized version of that other operating system right on your Windows desktop.


Step 5: Take Practice Tests

Practice quizzes and tests are how you check your knowledge. (Photo credit: Green Chameleon)

After you’ve done the work to learn the material, it is important that you take the time to test your knowledge and ensure that you have truly learned the content. Some of the best practice tests are the ones that not only give you the correct answers at the end, but also explain why each right answer is correct, and why each wrong answer is wrong. This turns the testing process into that final piece of the learning cycle, which spins you back up to steps 2-4 for more detailed learning on the questions you get wrong.

As you take practice tests, try to avoid getting discouraged! Any questions that you get wrong are simply opportunities to make corrections and re-learn the material in a new way.


Get Certified!

When you are ready, go pass your test and grab that certification! (Photo credit: Lewis Keegan)

If you are scoring above 85-90% on practice tests, you are most likely ready to attempt the real exam. If you are still below 85%, go back through steps 1-5, determining your areas of weakness and focusing your study on those specific areas. Find the topics that you enjoy the LEAST and work on them in new ways until you actually start to like them!

Once you take the test and get the certification, it’s time to celebrate, relax for a bit, and then make your next plan. Is it time to start applying for jobs? Is it time to go for another certification? Take the momentum from your success and apply it to your next project, and you will be unstoppable.

Thanks for reading! Good luck!

Which I.T. Certifications Should You Get First?

A+, Network+, and Security+ are some of the best entry-level certifications for a career in IT! (Photo credit: Yu Hai)

One of the most exciting things about a career in IT is the sheer amount of opportunities for advancement. Depending on your interests, you can find a job doing just about anything with computers. To prove your level of knowledge to potential employers, certifications can be very useful. With so many certifications out there, it can be difficult to know where to start. Here is some information that might help:


CompTIA A+

The A+ certification shows that you understand the fundamentals of IT.

Establishing a career in IT often starts by studying for and obtaining the CompTIA A+ certification. “CompTIA A+ certified professionals are proven problem solvers. They support today’s core technologies from security to cloud to data management and more” (CompTIA website). CompTIA lists the objectives for A+ qualified individuals as having the ability to:

  • Demonstrate baseline security skills for IT support professionals

  • Configure device operating systems, including Windows, Mac, Linux, Chrome OS, Android and iOS and administer client-based as well as cloud-based (SaaS) software

  • Troubleshoot and problem solve core service and support challenges while applying best practices for documentation, change management, and scripting

  • Support basic IT infrastructure and networking

  • Configure and support PC, mobile and IoT device hardware

  • Implement basic data backup and recovery methods and apply data storage and management best practices


CompTIA Network+

Network+ is a good foundational certification for any career in IT.

“CompTIA Network+ helps develop a career in IT infrastructure covering troubleshooting, configuring, and managing networks” (CompTIA website). Network+ qualified individuals should be able to:

  • Design and implement functional networks

  • Configure, manage, and maintain essential network devices

  • Use devices such as switches and routers to segment network traffic and create resilient networks

  • Identify benefits and drawbacks of existing network configurations

  • Implement network security, standards, and protocols

  • Troubleshoot network problems

  • Support the creation of virtualized networks


CompTIA Security+

Security+ is a great entry-level certification for those who want a career in cybersecurity!

“CompTIA Security+ is a global certification that validates the baseline skills necessary to perform core security functions and pursue an IT security career” (CompTIA website). CompTIA describes the following objectives for Security+ individuals:

  • Assess the security posture of an enterprise environment and recommend and implement appropriate security solutions

  • Monitor and secure hybrid environments, including cloud, mobile, and IoT

  • Operate with an awareness of applicable laws and policies, including principles of governance, risk, and compliance

  • Identify, analyze, and respond to security events and incidents


“The CompTIA Triad”

Obtaining all three of the above certifications can make you very marketable to prospective employers.

As far as certifications go, starting with A+, Network+, and Security+ can be a good idea for many individuals. These foundational certifications are known as “The CompTIA Triad,” and along with other things, can help you land that first job in IT. While it is not required to get all three (or even one for some jobs), many employers screen applicants based on whether or not they have one or all of these certifications. The best thing you can do is look for IT jobs in your area that you are interested in, and see for yourself which certifications are the most requested near you.

Once you have chosen the certification(s) you want to earn, it is time to start studying. Good luck!