One can never be fully prepared. There is always more that a person can do to prepare themselves. I wish that before starting this internship that I would have had a better understanding of the basic concepts of cyber security (e.g. passive and active defense, vulnerability factors, etc.). I also wish that I had prior experience with all the tools and software I used. If you can find out the tools used at an internship, then it’s a good idea to try and learn some of those tools. Your internship will require less training and more application which will make the experience more productive for you. If you cannot find out what tools your internship will use, then it isn’t a bad idea to browse freeware related to that field (e.g. Maltego and Zed Attack Proxy for digital forensics and pen testing respectively). Most places are trying to save money, so they probably use freeware to some capacity. The most popular freeware is your best bet and even if they don’t use it, the...
On Thursday we covered network mapping. The process of network mapping usually consists of four phases: identify the space of IP addresses you are monitoring and partition the space into different categories (1). Examine the IP space (2), identify blind and confusing traffic (3), and identify clients and servers (4). During phase one the mapping of the inventory is undetermined and remains to be IP space. A security inventory should monitor every resource's address (that it is able to) on the network (i.e. anything within or on the network an attacker can access), what resources a service is running on, at the very minimum. During phase two cyber security personal should also consider enumerating roles to make searching easier; identifying VPNs, NATs, DHCP, and proxies; keep centrality or volume metrics (e.g. monthly ephemeral summaries); per-host white lists; and monitoring the versions of all services on a particular resource. Ask what addresses make up the network?...
On Wednesday we covered prioritization. What is the most important thing to respond to first? How do we determine what is and what isn't more important? How do we assess the risk being taken? How much risk is too much risk? While some matters may be more general, a lot of prioritization will be based upon what the establishment is doing, who would target them, what resources does the establishment have for defense, etc. The effectiveness of cyber response teams is determined by how appropriate the prioritization of incidents is. Randomly responding and less formalized response protocols/orders (e.g. stacks/LIFO or queues/FIFO) will hinder the potential security capabilities of an establishment. One cannot prioritize for random or abstract orders and expect any type of long-term success. It is best to make decision making and risk taking as formalized as possible. What you do is just as important as what you do first. Basically, some things are more important to attend to ri...
Comments
Post a Comment