Sunday, 23 March 2014

Cyber Security - Passion vs Training

Recently I went to a cyber security seminar in Singapore where the target audience was from the financial industry. During one of the Q&A sessions, one of the audience asked a speaker how he got into this (security) field and what is important for a cyber security professional to have to ensure that the person is right for the job. He replied that while the technicalities of products, tools and techniques are important, they can easily be trained.

I do not quite agree with the reply, as the answer seems to assume anyone can be trained easily to become a knowledgeable cyber security professional. From what I've been through and seen, training is just a small part of being a well-equipped security professional. Unlike some other professions, cyber security is a field where continuous learning is essential, needed and mandatory. Those who believe that having a qualification or certification certifies them as a security guru are actually falling into a well of delusion. The security risks, cyber attacks, viruses and trojans, processes and even methodologies are constantly changing over time. Those who fail to follow or fail to educate themselves with the latest security news or trends will be left out of the playing field.

Training is important, but without passion in the field, one can only hope to be prepared for the attacks one is not trained to handle. Let's ask ourselves: why are the bad guys winning? And why are they still winning despite the many security professionals in the organization trained to subdue or protect against the bad guys? Take a recent example of a hacking incident where the website of EC-Council, the organization that provides Ethical Hacking training and certifications, was hacked and defaced. Some even called it 'Hacking the Ethical Hackers'. And if we look at the profiles of these bad guys, hackers, script kiddies, black hats or whatever we decide to call them, some were college students, some were jobless, some were not even working in the IT industry, let alone being sent for expensive professional training, yet they were and still are able to successfully hack and attack the critical infrastructure of well-known organizations. So the question is: why, even being professionally trained, do we still fail?

Passion. Merriam-Webster defines it as 'a strong feeling of enthusiasm or excitement for something or about doing something'. If we have learned one thing about these hackers, it is that they are passionate about hacking. With such a strong sense of passion comes the dedication they put into training themselves to attack and educating themselves with the latest attacking tools and techniques from free courses/manuals online (God bless the Internet). If there is one thing that the majority of security professionals are lacking, it is this: PASSION.

Recently, my department head interviewed a candidate for a position to work with the ethical hacking team. The candidate had a degree and a CEH (Certified Ethical Hacker) certification, but what initially seemed to be a prospect eventually was not. The reason shared was simple. The candidate did not seem to know what had been going on in the cyber security world for the past 5 years, and basic penetration testing questions couldn't be answered confidently, let alone correctly. Hence hiring a security professional is not as easy as simply looking at the credentials.

If we, the security professionals, are as passionate as the bad guys out there, and keep up with the latest news on cyber attacks, defense and protection technologies, then we may have a chance to level the playing field with the skillful hackers out there.

Wednesday, 19 March 2014

Defcon Kerala, India

Earlier this month, we were given the honor of presenting our paper, with my colleague (Vikneshwaran Veeran), at Defcon Kerala. I was surprised and happy when our paper was accepted by the Defcon Kerala team. Coincidentally, I had presented a similar demo at two security seminars in Singapore. But the difference was this: Defcon Kerala is a group of security enthusiasts, programmers, bug bounty hunters, application and tool developers and of course HACKERS! Unlike the seminars I presented at in Singapore, where the audience was geared towards business users and IT professionals, conferences like Defcon are more techie and, how should I put it: subject matter experts!

On the day of the conference, we were warmly welcomed by the team. It wasn't as big as the Defcon conference in Vegas (thank God!) but it was a great experience. We got to meet the creator and founder of Xenotix (Ajin Abraham), the creator of Mandiant OS, the creator of IronWasp (Lava Kumar), the WhatsApp hacker (Anto Joseph), a hardware hacker (Yasheen) who was only 19, and many other talented individuals. We were humbled by both the speakers and the audience, who possessed such great knowledge and enthusiasm for security. Throughout the presentations before ours, the speakers were speaking about and demonstrating the latest tools and techniques pertaining to applications and source code. My colleague and I were dumbstruck as we asked ourselves "Are we in the right place to present something different?", especially when our presentation was geared towards web application and network penetration.

Alas, when it was our turn to present, the hall was quiet. We felt a sudden silence and quickly set up the laptop with the projectors as my colleague started to introduce us as an ice breaker. So ideally, this was how we had prepared for the demo: for the introduction, my colleague would speak, and when it came to the demo, I would speak, and when I started to run the demo, my colleague would continue the motion so as to keep the presentation alive and not create any form of awkward silence in between.

The demo itself was smooth, but we encountered a small two-minute hiccup/delay. The two-minute delay was caused by the process of creating the payload. Usually it should be done within 30 seconds, but at that point in time, it was not. After 1 minute, I started to look at my colleague and started to show signs of desperation. My colleague coolly told the audience about Murphy's Law. Well, I did prepare backups of the payload in case it didn't work, but after two minutes, it did. Phewww!! We continued the demo, and when it finally completed, I was delighted. Sheesh, I stammered most of the time and one of the audience even jokingly commented that my 'accent' was funny. Argh!

After the presentation, we went up to some of the other speakers and complimented them on their great work and tools. A big RESPECT to them all. One of the speakers, the creator of IronWasp, complimented our demo, saying it was one of the most complicated demos he had seen and that he was nervous for us and glad when we managed to pull it off. (Imagine how nervous we were on stage!) That was such awesome feedback.

After the conference ended we were swarmed by members of the audience who spoke to us and took pictures with us. It was a great feeling. I also didn't miss the opportunity to take photos with them as well. Whenever they took my pic, I would tell them "hang on, it's my camera's turn to take one". We managed to exchange contacts with them, either via name cards, LinkedIn or Facebook.

Overall, it was a great experience and I really thank the Defcon Kerala Team for organizing this event. I believe it was a fruitful event that everyone could take something away from, learning something new or at least being spurred into wanting to go deeper into security. Although this was only the second year of this conference, I believe it will grow into something bigger; perhaps in a few years' time it will garner a much larger audience, possibly rivaling conferences such as Hacker Halted.

Here are some of the pictures of the event.
Wednesday, 5 March 2014

Websense Security Seminar - A Presentation

So after our presentation at the ABS-FITA Cyber Security Seminar, we were invited to present our demo at another seminar, organized by Websense.

It wasn't as big as the ABS-FITA seminar, but it was still exciting nonetheless. The crowd was about 100-120 people from different backgrounds. It was great to see my brief bio on the speakers' website.

I felt more confident this time round, especially after the stressful pressure of the previous demo. The good thing was, we nailed it smoothly. Everything went smoothly and we managed to put the 'WOW' look on some of the audience. After the demo, we were greeted by some of the audience who asked more about the capabilities of our team, and pretty much the sales representatives from BT took over the conversation.

Here are some of the photos taken by one of the attendees:

A Brief Bio

The Layout

The Finale

Bringing it all together

Notice the 'BT EHCOE' on the Kali wallpaper?

Command and Commands

NEXT STOP: Presenting at DEFCON KERALA!!!!