Cyber Ninjas

Causes We Support

January 5, 2018 by Cyberninjas

Cyber Ninjas believes strongly in actively giving back. This not only means that annually we donate a significant portion of company profits to support charitable causes, but also that we actively volunteer to make those organizations a success. This has included providing teaching assistants and instructors for the US Cyber Challenge to train the next generation of cyber security professionals, as well as annually packing and helping hand-deliver over 20,000 Christmas presents to children in Haiti with Hand to the Plow. As we enter the new year, we wanted to give a short briefing on some of the causes we regularly support, and talk about why we support them.

Hand to the Plow

Hand to the Plow was founded in 1983 after a group of individuals took a work trip to Haiti and had their lives forever changed. Since that first trip in 1983, they have traveled to Haiti regularly, bringing clothes, food, gifts, and encouragement, and helping to both fund and build projects such as wells, water cisterns, schools and churches. All the work in Haiti is done in partnership with Phyllis Newby, a long-term fellow servant and friend. Phyllis helps run a center in Haiti which includes an orphanage and medical center, and serves as an outpost supporting over 230 different schools and a similar number of churches, representing over 40,000 people. Every single year a small group of 20-30 Hand to the Plow volunteers purchase, package up, and deliver to Haiti over 20,000 Christmas gifts. These are delivered in schools across the country, complete with a telling of the Christmas story. They give to Haiti because Christ first gave to us.

Cyber Ninjas® supports Hand to the Plow because we believe in their mission, and their work embodies many of the core principles this company was founded on. We believe that all people were created equal, that true leadership is service to others, and that the best work is in building people. Hand to the Plow conducts all their work with their co-laborers in Haiti as equals, serving where requested and needed, while also helping educate and build people who can then serve others. This is done from a Christian worldview, which is at the center of both Hand to the Plow and Cyber Ninjas’ leadership. The demonstration of this worldview, however, is something that all faiths can appreciate, and one from which Christians and non-Christians alike in Haiti benefit.

Donations to Hand to the Plow can be mailed or given on their website. Information about upcoming work camp trips can be found by contacting them.

The US Cyber Challenge

The US Cyber Challenge was founded in 2009 with the mission of finding America’s best and brightest and connecting them to a career in cyber security, in order to help address the workforce shortage in the industry. Annually a national competition is run in which the high scorers are invited to a week-long cyber security boot camp that culminates in a four-hour Capture-The-Flag (CTF) competition. Winners from prior years are encouraged to come back as teaching assistants, and eventually as instructors.

Cyber Ninjas® supports the US Cyber Challenge because we believe in the mission of the organization, and we know personally that what they’re doing is effective. As we attempt to attract and recruit talent we are constantly confronted with the shortage of qualified people in the field. The US Cyber Challenge helps solve this problem, while again also encouraging service and giving back. On a personal level, our CEO, Doug Logan, started in the US Cyber Challenge as a participant in its first year in 2010, and through his involvement over the years he’s seen it propel his own and others’ careers.

Sponsorship information can be found on their website.

Filed Under: Blog

Cyber Security Career Resources

June 9, 2017 by Cyberninjas

With the work we do with the US Cyber Challenge, we’re constantly asked about resources that might help someone build their knowledge while working towards a cyber security career. To that end, we’ve assembled the following set of resources that others may find useful. This is the list we most commonly give out when recruiting at career fairs and anywhere else where someone is specifically interested in application security.

If you’re excited about cyber security and find yourself working through a good part of this list, please also take a look at our careers page. We’re constantly looking for good talent, and we believe strongly in hiring entry-level people and helping train them in the field.

Items in bold and italics are those resources we heavily recommend, and should be what you start with.

Books

The Web Application Hacker’s Handbook
The Tangled Web by Michal Zalewski

Purposely Vulnerable Applications

OWASP WebGoat
OWASP List of Deliberately Vulnerable Web Apps

Linux Distributions & Tools

Burp Suite
Samurai Web-Testing-Framework
Zed Attack Proxy
Kali Linux

Training & Competitions

Cyber Ninjas® Training Mailing List
US Cyber Challenge
CyberCompEx
CyberQuests
CTF Calendar


Other

Hacking HR: The art of getting hired
OWASP Top 10

Filed Under: Blog

Avoiding Car Crashes: An Information Security Overview

July 2, 2014 by Cyberninjas

I’ve often had people ask me, “How can hackers be stopped?”, and immediately expect a quick, succinct list of items that will make an organization completely hack-proof. This is simply not the case. Preventing an application or infrastructure from being hacked is like preventing a car crash. The car and the road can be checked for defects. The vehicle can be validated to have the correct configuration for the environment, and the drivers can be trained in defensive driving techniques. Even with these precautions, defects can be missed, the environment can change, and drivers can make mistakes. Any of these could result in a car crash. Accepting this risk is one of the requirements of being on the road. Likewise, it’s impossible to completely remove the risk of being hacked if your organization is on the information superhighway, but there are a lot of things you can do to reduce the likelihood and the impact.

Testing for Defects

Within the information security field, testing for defects is usually referred to as a “Vulnerability Assessment”, “Ethical Hacking”, “Penetration Testing (aka Pen Testing)”, or “Red Teaming”. What each of these terms involves is different, but all seek to discover defects that could potentially allow attackers to do bad things. We more commonly refer to these defects as “security vulnerabilities”.

What should be tested for defects?

Within the car example, defects in the vehicle, tire configuration, road, stop-lights, or signs could all result in a car crash. Likewise, in the information security arena almost any defect in anything on your network (routers, servers, databases, applications, facilities, wires, processes, and people) could result in your organization being hacked. What should be tested is generally broken into four categories: Network, Application, Social and Physical.

Network assessments focus on the “roads”, “stop-lights” and “signs” that make up the environment. This includes firewall configurations, server ports, and known problems with common applications that make up the infrastructure (Router Software, Web Server, Application Server, etc.).

Application assessments focus on the “cars” that use the roads. This includes each of the individual applications used by the business (web sites, mobile applications, desktop applications, etc.).

Social assessments focus on the “drivers” that use the applications. This includes anyone that uses any of the applications anywhere within the organization, and involves trying to get them to do things that they should not.

Physical assessments also focus on the “roads” and “cars”, but from a physical standpoint. This includes seeing whether a person can physically get to sensitive locations within your office building to gain access to the network, servers, or other sensitive data.

Testing all four areas gives reasonable assurance that it would be difficult to get hacked. Focusing on only one of these areas can be a formula for disaster. Consider a newly paved road with an old clunker driving down it on bald tires, leaking gasoline, with a dragging bumper throwing sparks. What is the probability that the vehicle will be in an accident if it’s used frequently? The information security equivalent of this happens all the time. An organization will get a network assessment of their infrastructure, and thereby assume the applications on their network are also secure. This is rarely true, and this thinking can be blamed for at least a handful of the large data breaches.

Who should test for defects?

Within the car industry the expectation is that the manufacturer will test any new vehicle for safety issues and create a safe product. This is regulated by the government, and there is clear legal precedent holding the manufacturer accountable when it has not been done. This allows consumers to feel confident that they need not know much about vehicles to trust that a vehicle is reasonably safe when purchased new. Within the information security field this is a completely different story.

There aren’t currently any regulations which require manufacturers of software to create software that meets a clearly defined security standard. In addition, the legal precedent is still being established to determine how much, if at all, software manufacturers can be held accountable for security defects. As a result, while the software manufacturer *SHOULD* test for security vulnerabilities, there typically isn’t a strong incentive for it to be done. Add in the fact that there is a wide range of experience levels among the individuals creating software, and that even among computer science college graduates only a small percentage have taken even a single class containing a single section on secure programming, and it seems that almost anyone who uses an application should at least kick the tires.

How thoroughly should defects be tested?

The level to which defects should be tested for is directly tied to the impact a flaw would cause. For example, if a car was only going to be driven for 1 mile, at 15 mph, once a month, on a completely straight road with almost no traffic, a defect that could pop a tire would not be as big of a deal. Likewise, if an application is only used by a handful of users, and a full compromise of the machine would not reveal any sensitive data or prevent business from being done, then it may make sense to do little or no testing. If, on the other hand, the application allowed the transfer of millions of dollars, or controlled the life support of an individual, it would probably be advisable to have at least one fairly extensive ethical hacking engagement performed on the software. This would probably make sense even if the manufacturer of that software stated they had their own assessment done.

Conclusion

The risk of being hacked can never be completely eliminated, but it can be greatly reduced. The important thing is that you take a look at the risks to your organization present in the four different areas of information security, and make sure your organization is doing something in all four areas appropriate to the level of risk. This may mean requiring your vendors to go through third-party security audits, having your own mini-assessments conducted, or having an extensive assessment conducted. If you need help determining what your risks are, what to ask your vendors to do, or to have actual work performed, please feel free to reach out to us. We offer a free 1-hour initial consultation for new customers, and can refer you to other organizations if what you require is not in our area of expertise. The information superhighway would be a much safer place if more organizations did some tire kicking.

Filed Under: Blog, Risk Analysis Tagged With: ethical hacking, non-technical, overview, pen test, pen testing, risk analysis, security audit, security defect

Herald Tribune Covers Cyber Ninjas’ Move

March 29, 2014 by Cyberninjas

The Sarasota Herald Tribune covers our move to Sarasota.

Check-out the article here:
http://www.heraldtribune.com/article/20140328/article/140329618


Filed Under: Blog, News Tagged With: News