Tampa Bay What I’m Up To

UC Baseline report: It’s week 4, and now it REALLY begins

Now begins the fourth week out of five weeks at Tampa Bay security guild The Undercroft, where I’ve been taking part in UC Baseline, their cybersecurity course. This is their inaugural class, and I’ve been documenting my experiences as part of that cohort.

Me outside The Undercroft during one of our breaks.

This week is the heart of the course — Information Security 101. The previous three weeks, as instructor Gabrial “Tremere” Hartnett put it, was background material. It’s going to be the most information-dense week of the course — in fact, there’s so much material that class time has been extended by an hour each day. This week, we’re in class from 8 to 5.

(This will be a double-challenge for me as I have to teach two more Python classes on Monday and Wednesday evening, from 6 to 10.)

This should be an interesting week!

In preparation for this week, I’ve been absorbing material from  Jayson E. Street, VP of InfoSec at SphereNY, and expert at getting into places that he is absolutely not allowed to be in.

Steal Everything, Kill Everyone, Cause Total Financial Ruin!
(DEF CON 19, 2011)

Why you should watch this talk: It’s a pretty good intro to getting access to places and systems that you shouldn’t be able to access, and with skills that you probably already have. Street says that he doesn’t have amazing programming, lockpicking, or hypnotism skills — all his tricks are about exploiting human weaknesses or making use of tools that you can easily find or purchase. This talk includes the line “The best way to get management about a disaster plan is to burn down the building across the street,” which captures its essence perfectly.

Here’s the abstract for this talk:

This is not a presentation where I talk about how I would get in or the things I might be able to do. This is a talk where I am already in and I show you pictures from actual engagements that I have been on. They say one picture is worth a thousand words I show you how one picture cost a company a million dollars and maybe even a few lives. In a community where we focus so much on the offensive I also make sure with every attack I highlight. I spend time discussing what would have stopped me. We need to know the problems but we need more talks providing solutions and that is what I hope people will get from this. I show the dangers of Social engineering and how even an employee with no SE experience can be an eBay James Bond which can cause total financial ruin to a company. These Security threats are real. So are these stories!

I PWN thee; I PWN thee not
(DEF CON 27, 2019)

Here’s the abstract for this talk:

Attackers love it when defenses fail. Implementing defenses without properly understanding the risks and threats is usually a waste of money and resources. This is a frank discussion of what control failures an attacker looks for when attempting to breach an enterprise, as well as how an effective control can help prevent an attacker from being successful. Jayson will walk through real-world scenarios that have led to successful compromise of different companies through control failures. He will also give detailed analysis of controls that led to his attacks being effectively thwarted. Learn how to understand and assess real-world risks, as well as simple defenses which can be implemented to better protect your organization.

Dissecting the Hack: The F0rbi1dd3n Network  /
Dissecting the Hack: The V3rbOt3n Network
(2010 / 2016)

I’ve only started reading the first of these two books, which are probably best described as “hacker spy thriller fiction.” These books are in two parts; the first part is a story in which infosec principles play a key part, and the second part is a great infosec reference.

2 replies on “UC Baseline report: It’s week 4, and now it REALLY begins”

Leave a Reply

Your email address will not be published. Required fields are marked *