If you’re interested in cybersecurity or women in tech, you should catch this session! Register to attend, as well as to get details about how to view it online.
Kelly Albrink (GCIH, GSEC, OSCP, GWAPT) is a Senior Security Consultant at Bishop Fox, where her areas of expertise are in network penetration testing, hardware security, and wireless technologies.
Courtney H. Jackson, MSISA, CISSP, CISM, CEH, CHFI is the Founder and CEO of Paragon Cyber Solutions, LLC, a woman, minority, veteran-owned small business headquartered in Tampa, FL. Courtney has more than 20 years of certified hands-on experience in Information Technology, encompassing both executive leadership and entrepreneurship. Through her work, she helps government agencies, startups, and commercial companies to protect the integrity of their business operations through specialized cybersecurity and risk management solutions.
Dr. Sunny Wear is a Web Security Architect and Penetration Tester. She provides secure coding classes, creates software, and performs penetration testing against web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture and security experience and holds a Doctor of Science in Cybersecurity. She is a published author, “Burp Suite Cookbook”, a developer of mobile apps, specifically, the “Burp Tool Buddy”, and is a Pluralsight content creator, “Burp Suite for Beginners/Advanced/Writing Plugins”. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.
About The Neon Tample
The Neon Temple is Tampa Bay’s security guild.
Among their number are SOC analysts, penetration testers, programmers, ’80s Wardialers, CISOs, and even the occasional intelligence collector or federal agent. Their members vary from novices just getting started, to seasoned veterans who’ve been in the trenches since before the word “cyber” was invented. They care about cybersecurity, national security, and the right to privacy, and their aim is to spread their message and mentality globally.
One of the silver linings of my job evaporating due to the pandemic is that I suddenly had a lot of free time to try some new things. The best of those new things by far was my five weeks in The Undercroft’s inaugural UC Baseline cybersecurity course.
Over the past year, a number of notable out-of-state tech companies have chosen to open offices in or relocate to Tampa. Last December, Tampa beat out other up-and-coming tech hubs like Denver and Atlanta as the new home of Boston-based Drift, a marketing technology platform. Information technology training franchiser New Horizons moved its headquarters from Pennsylvania to Tampa in January. And that same month, D.C.-based technology company TheIncLab expanded to Ybor City. TheIncLab opened an “Artificial Intelligence Experience Lab” in The Undercroft, a cybersecurity incubator that launched last summer with the hopes of turning the historic Ybor into a tech industry hotspot.
“At The Undercroft, we’re focusing on the supply side of cybersecurity,” says CEO Adam Sheffield. “How do we support more talent in this community and more people who have passion for the field?”
Initially conceived as a co-working type space where startups and members could connect, The Undercroft launched a training program, UC Baseline, in response to layoffs during the coronavirus shutdown. The UC Baseline program is designed to help educate people moving into the cybersecurity workforce or transitioning from traditional IT roles. Ten participants have signed up for the six-week program that offers courses in networking, software, and hardware, according to Sheffield Incubators and accelerators are behind much of Tampa’s recent tech growth, as nonprofits like the Tampa Bay Wave and Embarc Collective offer resources and networking opportunities for local startups, including two recent programs that focus on boosting the representation of women and diversity in the tech industry.
To describe The Undercroft as Tampa Bay’s security guild and cybersecurity coworking space is fair, but that description doesn’t capture the spirit of the place.
A better way to paint the picture would be to call it the 21st-century cybersecurity counterpart of coffeehouses in 17th- and 18th-century England. Like those coffeehouses of old, The Undercroft is a place in a beautiful old building that functions as the home for the (often boisterous) exchange of ideas, the advancement of specialized fields of knowledge, a little deal-making, and if you pay attention, a great place to learn.
(Thankfully, The Undercroft departs from those old coffeehouses in one important way: Women are welcome in The Undercroft.)
How I ended up in UC Baseline
Back in mid-July, I’d heard about scholarships for The Undercoft’s then-upcoming cybersecurity class. I posted an article about it, which ended with this quip:
(I’ll admit it: Although I’m not likely to qualify, I applied.)
I applied, and to my surprise, I qualified, which meant that I was in this classroom a couple of weeks later:
What I did in UC Baseline
And thus began five intense weeks, which comprised the following…
Hardware 101 — Gain a thorough understanding about the devices on which all our software runs and through which all our information flows:
Networking 101 — Learn how our systems are connected and the ways in which they communicate through these connections:
Linux 101 — Covers the foundations of security in Linux environments, the OS on which the internet runs:
Windows 101 — Here’s a big challenge — learn the foundations of security for Windows environments:
Information Security 101 — Covers everything from core IT concepts, to cybersecurity principles, methods, and practices:
Python 101 — If you’re doing security, you should have some coding skills to automate your work and build tooling, and Python’s an excellent language for that task:
This is not for someone who’s casually curious about cybersecurity. It’s a lot of work. As I wrote midway through the course:
After one particular day, I felt like the cat in this video:
The course was taught by a team of instructors who work in the security industry when they’re not teaching. They’re also a personable bunch, and all of them went above and beyond in their efforts to ensure that we students were getting the most out of our classes.
Did it pay off to devote 5 weeks, 5 days a week, 8 hours a day, to attend UC Baseline? I think it did.
I’m really a programmer and developer evangelist by training and experience. There’s a tendency in both these lines of work to think of security as an afterthought. Attending UC Baseline, learning from actual security professionals, getting my hands on the actual hardware and software used by the pros, and even just being in The Undercroft helped me refine my security mindset.
That in turn helped me bring my A-game when it was time to apply for a job at Auth0 and then go through their rigorous interview process (which I wrote about here).
I’m not alone — 8 out of 10 of the inaugural UC Baseline class got work around a month or so after completing the program.
During the Information Security week of the UC Baseline cybersecurity program, the instructors asked us a lot of questions whose answers we had to look up. As a way to maximize participation, we were encouraged to share lots of links of the class’ Slack channel, which also functioned as a backchannel, as well as a way to chat with the students who were taking the course online.
The links that we shared in class were valuable material that I thought would be worth keeping for later reference. I’ve been spending an hour here and there, gathering them up and even organizing them a little. The end result is the list below.
Since these are all publicly-available links and don’t link to any super-secret UC Baseline instructional material, I’m posting them here on Global Nerdy. Think of this list as a useful set of security-related links, something to read if you’re bored, or a peek into what gets discussed during the InfoSec week of the UC Baseline course!
Krebs on Security: Thinking of a Cybersecurity Career? Read This. Krebs is a good regular read for security news, and this article is a good guide: “Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.”
Wired: The Garmin Hack Was a Warning
“Ransomware continues to affect the usual suspects; the hospitals and cities and homeowners who click on a bad link haven’t gotten any sort of reprieve. But as hacking groups add both to their coffers and tool sets, it seems likely that Garmin is hardly an outlier—and only a matter of time before the next big target takes a big fall.”
The O.MG cable
It looks, feels, and acts like an ordinary USB cable, but it also has a processor, web server, and 802.11 radio, which can help you sneak your way into a system.
GRC: Governance, Risk, and Compliance
“The acronym GRC was invented by the OCEG (originally called the ‘Open Compliance and Ethics Group’) membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.”
The eJPT — eLearnSecurity Junior Penetration Tester certification “The eJPT designation stands for eLearnSecurity Junior Penetration Tester. eJPT is a 100% practical certification on penetration testing and information security essentials. By passing the challenging exam and obtaining the eJPT certificate, a penetration tester can prove their skills in the fastest growing area of information security.”
NIST Cybersecurity Framework
“The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
NIST Special Publication 800-series General Information “Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283.”
NIST Compliance FAQs: Federal Information Processing Standards (FIPS) “FIPS are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.”
VISA: PCI DSS Compliance
“Learn about Payment Card Industry Data Security Standard (PCI DSS) with Visa. Keep your cardholders safe with the latest security standards.”
“One of the most respected, non-profit standards bodies in the world, OASIS Open offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement.OASIS has a broad technical agenda encompassing cybersecurity, blockchain, privacy, cryptography, cloud computing, IoT, urban mobility, emergency management, content technologies. In fact, any initiative for developing code, APIs, specifications, or reference implementations can find a home at OASIS.”
OWASP Foundation “The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
How Unix Works: Become a Better Software Engineer
“Unix is beautiful. Allow me to paint some happy little trees for you. I’m not going to explain a bunch of commands – that’s boring, and there’s a million tutorials on the web doing that already. I’m going to leave you with the ability to reason about the system.Every fancy thing you want done is one google search away.
But understanding why the solution does what you want is not the same.That’s what gives you real power, the power to not be afraid. And since it rhymes, it must be true.”
Kaspersky: What is a honeypot?
“In computer security terms, a cyber honeypot works in a similar way, baiting a trap for hackers. It’s a sacrificial computer system that’s intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating or to distract them from other targets.”
DFIR — Digital Forensics and Incident Response “Digital forensics and incident response is an important part of business and law enforcement operations. It is a philosophy supported by today’s advanced technology to offer a comprehensive solution for IT security professionals who seek to provide fully secure coverage of a corporation’s internal systems.”
Understanding RPO and RTO “Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a disaster recovery or data protection plan. These are objectives which can guide enterprises to choose an optimal data backup plan.”
The 3-2-1 backup rule “For a one-computer user, the VMware backup strategy can be as simple as copying all important files to another device – or, ideally, several devices – and keeping them in a safe place. However, for multiple computer systems, things can be (and usually are) much more complicated, especially when it comes to virtual environments containing thousands of virtual machines. To protect physical machines, you would need to perform Windows Server backup or Linux Server backup, which might be difficult without effective backup tools. In these cases, a comprehensive data protection plan should include the 3-2-1 backup rule.”
How to Set Up an AI R&D Lab “The moment a hyped-up new technology garners mainstream attention, many businesses will scramble to incorporate it into their enterprise. The majority of these trends will splutter and die out by Q4. Artificial intelligence (AI) is unlikely to be one of them.AI is a transformative series of tools that can accelerate productivity, drive insight, and open up unexplored revenue streams. It’s poised to revolutionize the way we do business and everyone in a leadership role should be thinking about it.But few organizations are set up to do AI properly.”
ZDNet: FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers
“The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia’s military hackers.The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks.”
Military Cyber Professionals Association (MCPA)
“Military Cyber Professionals Association (MCPA) are a team of Soldiers, Sailors, Airmen, Marines, Veterans and others interested in the development of the American military cyber profession.Our members are interdisciplinary, as such a diverse set of perspectives is needed to develop cyberspace as an entire domain. Also included in our ranks are other government employees, contractors, academics, industry leaders, foreign allies, and private citizens.”
Why the fuck was I breached?
“Did you just lose 100m customer SSNs because your root password was ‘password’, you set an S3 bucket to public or you didn’t patch a well known vulnerability for 8 months? Is the media and government chewing you out because of it? Worry not! Our free excuse generator will help you develop an air-tight breach statement in no time!”
Evaluating Risks Using Quantitative Risk Analysis “Project managers should be prepared to perform different types of risk analysis. For many projects, the quicker qualitative risk assessment is all you need. But there are occasions when you will benefit from a quantitative risk analysis.Let’s take a look at this type of analysis: What is it? Why should we perform it? When should it be performed? And how do we quantify risks?”
What is CMMI? A model for optimizing development processes
“The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.”
How Many Email Accounts Do You Need? “With all this need for email accounts, the question obviously arises: how many email accounts should you have? In theory, you could use a single email address for everything, but that could leave you with thousands upon thousands of emails from hundreds of sources in a single account; even with an account that allows you to easily sort everything, you’ll quickly be overwhelmed. It’s all but required that you have multiple email addresses nowadays.”
NIST NVD (National Vulnerability Database) — Vulnerability Metrics
“The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one’s systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.”
Tampa Bay UX Group
The Tampa Bay User Experience Group is one of the largest volunteer led user experience professional organizations in south central Florida. Krissy Scoufis created the group in August, 2013 with the goal of providing a network of design practitioners, product owners, web developers and product strategists who could share UX methodologies, principles and techniques. Mike Gallers and Beth Galambos joined the leadership team shortly after the group started and together they have hosted over 73 events. The group’s foundational pillars are to provide free mentorship, education and community to evangelize the User Experience discipline. Frequently partnering with other regional technology meetups, the Tampa Bay UX Meetup group has fostered a cross functional network of professionals dedicated to putting users at the center of product strategy and design.
The Five Steps of Incident Response “Incident response is a process, not an isolated event. In order for incident response to be successful, teams should take a coordinated and organized approach to any incident. There are five important steps that every response program should cover in order to effectively address the wide range of security incidents that a company could experience.”
What Are Security Controls?
“At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets.Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.”
110 Must-Know Cybersecurity Statistics for 2020 “In order to give you a better idea of the current state of overall security, we’ve compiled the 110 must-know cybersecurity statistics for 2020. Hopefully, this will help you paint a picture of how potentially dire leaving your company insecure can be as well as show the prevalence and need for cybersecurity in business. This includes data breaches, hacking stats, different types of cybercrime, industry-specific stats, spending, costs and the cybersecurity career field.”
How to Restore Deleted Files Even After Emptying the Recycle Bin
“So you’ve emptied your recycle bin and then realized that you’ve deleted a file that you still need. If you act fast enough, you may be able to recover the files before the computer overwrites them with something else.Read on below for how to restore deleted files and for recycle bin recovery steps even when emptied.”
Here are six basic human tendencies that are exploited in social engineering attacks:
Authority: An attacker may call you pretending to be an executive in order to exploit your tendency to comply with authority figures.
Liking: An attacker may try to build rapport with you by finding common interests, and then ask you for a “favor”.
Reciprocation: An attacker may try to do something for you, or convince you that he or she has, before asking you for something in return.
Consistency: An attacker might first get your verbal commitment to abide by a fake security policy, knowing that once you agree to do so, you will likely follow through with his next request in order to keep your word.
Social Validation: An attacker may try to convince you to participate in a fake survey by telling you that others in your department already have. He or she may have even gotten some of their names and use them to gain your trust.
Scarcity: An attacker may tell you that the first 10 people to complete a survey will automatically win a prize and that since some of your co-workers have already taken the survey, you might as well too.
Social Studies – A Lesson in Social Engineering Basics
As we have become more and more vigilant against clicking on malicious links in suspicious emails, some social engineers have gone back to the classic person-to-person approach. Their basic strategy is to prey on vulnerabilities in human nature.