Browse Tag

Security

A Review of my Bug Hunting Journey

This post is a review of my bug hunting journey so far, from when I just started, to the point where I made it into the Top 200 bug hunters on Bugcrowd recently, after two years on the platform.

My profile statistics as of 30 December 2018

The Beginning Phase

Like anything else in life, you must start somewhere, or you will never make it. The worse way to fail is to never even get started.

Keep Reading
CyberSec First Responder (Exam CFR-210) certification

My Review for CyberSec First Responder (Exam CFR-210)

I am happy to share that I have passed the CyberSec First Responder (Exam CFR-210) certification!

The CyberSec First Responder (Exam CFR-210) certification is designed for security professionals who are interested in pursuing a career in the defensive aspect of security. For example, to work on tasks such as to perform an analysis of threats, to design a secure network environment, to defend a network or to investigate a security incident.

CyberSec First Responder (Exam CFR-210) certification
Official Badge for CyberSec First Responder (Exam CFR-210) certification

Check out the official website of the CyberSec First Responder (Exam CFR-210) certification to read more about their official introduction.

My Background before taking the exams

My current job as a penetration tester is focused on the offensive aspect of security, which is also the first area where I started my career in the information security industry. Now, I still enjoy the offensive side of security very much.

As a penetration tester, it is almost mandatory to have the Offensive Security Certified Professional (OSCP) certification, so if you like the offensive side of security, go for their Penetration Testing with Kali (PWK) course and “try harder”, the examination is hands-on and the number of things you get to learn from it is enormous. If you’re interested, check out My OSCP / PWK Course Review where I share my OSCP journey and also some tips to pass the exams and also to get started more effectively.

I have been working in the IT industry for over 5 years now, of which over 2 years were in the information security industry. I hold the following security certifications before I passed my CyberSec First Responder (Exam CFR-210) certification: OSCP, CREST CRT, CPSA, CEH.

Keep Reading

RSA Conference 2016 Asia Pacific & Japan

My Thoughts on RSA Conference 2016 APAC

Last week, I attended the RSA Conference 2016 Asia Pacific & Japan which was held at Marina Bay Sands (MBS), Singapore. It was a pretty enriching experience as I get to not only hear directly from various security vendors about how their products are beneficial to the industry, but also get to attend keynote sessions with top-rated speakers in the information security industry.

RSA Conference 2016 Asia Pacific & Japan

RSA Conference 2016 Asia Pacific & Japan

There were many security vendors in the Sands Grand Ballroom level 5 with their respective booths being setup with their newest products. Each booths run their own product demonstration in every 1 or 2 hours intervals. Can see that most of the presenters are pretty enthusiastic in sharing their products’ new features.

RSA Conference 2016 Asia Pacific & Japan

To see the full list of exhibitors which have setup a product demonstration booth to share about their products, you can check out this link.

There were also some companies which also gotten a place to share about their products in an open area called the Demo Theatre. It is like a mini stage with a number of chairs. Unfortunately, there were not many attendees. I’m glad I attended a few sessions though and learnt quite a bit about how an enterprise can incorporate various types of products to improve on their security defenses to protect their company’s information and data.

RSA Conference 2016 Asia Pacific & Japan

Check out the full list of sessions at the Demo Theatre on this link.

Moving on to the best part of the event, the keynote sessions. Having attended the session on 21 July 2016, I sat in for all 4 of the keynote sessions.

RSA Conference 2016 Asia Pacific & Japan

First off is the “Security in the World-Sized Web” by Bruce Schneier. He came to raise the awareness to the information security experts in the industry about the uprising of IoT (Internet of Things) world-wide robots. These IoT devices are collecting information for a purpose, just like what robots are doing. These increased usage and coverage of IoT devices will not only give power to defenders, but also the attackers. He is suggesting for smart government involvement in this area, as he believe that regardless of whether we desire for it, government are going to be part of this. Therefore, the better way of involvement is to be involved “smartly”. And lastly, policy makers need to know about the technology, which is probably, not necessarily the case in today’s industry, and this have to be changed.

Next up is the “Business Defence – Managing the Insider Threat with Security Analytics” by Alex Taverner. He talks about how insider threat has always been an issue with companies, but it is remained largely neglected in the defensive security industry. He proposed a solution from his company (or any other company, if any) which could allow an enterprise to make use of various data sources to identify insider threats, such as the social media and the behavior of the employees. I feel that while this is something interesting and definitely helpful to a large company, the collection of data is something very difficult to be implemented. Even if it is implemented forcefully, it may not be enforced and thus, practical. Without accurate data, given the best formula and analytic tools, the results would not be beneficial, do you not agree?

RSA Conference 2016 Asia Pacific & Japan

Moving on to “Maximize the Value of Your Threat Intelligence” by Jason Rolleston. He discussed about the topic of effective protection, which is something I strongly agreed. A large company can definitely invest in all the newest technologies and software, but how well do they truly integrates? Check out the image above, this is a very true situation in many companies which I have come across either personally or understood through my contacts. Allow me to put them into text,

Emerging challenge will lead to an isolated tactical mode, where the challenge overwhelm the security teams of a large corporation. The management team will then invest in the procurement of a new technology or products without proper evaluation on how well they could integrate with the existing systems. After much struggling and a long time taken, they finally managed to complete the integration with various implementation design flaws here and there, which lead to a short-lived efficiency. After a number of such scenarios have taken place in the company, it will lead to technology sprawl where once again, the vicious cycle of security team being overwhelmed will take place again. Management need to have the far sight and try to understand the technology instead of blindly follow the trend and keep investing without planning.

RSA Conference 2016 Asia Pacific & Japan

Lastly, we have the “How to Build a World-Class Network Defence Organization” by Chris Coryea. This man gives an aura of confidence, the entire speech really leaves a strong impression to me. He shared a lot of real life examples on how a corporation can build a strong network defense through various key areas. The only complaint that I have is that he focuses too strongly on his company’s product, other than that, I really like his session. In fact, allow me to share one of the statements which he shared during his session, which I like the most, and fully agreed upon (with both hands),

Technology can be taught, the framework can be integrated – but focusing on the analytical mindset is the common thread for building an effective team.

In short, to build the best security defense team, you don’t necessarily need people who have “computer science” background or “master in forensics” in their CV or resume, what you need is people with a strong passion and hunger to solve tough problems.

InfoSec Institute: Capture the Flag (CTF)

Following up from my previous post regarding the InfoSec Institute: Capture the Flag (CTF), I hope the resources are helpful to you. There are many more resources out there, thanks to the very supportive community of information security professionals and enthusiasts who enjoy sharing their knowledge to help one another.

Today, I would like to introduce the CTF challenges created by Infosec Institute – they provides entry-level CTF challenges for beginners to learn and play. To make things even better, they also giveaway some small token of monetary appreciation to participants who are able to complete all the challenges AND do a write up on the solutions or helpful instructions to help other participants whom are stuck.

InfoSec Institute: Capture the Flag Challenges
InfoSec Institute: Capture the Flag Challenges

I find that this is a very smart way of getting people to contribute to the information security community, to get them started. A write up can be simple, just provide some steps to help people get through and learn something along the process. In fact, you learn more when you start writing (it keeps you thinking!).

In case you missed the link above, you can try out the challenges here: http://ctf.infosecinstitute.com/