If you’re interested in cybersecurity or women in tech, you should catch this session! Register to attend, as well as to get details about how to view it online.
The panelists
Kelly Albrink (GCIH, GSEC, OSCP, GWAPT) is a Senior Security Consultant at Bishop Fox, where her areas of expertise are in network penetration testing, hardware security, and wireless technologies.
Courtney H. Jackson, MSISA, CISSP, CISM, CEH, CHFI is the Founder and CEO of Paragon Cyber Solutions, LLC, a woman, minority, veteran-owned small business headquartered in Tampa, FL. Courtney has more than 20 years of certified hands-on experience in Information Technology, encompassing both executive leadership and entrepreneurship. Through her work, she helps government agencies, startups, and commercial companies to protect the integrity of their business operations through specialized cybersecurity and risk management solutions.
Dr. Sunny Wear is a Web Security Architect and Penetration Tester. She provides secure coding classes, creates software, and performs penetration testing against web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture and security experience and holds a Doctor of Science in Cybersecurity. She is a published author, “Burp Suite Cookbook”, a developer of mobile apps, specifically, the “Burp Tool Buddy”, and is a Pluralsight content creator, “Burp Suite for Beginners/Advanced/Writing Plugins”. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.
About The Neon Tample
The Neon Temple is Tampa Bay’s security guild.
Among their number are SOC analysts, penetration testers, programmers, ’80s Wardialers, CISOs, and even the occasional intelligence collector or federal agent. Their members vary from novices just getting started, to seasoned veterans who’ve been in the trenches since before the word “cyber” was invented. They care about cybersecurity, national security, and the right to privacy, and their aim is to spread their message and mentality globally.
One of the silver linings of my job evaporating due to the pandemic is that I suddenly had a lot of free time to try some new things. The best of those new things by far was my five weeks in The Undercroft’s inaugural UC Baseline cybersecurity course.
Over the past year, a number of notable out-of-state tech companies have chosen to open offices in or relocate to Tampa. Last December, Tampa beat out other up-and-coming tech hubs like Denver and Atlanta as the new home of Boston-based Drift, a marketing technology platform. Information technology training franchiser New Horizons moved its headquarters from Pennsylvania to Tampa in January. And that same month, D.C.-based technology company TheIncLab expanded to Ybor City. TheIncLab opened an “Artificial Intelligence Experience Lab” in The Undercroft, a cybersecurity incubator that launched last summer with the hopes of turning the historic Ybor into a tech industry hotspot.
“At The Undercroft, we’re focusing on the supply side of cybersecurity,” says CEO Adam Sheffield. “How do we support more talent in this community and more people who have passion for the field?”
Initially conceived as a co-working type space where startups and members could connect, The Undercroft launched a training program, UC Baseline, in response to layoffs during the coronavirus shutdown. The UC Baseline program is designed to help educate people moving into the cybersecurity workforce or transitioning from traditional IT roles. Ten participants have signed up for the six-week program that offers courses in networking, software, and hardware, according to Sheffield Incubators and accelerators are behind much of Tampa’s recent tech growth, as nonprofits like the Tampa Bay Wave and Embarc Collective offer resources and networking opportunities for local startups, including two recent programs that focus on boosting the representation of women and diversity in the tech industry.
To describe The Undercroft as Tampa Bay’s security guild and cybersecurity coworking space is fair, but that description doesn’t capture the spirit of the place.
A better way to paint the picture would be to call it the 21st-century cybersecurity counterpart of coffeehouses in 17th- and 18th-century England. Like those coffeehouses of old, The Undercroft is a place in a beautiful old building that functions as the home for the (often boisterous) exchange of ideas, the advancement of specialized fields of knowledge, a little deal-making, and if you pay attention, a great place to learn.
(Thankfully, The Undercroft departs from those old coffeehouses in one important way: Women are welcome in The Undercroft.)
How I ended up in UC Baseline
Back in mid-July, I’d heard about scholarships for The Undercoft’s then-upcoming cybersecurity class. I posted an article about it, which ended with this quip:
(I’ll admit it: Although I’m not likely to qualify, I applied.)
I applied, and to my surprise, I qualified, which meant that I was in this classroom a couple of weeks later:
What I did in UC Baseline
And thus began five intense weeks, which comprised the following…
Hardware 101 — Gain a thorough understanding about the devices on which all our software runs and through which all our information flows:
Networking 101 — Learn how our systems are connected and the ways in which they communicate through these connections:
Tap to view at full size.
Linux 101 — Covers the foundations of security in Linux environments, the OS on which the internet runs:
Tap to view at full size.
Windows 101 — Here’s a big challenge — learn the foundations of security for Windows environments:
Tap to view at full size.
Information Security 101 — Covers everything from core IT concepts, to cybersecurity principles, methods, and practices:
Tap to view my set of links from Infosec Week at UC Baseline.
Python 101 — If you’re doing security, you should have some coding skills to automate your work and build tooling, and Python’s an excellent language for that task:
Tap to view at full size.
This is not for someone who’s casually curious about cybersecurity. It’s a lot of work. As I wrote midway through the course:
If you take The Undercroft’s five-week cybersecurity course, UC Baseline,you will have to absorb a lot of material.
After one particular day, I felt like the cat in this video:
The course was taught by a team of instructors who work in the security industry when they’re not teaching. They’re also a personable bunch, and all of them went above and beyond in their efforts to ensure that we students were getting the most out of our classes.
Did it pay off to devote 5 weeks, 5 days a week, 8 hours a day, to attend UC Baseline? I think it did.
I’m really a programmer and developer evangelist by training and experience. There’s a tendency in both these lines of work to think of security as an afterthought. Attending UC Baseline, learning from actual security professionals, getting my hands on the actual hardware and software used by the pros, and even just being in The Undercroft helped me refine my security mindset.
That in turn helped me bring my A-game when it was time to apply for a job at Auth0 and then go through their rigorous interview process (which I wrote about here).
I’m not alone — 8 out of 10 of the inaugural UC Baseline class got work around a month or so after completing the program.
And of course, special thanks to Team Undercroft, for making such a special place — the Tampa tech scene just wouldn’t be same without you: Joy Randels, Adam Sheffield, and Chris Machowski!
Another UC Baseline in 2021!
If UC Baseline sounds interesting to you, and if you think you’re up to the challenge, there’s another one taking place in early 2021. Visit the UC Baseline page to find out more!
During the Information Security week of the UC Baseline cybersecurity program, the instructors asked us a lot of questions whose answers we had to look up. As a way to maximize participation, we were encouraged to share lots of links of the class’ Slack channel, which also functioned as a backchannel, as well as a way to chat with the students who were taking the course online.
The links that we shared in class were valuable material that I thought would be worth keeping for later reference. I’ve been spending an hour here and there, gathering them up and even organizing them a little. The end result is the list below.
Since these are all publicly-available links and don’t link to any super-secret UC Baseline instructional material, I’m posting them here on Global Nerdy. Think of this list as a useful set of security-related links, something to read if you’re bored, or a peek into what gets discussed during the InfoSec week of the UC Baseline course!
Krebs on Security: Thinking of a Cybersecurity Career? Read This. Krebs is a good regular read for security news, and this article is a good guide: “Thousands of people graduate from colleges and universities each year with cybersecurity or computer science degrees only to find employers are less than thrilled about their hands-on, foundational skills. Here’s a look at a recent survey that identified some of the bigger skills gaps, and some thoughts about how those seeking a career in these fields can better stand out from the crowd.”
Student hacker plans for repl.it
repl.it is a web-based IDE/REPL that supports 50 programming languages and collaboration. Include tutorials, message boards and other “community” features.
GitHub student developer pack
Free subscriptions and software for students enrolled in an institution or program that they recognize. Loads of great offers; don’t miss this one.
NHS (Healthcare) Defense in Depth
A detailed chart showing the many layers of defense that are required for systems containing healthcare information.
Wired: The Garmin Hack Was a Warning
“Ransomware continues to affect the usual suspects; the hospitals and cities and homeowners who click on a bad link haven’t gotten any sort of reprieve. But as hacking groups add both to their coffers and tool sets, it seems likely that Garmin is hardly an outlier—and only a matter of time before the next big target takes a big fall.”
The O.MG cable
It looks, feels, and acts like an ordinary USB cable, but it also has a processor, web server, and 802.11 radio, which can help you sneak your way into a system.
GRC: Governance, Risk, and Compliance
“The acronym GRC was invented by the OCEG (originally called the ‘Open Compliance and Ethics Group’) membership as a shorthand reference to the critical capabilities that must work together to achieve Principled Performance — the capabilities that integrate the governance, management and assurance of performance, risk, and compliance activities.”
The eJPT — eLearnSecurity Junior Penetration Tester certification “The eJPT designation stands for eLearnSecurity Junior Penetration Tester. eJPT is a 100% practical certification on penetration testing and information security essentials. By passing the challenging exam and obtaining the eJPT certificate, a penetration tester can prove their skills in the fastest growing area of information security.”
NIST Cybersecurity Framework
“The Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders.”
NIST Special Publication 800-series General Information “Publications in NIST’s Special Publication (SP) 800 series present information of interest to the computer security community. The series comprises guidelines, recommendations, technical specifications, and annual reports of NIST’s cybersecurity activities.SP 800 publications are developed to address and support the security and privacy needs of U.S. Federal Government information and information systems. NIST develops SP 800-series publications in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283.”
NIST Compliance FAQs: Federal Information Processing Standards (FIPS) “FIPS are standards and guidelines for federal computer systems that are developed by National Institute of Standards and Technology (NIST) in accordance with the Federal Information Security Management Act (FISMA) and approved by the Secretary of Commerce. These standards and guidelines are developed when there are no acceptable industry standards or solutions for a particular government requirement. Although FIPS are developed for use by the federal government, many in the private sector voluntarily use these standards.”
VISA: PCI DSS Compliance
“Learn about Payment Card Industry Data Security Standard (PCI DSS) with Visa. Keep your cardholders safe with the latest security standards.”
OASIS
“One of the most respected, non-profit standards bodies in the world, OASIS Open offers projects—including open source projects—a path to standardization and de jure approval for reference in international policy and procurement.OASIS has a broad technical agenda encompassing cybersecurity, blockchain, privacy, cryptography, cloud computing, IoT, urban mobility, emergency management, content technologies. In fact, any initiative for developing code, APIs, specifications, or reference implementations can find a home at OASIS.”
OWASP Foundation “The Open Web Application Security Project® (OWASP) is a nonprofit foundation that works to improve the security of software. Through community-led open source software projects, hundreds of local chapters worldwide, tens of thousands of members, and leading educational and training conferences, the OWASP Foundation is the source for developers and technologists to secure the web.”
How Unix Works: Become a Better Software Engineer
“Unix is beautiful. Allow me to paint some happy little trees for you. I’m not going to explain a bunch of commands – that’s boring, and there’s a million tutorials on the web doing that already. I’m going to leave you with the ability to reason about the system.Every fancy thing you want done is one google search away.
But understanding why the solution does what you want is not the same.That’s what gives you real power, the power to not be afraid. And since it rhymes, it must be true.”
Kaspersky: What is a honeypot?
“In computer security terms, a cyber honeypot works in a similar way, baiting a trap for hackers. It’s a sacrificial computer system that’s intended to attract cyberattacks, like a decoy. It mimics a target for hackers, and uses their intrusion attempts to gain information about cybercriminals and the way they are operating or to distract them from other targets.”
DFIR — Digital Forensics and Incident Response “Digital forensics and incident response is an important part of business and law enforcement operations. It is a philosophy supported by today’s advanced technology to offer a comprehensive solution for IT security professionals who seek to provide fully secure coverage of a corporation’s internal systems.”
Understanding RPO and RTO “Recovery Point Objective (RPO) and Recovery Time Objective (RTO) are two of the most important parameters of a disaster recovery or data protection plan. These are objectives which can guide enterprises to choose an optimal data backup plan.”
The 3-2-1 backup rule “For a one-computer user, the VMware backup strategy can be as simple as copying all important files to another device – or, ideally, several devices – and keeping them in a safe place. However, for multiple computer systems, things can be (and usually are) much more complicated, especially when it comes to virtual environments containing thousands of virtual machines. To protect physical machines, you would need to perform Windows Server backup or Linux Server backup, which might be difficult without effective backup tools. In these cases, a comprehensive data protection plan should include the 3-2-1 backup rule.”
What is BCDR? Business continuity and disaster recovery guide
“In this climate, business continuity and disaster recovery (BCDR) has a higher profile than ever before. Every organization, from small operations to the largest enterprises, is increasingly dependent on digital technologies to generate revenue, provide services and support customers who always expect applications and data to be available.”
How to Set Up an AI R&D Lab “The moment a hyped-up new technology garners mainstream attention, many businesses will scramble to incorporate it into their enterprise. The majority of these trends will splutter and die out by Q4. Artificial intelligence (AI) is unlikely to be one of them.AI is a transformative series of tools that can accelerate productivity, drive insight, and open up unexplored revenue streams. It’s poised to revolutionize the way we do business and everyone in a leadership role should be thinking about it.But few organizations are set up to do AI properly.”
ZDNet: FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers
“The FBI and NSA have published today a joint security alert containing details about a new strain of Linux malware that the two agencies say was developed and deployed in real-world attacks by Russia’s military hackers.The two agencies say Russian hackers used the malware, named Drovorub, was to plant backdoors inside hacked networks.”
Military Cyber Professionals Association (MCPA)
“Military Cyber Professionals Association (MCPA) are a team of Soldiers, Sailors, Airmen, Marines, Veterans and others interested in the development of the American military cyber profession.Our members are interdisciplinary, as such a diverse set of perspectives is needed to develop cyberspace as an entire domain. Also included in our ranks are other government employees, contractors, academics, industry leaders, foreign allies, and private citizens.”
Mean Time to Recovery (MTR)
Mean time to recovery (MTTR) is the average time that a device will take to recover from any failure.
Why the fuck was I breached?
“Did you just lose 100m customer SSNs because your root password was ‘password’, you set an S3 bucket to public or you didn’t patch a well known vulnerability for 8 months? Is the media and government chewing you out because of it? Worry not! Our free excuse generator will help you develop an air-tight breach statement in no time!”
Evaluating Risks Using Quantitative Risk Analysis “Project managers should be prepared to perform different types of risk analysis. For many projects, the quicker qualitative risk assessment is all you need. But there are occasions when you will benefit from a quantitative risk analysis.Let’s take a look at this type of analysis: What is it? Why should we perform it? When should it be performed? And how do we quantify risks?”
What is CMMI? A model for optimizing development processes
“The Capability Maturity Model Integration (CMMI) is a process and behavioral model that helps organizations streamline process improvement and encourage productive, efficient behaviors that decrease risks in software, product and service development.”
Common Vulnerability Scoring System The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities.
How Many Email Accounts Do You Need? “With all this need for email accounts, the question obviously arises: how many email accounts should you have? In theory, you could use a single email address for everything, but that could leave you with thousands upon thousands of emails from hundreds of sources in a single account; even with an account that allows you to easily sort everything, you’ll quickly be overwhelmed. It’s all but required that you have multiple email addresses nowadays.”
NIST NVD (National Vulnerability Database) — Vulnerability Metrics
“The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities. CVSS consists of three metric groups: Base, Temporal, and Environmental. The Base metrics produce a score ranging from 0 to 10, which can then be modified by scoring the Temporal and Environmental metrics. A CVSS score is also represented as a vector string, a compressed textual representation of the values used to derive the score. Thus, CVSS is well suited as a standard measurement system for industries, organizations, and governments that need accurate and consistent vulnerability severity scores. Two common uses of CVSS are calculating the severity of vulnerabilities discovered on one’s systems and as a factor in prioritization of vulnerability remediation activities. The National Vulnerability Database (NVD) provides CVSS scores for almost all known vulnerabilities.”
Tampa Bay UX Group
The Tampa Bay User Experience Group is one of the largest volunteer led user experience professional organizations in south central Florida. Krissy Scoufis created the group in August, 2013 with the goal of providing a network of design practitioners, product owners, web developers and product strategists who could share UX methodologies, principles and techniques. Mike Gallers and Beth Galambos joined the leadership team shortly after the group started and together they have hosted over 73 events. The group’s foundational pillars are to provide free mentorship, education and community to evangelize the User Experience discipline. Frequently partnering with other regional technology meetups, the Tampa Bay UX Meetup group has fostered a cross functional network of professionals dedicated to putting users at the center of product strategy and design.
The Five Steps of Incident Response “Incident response is a process, not an isolated event. In order for incident response to be successful, teams should take a coordinated and organized approach to any incident. There are five important steps that every response program should cover in order to effectively address the wide range of security incidents that a company could experience.”
What Are Security Controls?
“At the most fundamental level, IT security is about protecting things that are of value to an organization. That generally includes people, property, and data—in other words, the organization’s assets.Security controls exist to reduce or mitigate the risk to those assets. They include any type of policy, procedure, technique, method, solution, plan, action, or device designed to help accomplish that goal. Recognizable examples include firewalls, surveillance systems, and antivirus software.”
110 Must-Know Cybersecurity Statistics for 2020 “In order to give you a better idea of the current state of overall security, we’ve compiled the 110 must-know cybersecurity statistics for 2020. Hopefully, this will help you paint a picture of how potentially dire leaving your company insecure can be as well as show the prevalence and need for cybersecurity in business. This includes data breaches, hacking stats, different types of cybercrime, industry-specific stats, spending, costs and the cybersecurity career field.”
How to Restore Deleted Files Even After Emptying the Recycle Bin
“So you’ve emptied your recycle bin and then realized that you’ve deleted a file that you still need. If you act fast enough, you may be able to recover the files before the computer overwrites them with something else.Read on below for how to restore deleted files and for recycle bin recovery steps even when emptied.”
OWASP Top Ten
The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.
Here are six basic human tendencies that are exploited in social engineering attacks:
Authority: An attacker may call you pretending to be an executive in order to exploit your tendency to comply with authority figures.
Liking: An attacker may try to build rapport with you by finding common interests, and then ask you for a “favor”.
Reciprocation: An attacker may try to do something for you, or convince you that he or she has, before asking you for something in return.
Consistency: An attacker might first get your verbal commitment to abide by a fake security policy, knowing that once you agree to do so, you will likely follow through with his next request in order to keep your word.
Social Validation: An attacker may try to convince you to participate in a fake survey by telling you that others in your department already have. He or she may have even gotten some of their names and use them to gain your trust.
Scarcity: An attacker may tell you that the first 10 people to complete a survey will automatically win a prize and that since some of your co-workers have already taken the survey, you might as well too.
Social Studies – A Lesson in Social Engineering Basics
As we have become more and more vigilant against clicking on malicious links in suspicious emails, some social engineers have gone back to the classic person-to-person approach. Their basic strategy is to prey on vulnerabilities in human nature.
This event will provide you with an intro level understanding of containers and how to work with containers using the Docker platform. All skill levels are welcome, but the target audience is those who have no prior exposure to Docker. We look forward to the opportunity to share this knowledge with you!
In another occurrence of terrible people weaponizing the internet, a number of assholes posted strobing images to Twitter with the intent of inducing seizures in people with the photosensitive variety of epilepsy. In order to ensure that their intended victims viewed the images, they @-mentioned the Epilepsy Foundation’s Twitter username and included epilepsy-related hashtags in their tweets. Worse still, they did this in November — National Epilepsy Awareness Month — when a larger than usual number of people would be following the Epilepsy Foundation’s Twitter account.
This isn’t the first time that someone has tried this sort of attack against a person with epilepsy. In December of 2016, John Rayne Rivello, who didn’t agree with journalist Kurt Eichenwald’s negative takes on Donald Trump, tweeted a seizure-inducing animated GIF to Eichenwald from an account named @jew-goldstein. The GIF included the text “YOU DESERVE A SEIZURE FOR YOUR POSTS”.
According to a federal civil suit filed by Eichenwald against Rivello in Maryland, that seizure left him vulnerable to additional ones; he had another a week later. The second one forced him to increase the dosage of his anti-convulsive medication, despite profoundly debilitating side effects, and he spent Christmas of 2016 in a sedated haze.
Unsurprisingly, Rivello’s defense in the suit is based on the First Amendment, but as the Outline article says in a pull quote:
PUNCHING SOMEONE IN THE FACE COMMUNICATES A MESSAGE, BUT IT ISN’T ONE PROTECTED BY THE FIRST AMENDMENT.
The proceeding has been delayed until January 31, and Rivello is expected to plead guilty.
William Gibson wrote about this in Neuromancer
The idea of deliberately using strobing images on screens to induce epileptic seizures isn’t new. It most prominent use in science fiction that I’m aware of dates from 1984, in a heist executed on the Sense/Net broadcasting corporation by the protagonists and a gang called the Panther Moderns in William Gibson’s cyberpunk novel, Neuromancer:
The Panther Moderns allowed four minutes for their first move to take effect, then injected a second carefully prepared dose of misinformation. This time, they shot it directly into the Sense/Net building’s internal video system.
At 12:04:03, every screen in the building strobed for eighteen seconds in a frequency that produced seizures in a susceptible segment of Sense/Net employees. Then something only vaguely like a human face filled the screens, its features stretched across asymmetrical expanses of bone like some obscene Mercator projection. Blue lips parted wetly as the twisted, elongated jaw moved. Something, perhaps a hand, a thing like a reddish clump of gnarled roots, fumbled toward the camera, blurred, and vanished. Subliminally rapid images of contamination: graphics of the building’s water supply system, gloved hands manipulating laboratory glassware, something tumbling down into darkness, a pale splash… The audio track, its pitch adjusted to run at just less than twice the standard playback speed, was part of a month-old newscast detailing potential military uses of a substance known as HsG, a biochemical governing the human skeletal growth factor. Overdoses of HsG threw certain bone cells into overdrive, accelerating growth by factors as high as one thousand percent.
If you have the ability, write applications like Epilepsy Blocker, which detects potentially seizure-inducing images and videos. Otherwise, help susceptible people install it on their devices, and help spread the word about it!
And finally, if you see people using these kinds of attacks on social media, report and block them. If Gamergate taught us only one thing, it’s that the “ignore the bullies” tactic doesn’t work against online harassment campaigns.
Kelly Albrink (GCIH, GSEC, OSCP, GWAPT) is a Senior Security Consultant at Bishop Fox, where her areas of expertise are in network penetration testing, hardware security, and wireless technologies.
Dr. Sunny Wear is a Web Security Architect and Penetration Tester. She provides secure coding classes, creates software, and performs penetration testing against web/API and mobile applications. Sunny has more than 25 years of hands-on software programming, architecture and security experience and holds a Doctor of Science in Cybersecurity. She is a published author, “Burp Suite Cookbook”, a developer of mobile apps, specifically, the “Burp Tool Buddy”, and is a Pluralsight content creator, “Burp Suite for Beginners/Advanced/Writing Plugins”. She regularly speaks and holds classes at security conferences such as Defcon, Hackfest, and BSides.
