Captain's Log (August 01, 2021)
It’s been a busy month…
- The first annual >Shark Week was held July 11-17! It was a bit hectic getting everything out on time given everything else I had going on (work, fitness challenge and training) but I had a lot of fun and met some new people in the community! Reddit was okay on it. I’ll be trying to do this every year for sure. However, next time I will have some things prepared leading up to it. True Story: I literally thought of the idea the day before >Shark Week began - so I was a bit rushed.
- I hosted a (non-Shellsharks-related) AMA on Reddit and the response was pretty great!
- I’ve been thinking of making some Shellsharks-themed shirts… have some ideas but no final design.
- I was invited to join the “Introduction to Coding/Hacking and CyberSecurity Discord” as a community mentor. So I did. You can find me in there!
- I’ve got a pretty exciting project in the works. Can’t say much else but stay tuned!
- I dropped two new episodes of the podcast. Check ‘em out!
- I’ve been thinking of introducing the idea of “seasons” into the podcast. Each season would have a theme. Season one’s theme, (for example) could be something like “Getting Into Information Security”. Then, throughout that season, I would have a lot of podcast content focused on that subject. Just a nugget of an idea at this point…
What I’m Learning
- I served as a moderator for SANS SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment @ SANSFIRE (Virtual Edition 2021). The course was really (and I can’t stress this enough), really good. I consider myself a bit of a Vulnerability Management/Assessment expert and I still learned so much. The instructor (and course author), Matt Toussain, did a fantastic job. I definitely recommend this course. Prepping for the certification exam (GEVA) now!
- I’ve been interested in getting more experience in Threat Modeling. If you didn’t know, there are a ton of methodologies…
  - STRIDE: Spoofing, Tampering, Repudiation, Information Disclosure, Denial-of-Service, Elevation of Privilege
  - DREAD: Damage, Reproducibility, Exploitability, Affected users, Discoverability
  - PASTA (Process for Attack Simulation and Threat Analysis)
  - LINDDUN: Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance
  - hTMM: Combines Security Cards, Persona non Grata and STRIDE.
  - VAST (Visual, Agile and Simple Threat modeling)
  - OCTAVE (Operationally Critical Threat, Asset and Vulnerability Evaluation)
  - …to name a few…
- A long time ago, I purchased the eLearnSecurity “All Access Pass”. Shortly after purchasing, I managed to complete their Penetration Testing Student (PTS) and Penetration Testing Professional (PTP) courses/certifications - but for the last 5 years, I have not really touched any of the other bundled content. After all this time, I’ve re-opened the legacy console and have started hacking away at the Web Application Penetration Testing course yet again. Once I (hopefully) obtain my eWPT cert, I can then proceed to the more advanced Web Application Penetration Testing eXtreme course, WAPTX!
- I’ve just finished up moderating the SANS course, SEC450: Blue Team Fundamentals: Security Operations and Analysis @ SANS Cyber Security East. Though I don’t consider myself a “blue-teamer”, and this course is a 400-level course, I found the material to be incredibly high-value and immensely thorough. The instructor, John Hubbard, is really top-notch. I recommend you check out his podcast, Blueprint.
- In addition to all my other AppSec-ing, I am eyeing the Offensive Security WEB-300 course, Advanced Web Attacks and Exploitation (AWAE/OSWE). I’m hoping to start (and finish) it sometime before the end of the year. The OSWE would be the first in my pursuit of the epic (and new) OSCE3 certification from OffSec.
- As part of all this AppSec learning, I am working on a web security compendium of sorts. What form it will ultimately take and its release date is TBD.
- There are rumors of a refreshed Mac Pro w/ Intel Ice Lake. I’ve been wanting to pick up a Mac Pro for a while now… Who knows!
- Picked up a gym membership. I’m fortunate to have work pay for it, so why not? Typically, I just play bball at the gym but have been trying my hand at weight-lifting.
- Never really been a coffee person, but I’ve been drinking some home-made iced coffee recently. Just not a fan of warm drinks…