Thanks for another wonderful week of submissions to my “Ask Lesley” advice form. Today, we’ll discuss digital forensics methodology, security awareness, career paths, and hostile workplaces.
I’m a recent female college graduate who didn’t study computer science but is working in technical support at a software company. The more I learn about infosec, the more curious and interested I get about whether this is the field for me. What resources/videos/courses/ANYTHING do you recommend for people who want to make a serious stab at learning infosec?
– Curious Noob
I’m really glad to hear you’re discovering a passion for infosec, because curiosity is really the most fundamental requirement for becoming a good hacker. I wrote a long blog series about information security careers which I hope you may find helpful in discovering niches and planning self-study. For brevity’s sake, here are some options for you.
- Study up on any fundamental computer science area you’re underexposed to in your current work – that means Windows administration, Linux administration, TCP/IP, or system architecture. You need to have a good base understanding of each.
- Get involved in your local CitySec, DEF CON local, or 2600 meet up group. They are great networking opportunities and a fabulous place to find a mentor or people to study with. There are meet ups all over the world in surprising places.
- Consider attending an infosec / hacking conference. The BSides security conference in the nearest major city to you is a great option and should be very affordable (if not free). Attend some talks and see what speaks to you. Consider playing in the CTFs or other security challenges offered there, or at least observing.
- Security Tube and Irongeek.com are your friends, with massive repositories of conference talk videos you can watch for free. Nearly any security topic that piques your interest has probably been spoken about at some point. I would favor those sites over random YouTube hacking tutorials which really vary in quality (and legality).
- Consider building your own home lab to practice with basic tools and techniques. Networked VMs are adequate as long as you keep them segregated from everything else: put them on a host-only or internal virtual network with no route to your home network or the internet, and take snapshots so you can reset them after you break something. Kali Linux and a Windows XP VM are a great place to start. You need to take stuff apart to learn about hacking.
These are only some brief suggestions – there’s no streamlined approach to becoming a great hacker. Get involved, ask questions, and don’t be afraid to break stuff (legally)!
What do you do when you provide security awareness training to your employees, but they still click on phishing links?
– Mr. Phrustrated
Beyond generally poor quality “death by PowerPoint” training, one of the biggest problems I see in corporate security awareness programs is poor, unsustainable measures of success. For instance, it’s become really trendy to conduct internal phishing tests to identify how many people click on a phish. It’s incredibly tempting to show off to executives that this number is trending down, but that metric is really pretty worthless.
No matter how ruthlessly trained, somebody (and anybody) will click on a well-enough crafted phish, and it only takes one compromise to breach a network’s defenses. What we should be measuring is the reporting of phishing messages and good communication between employees and the security team. The faster we know an attack is underway, the faster we can respond and mitigate the threat.
In conclusion, you should be less concerned if “somebody is still clicking” phishing messages than if nobody is telling you they clicked, and they resist or lie in embarrassment when asked.
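To make the point above concrete, here is an added example (not code from the original column) that scores a simulated phishing campaign the way the answer recommends: instead of stopping at the click rate, it computes the report rate, the time to the first report, the click-to-report delay for people who clicked and then owned up, and the list of "silent clickers" who clicked and never told anyone. The event records, user names and timestamps are constructed sample data, not results from any real campaign.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class PhishEvent:
    """One recipient's outcome in a simulated phishing campaign."""
    user: str
    sent: datetime
    clicked: Optional[datetime] = None   # when the link was clicked, if ever
    reported: Optional[datetime] = None  # when the user reported the message, if ever


# Constructed sample campaign: five recipients, one send time (hypothetical data).
SENT = datetime(2017, 1, 30, 9, 0)
EVENTS: List[PhishEvent] = [
    PhishEvent("alice", SENT, reported=SENT + timedelta(minutes=4)),       # reported, did not click
    PhishEvent("bob", SENT, clicked=SENT + timedelta(minutes=7),
               reported=SENT + timedelta(minutes=9)),                      # clicked, then reported
    PhishEvent("carol", SENT, clicked=SENT + timedelta(minutes=12)),       # clicked, never reported
    PhishEvent("dave", SENT),                                              # ignored the message
    PhishEvent("erin", SENT, reported=SENT + timedelta(minutes=30)),       # reported late, did not click
]


def summarize(events: List[PhishEvent]) -> Dict:
    """Return the metrics that matter for response, not just the click rate."""
    total = len(events)
    clicked = [e for e in events if e.clicked is not None]
    reported = [e for e in events if e.reported is not None]
    # The dangerous population: compromised and nobody on the security team knows.
    silent = [e for e in clicked if e.reported is None]

    campaign_start = min(e.sent for e in events)
    first_report = min((e.reported for e in reported), default=None)
    minutes_to_first_report = (
        (first_report - campaign_start).total_seconds() / 60 if first_report else None
    )
    # For people who clicked and then reported: how long the attacker had before the team heard.
    click_to_report = {
        e.user: (e.reported - e.clicked).total_seconds() / 60
        for e in clicked if e.reported is not None
    }

    return {
        "click_rate": len(clicked) / total,
        "report_rate": len(reported) / total,
        "minutes_to_first_report": minutes_to_first_report,
        "click_to_report_minutes": click_to_report,
        "silent_clickers": sorted(e.user for e in silent),
    }


if __name__ == "__main__":
    for key, value in summarize(EVENTS).items():
        print(f"{key}: {value}")
```

With this data the click rate (40%) is the number most programs would put on the executive slide, but the two values that actually describe the organization's exposure are the four minutes until the first report and the one silent clicker: the team heard about the campaign quickly, and "carol" is the compromise it would never have learned about from the metric alone.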
Is there a mental checklist while doing digital forensics to not make your evidence point to your quick conclusions, even if you think you have seen a similar case?
– Jack Reacher Jr.
Identifying that this is a problem is a great first step. While intuition is an important part of being a good investigator, sound methodology is even more important. The checklist you use to collect evidence and perform an investigation is going to vary by where you work and what types of things you investigate, but you should always have and follow a checklist – and I recommend it be a paper checklist, not mental.
Don’t ever shortcut or skip steps, even when you’re in a high pressure situation. Shortcuts and assumptions are incredibly dangerous to the legal and technical validity of investigations. Gather all the facts available to you at the time, and document every step you take so that a colleague (or a legal professional) can follow your work even far in the future.
Finally, always remember that in a digital forensic investigation we are generally providing evidence to reach conclusions about “what, when and how”. “Who” is shaky ground, because in most cases it involves context outside the digital device. “Why” is almost never the business of a forensic analyst (and is indeed often not within the capacity of a company to responsibly answer). If you find yourself looking for evidence to fit a presumed “why” scenario, you have a big problem and you need to step back.
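The "document every step" advice above is easier to follow when the documentation itself cannot be quietly edited after the fact. The following is an added example, not code from the column or any particular forensics tool: a small append-only investigation log in which every entry records what was done, when, by whom and how, carries the SHA-256 of any artifact it touched, and is chained to the previous entry's hash so that a later reader can verify nothing was inserted, removed or altered. The case number, analyst name and the "disk image" bytes are constructed placeholders.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


GENESIS = "0" * 64  # prev_hash of the first entry


class InvestigationLog:
    """Append-only, hash-chained record of investigation steps (what / when / how)."""

    def __init__(self, case_id: str, analyst: str):
        self.case_id = case_id
        self.analyst = analyst
        self.entries: List[Dict] = []

    def record(self, action: str, detail: str, artifact: Optional[bytes] = None,
               when: Optional[datetime] = None) -> Dict:
        """Append one step. Never edit an earlier step; record a correction as a new one."""
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries) + 1,
            "case_id": self.case_id,
            "time": when.isoformat(),
            "analyst": self.analyst,
            "action": action,            # what was done
            "detail": detail,            # how it was done (tool, command, parameters)
            "artifact_sha256": sha256_hex(artifact) if artifact is not None else None,
            "prev_hash": prev,
        }
        entry = dict(body)
        entry["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, dropped or reordered."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["seq"] != seq or body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def artifact_matches(entry: Dict, data: bytes) -> bool:
    """Check that an artifact you are about to analyze is the one that was logged."""
    return entry["artifact_sha256"] == sha256_hex(data)


# Constructed walkthrough: a pretend disk image acquired and later re-verified.
IMAGE = b"\x00FAKE-DISK-IMAGE\x00" * 64


def build_demo_log() -> InvestigationLog:
    t0 = datetime(2017, 1, 30, 14, 0, tzinfo=timezone.utc)
    log = InvestigationLog(case_id="CASE-0000", analyst="analyst")
    log.record("acquire", "bit-for-bit image of drive via write blocker", artifact=IMAGE, when=t0)
    log.record("hash_verify", "recomputed SHA-256 of image on analysis workstation", artifact=IMAGE,
               when=t0.replace(minute=5))
    log.record("timeline", "built filesystem timeline from image; see attached output",
               when=t0.replace(minute=40))
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print("chain intact:", demo.verify())
    print("image matches acquisition record:", artifact_matches(demo.entries[0], IMAGE))
    demo.entries[1]["detail"] = "edited later"   # an after-the-fact change is caught
    print("chain intact after tampering:", demo.verify())
```

The hash chain does not make the log tamper-proof on its own (whoever holds the log could regenerate the whole chain), so in practice the entry hashes are also written out of band, for example into a case notebook or a ticket timestamped by a separate system. What it does give you is the property the answer asks for: a colleague or lawyer years later can read the sequence of what was done and confirm it is the sequence that was recorded at the time.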
I’m this girl like I said, who just started working in the field, and for the past 4 months, I worked at this huge corporation, who has, among other services, an information security related one, offering technical security (pen testing, …) and non-technical security services. At that time, I had little information about advanced hacking techniques as well as the good practices that should be followed to secure our systems.
During the first weeks I got hacked by someone who’s working with me, and I was harassed and shamed by them since then. I knew it because this person would talk about their findings to everyone, even to non-technical people, in the corporation. People would look at me and laugh, smile, smirk, or look at me pathetically, in addition to other situations.
Knowing that this person is an expert (12 or more years working in information security) and that I don’t have any proof of their actions, what should I do in your opinion? What kind of advice would you give to girls and women like me, who want to work in the field but get harassed by their experienced co-workers instead of being encouraged by them?
Your story gave me pause enough to discuss it substantially with several colleagues in information technology who have also worked in extremely hostile environments.
This is a horrific situation. I want to make it crystal clear that this is utterly shameful on the part of your employer, your infosec colleagues, and your organization’s corporate culture. I truly hope it does not drive you from our field. The most important thing I can tell you is that this is not your fault, and this is not normal.
The first thing I recommend you do is document everything that’s happening in as much detail as possible, even if you don’t feel you have evidence right now: dates, what was said, who was present, and anything unusual you noticed on your accounts or devices. The activity you’re talking about may not only be harassment, but may also violate hacking laws. Since device compromise is a concern, please maintain this documentation offline, on paper or on a personal device this person has never had access to, not on your work machine or work accounts.
What you do next depends on factors you don’t mention in your note. First of all, if you have a trusted supervisor, manager outside your team, or senior mentor in your organization, please turn to them for assistance and ensure they are corroborating what has been happening to you on paper. It’s their responsibility to assist you in resolving the issue at a work center or corporate level, even if they’re not directly in your reporting chain.
If there’s nobody at all you can go to in confidence, the situation becomes substantially more unpleasant. Your options are to ignore the behavior and stick out the requisite ~2 years of entry level security at the organization (obviously the worst option), seek employment elsewhere, or contact an HR representative (with the risk of retribution and legal battles that can bring). Obviously, my personal recommendation is taking you and your computer straight to HR. As a wise colleague of mine pointed out, this is most likely not an isolated incident – the behavior and dismal culture will continue for you and others. Sadly, in some places in the world with fewer employment protections, this can carry the risk of termination. Keep in mind that it is okay to confidentially consult a lawyer within the terms of your employment contract, and pro bono options may be available.
If HR / legal action is not an option, you can’t find employment elsewhere, and you’re toughing it out to build entry level experience, please network and find a local mentor and support structure outside of your company as soon as possible. As well as much needed emotional support, these people could help you study, network, bite back, and explore other recourse against the employer. Feel free to reach out to me anonymously and we’ll try to connect you with somebody in your area.
2 thoughts on “Ask Lesley InfoSec Advice Column: 2017-01-30”
If you are still working in the company (ie you have not been laid off) despite what other colleagues say, I’d probably take it as a somewhat good signal because you are still there..
Short term strategy:
1. Sign up to do certifications, sign up to get more experience, sign up to get more visibility in the company doing something that you have a strength in. You have been hired because the company saw something in you that has made you worth being hired.
2. Try to find someone in the company that’s going to be on your side or your ally.
3. Change the topic. Next time someone mentions it say something like “yes, I am still learning, and signing up to get more experience and certification” and then try to change the conversation to how some other team got hacked themselves to take the pressure off you personally. Change the conversation to Trump-Russia, DNC, Phineas Fisher, how a hack has impacted 23K in a Texas School District… talk about incidents of how people and teams more knowledgeable than you have been hacked… because it shows that people/teams make mistakes… and it will take the personal spotlight off you when these conversations come up and it shows that people and teams are not infallible.
4. Fight back. To me, putting the negative spotlight on someone probably means that there is something about them that they don’t want others to know. You try to do the whole office politics game by finding out what the guy/team’s weak spots are and being visible with it to their boss but in a passive-aggressive way that can’t be traced to me individually or can only be traced to my team. There is usually a weak spot. I’ve done this, to show that it’s better having me working with someone rather than having me working against them. But it might not work for you..
If going down the legal road, take a look at any HR/employee guidance/IT policy there is available in the organization about these types of situations. Bring any paperwork or documents you have once there is a consultation confirmed. The thing with lawyers is that the scummy ones will have an interest in pursuing going to court because that is where they make the most of their income. And once a lawyer sends one of those ‘legal letters’ that is when the knives are out. But still you should see a lawyer to see if there is some case here and make sure any indication of doing so remains secret. Even if you don’t go down this road, I think that pursuing a lawyer consultation is an option.
I don’t know how things work in the US but non-disparagement clauses and a guaranteed letter of reference are part of severance packages, but it won’t be something that you have access to being entry level. So if you are very certain about leaving, try to navigate the situation so that there is a guaranteed letter of reference from a supportive coworker and if possible, try to ask for something to be signed with the HR/company also including a non-disparagement clause from both parties (you and your previous employer). Having those two I think is optional but they are insurance in the event of a reference check.
[…] Lesley Carhart answers readers’ questions. Regarding DFIR, she advises that a physical checklist is useful in avoiding coming to conclusions because one case is similar to another. “Shortcuts and assumptions are incredibly dangerous to the legal and technical validity of investigations. Gather all the facts available to you at the time, and document every step you take so that a colleague (or a legal professional) can follow your work even far in the future”. Ask Lesley InfoSec Advice Column: 2017-01-30 […]