So the group I am working with is more fledgling than we would like to be. Granted, I work with some really brilliant folks. They honestly make me feel stupid with the amount of knowledge they have, but one thing we are lacking is a good memory analysis technique. We spend countless hours poring through the process dumps off of a box and then I'm not sure that it does any good. Let's face it, after multiple hours of looking at useless lines of code/commands/garbage you may miss the important stuff. Fortunately we always have an idea of what we are looking for. When will our luck run out?
So I have been looking at Volatility. I'm impressed and I'm disappointed.
The first disappointment that I have is with the connections command. I've dealt with numerous pieces of Malware that beacon, establish a connection as needed and then drop off to only connect again if the beacon returns a specific reply. It doesn't establish a connection nor does it listen on a port. I've found no way for Volatility to give me information on any connection attempts or IPs that the Malware is trying to talk to on an irregular basis.
The second disappointment is I haven't found a way to find any commands issued to a program. Many times memory will retain the list of commands and at times the passwords to specific encryption that was typed from a terminal and executed on the software. It would be very helpful if there were a way for Volatility to gather this information and which commands were executed on which pieces of Malware. Now this becomes an issue with privacy. Not sure how to get around that.
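One way to get at both of the gaps described above (a beacon whose socket is long gone, and command history typed into a console) is to stop relying on the socket table and carve the raw image instead. The script below is an added example, not part of the original post and not Volatility's own code. It assumes a constructed byte buffer standing in for a dump (a real run would read the raw file), and the addresses and the console line in it are planted test data. It scans for IPv4 addresses and URLs in the ASCII view of the image and separately for UTF-16LE strings, because Windows console history is held in memory as UTF-16LE and an ASCII-only string search never sees it; every hit carries its byte offset so it can be followed up in the image.

```python
"""Carve network indicators and console-history strings from a raw memory image.

Added example: not part of the original post and not Volatility code. It works on the
raw bytes of a dump rather than on the socket table, so a beacon that has already
closed its connection can still leave a recoverable address or URL.
"""
import ipaddress
import re
from typing import Dict, List

# ASCII flag so \d means 0-9 only, not Unicode digits from the latin-1 view of the image.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])", re.ASCII)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-_:/?=&%+~#@]+", re.ASCII)
# Runs of 8+ printable ASCII characters stored as UTF-16LE (char, 0x00 pairs).
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_sample_image() -> bytes:
    """Constructed stand-in for a dump; a real run would use open('memory.dmp', 'rb').read()."""
    filler = b"\x00" * 64 + bytes(range(256)) * 4  # binary noise around the planted strings
    planted = [
        # Fragment of a beacon request whose socket is long gone (constructed; TEST-NET-2 address).
        b"GET /beacon?id=7 HTTP/1.1\r\nHost: 198.51.100.23:8080\r\n",
        # Callback URL left behind in the process heap (constructed; TEST-NET-3 address).
        b"http://203.0.113.9/cb",
        # Console history is held as UTF-16LE, so an ASCII-only pass never sees this line (constructed).
        'netsh interface ip set dns "Local Area Connection" static 10.0.0.254'.encode("utf-16-le"),
        # Address-shaped junk that the octet check must reject.
        b"999.1.2.3",
    ]
    return filler + filler.join(planted) + filler


def _ipv4_hit(candidate: str, offset: int, encoding: str):
    """Return a finding dict for a syntactically valid IPv4 address, else None."""
    try:
        ip = ipaddress.IPv4Address(candidate)
    except ValueError:  # e.g. an octet above 255
        return None
    return {
        "addr": str(ip),
        "offset": offset,
        "encoding": encoding,
        "rfc1918": any(ip in net for net in RFC1918),
    }


def carve_indicators(image: bytes) -> Dict[str, List[dict]]:
    """Scan a raw image for IPv4 addresses, URLs and UTF-16LE strings, with byte offsets."""
    found: Dict[str, List[dict]] = {"ipv4": [], "urls": [], "wide_strings": []}

    # latin-1 maps each byte to exactly one character, so match.start() is the byte offset.
    text = image.decode("latin-1")
    for m in IPV4_RE.finditer(text):
        hit = _ipv4_hit(m.group(), m.start(), "ascii")
        if hit:
            found["ipv4"].append(hit)
    for m in URL_RE.finditer(text):
        found["urls"].append({"url": m.group(), "offset": m.start()})

    # Wide strings: decode each run and re-scan it, mapping character index back to bytes.
    for m in WIDE_RE.finditer(image):
        decoded = m.group().decode("utf-16-le")
        found["wide_strings"].append({"text": decoded, "offset": m.start()})
        for im in IPV4_RE.finditer(decoded):
            hit = _ipv4_hit(im.group(), m.start() + 2 * im.start(), "utf-16le")
            if hit:
                found["ipv4"].append(hit)
    return found


if __name__ == "__main__":
    for kind, hits in carve_indicators(build_sample_image()).items():
        for h in hits:
            print(kind, h)
```

On the sample image the ASCII pass recovers the beacon host and the callback URL, the UTF-16LE pass recovers the netsh line and the RFC 1918 address inside it, and the malformed "999.1.2.3" is dropped by the octet check. On a real dump the address list will be noisy (library version strings, netmasks, anything dotted), so the offsets matter: they let you pull the surrounding bytes and see whether a hit sits next to a request line, a host header or a command prompt before treating it as an indicator.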
Now what impresses me is the amount of information that you can recover from memory by issuing a few commands. Many of the items that you would usually need SysInternals for you can now get from memory. Many times if there is a rootkit or a hidden piece of malware then you won't get any return from the SysInternals tools.
Example: There are ways to configure a secondary route. Possibly VPN subversion or just a forced route to a malicious site. SysInternals does not always show this location. Using Volatility you have a possibility to pull this information back. Does it always? No. This is where it's not always best to just rely on this tool to do the work for you.
Definitely has potential and I'll continue to watch, but I can't rely on it just yet.
Wednesday, September 9, 2009
Wednesday, September 2, 2009
Certifications in IT and Security specifically
Over the past 10 years or maybe a little less I have held a handful of different certifications. I only place CISSP on my business cards and email block simply for the fact it's considered the "Number One" security certification and lends a little credibility to those people who are not familiar. Let's face it, how many times have you had to talk to someone and they act like you are the most incompetent person because you tell them they need to fix something. Having a little credibility helps...a little.
That being said I was listening to a podcast this morning on my drive to work and the speaker made a joke out of "at least he's not a CISSP". Interesting. Is it he's not a CISSP because he doesn't want to be? Or is it he's not a CISSP because he hasn't taken the test?
I know there are plenty of people who hold their certifications like some badge that suddenly gives them access to all the knowledge that could possibly be possessed. I am truly ashamed to be grouped with those people.
But by the same token there are tons of people who are jealous of those people who are certified or scared to take the test and make every effort to mock the people who were successful enough to pass the test. After I passed my CISSP I told some people who were genuinely interested in my results. One of them decided to announce it to the office. Interestingly enough, out of the blue someone walks up to me and states "just because you have the CISSP doesn't mean you know anything". At no point have I declared "I am supreme commander of all security knowledge", but I was a challenge to this person and was basically told where my place was.
When I was a more junior network engineer I completed my CCNA, CCDA and started on my CCNP. I was only about 3 years into working with Cisco, but I considered myself decent for what I had accomplished. After passing my first CCNP exam a project manager approached me and told me "congrats, now we just need to get you some skill to go with the certifications". At the time I was the only one on the team who could spell Cisco, but I had rubbed this guy the wrong way and it was later proven in a court case (that I wasn't involved in) that this man had some 'racial' issues. However it definitely put a chip in my confidence. I passed one more and never advanced any further.
The reason I go for certifications is plain and simple. My own personal challenge. If I have to study, say, EnCase (my current project) then why shouldn't I attempt the EnCE? It's not to rub it in someone's face. I'm currently the most versed person on EnCase in my office. So what does it accomplish? Nothing but my own personal satisfaction. I can put it on my resume. It may give someone who asks my advice a little confidence in my answer, but it doesn't prove I have the right to hold my nose in the air and piss in someone's grapenuts. I can do that without a cert. It just means I know enough to pass the test and can retain the information I have read/heard/learned.
With all that being said a certification means as much as anything else. I know people with EE degrees, Master's and a couple of borderline PhDs that are complete and utter morons. I know people who haven't finished 9th grade who are sharper than most Doctors.
So if you know of someone that is studying for a certification do one of two things: help them/support them or shut the hell up. If it isn't worth anything let the market decide. If it's on DoD 8570.1 it will only help them find a job. If they pass and get a big head on their shoulders, give them a difficult task. If they complete it well again shut the hell up or prove you're better. If they fail explain why they failed, show them how much they have to learn and help them learn it.
So to summarize, if you are not helping someone advance their knowledge, but only complaining about someone else's achievements, you're the problem. Not the certification. If you don't want to take the test, fine. I don't judge on what alphabet soup you have behind your name. But if you only look better when someone else falls on their face, perhaps you're the reason IT is beginning to look more like the office politics that everyone goes to IT to avoid.