BlackGirlsHack partners with HyperQube to launch BGH Cloud Labs

BlackGirlsHack (BGH) is excited to announce its partnership with HyperQube.io to roll out our BGH Cloud Labs training program. BGH Cloud Labs is the brainchild of BGH’s Executive Director Tennisha Martin. It was envisioned as a way to provide Ethical Hacking (Red Team) and Security Operations (Blue Team) training in the cloud for people who did not have the physical or computing resources necessary to do them on their home computers. When BlackGirlsHack started, Tennisha began teaching home lab workshops to show future cyber pros how they can build a home lab on their computers and practice everything from network penetration testing, web application penetration testing and web application security testing to red and blue team skills. Many of those participants were not able to continue with the workshops after it became clear that their home laptops and computers did not have enough memory or RAM available to support a virtual lab environment. From this, the idea of BGH Cloud Labs was born: a cloud-based laboratory environment that would allow anyone with an internet connection to hone and grow their ethical hacking skills without the need for computer or laboratory upgrades. From there Tennisha began working with the BGH team to research affordable cloud-based solutions that would allow us to host hands-on lab workshops in an interactive environment for people to learn. HyperQube’s CEO Craig Stevenson dropped into one of these Friday Night Labs sessions and reached out to the instructor about ethical hacking lab training re-envisioned. After seeing the HyperQube cyber range, Tennisha knew that this would be the perfect platform to bring the BGH Cloud Labs project to life. BGH Cloud Labs powered by HyperQube is being unveiled at Friday Night Labs on Friday April 29, 2022. Join us at meetup.com/blackgirlshack

BlackGirlsHack partners with NowSecure

BlackGirlsHack is excited to announce our partnership with NowSecure, a leader in the mobile application security space. BlackGirlsHack’s founder and Executive Director Tennisha Martin was asked to speak to one of NowSecure’s employee resource groups a few months ago and talked to them about the importance of taking real action to increase diversity in cybersecurity. That action could look like many things, but it was important that it was actually an action and not a discussion. NowSecure’s CEO Alan Snyder immediately took up the call to action and offered to donate mobile penetration testing training and vouchers for certification to the BlackGirlsHack squad. They also took the unprecedented step of not just providing a set number of licenses but making it available for everyone. BlackGirlsHack members started receiving their NowSecure Academy welcome messages and getting started on their training last week. Check out NowSecure and how they’re helping to secure the mobile space.

BlackGirlsHack partners with INE

BlackGirlsHack is excited to partner with INE to bring premium training and discounted vouchers to the squad. INE stands out amongst other ethical hacking certification bodies as it provides hands-on labs and free training for its entry-level junior penetration testing (eJPT) certification. We can’t wait to start flooding the job market with certified penetration testers, and we are excited to see the impact on the greater IT community as the eJPT and Certified Professional Penetration Tester certifications become leaders in the hands-on certified penetration tester space. Find out more about BlackGirlsHack and INE’s partnership to help increase diversity in cybersecurity here and here.

BlackGirlsHack partners with Cloud Academy

BlackGirlsHack is excited to announce our strategic partnership with Cloud Academy, a leader in the cloud training space. Cloud Academy creates courses, exams and labs that bring its users practical skills with real-world applications. We’re excited to bring that training to the BGH squad. Cloud Academy provides hands-on labs, lab challenges, integrated development environments, and certification learning paths for some of the world’s biggest cloud providers including AWS, Azure and Google Cloud. Their certification paths align closely with vendor certification exams to provide the squad with preparation and training for future careers in the cloud.

Budget Hacking by BGH

As a nonprofit that interfaces with a lot of people who are trying to obtain jobs in cybersecurity, I can tell you, having done a gap analysis as a black woman in cybersecurity, that the financial barriers to entry into ethical hacking are high. We are in the middle of a pandemic, and people are trying to take care of their families and don’t need the worry of a $1200 EC-Council exam, a $360 CompTIA exam, or SANS exams at over $8000. Those certs are all worth something in the industry, but they’re not worth anything to you if they are outside of your reach. To help address this financial barrier to ethical hacking, I’m going to discuss some ways that you can practice real-world hands-on skills for free or at low cost.

Setting up a Home Lab

Setting up a home lab in VirtualBox or VMware can provide an easy environment within your computer to practice hands-on skills. With a computer, you can set up a home lab that has a minimum of two virtual machines (VMs): one attacker VM running Kali or Parrot, and one victim VM such as the Broken Web App VM. All of the tools discussed here, VirtualBox, VMware, Kali, Parrot, and the VMs themselves, are free. Together they are a one-stop shop for learning authentication, authorization, network penetration testing, ethical hacking, scanning and enumeration, exploitation and privilege escalation, and more. There is even a running web server on the victim VM that will allow you to practice your web hacking activities and learn how to spot and exploit things like the OWASP Top 10. As you can see, setting up a home lab gives you a wide range of both red and blue team activities that you can perform to practice your skills. The best part of this is that you don’t need access to the internet once your network is set up, and you would not have to worry about any legal repercussions from the practice of ethical hacking, because the only systems you touch are your own. BlackGirlsHack has a New Year, New Lab workshop that walks you through how to set up a home lab so that you can practice these skills. There is also a New Year, New Lab Part Deux and Part Three that show you other useful things you can do without spending any money. And once you level up your skills in penetration testing and web application penetration testing, you can get intentionally vulnerable VMs from VulnHub that will give you other types of boxes to “break into”, such as Windows and other flavors of Linux.

TryHackMe

No discussion of budget hacking would be complete without TryHackMe. TryHackMe has a free tier and a paid tier (10/mo), and you can definitely do all types of rooms for free. What you will find in TryHackMe is rooms that are set up to teach a very specific subject. For example, you might go into the nmap room to learn how to use nmap, or into the Wireshark room to learn how to use that. TryHackMe is a cloud-based cyber training program that is available for free for many types of rooms and boxes. TryHackMe is a beginner-level application, although they do have some rooms that are more advanced.

Rangeforce

RangeForce is an interactive and hands-on team cyber readiness platform. They specialize in blue team content, although they do have purple, yellow and some red team training. They are a cloud-based cyber training platform that has a free community edition, or if you’re a member of BlackGirlsHack, we have their higher-tier content for free through our BlackGirlsHack x RangeForce partnership.

Hack The Box

Hack The Box is an online cybersecurity training platform that allows people to practice their ethical hacking skills by breaking into boxes that they have staged, which cover a wide variety of hosts. Hack The Box is probably more for mid- to advanced-level people, as they do not provide step-by-step guidance like TryHackMe and RangeForce do. They have a wide range of boxes available for free, but they also have a paid offering.

Portswigger Academy

PortSwigger Academy, aka Web Security Academy, is a free online training center for web application security. It includes content related to the OWASP Top 10 and uses Burp Suite, a real-world tool that is used for web application penetration testing. It is free and often neglected, but if you are a future ethical hacker, penetration tester, or web security professional, this needs to be your new go-to site.

Over the Wire

Over the Wire is a set of free cyber wargames that build a wide variety of skills. The Over the Wire Bandit series is a primer in Linux and is set up in a gamified way so that you have to hack your way to the highest levels. They also have other wargames, including Natas, which teaches the basics of web security, and Leviathan and Narnia, which cover general cyber skills, common sense and basic exploitation. You don’t need a lot to join these games, and they are lots of fun.

Amazon Smile

BGH is now on Amazon Smile

K-12 Cybersecurity issues. What can be done to protect our students and staff?

Imagine being a student watching your classmate present during a YouTube live stream, and then all of a sudden you hear someone interrupt your classmate’s presentation to say your classmate’s name and then speak about how much he admires her. Then how about this? The intruder then says, “You cannot mute me because I am a HACKER!” I have to admit, this particular scene played out in real time in front of me during a class I attended this past April.

The facilitator of the course, feeling comfortable doing so, inadvertently posted the class Zoom details to a live YouTube feed. The facilitator was genuinely embarrassed and apologetic to my classmate and his students. I do not think he thought that we would ever experience an invasion like that. I mean, we were in class, and everyone there was trying to learn. These types of cyber attacks are becoming increasingly common, especially now during this Covid era.

I recently read an article by The K-12 Cybersecurity Resource Center and The K12 Security Information Exchange (K12 SIX), which provide information regarding school-related cyber issues and are dedicated to helping protect K-12 schools from cyber threats. It is worth mentioning that the U.S. public K-12 system is a $760 billion sector managing and storing data for 50 million students. However, in some situations, IT system infrastructure is stored on-premises or shared with other districts, which increases the risk to student and staff confidential information.

In 2020, K-12 saw a staggering increase in publicly disclosed cyber attacks. Examples of K-12 cyber attacks include denial of service attacks, phishing, and ransomware, to name a few. In these cyber attacks, data is retrieved by an adversary and, in most cases, sold. This situation then becomes detrimental to parents’ livelihood, but more specifically to their children and school staff. For example, children under 18 receive mail telling them they have been denied credit, or sometimes the information the adversary has obtained is used to bully children or school staff online. The article also noted that wealthier, more prominent, and suburban school districts were more likely to have a reported breach, with ransomware being an example of an attack method. A ransomware attack succeeds when an unsuspecting person opens an email attachment or link which then activates the malicious software.

With remote learning being the norm, a secure and safe environment must be created for students and school staff. School districts with student and school staff data still on-premises should look for ways to encrypt data at rest and store it in locked storage. School districts can implement at least basic security awareness training and security hygiene practices to maintain a high level of security controls for all facets of their IT infrastructure.

If you are interested in learning more about K-12 cyber incidents, feel free to visit k12cybersecure.com.

References:

https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf

Leveling up with RangeForce

How many times have you applied for a cybersecurity job, only to receive a rejection letter days or weeks later saying that you have not been considered for the role? Or maybe you have been shortlisted for a role because you met the minimum qualifications, had transferable skills, even held cybersecurity certifications, and had an evident passion for the role? According to (ISC)2, the number of unfilled cybersecurity positions now stands at 4.07 million, up from 2.93 million this time last year. The unfilled positions include 561,000 in North America. The shortage of skilled workers in the industry in Europe has soared by more than 100 percent over the same period, from 142,000 to 291,000.

Ok, so now you finally land the interview; the interview went well, and yet you are still rejected, and your chance to finally land that cybersecurity role appears to diminish right in front of you. You may feel defeated. You may feel like you are not cut out to be a cybersecurity professional, and then you decide to give up on your dream. I know the feeling. However, if there are so many unfilled cybersecurity roles worldwide, why can we not land the cyber role? I have often heard that if you want to get into cybersecurity, you have to show that you have the skills, like command-line skills and more.

So in 2018, I decided to transition to a career in cybersecurity and to develop my skill set. I started by searching online for cybersecurity boot camps and certificate and degree programs. However, since I already held a master’s degree in information science, the thought of going into debt again was not an option for me. So I decided to try online cybersecurity and IT workforce development platforms. I did not have a great experience with the platforms I tried. For example, I would get stuck at a step in a challenge, and there were no tips provided to help me understand how to complete the task and move forward. Sometimes my VM instance session would have an error and then shut down as I was completing a challenge. These roadblocks were very frustrating because I would have to refresh my browser and then restart a module from the beginning. After those experiences, I gave up on using any online cybersecurity and IT workforce development platforms, essentially placing the development of my skills on hold until BlackGirlsHack introduced me to RangeForce in February 2021.

Founded in 2015, RangeForce was created to provide impactful training experiences to individuals and teams throughout the cybersecurity industry. They improve a learner’s ability to detect and respond to the latest cyber threats while identifying skills gaps and providing the training needed to upskill learners quickly. I have been using RangeForce since February 2021, and I can say it is the best platform I have used. RangeForce’s user experience is excellent, with it being easy to navigate between pages. Each module contains clear and concise content for the topic or instructions for an assessment. They also offer tips within each assessment to help a learner who has difficulty completing an assessment alone. RangeForce is also very concerned with their learners’ experience with each module and asks for general feedback after each of them.

I am always excited about using RangeForce, and I think you would be too if you tried it. If you want to level up your cybersecurity skills, when you have a chance, please feel free to visit RangeForce for more information.

Sources:

1. https://www.rangeforce.com/blog/founding-story-rangeforce-cyber-attack-cyber-range-simulation

2. https://dataconomy.com/2021/01/cyber-attacks-increase-threefold-4m-unfilled-cybersecurity-positions/

Cyber Attack on Water Plant Facility

Last month, dangerous winter storms rolled into the South, creating a challenging situation for thousands of residents in the area, and most were left to survive in the cold with little to no power or running water. People I know were forced to stand in lines to obtain their ration of water for the day. Water is an essential part of our very existence, and every cell in our body needs it to grow and function. Per Worldometers.info, 657 million+ liters of water have been used so far in 2021. Now, think about non-developed countries that lack a quality water supply. Per UNESCO, one in nine people worldwide uses drinking water from unimproved, unsafe, untreated sources.

In the United States, we are fortunate to have access to treated water, and drinking from US water supplies is considered safe. However, on Friday, Feb. 5, 2021, two days before the Super Bowl, a cyber attack was attempted against a small water facility in Oldsmar, Florida. Using the internet, the adversary managed to connect to software called TeamViewer, which was installed on the workstation used to control the water treatment process. TeamViewer is a popular tool used by technicians; it allows personnel to gain remote access to a computer and use it as if they were physically in front of it. Once in the network, the adversary tried to increase the level of sodium hydroxide, or lye, added to the water.

Thankfully, a supervisor on duty was alerted by an Indicator of Compromise (IoC): a cursor moving across his computer screen on its own. Due to his alertness, he was able to prevent a catastrophe from occurring. Think about it for a second: what if the supervisor had not seen the cursor move? Many unsuspecting customers, travelers, or residents could have been poisoned. Unfortunately, this type of situation is not uncommon. Operations staff and equipment vendors need remote access to industrial machines and use software such as TeamViewer to manage critical infrastructure such as our water supply.

How can this type of incident be prevented in the future? Prioritize installing a firewall in your network together with a Network Intrusion Detection System (NIDS)/Network Intrusion Prevention System (NIPS) or even a Host Intrusion Detection System (HIDS)/Host Intrusion Prevention System (HIPS). This way, you can be alerted about suspicious or malicious events, or the system can prevent them outright. Consider placing industrial networks in DMZs to prevent external IP addresses from accessing your internal networks. Do not use default credentials on servers or applications, and conduct a vulnerability assessment every six months.
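The Oldsmar story above hinges on two signals a defender could have alerted on automatically: a remote-access session from an unexpected source or time, and a chemical setpoint change that leaves the safe operating range. The following script is an added example, not code from the original post or from any vendor; the log format, the allowlisted network, the maintenance window and the setpoint limits are all constructed here for illustration.

```python
"""Constructed detection example for an OT workstation: flag remote-access
sessions from non-allowlisted sources or outside the maintenance window, and
setpoint changes that leave a safe range. Every value below is invented."""
import ipaddress
from datetime import time

# Assumed: vendor/operator networks allowed to open remote sessions.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed: window during which remote maintenance is expected.
MAINTENANCE_WINDOW = (time(8, 0), time(17, 0))
# Assumed: safe dosing range (ppm) for a chemical setpoint, constructed.
SETPOINT_LIMITS = {"naoh_ppm": (50, 150)}

# Constructed log lines. Two record kinds:
#   "<HH:MM> REMOTE <src_ip> <user>"
#   "<HH:MM> SETPOINT <tag> <old_value> <new_value>"
SAMPLE_LOG = """\
09:15 REMOTE 10.20.4.7 vendor_tech
13:02 SETPOINT naoh_ppm 100 110
13:05 REMOTE 203.0.113.45 operator
13:07 SETPOINT naoh_ppm 100 1100
23:40 REMOTE 10.20.4.9 operator
"""

def parse_line(line):
    parts = line.split()
    hh, mm = parts[0].split(":")
    return {"time": time(int(hh), int(mm)), "kind": parts[1], "fields": parts[2:]}

def check_remote(event):
    """Alerts for a REMOTE event: unexpected source network or time of day."""
    alerts = []
    src = ipaddress.ip_address(event["fields"][0])
    if not any(src in net for net in ALLOWED_SOURCES):
        alerts.append(f"remote session from non-allowlisted address {src}")
    start, end = MAINTENANCE_WINDOW
    if not start <= event["time"] <= end:
        alerts.append(f"remote session outside maintenance window at {event['time']:%H:%M}")
    return alerts

def check_setpoint(event):
    """Alerts for a SETPOINT event: value out of range or an abrupt jump."""
    tag, old, new = event["fields"][0], float(event["fields"][1]), float(event["fields"][2])
    alerts = []
    lo, hi = SETPOINT_LIMITS.get(tag, (float("-inf"), float("inf")))
    if not lo <= new <= hi:
        alerts.append(f"{tag} setpoint {new:g} outside safe range {lo}-{hi}")
    if old > 0 and new / old > 2:  # more than doubling in a single change
        alerts.append(f"{tag} setpoint jumped from {old:g} to {new:g}")
    return alerts

def analyze(log_text):
    """Run both checks over a log; return a list of (line, alert) pairs."""
    findings = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        checks = check_remote(event) if event["kind"] == "REMOTE" else check_setpoint(event)
        findings.extend((line, alert) for alert in checks)
    return findings

if __name__ == "__main__":
    for line, alert in analyze(SAMPLE_LOG):
        print(f"ALERT: {alert}  <- {line}")
```

On the constructed log this raises four alerts: the session from 203.0.113.45, the 23:40 session, and two for the 100 to 1100 setpoint change; the 09:15 session and the 100 to 110 change pass silently.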

Sources:

https://www.hstoday.us/subject-matter-areas/infrastructure-security/perspective-cyber-attack-on-water-supply-is-a-wake-up-call-for-state-and-local-governments/

https://en.unesco.org/waterquality-iiwq/wq-challenge

https://www.worldometers.info/water/

Help A Hacker Fundraiser

BlackGirlsHack is kicking off its Help-a-Hacker Fundraiser! As a newly formed non-profit organization waiting on our 501(c)(3) designation, we are caught between rapid growth and reality. The reality is that we are growing much faster than we anticipated, and the squad is getting sooooo big. What that means is, we’ve got hundreds of future cybersecurity professionals who are trying to get their foot in the door of cyber. To do this, they need TRAINING, HANDS-ON SKILLS, and CERTIFICATIONS. For our future K-12 students, we are providing exposure to cybersecurity and ethical hacking as a profession. There are many financial barriers to entry for these professionals. These include the cost of certifications, resources for a home lab (we plan to remedy this issue by implementing a BGH Cloud Labs program), and hands-on skills to help prepare qualified workers for the vast number of open cybersecurity jobs. To help fulfill our mission of increasing diversity in cybersecurity, we need YOU to help us level up. Donate now using the QR code above or on our website at blackgirlshack.org/donate.