Black Girls Hack is offering a free CEH study group, an immersive 15-week program covering the 7 domains of the CEH Ethical Hacking Exam, currently at version 10. We will be using the Shawn Walker All-in-One and Ric Messier CEHv10 Study Guide books. Week 1 will be covering the following:
I did my first National Cyber League, which also happened to be my first real Capture the Flag (CTF) type event, and I learned a lot from the experience, so I thought I’d share. First, before you get started with any CTF type event it is important that you set up your attack machine or VM and install all the tools that you might need. There was definitely a difference between the tools I thought I might need and the tools I needed. Let me explain. NCL told us off the break that the categories for the capture the flag were as follows:
Cryptography
Password Cracking
Log Analysis
Network Traffic Analysis
Forensics
Web Application Exploitation
Scanning
Enumeration and Exploitation
What I appreciated about this is that they tie the skills back to the NIST NICE framework by letting you know the value of the skills you are exhibiting and how they tie back to NICE cybersecurity workforce skills (have you checked out the “What Can I Do” series on our blog?). Even knowing the categories that the challenges were in did not prepare you for the challenges. For example, there were tools that I didn’t have downloaded on my machine which I found valuable for the competition. DIIT (Digital Invisible Ink Toolkit) was invaluable to me for the steganography related challenges. This is a good tool to have to solve those types of challenges. There are other tools that are native to Kali such as OpenStego, but it turned out that this tool didn’t work for the images I was provided. For other challenges, while I had the available tools, I wasn’t familiar with how to use them. This was the case for John the Ripper. John is a common password cracking tool which is great if you’re handing it a password or two to crack and a list. It is less great when you’re told that the password has a specific format and it’s long enough that brute forcing it and trying to hit all the combinations will not serve you any good. Another lesson learned from the experience is to use various browsers. For one of the challenges the answer was in the HTML code and was updated each time the page was refreshed. You could only see the information in specific browsers though, so it’s good to have a backup handy. This is also the case for search engines. While I call myself relatively skilled in the art of google-fu, my Yandex, my Bing, my Yahoo fu-s need work. I don’t use the other ones, but Google doesn’t always have the answer.
Another lesson learned I’d give to anyone who is trying their hand at this type of event is “sometimes the answer is right in front of you” and “don’t overthink it.” We were provided a picture in one of the challenges and asked for some information, and while I approached the problem by looking at metadata and GPS data and all the data, the solution to the problem was just found in looking at the picture. In another challenge involving a picture I did the same thing. In the challenge they gave you a screenshot of a Twitter feed and the key, and the key was in the comments on Twitter. Me though? Your girl looked at all the data, zoomed in, scanned the picture with a QR reader and everything. I went to the Twitter page to get the OG picture because the screenshot wouldn’t have metadata. The flag was in the comments on the Twitter page.
Random file names check! NCL was full of surprises. They had a BSON file that had data in it. It was a database dump. Don’t know what BSON is… Neither did I. Crash course on MongoDB on a Saturday night… why not? When I tell y’all that I had like 100 browsers open across 2 different computers and 4 different VMs… and of course no one has all the information on one page. Install the software, restore the database, read the database… I know SQL… TOO BAD it doesn’t use SQL. Learn how to query, count records, look for information. UGHHHHH. If you see me in these cyber streets with bald spots, you know what happened.
I also ended up needing random tools and programs, for example a PDF cracker tool and a tool that allows you to map GPS coordinates and radii on a map to determine the location of an obscure airfield. I might have been amused if I wasn’t sick and stressed out and severely lacking on TIME.
Preseason lasted a week and the Individual competition lasted for 72 hours. For the preseason portion of the competition I found that you were given plenty of time. For the Individual competition I found there were not enough hours in the day. I was sick for most of the competition and my backup computer decided mid-challenge to throw a temper tantrum and restart mid-keystroke. MID TYPING. NO WARNING. (Talk about big mad.)
But I’ll tell you what, NCL was a great experience and I decided that once my papers go through for my nonprofit I’ll be sponsoring a team. Be on the lookout for the BlackGirlsHack Team in the team competition in early November, but hopefully you’ll see us around for years to come. See y’all in these cyber streets.
While security conferences typically host capture the flag competitions where you are tasked with completing a set of tasks in order to find hidden treasures or flags within their systems, traditional businesses model their security with colored teams, where each team is responsible for a certain aspect of the organization’s security. Blue Teams, for example, are white hat defenders; they are the people who work for the company and are responsible for defending the organization’s assets. While Intrusion Detection Systems are typically responsible for identifying attacks on an organization’s assets, it is the Blue Team that takes actionable steps to mitigate the attack and prevent further damage. To help ensure that the Blue Team stays ready, many companies also employ the services of a Red Team. Red Teams are independent groups that determine the effectiveness of an organization’s security by assuming the role of the attacker. They use the same tools and techniques as hackers and are considered ethical hackers. With the organization’s permission, Red Teams spend several weeks to months performing security testing with specific objectives and reporting any issues or findings to the Blue Team. Red Teams are often mistaken for penetration testers, whose job it is to provide a security assessment of an organization’s network and report on flaws or vulnerabilities. Penetration testers, Red Teams, and Blue Teams are all trained like adversarial attackers but are provided permission and do so within the scope of their duties.
What they do: Information Systems Security Managers are responsible for the cybersecurity of a program, organization, system, or enclave. They are responsible for the planning, coordination and direction of computer-related activities in an organization.
Where do they fall in the NIST – Information Systems Security Managers work in the Cybersecurity Management specialty area.
Where do I start: Information Security Managers typically have advanced-level certifications such as the CISSP, PMP, or GIAC. Because they are managing organizations, they typically have 5 or more years of experience.
What they do: Trainers lead training activities and design and develop training or education of personnel within the cyber domain.
Where do they fall in the NIST – Trainers fall under the Training, Education and Awareness (TEA) specialty area, and they can have jobs such as Cyber Instructor or Cyber Instructional Curriculum Developer.
Where do I start: Learn something new and teach someone. In addition to a bachelor’s degree, training specialists need work experience in teaching, tutoring, or educating others.
Happy National Cybersecurity Awareness Month! In its 17th year of existence, National Cybersecurity Awareness Month (NCSAM) is continuing to raise awareness about the importance of cybersecurity across the nation. In an age where almost every week we are being notified of breaches of digital information, NCSAM offers the opportunity to continue to educate Americans and corporations about the importance of their cybersecurity teams, their software, and the importance of securing their customer’s information online. The NCSAM’s theme this year is “Do Your Part. #BeCyberSmart” and in supporting that theme, Black Girls Hack is doing our part to highlight the impact of the lack of diversity in Cybersecurity.
While Cybersecurity has many diversity problems, none are more glaring than the lack of women and the lack of African Americans. In 2019, the Bureau of Labor Statistics performed a survey of employed persons detailed by occupation, gender, race and ethnicity. In that survey, African Americans represented 7.6% of Information Security Analyst positions and women represented 17.1% of those roles. Similar statistics exist for all the Professional and Related Occupations, including Systems Analysts, Programmers, Software Developers and Network and System Administrators, to name a few. The lack of diversity in Science, Technology, Engineering and Mathematics (STEM) roles is a direct reflection of the amount of diversity in STEM undergraduate and graduate programs and in STEM programs in high school, middle school and elementary school. *Insert infinity mirror*
More than just lacking representation, and role models, the lack of diversity in Cybersecurity has many unintended side effects such as adding bias to artificial intelligence, signature analysis and definition, and systems themselves. Malicious actors are creative and diverse in their way of thinking and to stay ahead of the game, cybersecurity professionals must be reflective of that trend and of society.
Organizations are using artificial intelligence to do everything from deciding what to watch next, to driving, to interviewing and determining the best candidate, to criminal justice. Analysis has shown that the over-representation of men in the design of artificial intelligence leads to both cultural and gender bias in the developed systems. Machine learning, which is how systems gain their “intelligence,” is built from the data the system is provided with, and if that data, and the design and development of the algorithms, are biased, the resulting application of the technology will perpetuate that bias (Leavy, 2015).
More advanced intrusion detection systems, for example, use Artificial Neural Network based Intrusion Detection Systems (IDS) to help detect attacks. These Artificial Neural Network IDS systems analyze large volumes of data and use that data to help predict attacks and learn from their mistakes (Garzia, Lombardi, & Ramalingam, 2017). Recent studies have shown that examination of facial analysis software reveals a 0.8 percent error rate for light-skinned men and a 34.7% error rate for dark-skinned women (Hardesty, 2018). Three reviewed commercially released facial analysis programs from major technology companies showed both skin color/skin type and gender related biases. What that means for us, as consumers of these systems, is that these systems, having learned how to respond based on the data they were provided, will have difficulty in identifying the way women make decisions, in differentiating Black faces in video footage, and in determining if a Black woman is a good fit for a job when they can’t accurately interpret her facial expressions. Some companies are replacing first-round interviews with AI-assisted technology. Applicants are asked to use a webcam to respond to interview questions on video. The employers can then use AI to “review” the interviews to evaluate whether the candidate matches in demeanor, enthusiasm, facial expressions, or word choice (Burke, 2019). Based on this evaluation the candidate is then recommended (or not) for the next round of interviews. When AI cannot properly analyze darker skin or gender-based differences, and is built from data and by developers with inherent biases, this serves the purpose of both eliminating diverse applicants from the hiring process and reducing the number of diverse employees within the companies.
So why isn’t this being shouted from the mountaintops? It’s because research has shown that the people who address gender and racial bias in Artificial Intelligence and developed software are often those affected by the bias (Leavy, 2015). Susan Leavy, in her white paper on Gender Bias in Artificial Intelligence, argues that by recognizing the bias, women are more likely to understand its impact and attempt to resolve it (Leavy, 2015). The problem? While women represent 47% of the occupational workforce, they represent 27% of Chief Executives, 28% of Computer and Information Systems Managers, 20% of computer programmers, 18% of software developers, and 17% of information security analysts. African Americans fare far worse, representing 4% of Chief Executives, 9.6% of Computer and Information Systems Managers, 8.5% of computer programmers, 5.8% of software developers, and 16.6% of information security analysts (BLS.gov, 2020).
Cybersecurity has a diversity problem and until minority and gender discrepancies in hiring, education, and access to resources are resolved, America and its citizens will be worse off in every aspect of the industry.
BLS.gov. (2020, January). Labor Force Statistics from the Current Population Survey. Retrieved from BLS.gov: https://www.bls.gov/cps/cpsaat11.htm
Burke, L. (2019, November 4). Your Interview With AI. Retrieved from insidehighered.com: https://www.insidehighered.com/news/2019/11/04/ai-assessed-job-interviewing-grows-colleges-try-prepare-students
CISA.gov. (2020, October). National Cybersecurity Awareness Month. Retrieved from CISA.gov: https://www.cisa.gov/national-cyber-security-awareness-month
Garzia, F., Lombardi, M., & Ramalingam, S. (2017). An integrated internet of everything — Genetic algorithms controller — Artificial neural networks framework for security/safety systems management and support. International Carnahan Conference on Security Technology (ICCST).
Hardesty, L. (2018, February 11). Study finds gender and skin-type bias in commercial artificial-intelligence systems. Retrieved from MIT News: https://news.mit.edu/2018/study-finds-gender-skin-type-bias-artificial-intelligence-systems-0212
Leavy, S. (2015, May 28). Gender Bias in Artificial Intelligence: The Need for Diversity and Gender Theory in Machine Learning. Retrieved from https://ame-association.fr/wp-content/uploads/2018/11/17.188_gender_bias_in_artifical_intelligence_the_need_for_diversity_and_gender_theory_in_machine_learning.pdf
Whereas my Infrastructure plan is more so focused on learning infrastructure as code principles to be able to develop and destroy servers and hosts in the cloud, my Cloud study is learning more about the different cloud providers and the way they offer their services. For this I am looking specifically at cloud-based certifications such as those offered by Azure and AWS and CompTIA’s Cloud+.
Cloud+ (Wiley)
Udemy Cloud Computing for Beginners with Microsoft Azure
YouTube Cloud Computing Course (There’s one by Simplilearn)
My world domination plan includes cloud infrastructure because most of the world’s Fortune companies are running their infrastructures from the cloud. Whereas traditional networks included server farms and physical infrastructures, cloud computing infrastructure includes all of the networking, storage, power, and virtualized resources that an organization needs. There are currently 3 main companies in the Cloud Computing market: Amazon Web Services, Azure, and Google Cloud, each providing Infrastructure as a Service (IaaS) models where they serve as third-party hosts offering core infrastructure for their customers.
While each of the cloud computing companies offers the ability to, for example, create a Virtual Machine (VM) or a Virtual Network in the cloud, at a large scale companies such as Netflix, Hulu, Amazon, and others need their infrastructures created and destroyed in a much more efficient way. To handle the provisioning, modification and removal of virtual servers, some organizations use infrastructure as code services such as Terraform and Kubernetes. Terraform is a vendor-neutral tool that allows you to develop code to provision servers on AWS, Azure, VMware and a number of other cloud service providers in the market. Kubernetes, on the other hand, takes a container management approach to infrastructure as code to manage system servers and networking. These are both very important to big tech companies and therefore very important areas that are needed for my world domination plan.
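As an added illustration of the infrastructure-as-code idea described above (this is example configuration written for this page, not code from the original post or from HashiCorp), here is a small Terraform configuration that provisions one VM on AWS. The region, the `ami_id` and `admin_cidr` variables and the resource names are assumptions. The point to notice is that the firewall rule is part of the code: SSH to the server is reachable only from the administrator range declared in `admin_cidr`, that rule is versioned and reviewed together with the server it protects, and `terraform destroy` removes everything the file created.

```hcl
# Example Terraform configuration (written for this page, not from the original post).
# Assumed values: region, AMI id and admin CIDR are placeholders you supply.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

variable "ami_id" {
  description = "AMI to boot (placeholder, supply your own)"
  type        = string
}

variable "admin_cidr" {
  description = "Only this range may reach SSH, e.g. 203.0.113.0/24 (documentation range)"
  type        = string
}

# A private network for the lab host.
resource "aws_vpc" "lab" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "lab" {
  vpc_id     = aws_vpc.lab.id
  cidr_block = "10.0.1.0/24"
}

# Firewall rule lives in the same file as the server: SSH only from the admin range,
# nothing else inbound. A reviewer can spot a 0.0.0.0/0 ingress before it is applied.
resource "aws_security_group" "ssh_from_admin" {
  name        = "ssh-from-admin"
  description = "Allow SSH only from the administrator range"
  vpc_id      = aws_vpc.lab.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The VM itself; replace the AMI and size for your own lab.
resource "aws_instance" "lab" {
  ami                    = var.ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.lab.id
  vpc_security_group_ids = [aws_security_group.ssh_from_admin.id]

  tags = {
    Name = "bgh-lab"
  }
}
```

Usage is the normal Terraform cycle: `terraform init`, `terraform plan` (which prints every resource and rule before anything is created), `terraform apply`, and later `terraform destroy` to tear the whole environment down, which is the create-and-destroy workflow the paragraph above describes.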
Resources I have for my study of Infrastructure include:
Terraform training (available from their website)
Kubernetes training videos (available from their website and YouTube)
Network and computer systems administrators are responsible for the day-to-day operation of computer networks.
Entry Level Education – Bachelor’s degree
2019 Median Pay – $83,510 ($40.15/hour)
Job outlook – 4%
What they do: Network and computer systems administrators are responsible for the day-to-day operation of computer networks. Network and computer systems administrators work with the physical computer networks of a variety of organizations and therefore are employed in many industries.
Where do I start:
Certifications: Network+, CCNA
Where do they fall in the NIST – Network systems administrators fall under the Network Services specialty area. They most closely align to the Network Operations Specialist in the NICE Framework.
Web developers design, create and maintain websites.
Entry Level Education – Associate’s degree
2019 Median Pay – $73,760 ($35.46/hr)
Job outlook – 8%
What they do: Web developers design, create and maintain websites. They can work in design, publishing, management consulting or advertising, to name a few.
Where do they fall in the NIST – T0195 Provide a managed flow of relevant information (via web-based portals), T0380 Plan instructional strategies such as web-based courses, and T0601 Collaborate with other team members to develop a diverse program of information materials (e.g. web pages) are all tasks identified in the NICE Framework. These skills can be used by Cyber Instructional Curriculum Developers.