Preparing to become a CISSP

I've decided to pursue the CISSP certification!  The CISSP is considered the gold standard of Information Security credentials, and is required by some of the world's most security-conscious organizations.  It assures that InfoSec leaders possess the breadth of knowledge, skills and experience required to credibly build and manage the security posture of an organization.  It will be a great challenge to prepare for the exam and pass it, but the subject matter is something that I am exposed to every day at work, so hopefully that will give me an advantage.

Planning on using RDS Read Replica to offload some traffic from master DB instance

Today my team configured AWS CloudTrail to deliver log files to an S3 bucket.  This required us to attach a specific S3 bucket policy to the bucket:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSCloudTrailAclCheck20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::myBucketName"
        },
        {
            "Sid": "AWSCloudTrailWrite20150319",
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::myBucketName/[optional prefix]/AWSLogs/myAccountID/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        }
    ]
}

Today I used Amazon Athena

Today I used Amazon Athena  to convert load balancer logs in an S3 bucket to a database table so I could write SQL queries against it and find specific HTTP requests that came in at a specific time! 

Passed the SysOps exam!

AWS SysOps Administrator Associate exam coming up

In a month I am scheduled to take the AWS SysOps Administrator Associate certification exam.  I hear that this cert is widely regarded as the most difficult of the associate-level AWS certs...so it's going to be a tough one!  I'm hoping that my 18 months of hands-on experience working in AWS and my ACG subscription will carry me through...😬

Using AWS to host a static site over SSL

If you have an S3 bucket configured to host a static website and you want users to access this website via a domain (hosted zone) you have procured in Route53, it's pretty straightforward. HOWEVER, if you want that website to be accessible over SSL, it gets way more complicated and have to correctly integrate 4 different AWS services!

S3 — for storing the static site
CloudFront — for serving the static site over SSL
AWS Certificate Manager — for generating the SSL certificates
Route53 — for routing the domain name to the correct location

It's way more difficult than I initially thought and it took much longer than expected to get it working.

Creating SAML test SP and IdP using free online tools

This week I found free, online SAML Service Provider (SP) and Identity Provider (IdP) tools  and integrated them together to get a working, SP-initiated SAML authentication workflow for us to test SSO in our mobile apps.

SP: https://sptest.iamshowcase.com/

IdP: https://samltest.id/

Cybersecurity: Read Team vs. Blue Team

Should a company investing in building an offensive security "Red Team" so they can skillfully discover vulnerabilities in their systems, or a "Blue Team" so they can skillfully react and even prevent those vulnerabilities?

From https://securitytrails.com/blog/cybersecurity-red-blue-team :

There is no “red team is better than blue,” no benefit to picking sides or investing in only one. The important thing is remembering that the goal of both sides is to prevent cyber crimes.

One idea born out of trying to reconcile red and blue teams is the creation of purple teams. Purple teaming is a concept that does not truly describe the existence of a brand new team, it’s rather a combination of both the red team and blue team. It engages both teams to work together.

Automated deployment of IDS/IPS agent via Ansible

Today I automated the deployment of an IDS/IPS agent to several AWS intances using Ansible's script module

Today I hosted a static website in S3, enabled CORS, served a publicly-accessible widget and accompanying JSON-LD for SEO indexing, and embedded these in some existing websites using AJAX

 

Image credit: https://jvns.ca/ (awesome site with lots of great content!)

Today I integrated a healthcare data engine, API gateway, and a lambda function

Using AWS SNS to send SMS directly to phone number

Implemented "server-side texting" today using Amazon SNS.  To get this working, I had to set up a new IAM policy which allows a particular IAM role to publish anything (allow sns:Publish on "*").  This was the key to enabling SNS messages to be published directly to a phone number instead of a topic.  Also learned that in the U.S. it's not possible to set a meaningful "sender ID" instead of a random code like "788-98".  Other countries allow automated SMS senders to specify a meaningful value like a company name.

Burp Suite

I've been wanting to use Portswigger's Burp Suite app for a while and finally had a reason to today so I could pass this root-me challenge.  The key to this challenge was to do a MITM attack and intercept an HTTP POST request sent by a browser and modify the request body.  I did this by configuring Burp Suite to serve as a proxy on 127.0.0.1:8080 and then I configured my Macbook's network settings to route all network traffic through this proxy address.  Burp suite allows easy modification of http headers and body just like Telerik's Fiddler app , so it was very straightforward!

Simplified instructions for updating an SSL certificate for Tomcat:

Part 1 - Generating the artifacts (.jks, .csr, .cer/.crt)

1. Use Java's keytool -genkey program to generate a new private key and store it in a keystore (.jks file)
1. This is where you'll be asked for the information that your future Certificate Signing Request (CSR) should contain, such as domain name, company name, city, state, etc.
2. Use Java's keytool program to generate a Certificate Signing Request (CSR) referencing the private key created in the previous step.
3. Go to the domain registrar's website to purchase the new SSL certificate from the partnering Certificate Authority (CA) and use their web UI to start the activation process.
4. During the activation process, you'll be asked to paste the contents of the CSR file created in a previous step.  The CA will review this and decide whether or not to issue you an SSL Certificate file (.crt or .cer file).
5. Upon approval, you will be emailed the SSL Certificate file and must upload this to the web server.

Part 2 - Installation

1. Use Java's keytool -import program to import the SSL Certificate file (.crt or .cer file) into the previously created keystore (.jks file)
2. Use Java's keytool -list program to validate the imported certificate
3. Modify Tomcat's server.xml to reference the new keystore (.jks file)
4. Restart Tomcat and use Digicert's SSL Certificate Checker tool to validate the SSL cert from a third party
1. https://www.digicert.com/help/

Just finished the "Backup file" challenge on root-me.org.  It took me a long time to figure this one out, but I learned a great deal about different backup file extensions while I was guessing wrongly hundreds of times!  Used this "guessing attack" script from OWASP to assist me:

    #!/bin/bash
      
    server=challenge01.root-me.org
    port=80
    
    while read url
    do
    echo -ne "$url\t"
    echo -e "GET /$url HTTP/1.0\nHost: $server\n" | netcat $server $port | head -1
    done | tee outputfile

Becoming a hacker to prevent getting hacked

I've been doing some of the web server hacking challenges on root-me.org.  It's teaching me about different kinds of vulnerabilities such as Open Redirect and Command Injection.  I'm also learning about brute forcing tools such as nmap and hydra which are instrumental in cracking weak username/password combinations.

Turns out AWS is very persistent about delivering your push notifications!  If the mobile endpoint is not available, SNS will retry 2 times immediately, 5 times at 20 seconds apart, then 31 times exponentially backing off from 20 seconds to 20 minutes and finally 12 times every 20 minutes for a total 50 attempts over more than 4 hours before the message is discarded from SNS.  Damn!

I made some 8-bit wall art for my office! Took forever to cut those shapes out of foam board but it turned out nice.

Going to find out which Android devices are most affected by this memory leak I'm battling.

For anyone who is considering building a mobile app using a cross-platform or hybrid framework such as React Native, Ionic, or Kony, keep in mind that debugging a memory leak can be very difficult!  I've been tracking down the source of a slow memory leak that's causing the Android version of our Kony app to crash if the user camps out on a particular screen for an hour or two.  The logcat backtrace and tombstone info really just tells me "something went wrong when the Kony API was called".  One of many tradeoffs with cross-platform frameworks.

I’ve decided to start quoting spiritual teachings to PMs who are pushing for unrealistic deadlines. 😂