The joys and wonders of security evaluations

Why I Love My Job

Rosie Hall

Software EngineerReleased: June 12, 2015

2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Goals

1. Help you determine if security evaluations are the right career for you

2. Point you to some useful resources

3. Life Lessons highlighted in green

3© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

My Background

4© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Went to Beech High School in Hendersonville, TN

• Majored in Computer Engineering at UT

• Internship in Reliability Engineering in a Michelin tire plant in Opelika, AL• Internships are a great way to figure out your job preferences

before you invest in a job

• Internship doing research on neural-based circuits at UT on an NSF grant

• Internship at Cisco in Knoxville for 2 years

• Masters in Computer Engineering

• Hired Full Time at Cisco• Internships are also a great way to get a job!

5© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

About Cisco

6© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Core Business is routers and switches

7© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Data center – routing and servers, management automation, firewalls

8© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Cloud – Infrastructure, Platform, and Software as a Service offerings

9© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Collaboration – IP phones, WebEx, Telepresence

10© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Security – Firewalls, IPS, Network Traffic Analytics

11© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Both Products and Services in these areas

• Growth through acquisitions

What Does Cisco Do?

12© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

ASIG – Advanced Security Initiatives Group

13© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Offices in Knoxville and Austin, plus ~10 remote workers

• Primarily perform security evaluations on Cisco products

• Security research / tool creation• Hardware & Forensics Teams

ASIG

14© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• We are the Breakers

• We try to keep Cisco out of the news by finding vulnerabilities first

• 3 years to 2 weeks, 3 month average

• Evaluate many different products, technologies, languages• Learning never ceases

• Sometimes black box, usually white box

What are Security Evaluations?

15© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Major component of our evaluations• Exploit a system as far as you can, just as an attacker would

• Demonstrates the impact of vulnerabilities to management

• Often several low severity bugs can be chained together to completely compromise a system

Penetration Testing

16© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Research the product• Prioritize the attack surfaces

• Authentication• Authorization• Sensitive Data or Actions• Encryption, especially home-rolled

• Manual testing• Fuzzing• Source code inspection

How do we do it?

17© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Privilege escalations• Command Injection• Inadequate input validation

• Buffer overflows• XSS

• Logic Errors• Information exposure

What do we look for?

18© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• BurpSuite• IDA pro• Gdb• Nessus• Metasploit• Scapy• Peach

Commonly Used Tools

19© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• C• A scripting language (ruby or python)• Network protocols (CCNA a big plus)• Security• Encryption

Useful Skills

20© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Perspective from a new hire.

21© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• B.S. in Computer Science from Stony Brook University, NY

• Worked as a Java Developer for Fortune 500 company.

• Hated development. Loved breaking stuff.

• Took steps to teach myself about security.

• Got hired as a Security Engineer for Cisco

About Me

22© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• B.S. in Computer Science from Stony Brook University, NY

• Worked as a Java Developer for Fortune 500 company.

• Hated development. Loved breaking stuff.

• Took steps to teach myself about security.

• Got hired as a Security Engineer for Cisco

About Me

What did I do to teach myself enough to get hired?

23© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• College degree is simply not enough.

• Practice on your own time. Often!

• Find an area of study you can be passionate about.

• Get involved in the community. Contacts are valuable.

How to get an InfoSec job.

• Web Application Penetration Testing

• Malware Research / Reverse Engineering

• Network Security and Monitoring

• And much much more……..

Possible Areas of Interest

24© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

SecurityTube

• http://www.securitytube.net/

• Free training videos. Recordings from conferences.

• Paid security certifications in metasploit, aircrack, python, and more.

Courses

Coursera

• https://www.coursera.org/

• Free courses. Only pay for certificates.

• Cybersecurity specialization from Univ of Maryland.

25© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

DerbyCon

• September @ Louisville, KY

• $175.00 for 3 days.

• Beginner to advanced. Friendly community.

Conferences

B-Sides Knoxville

• May @ Knoxville, TN

• $10.00 for 1 day.

• Brand new. Super cheap. Local hackers.

26© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Matasano Challenges

• Cryptopals @ https://cryptopals.com

• Microcorruption @ https://microcorruption.com

• Starfighter @ http://starfighters.io/

Training Grounds

Capture the Flags / Wargames

• CTF Time @ https://ctftime.org

• Smash The Stack @ http://io.smashthestack.org/

• Over The Wire @ http://overthewire.org/

27© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Vulnerable VM’s

• PentesterLab @ https://pentesterlab.com/

• VulnHub @ https://www.vulnhub.com/

• Exploit Exercises @ https://exploit-exercises.com/

Training Grounds (cont.)

Vulnerable Web Applications

• WebGoat @ https://code.google.com/p/webgoat/

• Gruyere @ https://google-gruyere.appspot.com/

• DVWA @ http://www.dvwa.co.uk/

28© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Podcasts

• Risky Business

• Paul’s Security Weekly

• SecurityNow! w/ Paul Gibson

Staying Current

Reading

• Books: No Starch Press, O’Reilly

• Blogs: Krebs On Security, Project Zero

• Twitter: @SwiftOnSecurity, @thegrugq

29© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Interested in doing security evaluations?

30© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

• Frequently have openings for full time positions• Computer Science• Computer Engineering• Electrical Engineering

• Currently interviewing for summer internships• Typically have 4 summer interns

Openings

31© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Send your resume to roswest@cisco.com

Or check out

www.cisco.com/jobs

32© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Questions?