Share this page!

Jan Schaumann Profile picture
Twitter logo
10 Jun, 50 tweets, 14 min read
An incomplete list of #infosec core competencies
-
A Twitter 🧵 in no particular order:
You should know...

How to read a CVE announcement and assess the impact based on its CWE / CVSS score and description. Understand that CVSS scores are relative and impact in your environment may be different.
How to read a hyped, name- and logo branded, corporation backed vulnerability announcement -- as well as the relevant RFCs and actual research paper, if any, instead of just the breathless webpage -- and distill the actual, realistic threat to your environment.
The difference between a vulnerability, a threat, risk, an exploit, and attack surface; the likelihood of an exploit based on an adversary's motivation, goals, and capabilities; being able to ballpark the cost of defense within a given scope.
The difference between authentication (authN) and authorization (authZ); between secrecy and authenticity; between authenticity and integrity. Be able to translate these concepts across different contexts.
The difference between symmetric or private and asymmetric or public key cryptography; between encryption and hashing; between a key-derivation function and an HMAC used for message authentication.
You don't need to be cryptographer, but you should know roughly what the cryptographic right answers for your developers' questions are -- and why.

latacora.micro.blog/2018/04/03/cry…
The difference between encryption in transit and encryption at rest.
Know to use TLS >= 1.2, but you don't need to know the details of all the ciphers and algorithms. But you should understand mTLS and client cert validation vs. server cert validation conceptually.
Understand the x509 PKI concepts, trusted CA bundles, cert chains, and common client behavior.

Know how to use 'openssl s_client' and 'openssl x509' to troubleshoot TLS connections, including STARTTLS.

madboa.com/geek/openssl/
HTTP basics: be able to make manual HTTP requests via telnet(1); HTTP headers developer.mozilla.org/en-US/docs/Web… & CSP concepts developer.mozilla.org/en-US/docs/Web….

Be able to use in-browser developer tools to troubleshoot, debug, and replay requests.
Enough of the JavaScript and HTML DOM to understand the different XSS attack types conceptually.

w3schools.com/js/js_htmldom.…
How to use curl(1) to post data to and pull information from an API; use jq(1) to manipulate JSON.

stedolan.github.io/jq/tutorial/
Be able to use tcpdump(1) to at least get the gist of what's going on on the wire. I.e., protocol, type, port, TCP S/R/P/F/., sequence numbers, payload...

See e.g., @DanielMiessler's tutorial: danielmiessler.com/study/tcpdump/
Be able to use e.g., Wireshark to drill down into specific flows, filter and pick outliers out of the noise, debug TLS with logged pre-master secret.
Be aware of the different ICMP types beyond echo request/reply: time exceeded, fragmentation required, destination unreachable...

shouldiblockicmp.com
Be able to spot certain CIDRs. E.g., for IPv4: 127/8, 169.254/16, 224/4, 240/4, RFC1918; for IPv6: ::1, fc00::/7, fe80::/10, ff00::/8

Understand that RFC1918 does not imply the host cannot be reached from the internet; internalize that NAT is not a security control.
How to send arbitrary packets between two hosts, e.g., via nc(1) or bash /dev/tcp.

The difference between "Connection refused" and "Connection timed out", and "Name or service not known/host not found".
Be able to use dig(1), nslookup(1) and host(1) and understand why they don't care about what you put into /etc/hosts.

Understand basic DNS resolution. I.e., lookups from client->stub resolver->resolver and resolvers<->auths.

Understand domain registration, NS records, TTLs, and zone delegation.

Grasp the difference in threat model between plain DNS, DoH, and DNSSEC.
netmeister.org/blog/doh-dot-d…
Understand cache poisoning as a concept and as applied to different protocols, such as ARP, DNS, HTTP Proxy, ...
Have a general awareness of the physical internet, peering, ASNs, BGP hijacking, and how (and when) governments can (and do) censor or intercept/inspect (parts of) the internet for their jurisdiction.

See e.g.: and
How to use ktrace(1) / strace(1) / dtrace(1) to figure out just what files or sockets a program is accessing.

Two useful tutorials:
baeldung.com/linux/strace-c…
opensource.com/article/19/10/…
Be able to use nmap(1) to identify a host's open ports and fingerprint them.

bytexd.com/how-to-use-nma…
yeahhub.com/top-30-basic-n…
Be able to use SSH port forwarding, SSH pubkey options (from=, command= / ForceCommand), ProxyCommand, and use of SSH agents.

See e.g., @nixCraft's cyberciti.biz/faq/linux-unix… or Steve Friedl's unixwiz.net/techtips/ssh-a…
Basic Unix skills, pipes and common tools: grep(1), sed(1), awk(1), sort(1), uniq(1), diff(1), comm(1), tr(1), ...

MIT's "Missing Semester" is quite good here:
missing.csail.mit.edu/2020/data-wran…
Know how to use screen(1) / tmux(1) to keep long sessions uninterrupted, to resume if needed, to juggle multiple remote terminals in a single window.


danielmiessler.com/study/tmux/
Really understand the Unix permissions model: owner, group, others; permissions on directories (e.g., 1777, 0711), Unix groups; su(1) and sudo(1); how setuid/setgid works.

Understand TOCTOU attacks, mktemp(3), and umask(2).

Be able to convert timestamps between formats and know to look for UTC offset when correlating log entries.
Enough shell scripting to automate the execution of repeated commands, including flow control using loops, functions, and variable expansion.

See e.g., bash.cyberciti.biz/guide/Main_Page
Enough Python, Perl, PHP, C, Go, Java, and JavaScript to be able to read all the random code you come across and at least make some sense of it.
Enough C to understand how a buffer overflow works and how to spot one. (90% of the time a sprintf(3) of a user-generated strings into a fixed-size buffer.)

aleph1's "Smashing The Stack For Fun And Profit" is seminal here: phrack.org/issues/49/14.h…
Enough SQL to be able to explain Little Bobby Tables and to pull records from multiple tables.

w3schools.com/sql/
Enough input- and shell meta-characters escaping to detect, abuse, and fix unsanitized system(3) / popen(3) command-injections (in the various languages).

owasp.org/www-community/…
cs.rutgers.edu/~pxk/419/notes…
Be able to efficiently use your preferred packaged manager to identify file/package ownership, dependencies, package integrity. Be able to create a package for a non-trivial piece of software to understand packaging, install scripts, signatures, validation etc.
Enough AWS to be able to spin up an instance when needed. Grok the difference between NACLs and Security Groups. Be able to manage simple IAM resources and to inspect and lock down an S3 bucket.

docs.aws.amazon.com/cli/latest/use…
securingthe.cloud/aws/how-to-sec…
Enough Kerberos to understand the concept of client authentication versus service authorization, replay attacks.

roguelynn.com/words/explain-…
web.mit.edu/kerberos/dialo…
Enough PGP to be able to send/receive, encrypt/decrypt, and sign/verify encrypted and signed messages.

gnupg.org/gph/en/manual.…
devdungeon.com/content/gpg-tu…
Understand SMTP basics, email headers, etc. Know enough about SPF/DKIM/DMARC to identify those headers and understand what they are telling you.

and
Shamir's 3 Laws of Cryptography:

Absolutely secure systems do not exist
To halve your vulnerability, you have to double your expenditure
Cryptography is typically bypassed, not penetrated
Schneier's Law (Any person can invent a security system so clever that she or he can't think of how to break it.) and not to attempt to invent your own cryptographic protocol.
Be able to explain core concepts like Zero Trust, Defense in Depth, Least Privilege, Failing Closed, and Kerckhoff's Principle vs. Security by Obscurity.
How containers are different from virtual machines, and what their respective trust- and control boundaries are.
How to file an actionable, useful bug report: infiniteundo.com/post/366780964…

Know how to manage your own ticket queue. (See also: )
When to seek input from others: there's not just domain specific, but plenty of general security expertise outside of the information security team.
Nothing, absolutely nothing about cryptocurrencies. "Crypto" means "Cryptosporidiosis". I mean: "cryptography". That's all you need to know.
Ok, now most of this overlaps with my own experiences, and you may do well without some of the above. Don't stress about any gaps you might have - I meant to provide these as a starting point for folks to pick a place to learn more.
Some people will disagree and point out other areas. That's all quite ok. It's a broad subject. Bring your own background, take your own path.
Oh, and if you notice that a lot of this overlaps with SysAdminning and general computering on the internet and isn't even all that infosec specific... that's not coincidence.

Good ops is good security.
But enough for tonight.

This thread as a single HTML page here: netmeister.org/blog/infosec-c…

🔐 ✌️

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Jan Schaumann

Jan Schaumann Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jschauma

Jan Schaumann Profile picture
3 Apr
Look, your email validation logic is very, very likely wrong.

A few examples:
Email addresses can contain multiple '@'s.

Well, SMTP "RCPT TO" anyway, where this is valid:

@1st.relay,@2nd.relay:user@final.domain

MTAs generally don't relay them any more, but most seem to accept and deliver to user@final.domain.
Bang paths may be accepted.

No, not what you think, you pig. UUCP. This is valid:

relay.domain!user@domain

Your MTA will probably reject this as an attempt to relay, but, hey, it's valid, although RFC5321 does not tell you to treat "!" special.
Read 17 tweets
Jan Schaumann Profile picture
1 Apr
Oh, lol, looks like Azure DNS is busted right now. That's... gotta hurt.
How’d I notice? I didn’t receive an email to my @FollowStevens address, because my mail server doesn’t talk to MTAs that it can’t reverse the IP address for, which is a great lesson for my students, since we _just_ discussed SMTP and spam protections. 😂

So yeah, “there is no cloud, only other people’s computers” once again.
Read 4 tweets
Jan Schaumann Profile picture
10 Feb
10 Software Engineering Laws Everybody Loves to Ignore

A Twitter 🧵
1. Conway's Law

Also known as: "You will ship your org chart."

"Any organization that designs a system will produce a design whose structure is a copy of the organization's communication structure."
You may _think_ you can avoid it via cross-functional standup meetings and stakeholder updates and decision matrices, but eventually and inevitably conflicting or diverging priorities will lead to equally conflicting or divergent processes and outcomes.
Read 19 tweets
Jan Schaumann Profile picture
6 Aug 20
7 battles #infosec has lost but we keep wasting efforts on trying to fight again and again nonetheless:
1) Users will always click on links in emails.

Stop trying to teach them to distinguish "bad" and "good" links. Instead, focus on ensuring their computer cannot be compromised by visiting a website and phished credentials are time-limited or otherwise useless to the attacker.
2) Users will pick bad passwords that they then reuse.

You can get _some_ users to use a password manager, but you can't enforce good passwords and practices. The only real solution is multi-factor auth, preferably via FIDO U2F and/or biometrics.
Read 10 tweets
Jan Schaumann Profile picture
1 Apr 20
A Few Simple* Rules To Build Scalable Tools

🧵 👇

* "simple", yes, in nature; consistently applying them requires discipline
Don't assume you can write intermediate data to a temporary file. Avoid I/O where possible. Avoid state.

Don't try to read all input into memory. Process as a stream.

When implementing e.g., an HTTP API, don't generate all data in one go. Paginate results.
Don't hardcode assumptions and user- or environment- specific settings. Separate code and config.

Don't leak tokens or passwords. Separate config from secrets.

Don't trust input outside of your control. Assume a hostile environment.
Read 8 tweets
Jan Schaumann Profile picture
11 Mar 20
So You Have A Jira Queue...

A brief Twitter r̶a̶n̶t̶ 🧵 on responsible ticket management, born out of years of frustration:
There's few things as frustrating in a large organization as diligently filing a ticket or reporting a problem only for it to sit there without anybody looking at it until it's closed by some automated job marking it as stale because it hasn't seen any updates in a year.
If you have a product that warrants a ticket queue, then you owe it to your users to manage it just as you owe it to your team to manage their workload.

Proper ticket management helps you set expectations, drive metrics, gain insights, and allow others to rely on you.
Read 19 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @jschauma has new unrolls!

Check out other threads from @jschauma!

Read all threads by @jschauma

:(