A quick note on Consulting

A chat with a great guy I met at the GOVIS meetup, and he gave me a lesson on how to market thyself and on understanding what the public wants to hear.

Thank you sir for the greatest advice given for the year 2015.

If you can understand the process flow, then you would understand the great idea. Otherwise, too bad 🙂

PCI DSS v3.0 Basics

Why is the PCI DSS standard relevant to you? Yes, you, the person who runs financial transactions over the world wide web for your company. It is relevant because it exists to protect the cardholder data of the people using the card payment services at your site from misuse by dirty operators or black hat aficionados. It applies to any organisation that stores, processes or transmits cardholder data, and the card brands require compliance as a condition of accepting their cards.

With all the breaches you hear about in the news, maybe it is time to invest in proper standards compliance so that the chance of a breach at your site is reduced.

The standard is organised into six control objectives (goals), which between them cover twelve requirements. The goals are:
1. Build and maintain a secure network and systems in which transactions can be performed: firewalls between untrusted networks and the cardholder data environment, and no vendor-supplied default passwords or settings.
2. Protect cardholder data. Stored cardholder data must be protected (the primary account number, the PAN, is rendered unreadable wherever it is stored and masked when displayed), and it must be encrypted when transmitted over open, public networks. Sensitive authentication data such as the CVV/CVC, PIN and full track data must never be stored after authorisation.
3. Maintain a vulnerability management program: every system in the environment is kept patched and protected against malware, and applications are developed securely, so that attackers cannot get in through known weaknesses.
4. Implement strong access control measures: access to cardholder data is restricted on a need-to-know basis, every user has a unique ID, and physical access to cardholder data is restricted.
5. Regularly monitor and test networks: all access to network resources and cardholder data is tracked and logged, and security systems and processes are tested regularly.
6. Maintain an information security policy that addresses information security for all personnel. It must be kept up to date, audited regularly, and actually practised all the time.
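As an added illustration of the second goal (protect cardholder data), here is a small Python example. It is not code from the original post or from the PCI SSC; the record layout, the field names and the log lines are my assumptions. It shows the display-masking rule from Requirement 3.3 (at most the first six and last four digits of the PAN), a Luhn check so that only genuine card numbers get masked in free-text logs, and an allow-list so that the CVV and other sensitive authentication data never reach storage after authorisation (Requirement 3.2).

```python
import re

# Added example, not code from the original post or from the PCI SSC. It
# illustrates PCI DSS Requirement 3 ("Protect Cardholder Data"):
#   3.2  never store sensitive authentication data (CVV/CVC, PIN, full track)
#        after authorisation;
#   3.3  mask the PAN when displayed (at most first six and last four digits);
#   3.4  render the PAN unreadable wherever it is stored (here: truncation).
# The record layout (keys 'pan', 'expiry', 'name', 'cvv') and the log line
# format are my assumptions, not something the page defines.

# 13 to 19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# Fields that may be kept post-authorisation: an allow-list, not a deny-list,
# so a new sensitive field added upstream is dropped by default.
STORABLE_FIELDS = ("expiry", "name")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: rejects typos and numbers that merely look like a PAN."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3 display form: first six and last four digits, the rest masked."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub_log_line(line: str) -> str:
    """Replace Luhn-valid PANs in free text with the masked form before logging.

    Numbers that fail Luhn are left alone, so order IDs and timestamps are not mangled.
    """
    def repl(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, line)


def prepare_for_storage(record: dict) -> dict:
    """Return only the fields of a transaction record allowed to persist after authorisation.

    The full PAN is replaced by its masked (truncated) form; CVV, PIN and track
    data are never copied across because they are not in STORABLE_FIELDS.
    """
    digits = re.sub(r"\D", "", record["pan"])
    if not luhn_ok(digits):
        raise ValueError("PAN failed Luhn check")
    stored = {"pan_masked": mask_pan(digits)}
    for key in STORABLE_FIELDS:
        if key in record:
            stored[key] = record[key]
    return stored


if __name__ == "__main__":
    # Constructed sample data: 4111 1111 1111 1111 is the well-known Visa test PAN.
    txn = {"pan": "4111 1111 1111 1111", "expiry": "12/17", "name": "A CUSTOMER", "cvv": "123"}
    print(prepare_for_storage(txn))
    print(scrub_log_line("2015-05-01 payment ok pan=4111 1111 1111 1111 amount=19.90"))
    print(scrub_log_line("order 1234 5678 9012 3456 shipped"))  # fails Luhn, left untouched
```

The point of the allow-list in prepare_for_storage is that a field you forgot about (a new "cvv2" column, say) is dropped by default instead of silently persisted; a deny-list would do the opposite. The Luhn filter in scrub_log_line keeps the log scrubber from mangling every 16-digit order number, which is the usual reason such scrubbers get switched off in practice.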

If your site is running credit card transactions, are you PCI DSS compliant? If not, it is about time you were!

For more information on PCI DSS standards, check out
https://www.pcisecuritystandards.org/security_standards/index.php

At the time of writing the current version is 3.0: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

Short Notes on Penetration Testing Methodologies

There are many flavours of pen test across platforms, but the best way to approach each of them is step by step. The phases below are cherry-picked from the SANS course outlines.

For Web applications:
1. Recon
2. Mapping
3. Exploitation
4. Post-Exploitation
5. Reporting

Mobile Device pentesting:
1. Recon
2. Scanning
3. Exploitation
4. Post-Exploitation

Exploit Development
1. Recon
2. Scanning
3. Exploitation
4. Post-Exploitation
5. Notable Techniques

Network Penetration Testing
1. Recon
2. Scanning
3. Exploitation
4. Post-Exploitation
5. Reporting

Wireless Penetration Testing
1. Recon
2. Scanning
3. Exploitation
4. Post-Exploitation
5. Reporting

Any further notes or queries, feel free to post 🙂

Safe practices looking after your personal computer.

A little mishap happened to my mom's computer. I believe it was related to some shortcut virus going around. Not having my mom's computer in front of me prevents me from checking or isolating the virus. Anyway, these are good practices one should adopt all the time.

1. Update your computer's antivirus and operating system. Do this at least once a week; it is crucial, as viruses are nasty nowadays.

2. Don't let curiosity lead you to open unsolicited emails or pop-ups from Facebook and the various sites out there (porn included). Remember that these sites are designed to harvest your information and infect you, not to test your capabilities. It is a form of social engineering: they know what interests you.

3. Always upgrade to the latest OS, especially if you run Microsoft Windows. It is a nasty piece of OS and everyone loves attacking it, because Microsoft makes up the huge majority of the computer market share. The latest I know, Mac only makes up 7-8% of the population.

4. In case of a virus attack, first update your antivirus software's signatures, then run a full scan. If you are not sure how, be curious: go around the buttons and see what they do. It is a computer, not a NASA rocket. Learn it well, like your car. It is very important. No excuses here.

5. Keep your support contacts always ready. The same way your car breaks down, you have to prepare for the worst with your computer. Keep the contacts handy and don't be nervous about it. It is normal to have an attack; just treat it like any other symptom.

6. And like a car breakdown, keep some spare cash for computer breakdowns. It can be expensive, and when it's crucial you need it done urgently. Spend.

7. Always have a backup device like an iPad to run your email, and keep a copy of your data in the cloud. That way you have not lost your data when the real computer fails. Cloud providers have to meet stringent compliance standards to operate, so keeping a copy there is safer than relying on a single machine.

Rules in becoming a Consultant

My journey in security has started, and I have already learnt a few lessons that are critical. This is an ever-growing process, and this list serves as the cardinal rules of living as a security consultant.

Rules can differ depending on the job you do; therefore, if the job is high level, be very clear on your fundamentals, and if you are not, admit that you do not have a strong base in the subject matter.

So there we go; my rule book, like Agent Gibbs of NCIS.

Rule#1: Trust. Learn to trust your team, and believe that a solution can be met as a team. You are never alone.

Rule#2: Admit when you do not know. Yes, admitting it can be a dent to your ego, but listen: better to be honest than to lie all the way, because your reputation goes down the drain if you can't deliver.

Rule#3: Strip the ego. We men have lots of ego and pride. In some cultures it is great, in some it is not. This is a precursor to #2: ego is built up, hence you hate admitting the truth. Get over it and be a stronger person.

Rule#4: Teamwork. We each have our niche and our strengths. We can't know everything. Develop your strengths and work towards them. Understand your weaknesses and talk to your team about them.

Rule#5: Listen. Listening is not hearing. Listening is understanding what is needed in a job. Listening plays an integral part in #1. It can inadvertently make or break a relationship or a team. Learn to listen.

Rule#6: Follow instructions. Following instructions is important to building one's capability to learn. Instructions often carry someone's experience or describe a job that needs to be undertaken, and if they are not followed it leads to failure of the team.

Rule#7: Believe in your ability. Always believe in your ability to deliver a project or undertaking. Never be overwhelmed by others; you have your own strengths. Excel in them.

More to come..