Bo Weaver, a Kali Linux expert, shares his thoughts on the security landscape in the cloud. He also talks about the skills gap in the current industry and why hiring is a tedious process. He explains the pitfalls in software development and where the tech is heading currently.
Bo, along with another Kali Linux expert, Wolf Halton, was also interviewed on why Kali Linux is the premier platform for testing and maintaining Windows security. They talked about the advantages and disadvantages of using Kali Linux for pentesting. We also asked them what they think about pentesting in cybersecurity in general. They also discussed their stance on the role of pentesting in cybersecurity in their interview titled “Security experts, Wolf Halton and Bo Weaver, discuss pentesting and cybersecurity”.
First is “The Cloud”.
I laugh and cry at this term. I have a sticker on my laptop that says “There is no Cloud…. Only other people’s computers.” Your data is sitting on someone else’s system along with other people’s data. These other people also have access to this system. Sure, security controls are in place but the security of “physical access” has been bypassed.
You’re “in the box”. One layer of security is now gone.
Also, your vendor has “FULL ACCESS” to your data in some cases. How can you be sure what is going on with your data when it is in an unknown box in an unknown data center? The first rule of security is “Trust No One”. Do you really trust Microsoft, Amazon, or Google? I sure don’t!!! Having your data physically out of your company’s control is not a good idea. Yes, it is cheaper but what are your company and its digital property worth?
The ‘real’ skills and hiring gap in tech
For the knowledge and skills gap, I see the hiring process in this industry as the biggest gap. The knowledge is out there. We now have schools that teach this field. When I started, there were no school courses. You learned on your own. Since there is training, there are a lot of skilled people out there. But go looking for a job, and it is a nightmare. IT doesn’t do the actual hiring these days. Either HR or a headhunting agency does the hiring.
The people you talk to have no clue of what you really do. They have a list of acronyms to look for that they have no clue about to match to your resume. If you don’t have the complete list, you’re booted.
If you don’t have a certain certification, you’re booted even if you’ve worked with the technology for 10 years. Once, with my skill level, it took sending out over a thousand resumes and took over a year for me to find a job in the security field.
Also, when working in security, you can’t really talk about what you exactly did in your last job due to the NDA agreements with HR or a headhunter. Writing these books is the first time I have been able to talk about what I do in detail since the network being breached is a lab network owned by myself. XYZ bank would be really mad if I published their vulnerabilities and rightly so.
In the US, most major networks are not managed by actual engineers but are managed by people with an MBA degree. The manager has no clue of what they are actually managing. These managers are more worried about their department’s P&L statement than the security of the network. In Europe, you find that the IT managers are older engineers that WORKED for years in IT and then moved to management. They fully understand the needs of a network and security.
The trouble with software development
In software development, I see a dumbing down of user interfaces. This may be good for my 6-year-old grandson, but someone like me may want more access to the system. I see developers change things just for the reason of “change”. Take Microsoft’s Ribbon in Office. Even after all these years, I find the ribbon confusing and hard to use. At least, with Libre Office, they give you a choice between a ribbon and an old school menu bar. The changes in Gnome 3 from Gnome 2. This dumbing down and attempting to make a desktop usable for a tablet and a mouse totally destroyed the usability of their desktop. What used to take 1 click now takes 4 clicks to do.
A lot of developers these days have an “I am God and you are an idiot” complex. Developers should remember that without an engineer, there would be no system for their code to run on. Listen and work with engineers.
Where do I see tech going?
Well, it is in everything these days and I don’t see this changing. I never thought I would see a Linux box running a refrigerator or controlling my car, yet we do have them today. Today, we can buy a system the size of a pack of cigarettes for less than $30.00 (Raspberry Pi) that can do more than a full-size server could do 10 years ago. This is amazing. However, this is a two-edged sword when it comes to small, “cheap” devices. When you build a cheap device, you have to keep the costs down. For most companies building these devices, security is either non-existent or is an afterthought. Yes, your whole network can be owned by first accessing that $30.00 IP camera with no security and moving on from there to eventually your Domain Controller. I know this works; I’ve done it several times.
If you wish to further learn about tools which can improve your average in password acquisition, from hash cracking, online attacks, offline attacks, and rainbow tables to social engineering, the book Kali Linux 2018: Windows Penetration Testing – Second Edition is the go-to option for you.
Bo Weaver is an old school, ponytailed geek. His first involvement with networks was in 1972 while in the US Navy working on an R&D project called ARPA NET. Bo has been working with and using Linux daily since the 1990s and is a promoter of Open Source. (Yes, Bo runs on Linux.) He now works as the senior penetration tester and security researcher for CompliancePoint, an Atlanta-based security consulting company.