Mutes the Meat · Discussion Starter · #1
Those of you who are friends with me on Facebook may know that I have been studying for the CompTIA Security+ certification in order to specialize into this field. It's growing, and apparently qualified people are in demand. As far as the multiple-choice questions on the exam, I am sure I won't have much difficulty regurgitating the information. But apparently there are "Performance Based" questions on the exam now, and while I am not unfamiliar with public/private keys and checksums and the like, my experience is mainly derived from verifying Linux package files and things like registering my certificate with Ubuntu's Launchpad service.

There is also the issue of being a guy with a certification but no skills. I fucking hate those guys, and I do not wish to be one. Therefore I want to create an environment to test these skills, I want to be able to build and test a secure environment. Real-world skills + the studying + the certifications = a good candidate for a job.

Current OS for me is Windows 7. Thanks in advance, I hope to take the exam soon. I have been affected by the government shutdown and need to hit up the job market...
 

(╯°□°)╯︵ ┻━┻
So, start out spending a lot of time with Unix.

Buy and read Applied Cryptography: Protocols, Algorithms, and Source Code in C by Bruce Schneier (on Amazon.com as a Kindle eBook) and just about any other book by Bruce Schneier.

Follow the research of people and companies like Matasano Security (their research page), http://cr.yp.to/crypto.html, and daemonology.net

Also, if you know security stuff, can get around in Unix and Windows and OS X, and are competent at software engineering skills - you can have a VERY well paid job
 

Mutes the Meat · Discussion Starter · #3
Thank you sir. I have spent a lot of time in GNU/Linux mostly in Arch Linux and in Ubuntu. GNU/Linux is a derivative of Unix of course, but should I have more experience in *actual* Unix to be useful or would my experience in GNU/Linux be sufficient?

EDIT: Posted before your edit.

I can get around in all OSes mentioned, and I have a handle on computer programming. The sparser space for me is knowing exactly how security technologies are implemented in a real environment.

I didn't think I would be interested in crypto, but I really am. Cool stuff.
 

(╯°□°)╯︵ ┻━┻
It's helpful to be familiar with the differences between BSD and System V, but knowing only one really well is absolutely fine.

Also, a list of books to read by one of the founders of Matasano, one of the most respected security people around: An Application Security Reading List (on Amazon.com)

And just note, this list is strongly focused on the intersection of security/programmer, but there are some very good books there. I've read about 80% of them and they're all great.
 

I am Groot
90% of the professional world uses RedHat/CentOS. You need to know that, or you need to not even bother. :2c:
 

Mutes the Meat · Discussion Starter · #7
noodles said:
90% of the professional world uses RedHat/CentOS. You need to know that, or you need to not even bother. :2c:
Downloaded the CentOS live image earlier. Played with it a bit last year, I'll refresh.
 

Mutes the Meat · Discussion Starter · #8
Forgive me, I have a lack of real-world experience on this topic, but as I understand it, familiarizing myself with how things work in SELinux will give me all of the practical knowledge I need for this field? Cryptography is my blank point in real-world experience. I have done user account management and the like before, and honestly the physical security aspects are obvious.
 

I am Groot
No one uses SELinux. Piece of shit. :lol:
 

Mutes the Meat · Discussion Starter · #10
noodles said:
No one uses SELinux. Piece of shit. :lol:

I thought SELinux provided the core/base for secure linux environments? Does Red Hat not employ SELinux?

Let me rephrase my original question then. If I use CentOS to familiarize myself with security, will that provide adequate practical understanding for the job?
 

(╯°□°)╯︵ ┻━┻
SELinux is frequently disabled, but I would most certainly assume that you have to know it.

It is a pain in the ass, but it's getting much better, and a properly configured box running SELinux is quite simply more secure than the same box not running SELinux.

And yes, CentOS does support SELinux. Almost all server versions of Linux do.

One thing to note about CentOS or RHEL: a painfully large percentage of production environments that use CentOS run disgustingly ancient versions. This, more than anything, causes me to absolutely LOATHE CentOS and any Linux that uses yum/rpm... fucking heathens :lol:
 

I am Groot
I HATE that CentOS/RH won't let you upgrade from 5.x to 6.x. It makes it a royal pain to migrate older production servers. However, auditors like the name, hardware companies develop for it, and it works for most of what you wanna do out of the box. Besides, I run a Spacewalk server and maintain exactly the package set that I want.
 

Mutes the Meat · Discussion Starter · #13
Well I guess I am building some CentOS VMs tomorrow :lol:

Implementing PKI with a bunch of CentOS VMs for practice is a sane idea, yes?

I have my Security+ study materials, but a book is a book. Other than implementing and testing PKI, are there some other on-the-job tasks related to security that I should be able to perform in a lab? OS-wise, of course.
 

MG.ORG Irregular
The last time I looked at it, it seemed like most of the things SELinux would be useful for you wouldn't really do on a Linux box anyway. That, or there were other ways of securing things which were easier.

So the Security+ actually has computer questions now? The one I took had just about nothing to do with computers and just general security concepts.

CentOS is literally unbranded RHEL source code compiled and distributed. It's not like Oracle Enterprise Linux, etc. where they "add bits and bobs" and "change some things."

I'd familiarize with Debian too if you've not used it. Chances are if it's not RHEL or CentOS it's Debian.
 

(╯°□°)╯︵ ┻━┻
SELinux is great if you have application-specific servers. At work we have thousands and thousands of (virtual) machines in production and each machine is dedicated to exactly one thing. SELinux is fantastic in that kind of environment. But if you have a server that is a shared login server running 30 different services, good fucking luck.

And for servers, CentOS is FAR more common in my experience. Debian/Ubuntu is growing fast, and absolutely no one uses Arch or Gentoo or any other distro.
 

I am Groot
(╯°□°)╯︵ ┻━┻ said:
SELinux is great if you have application-specific servers. At work we have thousands and thousands of (virtual) machines in production and each machine is dedicated to exactly one thing. SELinux is fantastic in that kind of environment. But if you have a server that is a shared login server running 30 different services, good fucking luck.

I'm supporting a ton of dev work, since we're moving from Solaris to Linux. Spending any amount of effort locking that stuff down is a complete waste of time.

On the production side, I've got a bunch of CAs that are under two-party control for physical access, requiring a smart card inserted into a HSM to do ANYTHING, and BSM used to log file writes, login/logouts, and process starts/stops/hups. They're rotated and internally audited weekly. You can only admin the machine on the console; my pam.conf is a fucking desert.

On the Linux side, I'm effectively duplicating that. I really, really hate auditd, but it satisfies the audit requirement. SELinux doesn't really matter so much when you're at the point of ripping sshd off a server.

(╯°□°)╯︵ ┻━┻ said:
And for servers, CentOS is FAR more common in my experience. Debian/Ubuntu is growing fast, and absolutely no one uses Arch or Gentoo or any other distro.

For some fucking reason, several places around here are looking for SUSE admins. Poor, dumb bastards. :lol:

Mutes the Meat said:
Well I guess I am building some CentOS VMs tomorrow :lol:

Implementing PKI with a bunch of CentOS VMs for practice is a sane idea, yes?

I have my Security+ study materials, but a book is a book. Other than implementing and testing PKI, are there some other on-the-job tasks related to security that I should be able to perform in a lab? OS-wise, of course.

Have you read the CIS security hardening paper for your OS of choice? You learn a ton of shit right there. That's an excellent general start towards not just how to secure a box, but at gaining that mindset of the only methods you wish to allow people access, and how limited that access can be to allow the server to function. That is what elq was getting at with using SELinux aimed at servers performing singular functions; he approaches it from this mindset.

Later, you'll start picturing how physical security and network security (firewalls, IDS/IPS, etc) can refine your overall approach. I'm a big fan of right tool for the job, rather than running an inferior piece of software on the local server.
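A small baseline-check script in the spirit of the CIS hardening approach described above, added here as an example (it is not from the thread or from CIS): it checks constructed sample files for the sshd exposure settings, SELinux mode and audit rules the posts discuss. The file paths, the chosen settings and rule strings, and the sample contents are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a tiny CIS-style baseline check for three
# controls the posts discuss: sshd exposure, SELinux mode and audit rules.
# Paths are parameters so it runs on constructed samples; on a real CentOS box
# they would be /etc/ssh/sshd_config, /etc/selinux/config, /etc/audit/audit.rules.

# Effective value of an sshd_config keyword: sshd uses the FIRST non-comment
# occurrence, so stop at the first match (case-insensitive keyword).
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1) == key { print $2; exit }' "$1"
}

# Each check lists findings on stderr and prints the number of failures.
check_sshd() {
    n=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no X11Forwarding=no; do
        key=${pair%=*}; want=${pair#*=}
        # Benchmarks want the value set explicitly, so a missing keyword fails.
        if [ "$(sshd_value "$1" "$key")" != "$want" ]; then
            echo "sshd: $key should be $want" >&2; n=$((n + 1))
        fi
    done
    echo "$n"
}

check_selinux() {
    mode=$(sed -n 's/^SELINUX=//p' "$1")
    [ "$mode" = enforcing ] && echo 0 && return
    echo "selinux: SELINUX=$mode, expected enforcing" >&2; echo 1
}

# Watches for account-file writes, login records and process starts (execve),
# the same three things the post above describes logging with BSM.
check_audit() {
    n=0
    for want in '-w /etc/passwd -p wa' '-w /var/log/lastlog -p wa' '-S execve'; do
        grep -qF -- "$want" "$1" || { echo "audit: missing '$want'" >&2; n=$((n + 1)); }
    done
    echo "$n"
}

# Constructed sample files (not from any real host) so the script runs as-is.
lab=$(mktemp -d)
printf '#PermitRootLogin yes\nPasswordAuthentication yes\nX11Forwarding yes\n' > "$lab/sshd_config"
printf 'SELINUX=permissive\nSELINUXTYPE=targeted\n' > "$lab/selinux"
printf -- '-w /etc/passwd -p wa -k identity\n-a always,exit -F arch=b64 -S execve -k exec\n' > "$lab/audit.rules"
total=$(( $(check_sshd "$lab/sshd_config") + $(check_selinux "$lab/selinux") + $(check_audit "$lab/audit.rules") ))
echo "failed checks: $total"
```

Run against the sample files it reports six failures; point the three functions at the real config files to audit a lab VM.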
 

Mutes the Meat · Discussion Starter · #17
MG.ORG Irregular said:
So the Security+ actually has computer questions now? The one I took had just about nothing to do with computers and just general security concepts.

Apparently they have incorporated some set of questions that require you to complete a certain task: rat, find cheese. But yeah, the study material is mostly concepts. You learn about best practices, types of attacks, what is out there for security, etc. Actually knowing how to do any of it is apparently out of the scope of Security+ :lol:

But hey, lots of companies want it. Guess it's just the baseline "you have vocabulary" deal...

noodles said:
I'm supporting a ton of dev work, since we're moving from Solaris to Linux. Spending any amount of effort locking that stuff down is a complete waste of time.

On the production side, I've got a bunch of CAs that are under two-party control for physical access, requiring a smart card inserted into a HSM to do ANYTHING, and BSM used to log file writes, login/logouts, and process starts/stops/hups. They're rotated and internally audited weekly. You can only admin the machine on the console; my pam.conf is a fucking desert.

On the Linux side, I'm effectively duplicating that. I really, really hate auditd, but it satisfies the audit requirement. SELinux doesn't really matter so much when you're at the point of ripping sshd off a server.

For some fucking reason, several places around here are looking for SUSE admins. Poor, dumb bastards. :lol:

Have you read the CIS security hardening paper for your OS of choice? You learn a ton of shit right there. That's an excellent general start towards not just how to secure a box, but at gaining that mindset of the only methods you wish to allow people access, and how limited that access can be to allow the server to function. That is what elq was getting at with using SELinux aimed at servers performing singular functions; he approaches it from this mindset.

Later, you'll start picturing how physical security and network security (firewalls, IDS/IPS, etc) can refine your overall approach. I'm a big fan of right tool for the job, rather than running an inferior piece of software on the local server.

I haven't read the CIS paper, I'll seek it out.

Are you talking about the resources listed here?

https://benchmarks.cisecurity.org/downloads/multiform/index.cfm

In your approach are you hardening the OS and handling crypto through an HSM? At your job are you ever required to be competent at configuring network gear or designing a network, or is that handled by the network guys exclusively?
 

I am Groot

Banned
(╯°□°)╯︵ ┻━┻ said:
SELinux is frequently disabled, but I would most certainly assume that you have to know it.

It is a pain in the ass, but it's getting much better, and a properly configured box running SELinux is quite simply more secure than the same box not running SELinux.

And yes, CentOS does support SELinux. Almost all server versions of Linux do.

One thing to note about CentOS or RHEL: a painfully large percentage of production environments that use CentOS run disgustingly ancient versions. This, more than anything, causes me to absolutely LOATHE CentOS and any Linux that uses yum/rpm... fucking heathens :lol:

I fucking loathe CentOS as well. Out of all the production servers in our environment, the only one that's still CentOS is our licensing server for an engineering app. Otherwise it's all Ubuntu now. It used to be SUSE. :puke:
 

Mutes the Meat · Discussion Starter · #20
noodles said:
We're a special case, since CAs have unique security requirements. I basically work hand in hand with our firewall/network guy.

Ah cool. Managing and securing CAs is basically your gig at work then?

I know Stu loves being a networking guy...but...that shit is boring. I set up a little Cisco lab years back thinking I might want to be a CCNA, but I just couldn't get into it.
 