Palo Alto Networks Certified Cybersecurity Associate (PCCSA)

Palo Alto Networks make security products. In particular, they sell firewalls (physical and virtual), and their Panorama software will let you manage multiple firewalls centrally (e.g. for branch offices). Their certification program has 3 tiers:

  • Entry level
  • Administrator
  • Engineer

Palo Alto Networks offer free training for all of these, although you have to pay for the exam. Even if you don’t do the exam, the training might be worthwhile on its own merits.

In December 2019, I took the entry level exam. At the time, that was the Palo Alto Networks Certified Cybersecurity Associate (PCCSA). However, that exam is being retired at the end of this month (2021-01-31), to be replaced by the Palo Alto Networks Certified Cybersecurity Entry-level Technician (PCCET). This is basically a rebranding exercise; I assume that it was confusing to have “Associate” (PCCSA) and “Administrator” (PCNSA) certifications which both ended with an A. According to the FAQ: “PCCSA certified individuals will have their credentialing status grandfathered into the upgraded PCCET certification framework.” The syllabus has been revised at the same time, to keep it up to date, but it looks much the same as before.

In brief, this exam is “what” rather than “how”, i.e. it’s all about the concepts rather than the implementation. In that respect, it’s quite similar to Microsoft 365 Fundamentals, and both exams are a similar price ($100/£70). When I did the training, the videos were about 50% advertising for Palo Alto Networks products; the pdf (ebook) was a bit more restrained, but there was still quite a bit of marketing/advocacy in there. E.g. the course will describe what WildFire and GlobalProtect are used for, but not how to configure them. By contrast, the exam was much more general, so there was a lot of overlap between this, Security+, and the SSCP.

Continue reading “Palo Alto Networks Certified Cybersecurity Associate (PCCSA)”

CCNA R&S

Cisco have offered the CCNA (Cisco Certified Network Associate) since 1998, but it’s been through a few variations over the years. They’ve changed the syllabus and the number of exams:

Year Part 1 Part 2 Combined
1998 CCNA (640-407)
2000 CCNA (640-507)
2002 CCNA (640-607)
2003 INTRO (640-821) ICND (640-811) CCNA (640-801)
2007 ICND1 (640-822) ICND2 (640-816) CCNA (640-802)
2013 ICND1 (100-101) ICND2 (200-101) CCNA R&S (200-120)
2016 ICND1 (100-105) ICND2 (200-105) CCNA R&S (200-125)
2020 CCNA (200-301)

From 1998-2016, this all applied to Routing and Switching. Meanwhile, Cisco gradually offered a range of other certifications, e.g. “CCNA Wireless” and “CCNA Security”. In 2020, these all got merged together into a single CCNA certification (except for CyberOps). This blog post covers the old R&S syllabus (2013 and 2016), not the new 2020 syllabus.

Continue reading “CCNA R&S”

Offensive Security Wireless Professional (OSWP)

In April 2019, I took the Offensive Security Wireless Attacks (WiFu) course and the OSWP exam. (Along with PenTest+ and Microsoft 365 Fundamentials, this was my third exam in a month!)

In brief, I enjoyed this. I thought the content was interesting, and the exam was actually fun (similar to an escape room). However, the course material was written in 2014 and it could do with an overhaul; Offensive Security updated the OSCP in Feb 2020, so hopefully they will do the same for the OSWP at some point.

In particular, the course objectives include these:

  • The student will learn to implement attacks against WEP encrypted networks.
  • The student will learn to implement attacks against WPA encrypted networks.
  • The student will learn alternate WEP and WPA cracking techniques.

So, is this course/certification still relevant? How many people are actually using WEP/WPA rather than WPA2 (or open networks that don’t need cracking)? WiGLE (Wireless Geographic Logging Engine) has some stats on this. Here’s a snapshot from 2020-06-07:

In particular:

  • 5.26% on WEP
  • 5.01% on WPA

So, that’s about 10% of wireless networks. Based on that, I can see the skills being useful. However, when I scanned my local (residential) neighbourhood, I couldn’t find any WEP/WPA networks. Any new router from an ISP should come pre-configured with WPA2, and it’s been that way for several years now. I also wonder how up to date those stats are, i.e. whether the WEP networks still exist.

The good news (as a pen tester) is that the same attacks will work on WPA-PSK and WPA2-PSK. According to WiGLE’s stats, 67.5% of networks use WPA2, although unfortunately they don’t show a breakdown of Personal vs. Enterprise. If you’re using WPA2-Enterprise (802.1X authentication) then you’re safe against these attacks. However, in my anecdotal experience there are a lot of WPA2-PSK networks out there.

So, that’s a roundabout way of saying that yes, this exam is still relevant.

If you run a wireless network (at home or at work), how worried should you be? Before I did this course, I’d already heard that WEP is essentially worthless; now that I’ve experienced this from the attacker’s perspective, I can confirm that’s true. WPA2-PSK can be cracked, but it relies on a dictionary attack; if you’ve got a random passphrase then you’re pretty safe, e.g.
~*TJ8H|^u@<)Fk05Uq}t;5?N\v(bv<4s-nT`H””yA$(ha.bEP”+jEg)”&y({Fr

Continue reading “Offensive Security Wireless Professional (OSWP)”

Microsoft 365 Fundamentals (MS-900)

In April 2019, I took the Microsoft 365 Fundamentals (MS-900) exam.

Microsoft offer free training; they say that this will take 4 hours 11 minutes, although you might find that you need to repeat some of the videos if you didn’t fully understand it the first time through (e.g. if you got distracted). It would also be useful to supplement this training with hands-on experience; if you don’t have access to Microsoft 365 already, you can get a single user subscription to Exchange Online (plan 1) for £3/month (+VAT), which won’t break the bank.

You might also find these blog posts useful:

The actual exam costs £69 (+VAT) which is definitely at the cheaper end of the spectrum, and I took it from home via online proctoring. According to the FAQ, the actual exam lasts 60 minutes, but the total “seat time” is 90 minutes (allowing for time to read the NDA etc). Unusually, they don’t specify how many questions there will be:
The number of questions on an exam is subject to change as we update it over time to keep current changes in the technology and job role. Most Microsoft Certification exams contain between 40-60 questions; however, the number can vary depending on the exam.
My exam had 36 questions, and some of those had multiple parts (e.g. a list of statements where you had to mark each statement as true or false). However, the content has changed since then (most recently on 2020-04-14), so your experience might be different. As another example, @Microsoft365Pro said:
“I passed this exam on 31/01/2019 the day of the release. I had 63 questions in this particular paper.”
Either “63” is a typo for “36” or we had significantly different exams! The whole thing took me about an hour; I wasn’t pushed for time, but I didn’t have loads of time left over, so I think they got it about right.

Continue reading “Microsoft 365 Fundamentals (MS-900)”

PenTest+ (PT0-001)

In April 2019, I took CompTIA’s PenTest+ exam. Along with CySA+, this bridges the gap between Security+ and CASP. As the name suggests, it’s all about penetration testing.

This is a relatively new exam, and it’s still on the first release (PT0-001). Because of that, it’s not very well known, so I haven’t seen any job adverts asking for it. Personally, I took the Security+ exam in November 2016, so that was due to expire in November 2019 (along with the A+ and Network+). Doing this exam was a good way to renew all of my existing CompTIA certifications, while learning some new skills, so I don’t regret it. However, I mainly see it as a stepping stone towards a more useful certification.

Pen testing exams generally fall into two categories: theory and practical. Like the other CompTIA exams, PenTest+ is (primarily) multiple choice. This has the advantage that it can be graded automatically by the testing software. However, it also has the downside that it’s less realistic, because it’s more fragmented. It’s entirely possible to pass this exam without ever actually doing a penetration test, which makes the certification less valuable to employers.

As an analogy, think of a driving test. Normally, you would drive around the area for a while to demonstrate your general ability, then the examiner would ask you to perform a few manoeuvres (e.g. parallel parking). Imagine instead that the examiner drove you to a suitable location, then you swapped seats so that you could do a manoeuvre, then you swapped seats again so that they could drive you to the next location. PenTest+ feels a bit like this, e.g. they might ask you how you would set up a reverse shell but you won’t need to choose when to do that.

Continue reading “PenTest+ (PT0-001)”

SSCP

In September 2018, I took the (ISC)2 SSCP exam (Systems Security Certified Practitioner). This was a bit different from any of the previous exams I’ve taken: normally I would sit the exam(s), then get a qualification if I passed. In this case, the exam is only one component: you also need to be endorsed by an (ISC)2 member who will vouch for you having suitable experience.

The name (ISC)2 is (or was) an abbreviation for International Information System Security Certification Consortium. If you think of a mathematical formula, (ISC)2 = IISSCC. They also offer the CISSP (Certified Information Systems Security Professional), which is aimed at higher level strategic roles and probably better known; that’s the type of certification that a CISO (Chief Information Security Officer) might have. By contrast, the SSCP is aimed at tactical (hands on) roles, and that interests me more than the management side of things.

The SSCP and CISSP both have a CBK (Common Body of Knowledge), spread across multiple domains (topics). Passing the SSCP or CISSP exam will qualify you to become an Associate of (ISC)2. However, to actually get the SSCP certification you need to have 1 year’s experience in at least 1 of the 7 domains. For the CISSP you need to have 5 years’ experience in at least 2 of the 8 domains.

So, if you’re trying to move from a general role (e.g. service desk) into a security role, this implies that you wouldn’t be eligible for either. However, if you have a relevant degree in a cybersecurity program then the ISC2 will accept that in lieu of a year’s experience for the SSCP.

In 2018, I was very enthusiastic about getting a more prestigious certification, and I thought that this would really open doors for me. However, reviewing it in 2020, I don’t think it’s really helped my career at all, and I don’t recall seeing any job adverts that mentioned the SSCP. Prices have also risen, so I don’t know whether I’ll maintain it long-term, and right now I wouldn’t recommend it to anyone else; my advice is to do the Security+ instead.

Continue reading “SSCP”

Security+ (SY0-401)

In November 2016, I took CompTIA’s Security+ exam.
NB I did the SY0-401 syllabus; CompTIA replaced it with SY0-501 in October 2017, so some of the info in this blog post will now be a bit out of date.

In brief, I think that this is a worthwhile certification. It emphasises breadth rather than depth, so if you want to specialise in IT security then it’s really just a starting point. However, if you’re doing general IT work then it covers a lot of topics that it’s useful for you to know. Similarly, from an employer’s point of view, someone with this certification should have a decent overview of security concepts.

Continue reading “Security+ (SY0-401)”

Sextortion

For the last couple of years (since July 2018), I’ve been receiving “sextortion” emails. There a few variations, but the basic gist is always the same:
“I’ve hacked your webcam and filmed you masturbating, now pay me money or I’ll send the video to everyone you know.”
They often include my password, in an attempt to prove that they’ve got access to my computer.

The ransom amount also varies, but they always ask for it to be paid in Bitcoin. The cheapest was €500, and the most expensive was $7,000.

First things first: this is an empty threat. I’ve received thousands of these emails, but I’ve never replied to the sender or paid any money, and there have been zero consequences. In fact, I don’t believe that the alleged video or malware actually exists at all. However, there are a few things you can do to protect yourself.

Continue reading “Sextortion”

Active Directory lockouts

A lot of organisations set up security policies so that users will be locked out if they enter the wrong password too many times. The idea is to prevent brute force attacks, where an attacker could sit there all day running through the dictionary until they guess the correct password. The downside is that this can lead to Denial of Service attacks, i.e. someone could deliberately enter the wrong password in order to stop other people from logging in. A better solution is to have a throttle, e.g. if you enter the wrong password then you have to wait 30 seconds until your next attempt. That would slow down an attacker without being a major inconvenience to legitimate users. Unfortunately, Windows domain controllers don’t support this natively, and I haven’t come across any third party software that does the same thing.

Leaving aside deliberate attacks, sometimes this can happen by accident. A common cause is that someone changes their password, but their mobile device still has the old password (to access email), and it automatically makes enough attempts to lock the account. There are some other common causes linked to a recent password change, e.g. if there is a scheduled task or a service running under a user’s account, or if they have mapped drives or cached credentials for websites.

A while back, I came across a case that was a bit more interesting. The root cause turned out to be a mismatch in authentication protocols, so the error messages were misleading: there was never actually an incorrect password! Read on for the technical details.

Continue reading “Active Directory lockouts”