PenTest+ (PT0-001)

In April 2019, I took CompTIA’s PenTest+ exam. Along with CySA+, this bridges the gap between Security+ and CASP. As the name suggests, it’s all about penetration testing.

This is a relatively new exam, and it’s still on the first release (PT0-001). Because of that, it’s not very well known, so I haven’t seen any job adverts asking for it. Personally, I took the Security+ exam in November 2016, so that was due to expire in November 2019 (along with the A+ and Network+). Doing this exam was a good way to renew all of my existing CompTIA certifications, while learning some new skills, so I don’t regret it. However, I mainly see it as a stepping stone towards a more useful certification.

Pen testing exams generally fall into two categories: theory and practical. Like the other CompTIA exams, PenTest+ is (primarily) multiple choice. This has the advantage that it can be graded automatically by the testing software. However, it also has the downside that it’s less realistic, because it’s more fragmented. It’s entirely possible to pass this exam without ever actually doing a penetration test, which makes the certification less valuable to employers.

As an analogy, think of a driving test. Normally, you would drive around the area for a while to demonstrate your general ability, then the examiner would ask you to perform a few manoeuvres (e.g. parallel parking). Imagine instead that the examiner drove you to a suitable location, then you swapped seats so that you could do a manoeuvre, then you swapped seats again so that they could drive you to the next location. PenTest+ feels a bit like this, e.g. they might ask you how you would set up a reverse shell but you won’t need to choose when to do that.

Continue reading “PenTest+ (PT0-001)”

SSCP

In September 2018, I took the (ISC)2 SSCP exam (Systems Security Certified Practitioner). This was a bit different from any of the previous exams I’ve taken: normally I would sit the exam(s), then get a qualification if I passed. In this case, the exam is only one component: you also need to be endorsed by an (ISC)2 member who will vouch for you having suitable experience.

The name (ISC)2 is (or was) an abbreviation for International Information System Security Certification Consortium. If you think of a mathematical formula, (ISC)2 = IISSCC. They also offer the CISSP (Certified Information Systems Security Professional), which is aimed at higher level strategic roles and probably better known; that’s the type of certification that a CISO (Chief Information Security Officer) might have. By contrast, the SSCP is aimed at tactical (hands on) roles, and that interests me more than the management side of things.

The SSCP and CISSP both have a CBK (Common Body of Knowledge), spread across multiple domains (topics). Passing the SSCP or CISSP exam will qualify you to become an Associate of (ISC)2. However, to actually get the SSCP certification you need to have 1 year’s experience in at least 1 of the 7 domains. For the CISSP you need to have 5 years’ experience in at least 2 of the 8 domains.

So, if you’re trying to move from a general role (e.g. service desk) into a security role, this implies that you wouldn’t be eligible for either. However, if you have a relevant degree in a cybersecurity program then (ISC)2 will accept that in lieu of a year’s experience for the SSCP.

In 2018, I was very enthusiastic about getting a more prestigious certification, and I thought that this would really open doors for me. However, reviewing it in 2020, I don’t think it’s really helped my career at all, and I don’t recall seeing any job adverts that mentioned the SSCP. Prices have also risen, so I don’t know whether I’ll maintain it long-term, and right now I wouldn’t recommend it to anyone else; my advice is to do the Security+ instead.

Continue reading “SSCP”

Security+ (SY0-401)

In November 2016, I took CompTIA’s Security+ exam.
NB I did the SY0-401 syllabus; CompTIA replaced it with SY0-501 in October 2017, so some of the info in this blog post will now be a bit out of date.

In brief, I think that this is a worthwhile certification. It emphasises breadth rather than depth, so if you want to specialise in IT security then it’s really just a starting point. However, if you’re doing general IT work then it covers a lot of topics that it’s useful for you to know. Similarly, from an employer’s point of view, someone with this certification should have a decent overview of security concepts.

Continue reading “Security+ (SY0-401)”

Sextortion

For the last couple of years (since July 2018), I’ve been receiving “sextortion” emails. There are a few variations, but the basic gist is always the same:
“I’ve hacked your webcam and filmed you masturbating, now pay me money or I’ll send the video to everyone you know.”
They often include my password, in an attempt to prove that they’ve got access to my computer.

The ransom amount also varies, but they always ask for it to be paid in Bitcoin. The cheapest was €500, and the most expensive was $7,000.

First things first: this is an empty threat. I’ve received thousands of these emails, but I’ve never replied to the sender or paid any money, and there have been zero consequences. In fact, I don’t believe that the alleged video or malware actually exists at all. However, there are a few things you can do to protect yourself.

Continue reading “Sextortion”

Active Directory lockouts

A lot of organisations set up security policies so that users will be locked out if they enter the wrong password too many times. The idea is to prevent brute force attacks, where an attacker could sit there all day running through the dictionary until they guess the correct password. The downside is that this can lead to Denial of Service attacks, i.e. someone could deliberately enter the wrong password in order to stop other people from logging in. A better solution is to have a throttle, e.g. if you enter the wrong password then you have to wait 30 seconds until your next attempt. That would slow down an attacker without being a major inconvenience to legitimate users. Unfortunately, Windows domain controllers don’t support this natively, and I haven’t come across any third party software that does the same thing.

Leaving aside deliberate attacks, sometimes this can happen by accident. A common cause is that someone changes their password, but their mobile device still has the old password (to access email), and it automatically makes enough attempts to lock the account. There are some other common causes linked to a recent password change, e.g. if there is a scheduled task or a service running under a user’s account, or if they have mapped drives or cached credentials for websites.

A while back, I came across a case that was a bit more interesting. The root cause turned out to be a mismatch in authentication protocols, so the error messages were misleading: there was never actually an incorrect password! Read on for the technical details.
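Before you can fix a lockout you have to find where the bad attempts are coming from, and which protocol is rejecting them. The script below is an added example for this post, not the author’s own code: it runs on the PDC emulator (every lockout is replicated there), pulls the 4740 lockout events for a named account, and then lists the matching Kerberos pre-authentication failures (4771) and NTLM failures (4776) so you can see whether the “wrong password” is really a wrong password, or a client falling back to a different authentication protocol. The account name `jsmith` and the 24-hour window are placeholders; the event field names are the standard ones from the Security log XML schema, and the status code meanings are assumed from Microsoft’s documentation.

```powershell
# Added example (not from the original post): locate the source of an AD account lockout.
# Run on the PDC emulator with rights to read the Security log. Assumes account lockout,
# Kerberos authentication and credential validation auditing are enabled.
param(
    [string]$User  = 'jsmith',   # placeholder: the locked-out sAMAccountName
    [int]   $Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Turn the event's <EventData> into a name -> value hashtable, so we can read fields by name
# rather than by positional index (which differs between event IDs).
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
    return $d
}

# 4740 = "A user account was locked out". TargetUserName is the locked account;
# TargetDomainName (confusingly) holds the caller computer the bad attempts came from.
function Get-Lockouts {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d['TargetUserName'] -eq $User) {
                [pscustomobject]@{ Time = $_.TimeCreated; Account = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
            }
        }
}

# 4771 = Kerberos pre-authentication failed (Status 0x18 = bad password, 0x12 = account locked/disabled).
# 4776 = NTLM credential validation (Status 0xC000006A = bad password, 0xC0000234 = account locked out).
# Seeing 4776 for an account you expect to use Kerberos is the hint that a client is falling back to NTLM.
function Get-AuthFailures {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d['TargetUserName'] -ne $User) { return }
            if ($_.Id -eq 4771) {
                [pscustomobject]@{ Time = $_.TimeCreated; Protocol = 'Kerberos'; Source = $d['IpAddress']; Status = $d['Status'] }
            } else {
                [pscustomobject]@{ Time = $_.TimeCreated; Protocol = 'NTLM';     Source = $d['Workstation']; Status = $d['Status'] }
            }
        }
}

Write-Host "Lockouts for $User in the last $Hours hours:"
Get-Lockouts | Format-Table -AutoSize

Write-Host "Failed authentications for $User, grouped by protocol, source and status:"
Get-AuthFailures |
    Group-Object Protocol, Source, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

If the grouped output shows one source hammering the account, that is your stale credential (mobile device, service, scheduled task or mapped drive). If the failures are split across Kerberos and NTLM for the same source, look at the protocol negotiation on that client before assuming anyone typed a wrong password.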

Continue reading “Active Directory lockouts”

ITIL Foundation (2011)

I recently earned the ITIL Foundation Certificate in IT Service Management, after about a week of study. I’m currently job hunting, and I’ve noticed that a lot of adverts list this as essential. It won’t get you a job on its own, but not having the qualification might exclude you from certain jobs, if the employer treats this as a deal breaker.

My exam was based on version 3 of the syllabus (updated in 2011), but Axelos have announced that they will release version 4 next year. Quoting from that page:

“The first release of ITIL 4 will be the Foundation level, currently scheduled to be launched in Q1 2019, with the following levels due for release in H2 2019.
[..]
If a candidate has taken ITIL v3 Foundation, then the recommended approach is to take ITIL 4 Foundation in order to be able to transition to the new scheme. There is a large amount of new material in ITIL 4 Foundation therefore a new single exam is required to assess end-learner’s knowledge of the new ITIL 4 Foundation guidance.”

Based on that, if you haven’t started studying for ITIL yet then I recommend waiting a few months. However, circumstances forced my hand, so I looked for training that’s specifically focussed on this exam, rather than going into more depth.

Continue reading “ITIL Foundation (2011)”

Ethernet cables: solid vs. stranded

When you set up a wired network using Ethernet cables (e.g. Cat5e or Cat6), there are 2 types: solid and stranded. The rule of thumb is that you use solid cables when they’re not going to move, e.g. between a wall socket and a patch panel. You use stranded cables when they will move, e.g. between a desktop PC and a wall socket. Solid cables are better over long distances, while stranded cables are a bit more flexible and they’ll probably survive being run over by an office chair.

However, what’s the actual difference between those types? Arguably, they’re both solid, in the sense that they’re not liquid or gas. They also both contain thinner wires inside (twisted pairs). The difference applies to the copper wire once you remove all the plastic sheaths.

Continue reading “Ethernet cables: solid vs. stranded”

Definition Update for Windows Defender – infinite loop

I recently came across an odd situation involving Windows Server 2016 and WSUS updates.

On the WSUS server, I typically see several new Definition Updates for Windows Defender (KB2267602) every day. E.g. on 2017-11-26, Microsoft released:

  • 1.257.995.0
  • 1.257.996.0
  • 1.257.998.0
  • 1.257.1001.0
  • 1.257.1003.0
  • 1.257.1005.0

The update with the highest number will supersede the others, so I only approve that one. I then install this update on my other servers, and verify that they’re all up to date with patches (0 needed).
NB Windows Defender only runs on Windows Server 2016, not Windows Server 2012 R2 (or older). I’ve only tested this on core server, not the GUI edition.
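Picking “the highest number” by eye is error prone once the fourth component passes 999, because as a string “1.257.998.0” sorts after “1.257.1001.0”. The script below is an added example (not the author’s code) that does the approval through the WSUS administration API: it finds the unapproved KB2267602 definition updates, ranks them as `[version]` objects rather than strings, and approves only the newest one for a target group. The group name `Servers` is a placeholder, and the title format (“Definition Update for Windows Defender Antivirus - KB2267602 (Definition 1.257.1005.0)”) is assumed from how these updates appear in the console.

```powershell
# Added example (not from the original post): approve only the newest Windows Defender
# definition update in WSUS. Run on the WSUS server (or a machine with the console installed),
# as a user in the WSUS Administrators group. 'Servers' is a placeholder target group name.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()  # local server, default port
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq 'Servers' }
if (-not $group) { throw "Target group 'Servers' not found" }

# Candidate updates: KB2267602 entries that are neither declined nor already approved.
$candidates = $wsus.SearchUpdates('KB2267602') |
    Where-Object { -not $_.IsDeclined -and -not $_.IsApproved }

# Rank by the definition version embedded in the title. Casting to [version] gives a numeric
# comparison of each component, so 1.257.1001.0 correctly outranks 1.257.998.0.
$ranked = $candidates | ForEach-Object {
    if ($_.Title -match '(\d+\.\d+\.\d+\.\d+)') {
        [pscustomobject]@{ Update = $_; Version = [version]$Matches[1] }
    }
} | Sort-Object Version -Descending

if (-not $ranked) { Write-Host 'No unapproved definition updates found'; return }

$newest = $ranked | Select-Object -First 1
Write-Host ("Approving {0} for group {1}" -f $newest.Update.Title, $group.Name)
[void]$newest.Update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)

# The remaining candidates are older; WSUS will flag them as superseded once the newest one is approved.
$ranked | Select-Object -Skip 1 | ForEach-Object {
    Write-Host ("Skipping older definition {0}" -f $_.Version)
}
```

Run it once a day after synchronisation, then check the clients with `Get-WindowsUpdateLog` or the WSUS console to confirm they report 0 needed updates; if the same definition keeps reappearing as needed, that is the loop this post goes on to describe.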

Continue reading “Definition Update for Windows Defender – infinite loop”

Windows FTP clients

I’ve recently been setting up a new FTP server, and I wanted it to support FTPS. However, I ran into a few problems when I tested it, which turned out to be partly due to the client software I was using. I’ve been using CuteFTP for several years: I registered for version 1.0 back in 2001, and I’ve been using version 8 since 2007. However, I’m now abandoning that in favour of FileZilla.

Continue reading “Windows FTP clients”