Crazy Adventures in Cyber Security

Right, which book is number one on Amazon in the programming category?

Some fancy Java guide the size of a small house? A Python book to make PhD computer scientists cry? Some new language you must learn but have never heard of?

No, it’s Get Coding from Walker Books. A kid’s & everyone guide to HTML, CSS & Javascript. And you know what, it’s brilliant.

Why am I reviewing a kid’s book? Long answer follows. Application security & best practice programming is vital in cyber security. I don’t know a lot about programming – I’m covering that off at university next year. Plus, I like the web & want to focus on it.

Enter this book. It’s a colourful work book, with a tonne of explanations, illustrations & exercises. It’s clear, concise & the story is very funny.

HTML, CSS & javascript are essential skills to have. Basically, you need to know them. If you don’t – this is a great place to start. It answers all the questions you were too shy to ask. There’s explanations on everything from HTML tags to how to tell your browser you’re now writing javascript.

I was stunned by the scope of this book & how it effortlessly introduces the core skills any web developer needs.

You got all the tag stuff of course. You got the style sheet madness – in a good level of detail. And, a great introduction to javascript itself.

But, on top of that you have talk of iframes, APIs & wireframing….what more could you ask? Plus, the exercises are fun & part of a funny little story that carries on through the book.

I can’t recommend this enough. If you’re worried about picking up kid’s book – forget it – we all learn in different ways & sometimes approaching like a kid is perfect. For them, learning needs to be interesting & fun. This cool book is both. It’s also backed up by a snazzy website.

Check it out if you’re interested!

Get Coding Book

Recently, my ambition to work in the field of cyber security has been under a bit of pressure. I’ve been struggling as just how to connect the dots and make it really happen.

Changes at work have developed my role but I’m no closer to any formal cyber security brief. Sometimes it feels like a fortress I just can’t break into.

So, I thought this skills list might be useful.

Firstly, I want to introduce you to the unsavoury reality that I’ve come across when trying to answer the question – how do I get into cyber security?

The Established Path – join an established network team as a small child and get through all your Cisco qualifications around networking. Bugger around with corporate firewalls. Have an in-depth and practical knowledge of the OSI model, packet-switching and ports.

If you know the guy below from the TV series The Office – you ‘ll know what I mean.

Job done.

You are now the kinda candidate everyone seems to be looking for. (Women, career-changers and anyone who didn’t follow the networking route need not apply).

Apologies if that all sounds very gloomy but that’s just sometimes how it feels – as I said when I started this blog – they don’t make it easier.

And, talk of new digital apprenticeships won’t mean much to the many career-changers I’ve spoken to. Being super-cynical, I’d say they’re just enough to enable the industry to say ‘we’re doing something’ but not enough to threaten the premier status of many in the industry establishment.

Enough of this gloom – following my career research – here are 5 key skills I’ve come across. If you are looking to get into cyber security, if you don’t where or how, then focusing on these will give you a good start…well, that’s the plan at least. These are presented in no order

• Application Security – I remember reading somewhere, might have been on CBeebies, that 90% of vulnerabilities are within applications themselves. With that in mind, I suggest a grasp of a least one programming language a good starting point. You need to understand the critical structures in object orientated programming. Add to this the software development cycle and testing. Me, I’m learning Java on my course next year.

• Web Stuff – Scripting languages – we all love them – HTML, CSS and Javascript. Building blocks of the world wide web. Plus, how web services are deployed and provisioned. For me, getting to grips with these areas in 2018-2019 is going to be a key challenge. Like it or not, the web is at the centre of many security challenges.

• Stay Awake in Your Network Classes – you don’t need to be able to work out a subnet mask or an IP address in binary but the bit around the OSI model and that dusty MS networking book you were given are far more powerful and important that you might have realised. They underpin pretty much everything in modern computing. I’ve studied this stuff – I will be revisiting it. Virtual ports and all that jazz – a critical area in my opinion. Remember, you don’t need to be able to program in machine code but you do need to have a good understanding of what goes where in networking.

• Talking Cyber Security in Business – now, I’m not expert but I kinda the feeling that the rule of the network teams is coming to end. The industry is going to need a broad sweep of tech-savvy business folks. Training and education are going to be challenges – us career changers can help there. We know that jungle.

• Cyber Security in Your Pants – well, not literally, I’m just making the point that it is becoming part of so many jobs from access management through to vulnerabilities to new websites. Be curious in your current role. Find areas where you can put your cyber-sec hat on and start investigating. I’ve found vulnerabilities in websites, applications – all sorts of places. It might not be in your job title but make that effort to support yourself and your company by being an extra pair of eyes. Read widely so you know what to look for you. I’ve also found that you don’t need to understand all of the technical details to be able to expose vulnerability. Just think a bit differently, dig in a different area – look to prove that something could be done. For example, if you’re looking at injecting hostile code – it could just be pseudo-code – doesn’t have to be real, just proving that you can get it onto another machine will prove your point.

OK so that’s my take. I’m going to continue working on my dream now. I’m officially half-way through my computing degree, I’m building the kind of experience I need to, I just need a bit a luck to get to where I want to be…..

Cheers

Sean

I’m an experienced book reviewer but to date pretty much everything I’ve done has been related to zombies & horror(!). Well, time for a change. As I build up my own security library, I’m going to review the best books I find. Now we’re all different so maybe they won’t float your boat but I’ve found them useful on my path….

So, here we go….something in here for most people I think:

With the full title of: Internet Security Made Easy: Take Control of Your Online World, author Richard Williams dons a superman cape to try to gather together everything ‘most users’ need to know about being safe online & all that jazz….an impossible task you say?

Now, I must confess, no matter how bold the claim, I love this kind of book. I grabbed a copy of the paperback in a discount book shop – costs around £4 on amazon (links below). It’s a pretty glossy volume, good quality & well-laid out.

First things first – it says ‘straightforward’ on the cover & the book stays true to that mantra. So, even if you are a budding ‘security’ fanatic like me, there is plenty in there for everyone – be it a recap or some new stuff for you.

I knew much of the content on the history of the Internet, the web & virus types but it was great to get this refresher to make sure everything was straight in my own mind. Equally, I think this would be an ideal primer for anyone who wants to get to grips with ‘security’.

Considering it was published in 2015, it’s all dated pretty well – perhaps with the exception of the anti-virus software providers section – which to be honest, isn’t a million miles out. The mobile content probably needs a bit of an update but again, it’s pretty close to the mark.

The author is not a technical expert & I think this helps his quest. He basically takes everything floating out there & gets it into a format we can all understand. I liked his style & the pages were laid out specifically to make things easy to get a handle on.

Contents include an introduction to the Internet & web, some general bumpf on online security, a section on anti-virus software, browsers & some more advanced trouble shooting content.

My only slight criticism of the book is when it addresses dealing with some of the more troublesome malware that can both hide in your system & dodge many virus-checkers. This is the kind of threat that sometimes involves delving in the registry of your operating system & the book includes some detail on what to delete once you’re in this Aladdin’s Cave. To be fair, the author does warn you to back up your system & it is perhaps advice intended folks on the more advanced side of the user spectrum but still, I felt I should point it out. Messing around in your registry can cause you some serious headaches, that’s all I’d say. It’s one of those areas where a little knowledge is very dangerous. Just a small point really.

I’ve had this book around 6 months now. I’ve not read it from cover to cover but I’ve read chunks of it on an on-going basis & found it to be a really useful volume. By now, I reckon I’ve pawed over every page at least once!

It really sets out what it plans to do. There’s something in there for everyone & it’s a good recap of what we should all know about staying safe & secure online. Thoroughly recommended & well-worth the price.

Linky to the Booky on Amazony

Back in the summer of 2015, I started to study for my BSc in computing. The Open University was my choice – the decision seemed pretty obvious at the time – I was planning to study remotely, I was doing it part-time & working at the same time…

I’m nowalmost half-way through – that’s right – it takes around 6 years if you’re doing it part-time – it’s no quick fix.

My motivation is clear – I wanted to work in & have a much better grasp of technology.

Simples as the meerkats would say.

I started with some basic introductory modules & mathematics in my first year, I’m now on to specialise in digital technologies & the web. Next year brings me face to face with more web, Java & my final modules are around cloud computing & all that jazz.

Anyway, here are my 5 top tips, moans, whinges & useful pointers about studying computing with the OU in no priority order:

Number 1# Me + Degree = Success

You do not need to do mathematics to realise that the above it not necessarily true. See your degree as a foundation. If you are working, you need to get as much as experience in related projects as you can. Getting experience & developing a portfolio is essential. You’re in it for the long-haul so develop as you go along – link in your studies where you can. Above all, remember that a degree doesn’t guarantee anything – it’s not a Willy Wonka Golden ticket….

Number 2# Modules Madness

I’m 50/50 on the OU’s module mix. In several cases, the material is out of date or at least dated. The fundamentals are fine but after all you are paying for this – or at least someone is. There are some solid enough courses but it does all feel a bit old-fashioned. I suspect the OU are slow at updating content & a number of those I’ve done are ‘being replaced’. My advice – choose carefully. There are a number of streams including a general one but I suspect other providers offer more ‘modern’ selections’. For example, there is no cyber security module – when I asked, they answered that it was ‘part of every module’. Fair enough a few years ago but times have changed & how can I go through my entire degree & not do a module called ‘Cyber Security for Idiots’ – seriously, I would do that course….

Number 3# Skimming Students

The students – you get a mix. You get some trying to do 90 units (in other words a full-time course) whilst working & with kids. These folks tend to be pre-occupied with getting through it – they just want to get the qualification & to pass. Fair enough. My advice is don’t follow this path. Take your time & make best use of the materials. Many of the obvious things like the TCP/IP model will come back time & time again in your career & studies. Don’t be a skimmer! Be more Zen about the whole experience…

Number 4# Cliché about Marathons

Six years right? When people ask me how long it will take, I just don’t say anything. Many won’t understand this kinda planning. See it as a journey & build your experience along the road. Manage your workload carefully & my advice is don’t take on too much, stay ahead of the study schedule & try not to listen too much to moaning fellow students on Facebook. I haven’t got the figures but I suspect many drop out – they like the idea of the degree but it’s a long road (more cliches at no extra charge).

Number 5# Studying Alone

OK – they say there’s nothing remote about the OU – for example, there are some day schools & tutorials but on the whole, it is about studying alone. I don’t think many students get a social life out of the OU – might be obvious but I thought I’d mention it. You get books, websites, DVD’s & there is ‘support’ out there from various student support type people but for the most part, you’re on your own. Does that sound a bit gloomy? Maybe but I reckon at least 90% of your effort will be a solo affair. If you don’t like that then check out some other options – there are plenty out there….

Here’s an interesting graph from a really interesting blog. There could be loads of reasons why the trend is there such as funding but I also suspect the OU has fallen behind other providers because of it’s dated content & module mix:

Source: Coolio Intelligent Guy’s Blog

—

That’s quite enough of that. I hope this has given a flavour of studying at the OU. It’s not an easy path. There are some alternatives that maybe if I had my time again, I’d look at.

I do think the OU is changing but not fast enough & I suspect there will be far more slicker new options out there for remote & part-timers like us in the next few years.

I did mention when I started this blog that I’d be learning on the job. Well, here are a few bits I’ve recently learnt. Things that I think every computer should now. Things most of us have heard of but few really know what they are.

What is a Cookie?

Not the chocolate variety – I mean the cryptic collection of information that is placed on your hard drive without you really knowing. What’s worse is that they are not actually that easy to find. Below is cookie picture:

(I know – the power of graphics makes the blog come alive. Shit, it’s just a crappy text file with a load of code & perhaps a sneaky clue as to what the hell it is…)

How about that? Back in 2014 I had a thing for Fort Boyard. I watched loads of episodes; I also used to watch it in France. So, I checked it out online. Brilliant show but I had no idea the website had stored information on my hard drive. Here’s a picture of the real castle – good isn’t it.

Luckily, we now all get that lovely warning which pops up warning you that the website use cookies. Also, of course, they can be useful for making browsing your favourite sites quicker.

So, where’s the problem? Well, some people think they’re intrusive. For me, it was just the surprise of not knowing they were there. It was simply learning that others had stored information on my computer without my knowledge (or least without my educated knowledge).

What’s in the Cookie Jar?

A quick search on your Windows 10 PC will not yield instant results when searching for your cookie jar. You can google how to find them – here’s how I did it:

• Type ‘run in the ‘Type here to search box’
• Into the pop up run box type ‘shell:cookies’
• Hey presto, the cookies will appear in Windows Explorer – to be reviewing

Sure, there are easier ways to delete or clear your cookie history but it’s interesting to have a look through these mysterious text files. Your octane-fuelled browser will have some cunning options to help you manage cookies including blocking them completely.

What is a Firewall?

OK we pretty much all know that one right? For most of us, it’s software that examines communication traffic, blocking or permitting according to a set of user-defined rules. In most cases, our crafty anti-virus software helps us decide on these rules.

But what’s it actually protecting us from? Well, just have a look at this:

Hang on wrong picture. That’s my good pal Adam Pulman shooting himself rather than being converted into a zombie. That’s the kind of guy he is. Anyway, back to the picture I wanted to post:

That’s ‘much more better’ as my young daughter likes to say.

Most anti-virus software comes packaged up with a neat firewall – something better than the basic supplied with your operating system. Just have a look at the blocked intrusions from my firewall history. There are pages & pages of content. Tracing the IP addresses, I can see these are from all over the world. It kinda feels like everyone wants to get on my PC. In reality, it’s pretty typical. It’s why you need a firewall.

Now, not all blocked attempts are sneaky villains. Some were blocked accidentally but it does prove a point I hope.

There you go. Two simple things – cookies & firewalls. No great point to make. No test for readers. Just a note to myself not to forget these tiny but super-powered features in computing.

Here’s another needless picture – it’s me & a girl I met when I was down in the bunker……

Right, this is about the time in most blogs when you realise that you have only a few readers & you begin to wonder whether the whole thing is a pointless exercise…

(Incidentally, that piccie is me during my time in the bunker, see previous blogs but I thought the piccie summed it all up pretty well!)

Well, I’m using this point to checkpoint where I’m up to in my career plans, with particularly reference to technology & cyber security. Here are a couple of things I’ve learnt so far:

They don’t make it easy. You will read loads of articles reporting on massive gaps in the sector & from experts saying that it needs x thousand people by 2020. But, transitioning is very difficult. Routes are not clear. It typically comes down to that old adage; if you’re not already doing to the role then it’s hard to break into the area…

Cyber security does not just mean network security & firewalls. There’s a lot more to it but it sometimes feels like not everyone got the memo. I have a feeling the software development cycle & human factor will become increasing important. What route should I take? Should I just have swallowed the pill & done the CISCO networking qualifications?

You can find cyber security in your current role (probably). Unless you’re a goat-herder in Sinai, there are aspects of IT security in most roles. As I’ve done a lot of software testing I’ve had great fun with the following:

1. Finding a web form which leaves the organisation open to an SQL injection attack (success)
2. Discovering that a display screen for orders could be viewed by any user over the web with no credentials (great success)
3. Checking whether IP addresses can be faked as discovered that communications from a server to our mail server did not have any credentials other than the IP address. Turns out it’s very hard (impossible for me) to fake an IP address to get through the firewall (kinda success)

I think I’ve got the mustard for penetration testing. I’m irritating & I think that helps. I just need to develop my technical skills on par with my ‘gitness’ skills.

So, where does that leave me?

Well, I’m half-way through my computing degree with the OU. I’m not happy with my current module as it reads like it was written in 2006. The book on nuclear war wasn’t on the reading list.

Next year I move onto Java & web technologies. Believe it or not, there is no cyber security track. I did ask & was told ‘it’s part of every module’. Kinda true but also not that helpful.

Hence my remarks about flaky. I’ve learnt stacks so far but there’s still so far to go…that should be a song…My mind is awash with courses, certifications, entry level jobs, challenges & virtual ports….

I’m going to be revisiting my career plans in the next few weeks but am facing a few changes at work. I’m not really sure where this is going to end up so stay tuned. Let’s just hope I don’t go totally crazy with all this adventure…

As buzzwords go they don’t come much buzzier than blockchain. It’s used in every other article about digital business or cyber-security.

But, my own straw poll tells me that most people don’t know what the blazes it’s all about.  My ad-hoc survey work also tells me that people like The Muppets but are surprisingly ill-informed about the character Fozzie Bear. So, I thought I’d combine the two.

Blockchain is complicated enough to need explaining more than once. So, even if you’ve read an article or seen a presentation on it, the central concepts can still be vague and nebulous. You know it’s something to do with Bitcoins. Something to do with managing currencies or payments online….that’s about where most of us check out.

Fozzie Bear from the Muppets never gives up. He keeps coming back no matter how bad the joke so using that tenuous link I’ve created facts about both blockchain and Fozzie Bear.

(Please note in the real world, Fozzie Bear had no involvement with the creation or development of blockchain technology. If you’re interested check out Satoshi Nakamoto – he’s certainly no muppet.)

Random Facts About Blockchain and Fozzie Bear

• A blockchain is a digital & decentralised or distributed database. Importantly, data is added in blocks and that each block is linked to the previous one. As well as data, each block contains a hash pointer (or secret code) which to verifies that nothing has been changed. Soooo, it’s a super thing for keeping track of digital currency transactions.
• Fozzie Bear was created by Frank Oz & is a key member of the Muppet team. He’s best known for his naff joke-telling skills. He is no use as a distributed database with no central authority. But, he’s a skilful light entertainer.
• It was back in 2008 that Japanese uber-geek Satoshi Nakamoto published his paper on blockchain technology & introduced the world to a newly proposed crypto-currency. It went on to be a vital technology behind the success of Bitcoin.
• According to Muppet legend, Fozzie Bear grew up right next door to his best friend Kermit. Fozzie always wanted to be a comedian. Also, for years I thought it was ‘Fuzzy Bear’.
• Each block is a permanent part of the blockchain & records transactions. The chain is designed so that transactions cannot be tampered with or removed. As a distributed database system, it’s an open digital ledger which needs no central authority & keeps an open record of transactions.
• In later Muppet Shows, Fozzie teamed up with some chickens to create routines of every increasingly hilarity. However, by the 1990s the laughs were drying up & he had to resort to wearing a wig to get a giggle. He made a cameo appearance in The Muppet Christmas Carol as Scrooge’s kind employer Fozziwig. Rumours of onsite arguments with Kermit & the Chickens abounded. Fozzie was seen as a washed up diva with a honey drinking problem.

• Blockchain works. Bitcoin is the best example but how to you change your virtual bitcoins into ‘real cash’. Simple. Look for a Bitcoin exchange that is offering a reasonable price. Check the currency you want. You’ll need an account but beyond that it’s like cashing in chips at a casino. They may be virtual but they have real value.
• Fozzie Bear has many catchphrases but his most famous is ‘Wocka wocka wocka’ – which he often employs after one of his disastrous gags.
• Blockchain technology is perfect for the digital space & cross-border activity due to the lack of human involvement,  it’s speed & efficiency. There is no single blockchain & there are various blockchain technologies which look at various aspect of the solution.
• There is not that much information on Fozzie Bear on the web. When selecting a Muppet to brighten up a serious blog, it would be far easier to go for Kermit. Also, select the right Muppet at the start or things such drying up when you get half-way through.
• Blockchain technology will be a buzzword for years to come. The potential is significant. Some banks & institutions are cautious. The anonymity & state-less nature of blockchains is perfect for the dark forces of this world to use to move their money around. Blockchains will become everyday in the next few years so just as well you got to the end of this article. Seriously, there is a stack of information out there online, just check your sources as always.

Right, that’s it. I’m sure mixing up Muppet facts help to confuse things further but if you picked up only a snippet about blockchain technology then my work here is done (poorly).

Very smart people at organisations like the ISF (Information Security Forum) & Gartner consulting produce some excellent predictions of terror for everyone to be scared of.

They help by projecting forward to look at the kind of threats we’re going to face in cyber security in the next 5 years.

My diagram provides a good overview of the ones I suspect will cause a few sleepless nights (No I haven’t employed a professional graphic designer – it’s all my own work, scanned in.):

Automated Misinformation

Pretty much every point on this list is underpinned by smarter AI capability. Think deliberate, automated & targeted false information – targeting organizations & corporates. This could be anything from a sea of misinformation to false profit warnings, artificially created scandals & fake board level announcements. We can do much of this at the moment but think how powerful it would be with evolving AI personas driving it at a relentless pace. Are the PR & Comms team ready for this?

Unexpected Outcomes

No knows the future – not even Mystic Meg but the experts see a headlong rush into AI projects leading to new vulnerabilities. In science terms, ‘unexpected outcomes’ is a terrifying phrase which could mean anything from a button you didn’t know about to thermonuclear war & the eradication of life on Earth. Realistically, cyber criminals will quickly exploit any gaps or vulnerabilities in AI decision-making. This we can be sure of.

Opaque Algorithms

Mmm….I was going to put legacy systems collapsing, as few people realize how much institutions like the Stock Exchange rely on old code. Still, imagine you’re turned down for some form of insurance – you query it – who knows how the algorithm works – the business probably won’t. Who knows what could happen? My point is they are getting ever more complex mathematically & the pool of those who understand them is already small. People on Facebook are already blaming the algorithm for things going wrong. Will we see forms of discrimination we don’t even know about? How important is that that we understand how important decisions about us are made?

Robot Takeover

We all know it’s coming but maybe not in the way we imagine. People get excited about robot waiters but the real challenge will come as AI replaces thousands of ‘middle’ jobs. We’re not the first generation to face disruption but if we fail to plan for this, I’m convincved we’ll face serious civil unrest. One option is to offer everyone a basic universal income – regardless of whether they work or not. If you want to earn more, you can apply for one of the few jobs open to humans. (I’ll cover this in more detail later.)