Moving into the PCI-QSA realm

Working on moving from being a penetration tester (pentester) into a risk and compliance position, specifically a PCI-QSA position. Several people have asked me if I have gone crazy, but the answer would be no (well, I do not think I am going crazy, at least). While I do enjoy being a pentester, I am just looking at moving into a position that will allow me to move into a management position somewhere later on. I figure the experience of being both a pentester and a QSA will give me a broader perspective.

Took the PCI Fundamentals course the other day, and completed the exam at the end to allow me to sit for the actual QSA course/exam. I was actually surprised at the amount of content I needed to go over to take the fundamentals test. Scheduled to go to Boston on June 18 to take the course, and will sit for the exam at the end of the course. Hope I am a little more prepared to take the exam than I was for the fundamentals course.

Posted in 2015, Certifications, PCI, Security, Work

Passed the GWAPT cert

I took the SANS GIAC Web Application Penetration Tester (GWAPT) class back in December of 2014 in Washington DC with Eric Conrad. I procrastinated for several months before I finally had to break down and take the certification exam before my time expired in late April 2015.

Spent a few days going over the books to refresh me on the content that we went over, and took one of the practice exams and actually did not do too well on it. Never having taken a SANS cert before, I was not sure what to expect, and probably should have actually allowed the full 2 hours to sit the practice test. Rushed through it and guessed on a lot of the questions, and did not remember going over half of the info. (Note to self: actually read the questions and each answer, and not just say that looks good.) Overall I was a little frustrated after the first practice exam, since I have been doing this for about 3 years now, and many of the questions seemed to be based on opinion, and not actual facts. Several of the questions had more to do with general penetration testing than actual web application testing, like needing to know the TTL from a DNS request for a domain name.

So I read the books a few more days before taking the second practice test, which I did much better on, since I had some idea of what to expect on the test. Did rush through it again, and actually did the entire test in 48 minutes. Which is really not that great, but I just wanted to make sure I had some idea of what the real test would be like. Two days later I sat for the actual GWAPT test, and planned to take my time and read every question thoroughly.

Sat for the exam on April 9, 2015. Finished the test and passed it fairly easily, but was somewhat perplexed that it had nothing similar to the practice tests. It seemed the practice exams had nothing to do with the actual exam. Many of the questions were on topics that were in the books, but never brought up in the practice tests. Which frustrated me a little, since I had to spend a little more time looking for some of the answers that I had not really gone over previously.

So for anyone planning on sitting the exam who has not taken a SANS cert before, plan accordingly to make sure you know all of the content in the books. Do not expect that the practice exams will actually prepare you for the real test; they might actually make you study information that is never asked on the exam.

Posted in Certifications, Rants, Security, Work

Moving to Google Domains from 1and1.com

Well, I am moving some of my domains to the beta Google Domains, away from 1and1.com hosting. It has not been completely the easiest thing to do; I have unlocked my domains and disabled private registration. However, I had several sites that were still locked an hour after changing their status. All of them were finally released to allow me to request the transfer to Google.

One main reason I am moving from 1and1.com is that they continually raise their prices, and I am not a business, so I do not make money from any of my sites. The other is that their mail services have become awful, unless you want to move to their newer Exchange mail service for a $5 per account, per month fee.

I have used them for about eight years, and originally started with their beginner package for $2.99 per month, but it is now up to $4.99 per month. While they do add some features, it seems that they make others worse for the older subscribers who do not upgrade to a better package.

The new MyWebsite package is $6.99 a month, with a few more options than I currently have, and I am guessing that my account will soon receive a price update to be closer to that price. That is along with the price updates to all the domain names I have registered: they used to cost me between $6.99 and $8.99, and are now all $14.99 per domain. Since I have 17 domains, that has made a drastic increase to my costs to host websites. Another thing that pissed me off was that they sent a notice that they were discontinuing the use of PHP 5.2, so I migrated all of my systems to 5.4 or 5.5. They forgot to mention that I needed to discontinue the support for 5.2 in my billing, and billed me $4.99 for a month of support. They never mentioned that I had to do this, or that it was added to my billing and I had to remove it.

I had always had an issue with the limited 1and1.com MySQL DB support; only allowing 100MB of data in one database is a little crappy. Especially when I can have a bunch of DB instances but only 100MB on each one, it makes it a pain to have to program a web site to use multiple DB instances.

Transferred nine domains and was notified that it takes 5 days for 1and1.com to transfer a domain to the new provider; they state that: “1&1 will release the domain after five (5) days as required by ICANN if there are no restrictions, disputes, etc.” I guess I will have to wait and see how things will be at Google, and it will give me some time to figure out what I want to point the domain names to. I have moved one to a Bitbucket repo already, and will just keep it pointed there once it is moved.

Will see how things go. I will also need to move six more domains, but they are all used for email, and I am not sure how long the outage will be on them. I will have to test one to see how things go, and what the outage on email will be. Then I have one that is tied to the main account for 1and1.com, and I am not sure how the transfer will work since it is tied to the hosting package. It is also the domain that is hosting this blog, so I will need to figure out where to host this site with access to PHP and MySQL, to allow me to host a couple of web applications.

Posted in 1and1, 2014, Google, MySQL, Rants, Web

SANS SEC 542 – Washington DC CDI

Attended the SANS SEC 542 Web App Penetration Testing and Ethical Hacking class in Washington DC at the Grand Hyatt from December 12 – 17, 2014.

The instructor was Eric Conrad, and the class was fairly decent, and is a good start for anyone wanting to learn web application pentesting. I already had some extensive knowledge of web app testing, but decided to take the course anyway to see what SANS courses were like.

Learned a few things, but I already knew most of the course material; most of the new things I learned were tool related. I do not usually use ZAP or W3AF, and since we used them in class I learned a few things about them and their capabilities.

There was a wide variety of people in the class, with about 30 students in the classroom and about 15 online students. We had some that had no pentesting abilities, and some with a couple of years' experience.

The class was a six day course:

    DAY 1 : Attacker’s View, Pentesting and Scoping
    DAY 2 : Recon & Mapping
    DAY 3 : Discovery
    DAY 4 : Discovery Continued
    DAY 5 : Exploitation
    DAY 6 : Capture the Flag

My team completed the CTF first, but Eric Conrad could not decide who yelled out first so he called it a tie with the team sitting just behind us.

The biggest things I learned from the class were actually not taught in the classroom; it was talking to the people there who are doing pentesting and work in the security community. Plus the additional talks that were held after classes were well worth staying up late and not going sightseeing around DC.

Now I just need to figure out how to get my boss to allow me to attend another one next year.

Posted in 2014, Certifications, Conference, SANS, Security, Web

Derbycon 4.0

Well Derbycon 4.0 is over, and now things have to go back to normal.
My boss has already scheduled me for 3 new projects, and I have not finished last week's projects because I was too excited to get to Derbycon.

Completed the Urban Bourbon Trail (all in half a day, which I do not recommend unless you have the full day). Started at 2pm on Thursday after arriving at the Hyatt in Louisville, KY, and was done by 8pm that night. Felt terrible most of Friday morning, but it did not stop me from getting in on the CTF.

Had a blast at Derbycon, spent most of my time playing CTF and hanging out with friends.
Team nanerpwn came in 2nd place in the CTF, and we had a good lead for most of the time on Friday and Saturday. We could not hold on to the lead towards the end, as we had a few people drop off to head back home early. So maybe next year we will come in 1st, if we can get everyone to stay until Sunday afternoon.

Ready for Derbycon 5.0

Posted in 2014, Conference, Derbycon, Family, Fun, Security