Quick 3 (June)

A snapshot of lessons learned (and questions asked)

Posted by Asa Hess-Matsumoto on Friday, June 26, 2020

This month’s quick three:

  1. The Offensive Security (OffSec) Penetration Testing With Kali Linux (PWK) course materials are far more dense than I had anticipated. Students who take the Offensive Security Certified Professional (OSCP) exam may include in their final writeup a post-mortem of their work with the PWK for extra credit. Since 2017, this writeup has included a detailed summary of the student’s work through the PWK course exercises. I thought these exercises would be trivial - most of the testimonials regarding the PWK revolve around pwning the practice machines, not the exercises. But in working my way through the PWK’s 800+ pages of coursework, I am stunned by how much there is to do. This is proving to be a multi-month learning experience.
  2. The Cyber Security profession is more closely affiliated with Information Technology (IT) than with software development. Lately, I’ve been trying to reconcile discrepancies between what I’ve been doing professionally in Cyber Security and what I’ve been studying, in an effort to refine what kind of career I’d like to pursue. While cyber security is an incredibly broad domain that covers a range of skillsets, the work that I’ve been exposed to leans more towards policy implementation and compliance with standards. This in turn has led me to learn more about network engineering and system administration rather than development and algorithm comprehension (which is what my academics have emphasized as a software engineer). There is some intersection between software engineering and cyber security, to be sure: the areas of secure code analysis, web application penetration testing, malware analysis, and the development of products such as firewalls come to mind. However, I have not found this work to be as prominently available as clients seeking an Authorization to Operate their systems.
  3. Port forwarding and tunneling is a devious way of pivoting within a target network. The act of pivoting is undertaken post-exploitation - that is to say, once an attacker has already compromised their targeted network and has gained some level of access; when an attacker “pivots” they are using the host that they have already accessed as a launching point to attack other machines within the network (or other networks that connect to the compromised machine). Port forwarding and tunneling is devious in that it can redirect and disguise connections that would ordinarily not be permitted. For example, an attacker could configure a particular port (say, 8080) on the “pivot” such that any traffic it receives on said port gets redirected to a different port. This enables an attacker to get around a firewall’s rules.
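Seen from the defender's side, the relay described in item 3 leaves a recognizable shape in flow logs: a connection into one host, closely followed by a connection out of that same host to a destination the original source is not allowed to reach. The sketch below is an added example, not part of the original post; the flow record fields, the allow-list and every address in it are constructed assumptions.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Flow(NamedTuple):
    start: float  # seconds since capture start
    end: float
    src: str
    dst: str
    dport: int

# Hypothetical firewall allow-list: (source net, destination net, destination port).
ALLOW = [
    ("0.0.0.0/0", "10.0.1.10/32", 8080),   # anyone -> DMZ web host
    ("10.0.1.0/24", "10.0.2.0/24", 3389),  # DMZ -> internal RDP
]

# Constructed flow records (not real traffic).
FLOWS = [
    Flow(50.0, 51.0, "198.51.100.7", "10.0.1.10", 8080),   # ordinary web request
    Flow(100.0, 400.0, "203.0.113.5", "10.0.1.10", 8080),  # long-lived inbound session
    Flow(100.4, 399.0, "10.0.1.10", "10.0.2.20", 3389),    # outbound leg opened right after
    Flow(600.0, 620.0, "10.0.1.15", "10.0.1.10", 8080),    # DMZ peer, itself allowed to RDP
    Flow(600.5, 619.0, "10.0.1.10", "10.0.2.20", 3389),
]

def permitted(src: str, dst: str, dport: int) -> bool:
    """True if the allow-list lets src open dst:dport directly."""
    return any(ip_address(src) in ip_network(s) and ip_address(dst) in ip_network(d)
               and dport == p for s, d, p in ALLOW)

def find_relays(flows, max_lag=2.0):
    """Return (origin, pivot, in_port, target, out_port) for relay-shaped flow pairs."""
    hits = []
    for inbound in flows:
        for outbound in flows:
            if outbound.src != inbound.dst or outbound.dst == inbound.src:
                continue  # second leg must leave the host the first leg entered
            lag = outbound.start - inbound.start
            if not 0 <= lag <= max_lag or outbound.end > inbound.end:
                continue  # second leg must open just after, and live inside, the first
            if permitted(inbound.src, outbound.dst, outbound.dport):
                continue  # origin could reach the target anyway: nothing was bypassed
            hits.append((inbound.src, inbound.dst, inbound.dport, outbound.dst, outbound.dport))
    return hits

if __name__ == "__main__":
    for hit in find_relays(FLOWS):
        print("possible pivot: %s -> %s:%d -> %s:%d" % hit)
```

Reverse proxies and load balancers produce the same two-leg pattern legitimately, so a hit is a lead to investigate on the pivot host, not a verdict.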

At this point, here are some topics that I’m interested in learning more about:

  1. Cloud computing: what’s the deal with that? In looking very briefly into the matter, the use of “the cloud” (at least at the enterprise level) is about outsourcing the need for resources - servers and storage, for example - to third parties. By doing this, companies can save money by proportionally paying for the resources they use (rather than investing in the resources themselves); this avoids over-spending - in the case where not enough users end up engaging with their product/service - or under-spending - and thus being too small to support an influx of users. I don’t quite know how this adjoins to programming or cyber security at this point. In the case of the former, there’s something going on with Kubernetes, Docker, and containerization; in the case of the latter, I’m not sure how the attack surface would change or how you would harden a system that uses the cloud.
  2. What is it like to code professionally? At this point, my programming experience has been done either as an academic or a hobbyist. I think I should be investing some more time into learning about the Software Development Lifecycle (SDLC): how code is created and maintained. I’m aware of methodologies such as Agile and Waterfall, but have never applied those concepts in practice.
  3. Is a background in Computer Science viable for a career in robotics? Having worked with space contracts, I am increasingly interested in exploring more opportunities to develop in this domain, to include spacecraft and robotics. Historically, I’ve considered these areas to belong to Mechanical and Electrical engineers. However, it appears that there is plenty of work to be had as a software engineer, according to folks who work at NASA’s Jet Propulsion Laboratory. I will continue to explore this in studying for my master’s degree.