@patrick-lathrop,

Not exactly sure how to be helpful here. For our community to be more helpful, what job role are you interviewing for would help. It is an administrator or support role? is it a management role? is it a project management role? or an analyst position?

Technical interviews usually are scenario based. They want to to know if you understand the process to handle situations with the topics they provide. Do you have the technical "chops" to do the role or do you have "affinity" to the the role...depending on what level (e.g., entry or more advanced positions).

Sorry, can't be very helpful besides very generically.

@Brian-Turney Hi Brian. Just to be clear, the practice exam that you are referring to, was it the one included in the ITPRO.TV course? or the one from SANS? Thank you.

@Morgan-Terveer thank you for the kind words, you can reach out to me at any time!

Sure do @Zachary-Mayers. Lab for PenTest+ is in progress; tracking to release in early September.
-Aima R, Product Team

@SRR said in Cisco security:

I need to find a way out of this help desk job. I am to old to begin on a degree so what should I do? When listening to the news I hear there is a lack of security people here in Norway but again the CompTIA certifications does not seem to be that attractive for some reason. They prefer a degree but may consider certifications in some cases. If they consider certifications it is mostly the vendor specific ones like Cisco, Microsoft, AWS and so on. Is it a good idea to go the route of Cisco CCNA then CCNP Security? I have watched videos on "how to get into the security field" here on ITProTV but they sell the CompTIA hard and I feel that is not an option for me.

So, path that we recommend is normally for people that do not have much experience beyond studying for the exam. CompTIA is an industry recognized vendor neutral certification.

If you already have a solid foundation in network technologies and TCP/IP networking. You can probably begin start with CCNA. There will be some network fundamentals for review but then it will be very Cisco technology and terminology centric.

Technically, you do not have to do the CCNA before you do the SCOR exam but I do recommend it but it is not a prerequisite you do so. But it may be a very steep learning curve for you.

Ah, nice to hear someone passing an exam, I never seem to get Cisco so here I am. What's the plan ahead?

If given the opportunity for a new, free certification, I would recommend it. The other certifications you listed are good to get, but why not do the free one first? Sounds like it will be an entry into (ISC)2 world. CCSP is more like the CISSP with a cloud focus.

Thanks @Adam-Gordon , I will start on your CASP+ course and look at SSCP once I am done with that. Or when I am back from work in January.

Thank you for the explanation.

Francesco

@Aaron-Surratt , I hope all is well. Please e-mail me directly... adam@itpro.tv I will send along the file.

Cheers,

Adam

@Jean-Marcel-Belmont great question, the Kali machine does not offer the clipboard or access to the local clipboard. This means that for the Kali exercises you will need to type out the commands. This can be cumbersome at times but will help with memorization of the concepts.

@Donald-Muncy , I hope all is well. The recent update to the NIST password standards (SP) 800-63-3 is all about simplifying password management for users by leaving out overly complex security requirements.

What are the NIST password requirements?

Set an 8-character minimum length.
Change passwords only if there is evidence of compromise.
Screen new passwords against a list of known compromised passwords.
Skip password hints and knowledge-based security questions.
Limit the number of failed authentication attempts.

What are the NIST password recommendations?

Set the maximum password length to at least 64 characters.
Skip character composition rules as they are an unnecessary burden for end-users.
Allow copy and paste functionality in password fields to facilitate the use of password managers.
Allow the use of all printable ASCII characters as well as all UNICODE characters (including emojis).

The idea is that if you are using the totality of the requirements list, then you should/would be implementing policy as part of the approach, as these would be driven via policy.

If an organization is not using policy to drive security practice, there are broader issues that have to be addressed vis-a-vis the risk posture of that organization.

It is not about how long the password may go unchanged; it is about the protective ecosystem taht surrounds the use and management of that password over its lifecycle.

Cheers,

Adam

@Scott-Fenn I do the same thing. It's always a great way to pick up a new technique, tool, or tactic. Again, I'm really glad that you're enjoying my stuff. Cheers!

Congrats! thats kind of a big deal. I suspect that exam will not be easy when I get to it.

@daniel-lowrie87 Thanks my friend, just know what you do everyday changes lives like mine. Many thanks brother..

Brian

I just wrote the beta exam after using the ISC2 materials. I was not that impressed. A good Security+ course (Like ITPro.TV) has better content and their actual video provider is not great either.

The exam was very similar to the Security+, but without the simulation questions, it was just multiple choice.

I now have to wait 8 to 12 weeks to find out how I did :(

Thanks so much, Adam!

I appreciate the information!

Best,
Rahul

@Cassandra-Turner another thing to consider is that CentOS 7 is the last of the traditional CentOS distributions. Moving forward it will be known as CentOS stream and will be closer to the bleeding edge of features (more like Fedora), however, if you would like to download a distribution that allows you to continue to use the RHEL-like features in CentOS, then I would recommend moving over to Alma Linux. You can find this distro here: https://almalinux.org/

Hi Ronnie,

Great question – IMO this one is more of an art than a science, you have to recon the target organisation and tailor your approach based on your best estimation of the tech they’re going to have up against you!
Basically though, you’ve made the key point - less scanning = less noise… here’s some benefit of my experience, I'm sure Dan will also have some great ideas!

I’m assuming you’re talking more about an internal assessment here, so - once you’re inside a target network, one of the best ways to minimise the number of actual connections we make is to thoroughly enumerate the hosts on the network before we start port scanning – by default Nmap will run a ping (ICMP) scan to determine which hosts exist on the network before starting a more intense port scan against the hosts which are then known to exist. If you don’t have nmap on the box (likely) or don’t want to put any of your own binaries on to the machine (sensible) you can also run a simple ping scan from within bash itself.

This does reduce the amount of “noise” on the network and gives you a lot of useful information, but it only works if the hosts respond to pings! By default, windows boxes don’t – but Linux ones do. If we happen to know the environment is all Nix it’s a fair guess that well get a response from most of the machines on the network (of course, they might be configured not to respond)… if it's a mixed or windows environment you could use a tool like hping3, or even better if we have access to a network device perhaps we can listen on the wire and see who’s “talking”. Checking the arp tables on any box you have compromised will also provide you with information on some “live” IP’s on the network. Gathering this information first helps you to establish possible targets, and then use more selective port scanning to reduce “noise” overall.

Once you are as far along as actually doing some port scanning, there’s a few options to make things less obvious – firstly, you can again use a targeted approach. By default, Nmap scans the top 1000 ports (that is to say the top 1000 most used ports, not ports 0-999) but we could be even more selective than this… which services are the most likely to provide an attack vector? HTTP(S)… SMB…FTP… and so on, so you can begin by running a small port scan against only those services – then broaden out from there.

Of course, there’s nothing to say a crafty admin did not bind FTP to another port… but let’s say he did, admins don’t want to make their life harder than it needs to be, so perhaps it’s not on 21… how about on 2121?... SSH on 222 ohhhh, I see what you did there 😉
Working like this takes longer than just running a full blown -p – to scan every port on the machine but it’s also much stealthier.

In theory, using a syn scan, rather than a connect scan is also stealthier (since the syn scan does not complete the TCP handshake, some (very crude) logging systems might not note the connection) – however today this isn’t really true anymore. You’ll also need sudo rights to run nmap in syn scan mode, so you’ll find that in practice you’re often forced into using a connect scan anyway. Options like the FIN scan could also work, perhaps some logging or monitoring software will miss that..might get through a simpler firewall… but against a half way modern IDS/IPS/SIEM system you need to assume the more you do, the greater your chance of getting noticed no matter how crafty you get with your nmap options.

Ultimately, if you have to scan off of a “normal” host inside a network which does not normally run those kinds of scans you are always going to be doing something unusual which should be picked up - simply keeping your scanning as minimal as possible, and going “low and slow” (so, let’s not use -T5) is your best bet of staying below the threshold at which some kind of alert triggers. Getting logged is not always a problem - getting logged enough that someone gets an alert is a problem.

It comes back to enumeration, enumeration and enumeration though because perhaps you aren’t operating from a “normal” workstation, web server etc… if you manage to compromise a system which is actually used for something like network administration, it might be totally normal for nmap to be run on that system – windows system with zenmap installed… non security focused linux distro with nmap installed – there’s a good chance that’s there for a reason and a good chance that scanning from that system won’t be unusual. Take it further - If nmap is there for a purpose there’s also a reasonable chance that there are copies of scans already stored on that host somewhere, so perhaps you don’t even need to scan now 😉

Hope at least some of that is helpful – it’s a great question, keep hacking! 😊