It has always been difficult for me to get a concrete idea of what a job involves, especially in the changing world we live in.
In the 21st century, the importance of transversal skills as meta-skills is becoming apparent. In other words, in the world of cybersecurity, a single job may require several different skills to be practised effectively. In cyber professions, whether technical or non-technical, learning how to learn becomes essential in order to adapt to a rapidly changing environment.
This demand for flexibility encourages observation, evaluation and analysis, while sharing resources, expertise and vision with your peers in order to protect citizens’ data and their way of life.
Living in the 21st century disrupts traditional learning in favour of continuous learning, but how do we transform information into knowledge?
In this article I will try to answer the following questions: What are the different areas of cybersecurity? What skills are needed to work in cybersecurity? What careers are there?
Cybersecurity being a young field, degrees are not the only way to get a job: the experience and motivation of the candidate remain what makes the difference for an employer. You can train yourself, pass certifications and engage with cybersecurity organizations to demonstrate this motivation.
CyberSecurity NonProfit (CSNP) is a 501(c)(3) nonprofit organization that provides free security education and resources to make cybersecurity more accessible, inclusive, and diverse.
I was invited to talk and I discussed what pentesters do, what skills are needed, and how to start a career in pentesting. I also demonstrated web application exploits such as SQL injection and cross-site scripting (XSS).
Six months already, and I have not seen the time pass! Between two moves, daily life, my sports and community activities, and walks in the city and in nature.
My passion for cybersecurity and its democratization has taken the largest place.
This article will present what I have done in Montreal over these last six months.
How did I continue my self-training? How is my experience as a pentester going?
My work at Okiok is very varied and far exceeds my expectations (see here the article about Okiok).
I have had various exciting mandates that allowed me to improve in web and external pentesting. I discovered internal and WiFi pentests and the whole variety of missions possible in this job.
I also had the opportunity to do a physical pentest (see my article on this adventure here).
Beyond the missions, I had the opportunity to host a lunch and learn on pentesting to present the job to our colleagues.
At the moment, I am on site with a client for a Blue Team mission, where I am developing my defensive skills.
With Okiok I also have the possibility to attend conferences and take part in CTFs.
In particular, shortly after my arrival on Canadian soil, I had the chance to take part in the famous Hackfest in Quebec City.
Passionate about OSINT, I signed up for the Missing Person CTF organized by Trace Labs, a great initiative that helps the authorities find missing persons.
After attending exciting talks, I went to make myself a badge at the soldering village, practised lockpicking and hacked RFID badges!
On the side of democratizing cybersecurity and promoting cyberpeace, I have not been idle either!
Indeed, on arriving in Canada, I was warmly welcomed by Véro, Fyscillia and Sabrine, who organize panels that allow women in cyber to debate various topics as part of NousSommesCyber (aka WoSEC Montréal).
I was thus a panelist at Ubisoft Montréal (see here) for a round table on cybersecurity awareness.
When I arrived, WoSEC Montréal was also planning to organize workshops, and Véro offered to let me help with this task.
The first workshop was by Diana Whitney, who showed us how to exploit EternalBlue with the Hack The Box machine Blue. Then I hosted an introductory workshop on web pentesting.
With the current pandemic situation we decided to keep the workshops in a 100% remote version 😀 and we will have the chance to get an introduction to reverse engineering by Emma Spradbrow (registration information in the following image; NOTE: reserved for women).
Also, during my activities for NousSommesCyber, I met Masarah, who invited me to join the NorthSec Outreach committee.
The goal: to allow all audiences to attend NorthSec and benefit from the training offered during the conference.
To continue my awareness-raising efforts and the sharing of my knowledge, I submitted several CFPs. That is how I was selected to give a talk at WomenTechMakers Montréal.
Because of COVID-19 the event was held 100% online, so you can watch my talk here:
As part of MeetCyber, Enkelada Ibrahimi contacted me via LinkedIn and I was interviewed about my background, my work and my projects. For those who are on Crowdcast, it is available here.
Being interviewed did not stop me from continuing my own interviews!
Their backgrounds are exciting and inspiring! I invite you to discover them here along with the previous podcasts.
To improve my public speaking and keep giving many talks, I joined a Toastmasters club. It is a very enriching experience: the club meets once a week and offers different participation formats. For example, there is a role of language evaluator, which consists of giving feedback on the terms and expressions used by the various speakers. We also do improvisations and, of course, oral presentations.
To keep learning and refining my skills, I also continued my online training. In particular, I completed the Problem Solving MOOC, which allowed me to develop a methodology for facing the challenges of professional life.
Moreover, if you are a woman interested in cybersecurity, the Mossé Institute offers a free training course with certification. You can contact me via LinkedIn to find out more.
Find the rest of this adventure in a future article!
I have spent six months in Montreal already! Between two moves, daily life, sports, community activities and walks in the city and in nature.
My passion for cybersecurity and its democratization has taken the greatest place. This article will present what I have been doing during these past six months. How did I continue my self-study? How is my experience as a pentester going?
My work at Okiok is very varied and exceeds by far my expectations (see here my article about Okiok).
I’ve had various exciting mandates that have allowed me to improve my skills in web and external pentesting. I discovered internal and WiFi pentests and the whole variety of missions possible in this position.
Also, I had the opportunity to do a physical pentest (see my article about it here).
Beyond these missions, I had the opportunity to host a lunch and learn about pentesting to present it to our colleagues.
At the moment, I am on a Blue Team mission where I am developing my skills in defence.
With Okiok, I also have the opportunity to attend conferences and participate in CTFs. In particular, shortly after my arrival in Canada, I had the chance to participate in the famous Hackfest in Quebec City. Passionate about OSINT, I signed up for the Missing Person CTF organized by Trace Labs, a great initiative that helps authorities find missing persons. After attending exciting conferences, I went to the soldering village to make myself a badge, practised lockpicking and hacked RFID badges!
As for democratizing cybersecurity and promoting cyberpeace, I have had plenty of opportunities too! Indeed, when I arrived in Canada, I was warmly welcomed by Véro, Fyscillia and Sabrine, who organize panels to allow women from the cyber world to debate different subjects about cybersecurity with WeAreCyber (aka WoSEC Montreal).
I was a panelist at Ubisoft Montreal (see here) for a round table on cybersecurity awareness.
When I arrived, WoSEC Montreal was also talking about organizing workshops, and Véro offered to let me help them with this task.
The first workshop was with Diana Whitney, who demonstrated how to exploit EternalBlue with Hack The Box’s « Blue » machine.
Then, I hosted an introductory workshop on web pentesting.
With the current pandemic situation we decided to keep the workshops, but in a 100% remote 😀 version, and we will have the chance to have an introduction to reverse engineering by Emma Spradbrow (registration info in the image below; WARNING: only for women).
Also, during my activities for WeAreCyber, I met Masarah, who invited me to join the Outreach committee of NorthSec.
The goal: to allow all audiences to attend NorthSec and benefit from the training offered at the conference.
Their backgrounds are exciting and inspiring! I invite you to discover them here among other interviewees.
To improve my public speaking skills and continue to do many talks, I joined a Toastmasters club. It’s a very enriching experience, the club meets once a week and offers different participation formats. For example, there is a role of language assessor, which consists of reviewing the terms and expressions used by the various speakers. We also do improvisations and of course oral presentations.
To continue to learn and refine my skills, I also continued my online training. In particular, I completed the Problem Solving MOOC, which allowed me to develop a methodology for dealing with the challenges of professional life.
At the end of August I participated in ICSSS 2019 in The Hague (Netherlands). We had different lectures about cybersecurity in various places such as Leiden University, the NCI Agency, Europol, The Hague Security Delta and the Dutch Innovation Factory. We also had the full week to work on different challenges in groups. My challenge was about cyber resilience for The Hague Centre for Strategic Studies.
What is ICSSS 2019?
« The International Cyber Security Summer School (ICSSS) is an annual summer school, originally organised by NATO C&I Agency, Europol, the Netherlands Ministry of Defence Cyber Command, Leiden University and The Hague Security Delta. »
The afternoon was hosted by Ákos Wetters. Ákos offered an app for an ice breaker game called SpotYet. We had to take a selfie and answer questions about ourselves. Then, the app showed us the picture of the person we had to talk to and, after finding that person, we could talk about our answers or about anything else we fancied. It gave us the possibility to have one-on-one conversations instead of having to introduce ourselves in front of 60 other people. Here is a map of our interconnections during the event, made by SpotYet.
A blue team vs red team workshop
The red team versus blue team game was made by Leila Taghizadeh. The red team is supposed to hack the blue team. The red team had to explain the process they would use to hack the company. The blue team had to explain how they would protect themselves.
Useful to know about Day 2:
The morning lecture by Professor Bibi van den Berg was a broad overview of cyberspace. The following subjects were tackled: human error and cybersecurity incidents, law as an incentive to prevent human error, and alternative ways of steering human behaviour.
The afternoon workshop was made by Els de Busser. It was an exercise about NotPetya. We were divided into groups: some represented the Russians and the others the Ukrainians. We had to build an argument to defend the side we were on, so that we could give our point of view in front of an international court of law.
Useful to know about Day 3:
The subjects tackled in the keynotes were as follows: introduction to the NCI Agency, cybersecurity at the NCI Agency, career opportunities at the NCI Agency.
Useful to know about Day 4:
The keynotes were given by Maia Spilman and Michael Payne.
In the first workshop of the afternoon we saw how to transform a Raspberry Pi into a hacking tool. It was led by Niels Vonk and Ramon Janssen.
In the second workshop of the afternoon we worked on a home-made version of OWASP Juice Shop. It was led by Wout Debaenst and Ricardo Sanchez Marchand.
Useful to know about Day 5:
The subjects tackled in the morning lecture by Jarek Jakubcek were: introduction to Europol EC3 and the latest cybercrime trends and threats, use and abuse of cryptocurrencies, cryptocurrency investigations and strategic investigations, blockchain, OSINT and the Europol on-the-job experience.
Useful to know about Day 6:
The subjects tackled in the keynotes of the morning were the following: a short briefing on the concept of the Dutch Innovation Factory, and cybersecurity activities within an international context. Also, Dr Rutger Leukfeldt gave a lecture about the human factor in cybercrime, and Peter Janssen presented Cybersprint.
Summary of ICSSS 2019 in pictures
Why should you attend ICSSS?
ICSSS gives a holistic point of view of cybersecurity. We had ethical hacking workshops and also tackled subjects as varied as laws, policies, cyber resilience, cryptocurrencies, …
Meet people from all over the world (this year 22 different countries), and also a great panel of different backgrounds, from technical to legal.
The lectures were given by renowned university professors but also by experienced professionals from different fields (private and public sector).
Don’t hesitate to apply; your motivation will lead the way! This is a once-in-a-lifetime experience.
After having the opportunity to go to Israel for a first learning expedition in 2015, I went back last July (2019). Israel is known as one of the best startup nations. I am going to share with you my experiences: one in the field of computer science and the other in cybersecurity.
SheCodes, Tel Aviv (2015)
The first time I went to Israel I was able to attend one of SheCodes’ meetups. They presented the different workshops: from the basics of web programming to more advanced programming. In these workshops everyone is welcome, no matter their level. You get to learn by doing and are able to ask questions of other attendees or of the mentors.
If you have the opportunity to attend an event made by SheCodes, you definitely should do it, and if you live in Israel you should attend all of them. Since 2015 they have even grown: they are no longer only in Tel Aviv but also in Jerusalem, Herzliya, Netanya, … Click here to get more info on their website.
Technion University (2015)
During this learning expedition, I scheduled a visit to Technion University. If you want to do the same, you will have to contact them and provide a short bio and a brief explanation of why you want to visit. Then, they will help you schedule a guided tour of the university.
Technion is among the world’s top ten science and technology research universities. You can read the full history of this university here. Also, by going to Technion you will have the opportunity to visit the breathtaking city of Haifa. Why not take a snack break at Fattoush?
For the first day of the Cyber Week of Tel Aviv I attended a workshop hosted by BSides Tel Aviv: Ethical Hacking 101 by Telspace Systems.
After a brief introduction to ethical hacking, we were able to practise a little. We used different scanners and tools. There were different environments set up just for us to hack. We got the opportunity to practise SQL injection, vulnerability scanning and vulnerability exploitation. We saw the full process of pentesting, from looking for vulnerabilities to exploiting them, with tips and tricks to stay stealthy while doing so. They also presented a very useful tool, really worth mentioning here: CherryTree. With it you can take notes about your process, which makes the pentest report easier to produce in the end.
This class was an awesome introduction to ethical hacking. The instructors were very clear and passionate. If you have the opportunity to attend a BSides meetup you should totally do it.
The day after the workshops, BSides had organized different talks. They were presented by Keren Elazari, Security Analyst, Author and TED Speaker. There was also a special tent for BSides where you could see their partners. There was an area if you were looking for a job and one just to chill out. I need to add a special mention to the decorations of the stage and the posters. They were awesome! You can see the picture below.
Eva Galperin: Where do we go from here, fighting Spouseware and Stalkerware
They presented different vulnerabilities they found in Cortana and Alexa on Windows devices.
In the « To go further » section you will find the YouTube channel of Yuval Ron, in which you can find some demos.
Sofia Belikovetsky: The Butterfly Effect Actively manipulating VW through hypervisor introspection
Sofia Belikovetsky took on the challenge of creating a virtual router in order to find anomalies in the network. In this talk she explained how she proceeded: how she was able to find what was going on in the VMs from the outside (from a list of running processes to a monitor of every new process).
Yossi Sassi shared many tips to get the best out of PowerShell as a hacking tool. In the « To go further » section you can find a link to his slides and… a link to Yossi Sassi & The Oriental Rock Orchestra.
Omri Misgav is the team leader of the security research team of Ensilo. In this talk he explained hooking and user-mode hooks.
Yaron King: Low hanging (blue) fruit, Hacking and defending yourself using open-source tools
Yaron King explained how he was confronted with password spraying and what he did about it.
Eyal Itkin: Karta Source code assisted Geographic-based binary matching
Eyal Itkin is a vulnerability researcher at Check Point Research. In this talk he explained how Karta works. In the « To go further » section you can find Karta Source code.
Danny Grander and Yuval Ofir from Pasten CTF Team: Capture the Flag
In their talk Danny Grander and Yuval Ofir explained what a CTF is and their experience with them. They also presented how they solve hard challenges.
Other events of the Cyberweek 2019 in Tel Aviv
Besides BSides (yeah I know xD), there were plenty of events during the Cyberweek. I went to some of them, which I will present here.
Women in Cybersecurity: How to attract more diverse talent
Leading Cyber Ladies invited inspiring women in. Firstly, Keren Elazari interviewed some of them. They shared their experience and gave some advice:
Hila Meller, VP Security Europe, British Telecom. Her advice: if you want it, don’t let anyone stop you. Believe in yourself.
Helen Dixon, Commissioner, Data Protection Commission, Ireland. Her advice: don’t listen to any advice, you are perfect as you are.
Maria Thompson, Chief Risk Officer, State of North Carolina. Her advice: learn the foundations of IT; if you are able to achieve and do that, you will be more successful.
After those interviews, Eva Galperin, Director of Cybersecurity and Head of Threat Lab, Electronic Frontier Foundation, presented herself and her career in a brief talk.
Finally, there was a panel moderated by Reut Menashe, co-founder of BSides TLV.
Each person on the panel presented their background. Then they shared what, in their opinion, companies should do to attract more talent, and why.
For Limor Kessem, monoculture has a bad effect. She also said that the « bring a friend » policy has an impact on diversity: with this kind of policy, companies tend to hire the same kind of people.
For Mary McGinley, companies need to have an extremely diverse team to see all aspects of a problem. She recalled the study that found that women won’t apply for a job if they do not fit 100% of the criteria. She advises that even if many people tell you that you should not apply, apply anyway. She added « do something you love and make it work for yourself ».
Karine Ben-Simhon said that it is important to encourage the private and public sectors to create equal opportunities. She also said that there is also a problem with women, because most HR staff are women.
For Moran Weber, the best way to make a difference is by combining top-down and bottom-up approaches. It is also important to revise job descriptions and understand why women don’t apply. In her opinion those descriptions should avoid terms like « code ninja », « superstar », « rockstar », etc. She shared that her best decision was to start putting herself out there and to decide that her impostor syndrome would not decide for her. She used it to help her learn more.
Plenary talk CyberWar is the continuation of politics by other means: interview of Stevan Bernard by Keren Elazari
In this interview Stevan Bernard explained how the attack on Sony Pictures in November 2014 was handled. Here are the main points he shared:
Never underestimate your enemy.
Decisions made on Day 1 are the decisions that saved the company. This day was all about global and big decisions. This is when they decided to call the FBI and cybersecurity companies.
The human link is the weakest link: the attack started with spear phishing.
With twelve thousand employees all over the world, in such an attack you need to find alternative ways to communicate: Sony used old BlackBerry phones.
You can’t prepare enough: hire the right people, make the right decisions, get everyone on the same page and define roles and responsibilities.
This event was a full day event. All along the day awards for « Legends of fraud fighting » were given and the winners shared their experience. I am going to present some talks of the day.
Limor Kessem, executive security advisor at IBM, opened the day. She made an inventory of the last few years in terms of malware and presented some of them. After her introduction different talks were given.
Ori Wainshtein is Head of Risk Research and Intelligence at Intuit. After a presentation of Intuit, he explained that in his opinion we need to be able to educate our children about this. He presented different aspects of fraud prevention and some scams. To conclude he gave key advice: invest in customer safety, optimize for brand protection and develop a holistic point of view on fraud.
Panel: news from the kingdom
In this panel participants shared the landscape of the UK in terms of fraud. Some figures were presented: reported fraud has increased by 6% since 2009. Identity fraud has been the biggest issue for a while and in 2018 it is more than ever; 85% of it is perpetrated online. They also tackled the issue of fraud detection and how to detect it.
Panel: tales from the colonies
In this panel, they started to talk about mobile attacks saying that the minute something is patched, something new is out. Companies have to make things safer without changing too much the customer experience.
Nadav Katzenell: Remote overlay trojans attack and detection
Nadav Katzenell is head of security research at IBM Security. In this talk he explained the remote overlay trojan attack. It is an attack that originated in Brazil and then quickly expanded across South America and to new industries. Then he explained how his team set up a solution to detect this kind of attack.
Yehonatan Bar-Lev: The power of fusion center
Yehonatan Bar Lev is head of Cyber Center at the Bank Hapoalim. Yehonatan Bar Lev showed us the organization of a drug ring from the inside. What skills they have, how they work, how they hire staff and what type of attack they launch.
Mirko Manske: A sunday in hell
Mirko Manske is a federal criminal police officer in Germany. In this talk he explained how he and his team confronted an internet « provider from hell » to get them to collaborate on a special case. He gave us an inside view of how German police and prosecutors work on such cases.
Panel ecommerce fraud, the next generation
In this panel, Noa Kind started to explain what Ad Fraud is and how it was countered. Then, other persons from the panel explained how consulting works.
Karisse Hendrick is an eCommerce Chargebacks & Fraud Consultant. In this talk she explained how online fraud has evolved and shared her insights as a consultant. She also co-hosts a podcast that you can find in the « To go further » section.
Spencer McLain: Fighting fraud with collaboration
Spencer McLain is Vice President at Ekata. In this talk he first explained that online sales are increasing, which makes it necessary to tackle the authorization rate and fraud problem. He showed how fraud and the solutions to fraud have evolved, and he gave a holistic approach to fraud prevention.
Sergey Shykevich: Even idiots can do fraud
Sergey Shykevich is cyber threat intelligence team manager at Q6 Cyber. In this talk, Sergey Shykevich explained that even with very basic knowledge anyone could do fraud. To prove his point he even showed an example.
Raymond King: Robbing the digital train
Raymond King is a product manager at TransferWise. In this talk, he first presented TransferWise. Then he explained what kind of fraud TransferWise faces, the consequences it has and how they prevented it.
Ethan Ram: Fraudulent App installs
Ethan Ram is VP R&D at ZoomD. In this talk he explains what is App Install Fraud, how it works and how to fight it.
Panel: What’s new in marketplace fraud
In this panel, they all shared their insights from their different companies. Firstly they shared the kinds of fraud they are faced with. Then they gave their opinions about machine learning and artificial intelligence for detecting fraud. They talked about the collaborations they have with other platforms in the marketplace. Finally they shared some advice for fraud-fighting teams.
To happily finish the day at FraudCon we did a fun little game in which we had to decide whether the case presented to us was « friendly fraud » or « true fraud ».
Learning expeditions are a really good way to learn. You get to see different things and discover the world at the same time. The CyberWeek was an awesome experience; I really enjoyed the talks and got to learn a lot. If you have the opportunity to go to the CyberWeek you definitely have to go to BSides TLV and FraudCon.
Anouk Vos is founder of Revnext, a strategy consultancy firm in Technology Driven Strategies in Netherlands and chairman of Cyberworkplace a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market (see my article about it here).
If you want to know more about:
Cyberworkplace and how to help reduce the shortage of cybersecurity experts
Cybersecurity from a former diplomat point of view
Listen to this podcast! (you can download the file in mp3)
One of my goals in this ethical hacker challenge was to volunteer for a GREAT organization. This is what I did with Radically Open Security, who welcomed me as an intern for six months.
How did I get this opportunity?
When I started to work in IT I quickly had concerns about the lack of safety on the Internet.
Therefore, my curiosity and thirst for learning led me to wonder about the construction of a safer cyberspace.
This quest has shaped the type of company I wanted to be involved with. This is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article.
This initiative was obvious to me and in line with the values I want to promote.
Transparency is the central point of this company and its business model is a promise of a better social future.
What is Radically Open Security?
« Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants. »
At ROS everybody works remotely.
Wait! Not for profit?
Yes not for profit! Let Melanie Rieback co-founder and CEO explain this to you:
What service do they offer?
Penetration testing, ethical hacks and social engineering
Participation in the creation of a Capture-The-Flag (CTF) game
ROS helped to build a CTF for the CyberHeroes week of the non profit organization Cyberworkplace (see my article about the CyberHeroes week here).
The theme of the week was Heroes in Cyber; I built a list with many heroes from the cybersecurity world, cryptography and cybersecurity resources.
Observation of pentests
I was added to some pentesting channels on RocketChat, a chatroom that was used for work communication. This way, I was able to peek over the shoulders of pentesters and see how they work and how they communicate with the client, as the pentests are completely available to the clients from the beginning to the end (this is one of the core principles of ROS).
Review of pentest reports
I was able to read and review some pentest reports. This really helped me to see how proper pentest reports are built, what pentesters look for while pentesting and which tools they use.
Improvement of the onboarding manual for new staff members
When I onboarded I was provided with an onboarding manual. As I encountered some little problems setting up my work environment, I added some entries to the onboarding manual in order to help future onboarders who have the same configuration I had.
Creation of a wiki page with relevant onboarding information for new staff members
ROS wanted to improve the onboarding process and provide onboarders with resources and useful information.
This is why I created a wiki page with many resources for every type of position (project management, software development, pentesting, …). I also added a section with general information about ROS.
After setting up this wiki I invited everyone to contribute and share their knowledge with relevant links: their favourite tools that help them in their tasks, great articles they’ve read, anything they would find relevant.
Submission of a process for improving internal training
We wanted to improve the internal training; that is why I created a document proposing some ideas on the subject.
Helping a coworker with the use of GitLab (Radically Open Security’s file storage system)
One of the other interns was new to GitLab. As I had previously encountered Git and worked with it, I was able to help.
Organizing folders in GitLab
ROS puts their projects and documentation on an internal GitLab system. I updated the organization of the folders.
Use of Pentext and XML
« The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
This tool was created by ROS; they open-sourced it and made it available on GitHub.
In order to use PenText you need to know XML.
I really enjoyed using PenText. XML is really useful and you get to generate great-looking documents. This saves a lot of work, mainly for pentest reports, but it can also be used to save time on other types of reports.
What did I get from this experience?
As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
More specifically, I learned how a holacratic system works in a company. This system, in which everyone has a place and a voice, has been a beautiful discovery.
On a more technical aspect I have used many tools such as Pentext.
Finally, I have appreciated working remotely because it requires a personal work organization that invites to be autonomous and rigorous.
During my internship at Radically Open Security, i had the opportunity to help with the building of a CTF made for the CyberHeroes week of Cyberworkplace. I found Cyberworkplace’s initiative so great that i asked if i could volunteer for the CyberHeroes week. They did not only accepted that i volunteered, but also invited me to come as a participant.
What is Cyberworkplace?
Cyberworkplace is a Dutch initiative based in Rotterdam. It « is a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market and provides much-needed 21st-century skills to vulnerable young people (dropouts/ gamers/students, who lack practical experience in their study programs).
The training/lessons given at Cyberworkplace are inspired by modern teaching methods such as peer-to-peer techniques and project-based learning. » (source: https://cyberworkplace.tech/wat-is/)
What is CyberHeroes?
« CyberHeroes is a one-week training program that brings together twenty talented youngsters from The Netherlands and New Mexico, USA. Together they will be trained in ethical hacking skills to address current security threats. Over the course of one week they will take on hacker battles, work on CSI-type cyber challenges with local police, study the history of cryptography, learn to fight cyber crime alongside international hackers, and much more. » (source: Cyberheroes booklet)
Day 1: Cryptography and Lockpicking
Philip Zimmermann gave a great talk about cryptography and data protection.
He exposed the evolution of the Internet and the impact it had on privacy.
Oscar Koeroo started his workshop with a talk about his work at KPN and how they handled security.
In 2012 KPN got hacked; that year they decided to set up a Security Operations Center to handle such incidents better.
KPN’s CISO strategy and policy is made available to everyone here.
After this introduction, he started explaining cryptography concepts.
He then detailed RSA encryption.
Finally we practiced RSA encryption, encrypting our own messages with our own numbers.
He mentioned a very good tool to help us with the assignments: WolframAlpha.
We ended the day with lockpicking; now I really want to buy my own lockpicking set! 😀 It reminded me of the video game called Skyrim, except it is much easier with a joystick^^
Day 2: CTF with Radically Open Security
In the morning, Daan Spitz was introduced and the CTF started.
Daan works for Radically Open Security, who sponsored the event and gave a CTF that he made.
In the afternoon, Melanie Rieback, CEO of Radically Open Security, was introduced; she presented ROS and gave a great demo talk about cracking passwords.
We cracked the password « TreeHouse1234 » in less than 33 seconds!
Demo and slides can be found on ROS’s GitHub.
Day 3: On a boat with the Dutch Police
On day 3, we spent all day at the Seaport Police of Rotterdam.
We had the opportunity to meet Dirk-Jan Grootenboer, Peter Duin and other great police officers. They presented the Seaport Police and their work.
The Cyber Resilience unit has different goals:
Awareness of cyber threats and risks by citizens, corporations and other organisations
Know how to act: reactive, preventive, pro-active
Work together to share knowledge and new opportunities offered by technology
Resulting in continuous growth of cyber resiliency
From cyber security to cyber resilience
From reactive to pro active thinking and acting
Catching the advantages of cyber with an open eye for the risks
(source: Police officers talk)
Then, we had a CSI-like challenge and a Police Patrol Boat Adventure. We were able to work on our social engineering skills and see the huge port of Rotterdam (the largest in Europe).
In the afternoon, Floor Jansen and Marinus Boekelo joined us to present the Hack_Right initiative and explain the amazing takeover of Hansa Market, a dark web marketplace.
Hack_Right is an initiative to help young hackers who committed a small crime to get back on the right path and use their skills for ethical hacking.
It consists of 4 modules:
Restorative justice: if you commit a crime you break your connection with the victim; to repair this boundary you have to do something for the community. In this module, cyber criminals are confronted with the damage and possibly even with the victims.
Training: ethical and legal boundaries
Coaching: personal connection between coach and offender. This involves providing longer guidance to the offender, linking them to someone from the community.
Alternative: indicates the opportunities on the labour market and teaches young people where to develop their talents
(source: Floor Jansen’s talk and Mediawijzer’s article)
Day 4: Cybersprint at The Hague Security Delta and US Ambassador residence
In the morning, we worked on « Make it Smart »: Maarten van Duivenbode introduced us to smart objects and how to use them. We were able to program lights and their colors.
In the afternoon, we visited Cybersprint at The Hague Security Delta.
Cynthia Schouten gave an introductory talk and a tour of the campus. We visited Hogeschool Leiden’s IoT lab, where we were introduced to a mixed reality tool that aims to train students in forensics with simulated crime scenes.
Then, we visited Splendo, who introduced us to their smart bike lock project for X-bike.
After the tour, Peter van Eijk, who works at the municipality of The Hague, presented the Hack Den Haag CTF, a CTF to help the city of The Hague be more secure.
Finally, Soufian El Yadmani gave an amazing talk about his adventure into cybersecurity. He explained that he was hired as a cybersecurity analyst at Cybersprint by winning a CTF. He and his team travel to many CTF competitions.
His secret to being a good ethical hacker? Practice, practice, practice!
After our visit to The Hague Security Delta Campus we went to the US Ambassador’s residence for a reception for the CyberHeroes program. There, Peter Hoekstra, the Ambassador of the US, Anouk Vos from Cyberworkplace and Charles Ashley III from Cultivating Coders talked.
The Ambassador is now a proud hacker in a beautiful Cyberworkplace hoodie and the owner of a CyberHeroes medal!
Day 5 and 6: Trip to Leeuwarden, no escape possible 😀
On the last two days of CyberHeroes, we were invited to Leeuwarden for a CTF at the amazing Hacklab.
Leeuwarden is a beautiful historical city in the north of the Netherlands that was European Capital of 2018.
The CTF gave us the opportunity to learn a lot.
After all this hacking we had to go to jail… just joking, we spent the night in a former prison: Alibi Hostel.
But before going to sleep, we took part in a great escape game made by Henk Van Ee, founder of Cybersafety4u, in which we had to unlock a hacker’s phone.
To conclude this awesome week, we all got a certificate and a CyberHeroes medal.
Needless to say, I was very proud to participate in and help with this great adventure.
I would like to take the time to thank Radically Open Security (Melanie and Anh), without whom I would not have heard about Cyberworkplace.
Thanks also to Anouk, Nasya and Maria from Cyberworkplace, who welcomed me for this week.
They all did amazing work and I would definitely recommend everyone who has the opportunity to take part in a week like this. Volunteer or help Cyberworkplace any way you can; they do such amazing work for students and cybersecurity lovers.
Note: As the forum did not attract many people, I am thinking about another way to offer an exchange of knowledge and a mutual support open to all.
A Forum to self-study cybersecurity collectively
A few days ago I published my article on Peerlyst about how to create an open education degree for free in cybersecurity. In a comment, someone raised a very important issue: how to stay focused when you study alone online?
You can easily be distracted,
We tend to scatter ourselves,
It is not always easy to learn alone.
To answer these questions, I first suggested this very good MOOC by Dr Barbara Oakley (McMaster University, University of California San Diego): Learning How to Learn on Coursera.
This MOOC is really helpful to understand the process of learning. You get tips and tricks to learn more efficiently.
I also answered that what helps a lot is to make lists of objectives. For instance, you can make a list of things to achieve for the day, the week or the month.
The most important thing is to define what you want to learn and where you want to go. Then write it down as objectives you’d like to fulfill at a certain pace.
And to break the loneliness of self-studying, I decided to create a forum to gather people who want to learn collectively. It is a place open to everyone who wants to learn and share knowledge, no matter your age, gender, level, country and so on.
In brief, it is a forum that can be used to learn a specific subject or look up an answer when you tackle an issue.
Here is a picture of the forum as it currently is. It is not its final look; it will evolve with users and their needs.
As you can see there is an English and a French part for now.
If you speak another language you can ask me to add a category. This would open the forum even more to everyone, no matter where they live and which language they speak.
This part is only for women or people who identify as women, to feel more comfortable learning together. This part is private and you need to ask me for access to it.
Feel free to make this forum a place where learning is free and open to everyone. Learning with peers and meeting for a specific topic or MOOC would be easier to achieve.
Finally, people from the industry and experts are welcome to share their experiences and build a community for open education in cybersecurity.
So let’s build a safe internet by learning cybersecurity together.