Tag: Security

I may not test often, but when I do it's in production

The thrill of testing in production 

if ($testing_in_production == true) {
RTFM();
}
else {
$Move=fast;
$Break=Shit;
}

 

I’ve been spending a lot of time hopefully making something better for a customer. They recently had an au

ditor c

ome in and tell them they were doing the most basic layers of security (i.e. Antivirus) all wrong and it needed to be redone. And the organization was given a deadline about a month away for 40 PCs and a dozen servers.

This is not a significant issue except the 13-hour timezone difference makes anything that gets messed up a little more precarious to go fix. My first

real sysadmin job allowed me the luxury of driving across town if I broke something.

In all cases I’m lucky that I have experience deploying the tools in a much larger environment. That environment was also under pressure. They had just been pwn’d and didn’t really know it until I stumbled across that. Really didn’t know what I was dealing with… at that time in 2008 I really had no clue what real information security was about. I learned quickly.

What I have also learned through many years of work, is that if you’re going to have to test in production, I recommend that you take a deep breath, slow down, and read the manual first. Knowing what the heck you are doing is only the first step. You really have to know *why* you are doing a thing. There’s no shortage of opportunity to move fast and break stuff, but with each instance there’s also an opportunity for learning and growth.

I may not test often, but when I do it's in production

With the amount of chaos in the world, inability for many OPSEC teams to focus on actually securing all the things, and the continual drive to still give customers what they want, there’s also no shortage of opportunities to learn-on-the-fly, be creative, and solve problems. Even in production.

Reading: Blackwater : The Rise of the World’s Most Powerful Mercenary Army

Blackwater
Jeremy Scahill; Blackstone Audio, Inc. 2007

 

There is a significant amount of detail that I don’t know regarding nearly everything in the known universe. As Silent Bob once said:

“Bitch, what you don’t know about me I can just about squeeze in the Grand fucking Canyon. Did you know I always wanted to be a dancer in Vegas?”

That’s how I feel about Blackwater. How little I knew about them before this book.

My #1 takeaway from this book:

Military contractor is the media-embraced term for a mercenary. Mercenaries are real, they are not a fantasy or only found as guards for villains in a James Bond film. Whenever I hear the terms civilian contractor or military contractor when referring to a position in a hostile space, I will replace the term in my head with the term mercenary.

 

The Wikipedia definition:

A mercenary[1] is a person who takes part in an armed conflict who is not a national or a party to the conflict and is “motivated to take part in the hostilities by the desire for private gain”.[2][3] In other words, a mercenary is a person who fights for personal gains of money or other recompense instead of fighting for the ideological interests of a country, whether they be for or against the existing government. In the last century, and as reflected in the Geneva Convention, mercenaries have increasingly come to be seen as less entitled to protections by rules of war than non-mercenaries. However, whether or not a person is a mercenary may be a matter of degree, as financial and national interests may overlap.

https://en.wikipedia.org/wiki/Mercenary