Final Reflection

These past 4 weeks, I undertook the Summer Studio, Cyber Security an Offensive Mindset. The Studio method was proposed a means too incorporate intensive self-learning, collaboration and research to reach the 5 learning outcomes as indicated below. This studio focused on developing the ‘offensive’ from the security perspective. It introduced students to the ins and outs of the security world especially its lack in modern systems which was exemplified by the inclusion of industry professionals from well renowned firms. These professionals shared valuable experience and knowledge on a variety of topics, which allowed students to broaden their horizons.

I decided to take the subject as I believed it was a means to at least achieve a core foundation in the security industry. Previously I’ve attended several seminars hosted by the Cyber Security Society which were a useful introduction, however at that stage, my understanding wasn’t entirely set in stone. Luckily, having a background in networking helped a lot in enumeration as I was able to understand basic addressing and protocols. At the beginning of the Studio, we had to come up with a list of objectives that we wanted to achieve by the end of the studio. These objectives were to ensure the work we put in would evolve into something that could be taken away, whether you passed or not. Mine were the followng:

  • Clearer job path
  • Portfolio for future employment
  • In depth technical knowledge
  • Improved research skills
  • Insight from the CSEC members
  • Enhanced time management

SLO 1 - Engage with stakeholders to identify a problem

Throughout the studio, we have had the opportunity for industry professionals to give a talk on particular topics. The topic is aimed at identifying a particulat issue in cyber security whether it be technical or human-oriented. The following is a list of the professionals that graced us with their presence:

  • Week 1: Rob Mitchell - Gitlab
  • Week 2: Luke Fuehrer - UTS CSEC - Security Consultant
  • Week 3: Deloitte Cyber Security Team
  • Week 4: Ruben Thijssen - Symantec

Rob stressed the notion of social engineering. Essentially, humans are the weakest link to a firms infrastructure. This is due to the fact that as emotional beings, we tend to fall quite easily for phishing attacks, which involves impersonating another entity in order to maliciously capture the details of the victim. An example he gave us was the ILOVEYOU email.

Luke gave the studio a lecture on the XSS vulnerabilites in web application security. He gave some background to such applications as well as explaining what XSS is and how it works. We had to research an XSS attack and common mitigation strategies. However, a common theme was the confusion between them and so he provided us with a neat diagram as displayed below:

The Deloitte team offered an interactive aspect to their talk by inviting us to break a box that they have developed themselves known as Piper. At that time, I wasn’t able to complete it as I wasn’t comfortable with my skill level. Apart from that, they covered several vulnerabilities including social engineering, XSS, database vulnerabilities alongside a Red Teaming engagement.

Ruben’s talk focussed on reverse engineering using a tool called Binary Ninja. He didn’t give a lecture per se but directed us to a website that hosted several challenges with increasing difficulty. These challenges would reveal certain software vulnerabilites to reveal the flag. Below are my notes from the talk:


https://imgur.com/JUzxK25


https://imgur.com/NsqnJeo

SLO 2 - Apply design thinking to respond to a defined or newly identified problem

Creative thinking is not only important in traversing a system but also demonstrating how you got into that system in the first place as well as the theory behind cyber security attack vectors. Throughout the studio we had to make several presentations. This was to improve our ability to educate our audience in a professional and creative manner and respond to an identified problem. They also ensure that our communication skills were up to scratch by the time the Final Expo came around. The presentations that we gave was on the OWASP top 10, John the Ripper as well as the final at the expo.


https://imgur.com/3k8V2W0


https://imgur.com/0z7tMpZ


https://imgur.com/GzNPI54

This problem was in the form of a statement that we indiviudally articulated at the beginning of the studio. My initial draft of the statement wasn’t taken very well as it was too broad and not defined properly. In response to the feedback I adjusted it to “How can we educate security staff in a corporate environment?”. The design thinking undergone to satisfy this SLO is used to respond to this statement.

Unlike other studio’s where the portfolio was maintained in a document format, we developed our own statically generated websites where we would maintain blog posts of weekly sprints. This blog was a creative means of noting everything we did including how we were solving our problem statement as the weeks progressed.


https://imgur.com/d3FVbc9

SLO 3 - Apply technical skills to develop, model and/or evaluate design

Coming into the studio, my techincal skill was very little to almost nothing, especially in comparison to the guys from the Cyber Security Society. The way in which the studio went about teaching us was to simply guide us in the right direction to undergo our own research in vulnerabilities and exploiting them in order to build the foundation of breaking into vulnerable machines. Since I wasn’t the only one in that position, we were first introduced to the basics via OvertheWire, a beginners platform for learning a gamified version of hacking. By week 3, we were tasked with reaching Bandit 30 and Natas 15, substantial enough to continue to further research. Below are some of my handwritten notes:


https://imgur.com/WRmxoEp


https://imgur.com/MAKa5yN

The conecept of breaking into boxes wasn’t brought about until Darshil’s demo of Pentester 1, a boot2root machine hosted on Vulnhub. That demo essentially secured the foundational mindset to the tools and avenues to take to traverse the box. From there, I continued to research walkthroughs of other Vulnhub boxes such as Matrix and Necromancer. From there, I pivoted to Hack the Box walkthroughs most notably by the Youtuber known as Ippsec. The boxes I looked at were Blocky and Popcorn, which were basic enough so that I could understand the methodology. The OWASP Juice Box was an extra vulnerable machine that was given to play around with to test where we were at with our knowledge.

SLO 4 - Demonstrate effective collaboration and communication skills

As a security professional, technical knowledge is only one side of the coin. The skill to communicate the impact of security issues on a business level is highly sought after. This was highlighted with great importance in the Studio through formal, high level writeups that mirror that seen in security certifications such as the OSCP. This industry skill is further highlighted in the Engineers Australia Competency Standard where a key skill of competent engineers is highly developed communication.


https://imgur.com/TYYAaAt

Another method of collaboration was the use of Microsoft Teams . This tool was introduced at the beginning of the Studio in order to connect that the entire class in a chatroom. It also allowed the creation of individual teams. Each team can take advantage of the planner which can be used to organise tasks and completion times.


https://imgur.com/qmJKvMR

One of the core components of the Studio was the Scrum and Free-for-all sessions. During these sessions we would communicate with different members of the class and ask each other about the work we’ve undertaken since the previous session as well as any challenges that faced, how we overcame them and what to expect in the future. This was a valuable means of collaboration as it allowed the perspectives of others to be shared. Many students I felt at some point would’ve experienced some degree of imposter syndrome, where they feel that their skill is far inferior to that of their peers. These sessions would’ve helped to calm the nerves and reinforce the notion that the majority started from nothing, as seen at the very start.

SLO 5 - Conduct critical self and peer review and performance evaluation

Self review is a core concept of this Summer Studio as it emphasises the progress made throughout. After each week, we are required to give an evaluation of our own performance, good or bad and give pointers on any possible imrovements. We also benefit from the the weekly feedback given to us by our tutors. Each week, they will post the result of the previous week’s submission followed by some feedback to help improve the submission for next week, below is an example of my feedback from sprint 3:


https://imgur.com/F4yEvuB

Similarly, we engaged in Scrum and Free-for-all sessions for peer review. This way we are able to compare the the progress of other students and from their be able to reevaluate our own. I feel these sessions really helped in doing so.

Conclusion

In essence the Summer Studio has been an absolute roller coaster for me. However, possibly the some of the best time I’ve enjoyed at UTS thusfar. It meant striving towards the goals I had initially set for myself:

  • Clearer job path
  • Portfolio for future employment
  • In depth technical knowledge
  • Improved research skills
  • Insight from the CSEC members
  • Enhanced time management

Whilst these weren’t necessarily polished by the end of the Studio, they definitely saw improvement.

The lack of knowledge in security at the start had be doubtful that such a path would interest me in the future. A further developed foundation has meant that I can comfortably perform basic enumeration and exploitation of a vulnerable system. This new found knowledge has given me the confidence and the courage to explore further opportunity for self-learning as well as heading into Cyber Security roles that require such knowledge as a basis for the application process.

The website that I had developed of the course of the Studio as quoted by Larry a “resume on steroids”. It is most definitely the most valuable asset to be pulled away from the studio.

Time management was a major issue for me during the Studio, unfortunately it hasn’t improved all that much. I strive my best to do as much work in little time in order to maximise efficiency where I can. The intense nature helped with that and enforced good organisation to stay on top of a hectic workload in such a short period of time.

Reflective Statement

The learning journey undergone over the Summer Studio has been second to none. As a group, we have had the profound opportunity to meet industry professionals that shared their insights to look at differing vulnerabilitie in Cyber Security. We have applied design thinking through the use of creative presentations and blog entries in order to solve our own problem statement, “How can educate security staff in a corporate environment”. This was highlighted by covering topics such as the OWASP top 10 and tools such as John the Ripper. We have applied diligent self-learning alongside demonstrations to development the technical knowldge to begin rooting our first vulnerable machines. Collaboration and communication were incorporated via scrum and free-for-all sessions to share the learning journeys with others as the weeks progressed to help reevaluate our own methods of study. Finally, self and peer review through the weekly scrums/free-for-alls as well as the feedback from the sprints allowed each of us to reevaluate our own progress and improve on our learning journeys in developing a true “offensive mindset”.