Hippocratic Hackers

The place for technology related posts.



Should computer security professionals have a hippocratic oath?

1 - Yes. Having a very particular set of skills; skills acquired over a very long career, can do more damage than any doctor. (4 votes, 57%)
0 - No. I n00b pwnz leik phat g1rls e@t cak3 (2 votes, 29%)
65536 - A hippopotamus is just a really cool Opotamus (1 vote, 14%)
 
Total votes: 7

Libra Monkee
Moderator
Posts: 6478
Joined: Wed Mar 29, 2006 11:04 pm
Location: The Ether

Hippocratic Hackers

Post by Libra Monkee »

This conversation came up at work and I wanted to see what you all thought.

We were talking about certification exams (CEH, CISSP, Sec+, etc.) and Cyber Security degrees, and the topic came up of whether information security professionals should have a hippocratic oath like doctors do. Since most of y'all are in the biz or at least have knowledge of it, I wanted to get your take.

Disqus.

Libra Monkee- "Helping DCAWD meet its Equal Opportunity requirement since 2006."
PGT
DCAWD Groupie
Posts: 1578
Joined: Mon Jun 04, 2007 11:06 am
Location: Loudoun

Re: Hippocratic Hackers

Post by PGT »

Absolutely. It gets tricky when doing certain types or work for certain types of companies in certain types of settings, however.
2013 BMW 328i M Sport with 8sp in Estoril Blue II
2012 Chrysler 300C SRT8 - Always bet on black
2012 Jeep Wrangler Unlimited Rubicon Call of Duty: Modern Warfare 3 Edition, otherwise known as the MW3 (and badass)
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Re: Hippocratic Hackers

Post by Sabre »

Two sites/orgs to check out:
https://www.nbise.org/
http://www.crest-approved.org/

A guy up at BSides Pittsburgh presented both organizations last week :) These are not your average certs either, they are very difficult. I'd put them above a CCIE as far as difficulty.
Sabre (Julian)
92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
complacent
DCAWD Founding Member
Posts: 11651
Joined: Sun Aug 29, 2004 8:00 pm
Location: near the rockies. very.

Re: Hippocratic Hackers

Post by complacent »

above a CCIE?!? sweet jeebus!

that's only a two day exam where the second day lab is dependent upon passing the written exam...
colin

a tank, a yammie, a spaceship
i <3 teh 00ntz
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Re: Hippocratic Hackers

Post by Sabre »

complacent wrote: above a CCIE?!? sweet jeebus!

that's only a two day exam where the second day lab is dependent upon passing the written exam...

From what I understand, very few people possess it in the US and they retest you every year. If a company has one examiner and they lose their credentials, then the company loses the ability to do CREST work. Considering it's global, there are very few companies, although maybe that's because it was UK centric for so long.

Example: (one that we probably would all get)

5.2.1 Question

During a penetration test, you have discovered an IPsec VPN server at IP address 10.0.0.1, and have determined that it supports the following transform attribute sets for IKE Phase-1:

    Encryption Algorithm   Hash Algorithm   Authentication Method   Diffie-Hellman Group
    DES                    SHA1             RSA Signature           1
    AES/256                SHA1             RSA Signature           2
    3DES                   SHA1             RSA Signature           2

a) Identify the issue and write an issue description for the customer. The issue description should contain a risk level, detail of the issue, implications and recommendations for ways to mitigate the risk.
[9 marks]

b) After presenting your findings to the customer, you conduct a de-brief with the customer and their IT supplier. During the de-brief, they mention that the VPN is used for remote access and they only use one VPN client. During IKE Phase-1 negotiations, this client sends a single proposal containing the following six transforms in the order shown:

    #   Encryption Algorithm   Hash Algorithm   Authentication Method   Diffie-Hellman Group
    1   3DES                   SHA1             RSA Signature           2
    2   3DES                   MD5              RSA Signature           2
    3   AES/256                SHA1             RSA Signature           2
    4   AES/256                MD5              RSA Signature           2
    5   AES/128                SHA1             RSA Signature           2
    6   AES/128                MD5              RSA Signature           2

b) What IKE Phase-1 transform attributes will be negotiated when this client initiates a connection to the VPN server that you discovered? Describe why these particular attributes will be chosen.
[4 marks]

c) Assuming that only this VPN client is used, and the client transform set cannot be altered by the user, does this affect the risk level in practice? Does it make the risk higher or lower?
[2 marks]

5.2.2 Model answer

a) Issue: VPN Server supports weak encryption
Risk Level: Low or Medium

The VPN Server at address 10.0.0.1 supports both strong and weak encryption algorithms for IKE Phase-1. This could allow the VPN to use a weak encryption method for the ISAKMP SA, which could permit an attacker with access to the VPN traffic to crack the encryption and observe the clear-text traffic passing over this SA.

The weak encryption algorithms are DES, which uses a 56-bit symmetric key, and Diffie-Hellman group 1, which uses a 768-bit prime. Best practice dictates that you should use at least 128 bits for symmetric keys, and 1024 bits for Diffie-Hellman prime moduli.

You should disable both DES and Diffie-Hellman group 1 on the server, so that there is no possibility of them being used. However, before doing so, you should check that they are not required by connecting VPN peers, as some older clients only support weak encryption.

b) The transform attributes that would be negotiated are:

    Encryption:            3DES
    Hash:                  SHA1
    Authentication:        RSA Signature
    Diffie-Hellman Group:  2

These attributes will be chosen because during IKE Phase-1 negotiation, the transform chosen is the first transform in the initiator's proposal that is acceptable to the responder. In this situation, the VPN client is acting as the initiator, and the VPN server as the responder. The first acceptable client transform is number 1, which has the attributes shown above.

c) Using only this VPN client will reduce the risk level, because it will ensure that the weak encryption algorithms that are supported by the server are not used in practice.

Marking scheme
Each long form question is worth a total of fifteen (15) marks
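The selection rule the model answer relies on (the responder takes the first transform in the initiator's proposal that it also accepts) and the "weak parameter" thresholds it cites are easy to check mechanically. The following is an added example written for this thread, not code from the exam, from CREST, or from any poster; it reproduces the two transform sets from the question as constructed data, simulates the Phase-1 choice, audits the server's set against the model answer's thresholds, and reports whether the single-client assumption in part c) lowers the risk in practice. The key and modulus sizes in the two lookup tables are the commonly quoted nominal values (3DES is counted at its 168-bit nominal key length, matching the model answer, which does not flag it); the function names are this example's own.

```python
"""Simulate IKEv1 Phase-1 transform selection and audit a responder's
transform set for the weak parameters the model answer names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Transform:
    encryption: str
    hash_alg: str
    auth: str
    dh_group: int


# Constructed from the exam question: the three transforms the
# VPN server (responder) at 10.0.0.1 accepts.
SERVER_ACCEPTS = frozenset({
    Transform("DES", "SHA1", "RSA Signature", 1),
    Transform("AES/256", "SHA1", "RSA Signature", 2),
    Transform("3DES", "SHA1", "RSA Signature", 2),
})

# Constructed from the exam question: the single proposal the
# VPN client (initiator) sends, six transforms in this order.
CLIENT_PROPOSAL = [
    Transform("3DES", "SHA1", "RSA Signature", 2),
    Transform("3DES", "MD5", "RSA Signature", 2),
    Transform("AES/256", "SHA1", "RSA Signature", 2),
    Transform("AES/256", "MD5", "RSA Signature", 2),
    Transform("AES/128", "SHA1", "RSA Signature", 2),
    Transform("AES/128", "MD5", "RSA Signature", 2),
]

# Nominal symmetric key length in bits (3DES counted at 168, as the
# model answer treats it as acceptable) and MODP prime size per DH group.
SYMMETRIC_KEY_BITS = {"DES": 56, "3DES": 168, "AES/128": 128, "AES/256": 256}
DH_MODULUS_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}


def negotiate(initiator_proposal, responder_accepts):
    """IKEv1 Phase-1 rule: the responder picks the first transform in the
    initiator's proposal that it also accepts. None means no match, so
    the negotiation fails and no ISAKMP SA is established."""
    for transform in initiator_proposal:
        if transform in responder_accepts:
            return transform
    return None


def weak_parameters(transform, min_key_bits=128, min_dh_bits=1024):
    """Best-practice violations of one transform, using the thresholds
    from the model answer (128-bit symmetric keys, 1024-bit DH moduli)."""
    findings = []
    key_bits = SYMMETRIC_KEY_BITS[transform.encryption]
    if key_bits < min_key_bits:
        findings.append(f"{transform.encryption} uses a {key_bits}-bit key (< {min_key_bits})")
    dh_bits = DH_MODULUS_BITS[transform.dh_group]
    if dh_bits < min_dh_bits:
        findings.append(f"DH group {transform.dh_group} uses a {dh_bits}-bit prime (< {min_dh_bits})")
    return findings


def audit_responder(responder_accepts):
    """Part a): map every weak transform the responder accepts to its findings.
    Anything returned here is what the customer should disable."""
    return {t: weak_parameters(t) for t in responder_accepts if weak_parameters(t)}


def risk_in_practice(initiator_proposal, responder_accepts):
    """Part c): 'lower' when the only client in use can never end up on a
    weak transform, 'unchanged' when it can, 'no connection' if nothing matches."""
    chosen = negotiate(initiator_proposal, responder_accepts)
    if chosen is None:
        return "no connection"
    return "lower" if not weak_parameters(chosen) else "unchanged"


if __name__ == "__main__":
    print("Server-side findings (part a):")
    for transform, findings in audit_responder(SERVER_ACCEPTS).items():
        print(f"  {transform}: {'; '.join(findings)}")
    chosen = negotiate(CLIENT_PROPOSAL, SERVER_ACCEPTS)
    print(f"Negotiated (part b): {chosen}")
    print(f"Risk with this client only (part c): {risk_in_practice(CLIENT_PROPOSAL, SERVER_ACCEPTS)}")
```

Running it reports the DES/group 1 transform as the only weak one, negotiates 3DES/SHA1/RSA Signature/group 2 exactly as the model answer states, and returns "lower" for part c). Swapping in a constructed legacy client that lists the DES/group 1 transform first flips the part c) answer to "unchanged", which is the case the model answer's "check that they are not required by connecting VPN peers" caveat is about.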
PGT
DCAWD Groupie
Posts: 1578
Joined: Mon Jun 04, 2007 11:06 am
Location: Loudoun

Re: Hippocratic Hackers

Post by PGT »

checks list. yep, we're on it. :wink:
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA

Re: Hippocratic Hackers

Post by Sabre »

PGT wrote: checks list. yep, we're on it. :wink:

Ya, I noticed that ;) Do you know the guys that passed the exam/s? Just curious if it is as hard as they say...
PGT
DCAWD Groupie
Posts: 1578
Joined: Mon Jun 04, 2007 11:06 am
Location: Loudoun

Re: Hippocratic Hackers

Post by PGT »

I don't. legacy Cybertrust people
Raven
Mr. Underpowered or something
Posts: 1221
Joined: Thu Feb 18, 2010 12:46 pm
Location: Manasty

Re: Hippocratic Hackers

Post by Raven »

So where would we draw the line at "harm"?
All my cars have drum brakes and are sub 200 hp, what am I doing with my life?
2013 Mazda 2
1994 Chevy S10 pickup
1985 Chevy Caprice (no fuel system)
gsx-lex
DCAWD Groupie
Posts: 699
Joined: Thu Dec 16, 2004 7:00 pm
Location: Columbia

Re: Hippocratic Hackers

Post by gsx-lex »

My $.02
While we may not have a hippocratic oath in the literal sense, we do have ethics which are derived from the typical engineering ethics (obligation to society, blah blah blah) that most are taught when studying a technical field. In my opinion, this is the benefit of going through the traditional college education route as opposed to just getting certs. Of course, there are other factors that motivate one's intent and I don't want to start a debate about the value of certs versus degree. Personally, I don't think malicious intent can be mitigated by a certification; I think this takes a long time of soul searching and persuasion in order to fine tune one's moral compass. It becomes much more tricky in our field because "doing the right thing" is subjective to your specific views and beliefs.

Sorry gentlemen, while I do absolutely believe that there are ethics involved in this type of work, I think that a non-technical, ethical certification misses the mark, and incorrectly implies that those who lack said cert are unethical.
Have turbo, will spool.
I <3 Lesbians