After years of performing these types of investigations, I feel the work has become stale and no longer challenging. With that said, my concern is that I am becoming stale, and that bothers me. So what am I doing about this dilemma? Well, in one of my previous posts here, I listed several things I do to remain current as best as I can when the work is stale and training budgets are a shoestring. My last two training sessions were SANS Fire 2012 FOR 508 and EnCase 7 transitions. In my opinion, that is not sufficient to keep an analyst current. 80 hrs. a year of classroom training should be the bare minimum, with trips to conferences for good measure.
The title of this post is “Problems and Solutions”. I am going to start posting on problems I encounter and then list my attempts at finding solutions to them. The latest problem I find myself encountering, aside from the above concerns, is responding to matters that involve UNIX servers. This may not seem like a big deal to a lot of DF analysts; however, for me, seeing as I spend 99.99% of my time in the Windows user-land environment, it is a big deal. That's because I have no previous exposure or experience with UNIX, aside from SIFT and Mac OS X if you will.
So what am I doing about it? That’s the solution part.
Responding to matters where you have no knowledge or experience in that particular area (UNIX) is not a pleasant feeling. I was very nervous and at a complete loss when asked, or pushed, into responding to issues involving UNIX. That was a few weeks ago. I do not like not knowing and feeling inadequate. So, to address that issue, I decided to tackle it the best way I could in the quickest way possible. I refused to continue on like this, as I knew it would just be a matter of time before I was asked again to look at another UNIX server.
Here is what I did, or continue to do, to address the problem.
1. I bought a NAS (QNAP) with embedded UNIX and started SSHing into the device to learn about the OS and its layout, in addition to learning about the applications/services it has installed.
2. Placed the device on the Internet and watched the logs fill up as it was being attacked. Within 60 minutes it was being attacked from China and Eastern Europe. Amazingly fun.
3. Purchased “Sams Teach Yourself UNIX in 24 Hours”. Banged through 5 hrs. in one day. Love the “w” command. Feeling like a pro already. Continuing through the lessons.
4. Got access to a UNIX server at work to understand the environment.
5. Engaged a UNIX engineer to hold meetings to discuss logs. It seems it's all about logs in UNIX: access logs, HTTP logs, terminal history logs, sulog, cron jobs, and the process accounting log.
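Step 2 and step 5 above both come down to reading the logs a UNIX host writes, so here is a small added example (not code from the original post) of the kind of check a responder runs over an sshd authentication log. The log lines are constructed for the example in the syslog format OpenSSH's sshd writes to auth.log or secure, using documentation IP ranges; the file path, host name and threshold are assumptions, not values from the post.

```python
"""Added example (not from the original post): summarise failed SSH logins
from constructed sshd syslog lines, the kind of entries the post describes
watching fill up on an Internet-exposed NAS."""
import re
from collections import Counter

# Constructed sample lines in the syslog format sshd writes to
# /var/log/auth.log or /var/log/secure (IPs are documentation ranges).
SAMPLE_AUTH_LOG = """\
Jun  3 02:14:07 nas sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  3 02:14:09 nas sshd[1201]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun  3 02:14:12 nas sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jun  3 02:15:40 nas sshd[1210]: Failed password for invalid user oracle from 198.51.100.23 port 40012 ssh2
Jun  3 02:16:01 nas sshd[1215]: Accepted password for admin from 192.0.2.10 port 53311 ssh2
Jun  3 02:17:30 nas sshd[1220]: Failed password for root from 203.0.113.7 port 51100 ssh2
Jun  3 02:18:02 nas sshd[1225]: Accepted password for root from 203.0.113.7 port 51120 ssh2
"""

# "invalid user" appears when the username does not exist on the host.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Return (failed, accepted): failed maps source IP -> Counter of
    usernames tried; accepted is a list of (user, ip) successful logins."""
    failed = {}
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed.setdefault(m["ip"], Counter())[m["user"]] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["user"], m["ip"]))
    return failed, accepted


def noisy_sources(failed, threshold=3):
    """Source IPs with at least `threshold` failed attempts, busiest first.
    The threshold is an assumed value; tune it to the host's normal traffic."""
    totals = {ip: sum(c.values()) for ip, c in failed.items()}
    return sorted((ip for ip, n in totals.items() if n >= threshold),
                  key=lambda ip: -totals[ip])


def successes_after_failures(failed, accepted):
    """Successful logins from an IP that also produced failures: these get a
    second look, because a password-guessing run may eventually have worked."""
    return [(u, ip) for u, ip in accepted if ip in failed]


if __name__ == "__main__":
    failed, accepted = parse_auth_log(SAMPLE_AUTH_LOG)
    for ip in noisy_sources(failed):
        print(ip, dict(failed[ip]))
    print("accepted:", accepted)
    print("suspicious successes:", successes_after_failures(failed, accepted))
```

On a real host you would feed the script the contents of the auth log instead of the embedded sample; the same three functions then give you the noisy sources, every successful login, and the successes that came from an address that had already been failing, which is the first thing to chase on a box that has been sitting on the Internet.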
These are the most active steps I am taking to address this problem. Now I am actually really enjoying UNIX. Why I did not start using and learning UNIX years ago is beyond me.
My point to this post is nicely summed up in the below quote.
Regards,
Mr.Orinoco