Friday, August 26, 2016

Make Mistakes (In A Controlled Way)

I'm taking a SANS class this week.  I'm a Facilitator.  It's not part of my job to help students with questions.  I'm here to help SANS set up, distribute the badges and course material, help the instructor with any errands that he needs, and help take everything back down.  However, when I know something, I try to help when I can because the instructor has a lot to do.

I've noticed that many students are embarrassed to ask for help.  I saw a guy having trouble with a lab.  He said that he would do the labs later.  I told him what the problem was, but he couldn't remember exactly what to do because he hadn't taken Linux in like 10 years, and we were using a Linux image.  I asked if I could have control of his laptop for a minute, and showed him exactly what I did.

Not remembering a class that you took 10 years ago, in something that you don't use daily, is nothing to be ashamed of.  I only remembered the commands I needed because I had made the same error and worked with Linux not long before then because I'm trying to learn some open source tools like Volatility.

We were working on a SQL Injection lab.  In the lab, we attacked a vulnerable web app that was running on our VM.  So, we attacked ourselves.  (My network adapter was turned completely off so that there was no chance that I could accidentally attack anyone else.  The loopback address 127.0.0.1 works regardless of whether the VM's network adapter is enabled or not.)  I probably looked like I didn't know much because I took a database class 10 years ago.  I used to know SQL fairly well, but when you don't use it daily, it's easy to forget.  It's also easy to pick back up, assuming that you knew it to begin with.  What is difficult is thinking in the way that an attacker might think.  So, I did the lab.  I still had time before class started up, so I tried attacking the vulnerable server in a different way.  I knew what I wanted to do, but I couldn't remember the syntax.  I looked up SQL.  I kept making mistakes until I figured it out.

Mistakes help you learn.  Will I be likely to make that mistake that I helped the lab guy with?  Probably not.  Why?  Because I learned from it.

Your peers are resources.  They may be strong in areas that you are not, and vice versa.  Never be ashamed to make mistakes, ask for help, and provide help in return in a learning environment.

I say to make mistakes in a controlled way, because you want to make certain that you have something correct before trying it on a production environment.  After the lab, some guys were saying, "I want to try it on my work database."  Don't do that!  At least not until you are sure that you know exactly what you are doing.  Any information that you might pull down, you could be liable for, depending on your locality's laws.  You may be violating some of your work policies, opening up the chance that you could get fired.  Until you have permission from your manager and lawyers, only test your knowledge against your own database, one belonging solely to you.
