My name is Damaris Ola-Foluwe and I’m a cybersecurity enthusiast. I attended an exclusive, free, all-female two-day cybersecurity boot-camp, an interesting and amazing one, organized by SheSecures and held on the 7th and 8th of April, 2018 in Lagos, Nigeria.
SheSecures is an organization registered in Lagos, Nigeria for female professionals and enthusiasts in cybersecurity. Through this initiative, SheSecures strives to build awareness of cybersecurity and information security, to engage existing professionals in knowledge sharing and mentoring that guides ladies interested in joining this amazing field, and to build Cyber Savvy Kids all around Africa. This article briefly summarizes my experience at the boot-camp, highlighting each session and the skills gained from it, and thanks the facilitators of the boot-camp.
Applications for the boot-camp were thrown open to the public, with the requirement that applicants be young African women in Lagos interested in building careers in cybersecurity.
I applied and was selected to go on to the next stage, which was an online Skype interview/chat. My interview was conducted by Ms Hamdalah Adetunji. Thank God I passed that stage!!! What followed was an invite to the boot-camp with instructions, the location, the time and a schedule for the boot-camp.
The boot-camp commenced with an introductory session. Everyone was asked to introduce themselves and say what sparked their interest in cybersecurity. There were various responses, but the ones that stood out for me were ladies deciding to change or switch careers; some wanting to advance their careers and take up more technical skills/roles; and some people like me, just starting out after graduation and willing to give cybersecurity a trial. This session was anchored by the lovely co-founder of SheSecures, Ms Lilian Douglas Ezeugo. It set us all at ease and made the atmosphere less conventional or official 🙂
The first session was titled Understanding and Breaking into Cybersecurity – The African Woman’s Guide: Wakanda Way. First of all, if you have not watched Black Panther, kindly go and do so; you need the inspiration and backdrop. This session was facilitated by Ms Sophina Kio-Lawson, SheSecures co-founder. She told us about fundamentals in cybersecurity such as the CIA triad (Confidentiality, Integrity and Availability), and about the two cornerstone paths in cybersecurity: technical (forensics, malware analysis, network security, social engineering, etc.) and managerial (audit, governance, risk and compliance, technical writing, journalism, etc.).
We were introduced to some free online resources for cybersecurity, such as Cybrary and SecurityTube, to the importance of conferences and meet-ups, and to the value of connecting with and following cybersecurity industry experts on LinkedIn and Twitter. She talked about steps such as gaining basic knowledge of fundamental concepts and the tools used, and the importance of getting an internship or entry-level position to start or advance your career in cybersecurity. She explained that practice is essential to starting and building your skills, and that everyone should have a virtual security lab with some essential tools.
Ms Veronica Ikpa facilitated the second session, titled Governance, Risk and Compliance (GRC) in Cybersecurity. She introduced us to the GRC framework; the role of authority/management in cybersecurity; risk management (identify, analyse, respond and report); and compliance with international standards such as ISO/IEC 2700, PCI DSS, ITIL, etc. She made us understand that for information security (cybersecurity) best practices to be effective in an organisation, they have to come from the “top” down to the “bottom”. This means the management has to be cyber aware, security conscious and well informed of the need for and importance of cybersecurity to their organisation. We concluded this session with an online practical demo on https://www.eramba.com.
The Setup Process
Before the third session, we all had to install VirtualBox/VMware, Kali Linux and Metasploitable. The facilitators provided the resources and guidance on how to install these tools and set up the virtual lab.
In between the afternoon sessions on both days, we had our lunch!! And it was the famous Nigerian jollof rice/fried rice, drinks and salad/moin-moin. We were given SheSecures T-shirts (white, black and turquoise blue) at the end of the first day of the boot-camp.
The third session was titled Forensics – Introduction to Steganography (Hiding Secret Messages with Examples) and was facilitated by Ms Hamdalah Adetunji. Steganography is the art and science of hiding information in plain sight; it is different from cryptography, which scrambles a message rather than concealing that it exists. This was the first technical session using Kali Linux, an operating system built for ethical hacking and anything and everything cybersecurity related. We installed Steghide via the terminal and used its CLI commands to embed data in and extract data from picture files. Concepts such as payload, cover medium, key, carrier, channel and cover text were briefly explained. Data can be hidden in almost anything, from video to image and audio files. Digital forensics is about recovering lost data after exploits and breaches, finding that important extra bit of knowledge in an otherwise “normal” file, or simply using digital tools to find lost evidence at a crime scene.
Ms Lilian Ezeugo Douglas facilitated the fourth session, titled Introduction to the Dark Web, Anonymous Calls, Email and Browsing. As a security professional, you have to be discreet while gathering information (reconnaissance) on your clients, performing exploits or just doing research to gain new skills. We used the website emkei.cz to send fake emails to ourselves posing as other people. She then taught us how to check email headers to detect such fake emails. The Dark Web is the part of the World Wide Web not indexed by normal search engines such as Google, Bing, etc. The Deep Net is the infrastructure (the part/section of the internet) that powers the Dark Web. She introduced us to DuckDuckGo and Tor, the onion browser, for anonymous browsing. The Deep Net is a dangerous place, so be careful while exploring. It should be noted that hacking has to be ethical for it to be legal.
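To make the header check concrete, here is an added Python example (my own illustration, not the session's material and not the emkei.cz tool) that parses a raw message and flags the mismatches a spoofed mail typically shows: an envelope sender (Return-Path) and a Reply-To on a different domain from the visible From, a failing SPF result in Authentication-Results, and an originating host in the bottom-most Received header that does not belong to the claimed domain. The message and every domain in it are constructed placeholders.

```python
# Added example: simple spoofing checks on raw email headers.
# The message below is constructed for this example; all domains are placeholders.
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: "From" claims example-bank.test, but the envelope sender,
# the originating host, the Reply-To and the SPF result all disagree with it.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example.net>
Received: from mailer.example.net (mailer.example.net [192.0.2.10])
    by mx.recipient.test with ESMTP id abc123
    for <damaris@recipient.test>; Sat, 7 Apr 2018 10:15:02 +0100
Authentication-Results: mx.recipient.test;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none
From: "Example Bank Support" <support@example-bank.test>
Reply-To: <attacker-box@webmail.example.org>
To: <damaris@recipient.test>
Subject: Urgent: confirm your account
Date: Sat, 7 Apr 2018 10:14:55 +0100

Please click the link to confirm your account.
"""

def header_domain(addr_header) -> str:
    """Return the lower-cased domain of an address header (From, Return-Path, Reply-To)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _same_org(host: str, domain: str) -> bool:
    """True when host is the domain itself or a sub-domain of it."""
    return host == domain or host.endswith("." + domain)

def spoofing_indicators(raw: str) -> list:
    """Return human-readable reasons the message looks spoofed.
    An empty list means none of these simple checks fired; it is not proof of authenticity."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    reply_dom = header_domain(msg["Reply-To"])

    # 1. Envelope sender (Return-Path) should normally match the visible From domain.
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom!r} != From domain {from_dom!r}")
    # 2. A Reply-To that redirects replies to another domain is a classic tell.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom!r} != From domain {from_dom!r}")
    # 3. Authentication-Results is written by the receiving server, not the sender.
    auth = str(msg["Authentication-Results"] or "").lower()
    if "spf=fail" in auth or "spf=softfail" in auth:
        reasons.append("SPF check failed for the envelope sender")
    if "dkim=pass" not in auth:
        reasons.append("no passing DKIM signature")
    # 4. The bottom-most Received header names the host that first handed the mail over.
    received = msg.get_all("Received") or []
    if received and from_dom:
        m = re.match(r"\s*from\s+(\S+)", str(received[-1]), re.IGNORECASE)
        if m and not _same_org(m.group(1).lower(), from_dom):
            reasons.append(f"message originated from {m.group(1)!r}, not {from_dom!r}")
    return reasons

if __name__ == "__main__":
    for reason in spoofing_indicators(RAW_MESSAGE):
        print("-", reason)
```

Run it on the headers you can see by choosing "show original" or "view source" in your mail client. An empty result only means these particular checks passed; a mail that passes them can still be fraudulent, and the Received chain and authentication results are the parts a sender cannot rewrite once the mail has reached your server.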
The fifth session, titled Google Dorking, was facilitated by Ms. Mosimiloluwa Omotoyosi. Google Dorking is the use of Google search operators to find otherwise hidden information on the internet, including exposed pages and files of web applications. With this knowledge you can direct the Google search engine to find virtually anything on the internet that Google has indexed. She introduced us to the Google Hacking Database (GHDB). We used search operators such as site:, intitle: and inurl: during the practice session.
The second day of the boot-camp started with the participants taking group and personal pictures with the facilitators. We were given a steg challenge, and nobody was able to extract the hidden file. One of us, Ms Chioma Amaechi, got the key “Congratulations!” and explained it to the early comers on the second day of the boot-camp. I am of the opinion that social media (Twitter in particular) compressing uploaded files was a major factor in why nobody was able to extract the secret file from the steganography challenge.
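Steghide works inside the image format itself, but the idea behind the steganography session and the failed challenge can be shown without an image library. The following added Python example (my own, not Steghide and not the boot-camp's challenge files) embeds a payload in the least significant bit of each sample of a constructed cover medium, masks it with a passphrase so the same key is needed to read it back, and then simulates what a lossy re-encode does to those low bits, which is why a cover downloaded from a service that recompresses uploads no longer yields the payload. The cover, the secret and the key are all constructed for the example.

```python
# Added example (my own, not Steghide and not the boot-camp's challenge files):
# least-significant-bit (LSB) embedding in a constructed cover medium.
import hashlib
import random

def _keystream(key: str, n: int) -> bytes:
    """Derive n mask bytes from the passphrase (SHA-256 in counter mode; toy-grade)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])

def embed(cover: bytes, payload: bytes, key: str) -> bytes:
    """Write a 4-byte length, then the key-masked payload, into the lowest bit of each sample."""
    masked = bytes(b ^ k for b, k in zip(payload, _keystream(key, len(payload))))
    data = len(payload).to_bytes(4, "big") + masked
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover medium too small for this payload")
    stego = bytearray(cover)
    for i, bit in enumerate(bits):
        stego[i] = (stego[i] & 0xFE) | bit   # change only the least significant bit
    return bytes(stego)

def _read_bytes(samples: bytes, bit_offset: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at `bit_offset`."""
    out = bytearray()
    for j in range(count):
        val = 0
        for i in range(8):
            val = (val << 1) | (samples[bit_offset + j * 8 + i] & 1)
        out.append(val)
    return bytes(out)

def extract(stego: bytes, key: str) -> bytes:
    """Read the length prefix, then unmask that many payload bytes with the same key."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("no valid payload found (length prefix is corrupt)")
    masked = _read_bytes(stego, 32, length)
    return bytes(b ^ k for b, k in zip(masked, _keystream(key, length)))

def lossy_recompress(samples: bytes, step: int = 4) -> bytes:
    """Simulate a lossy re-encode by quantising each sample to a multiple of `step`.
    Real JPEG recompression is far more involved, but it likewise throws away the LSBs."""
    return bytes((s // step) * step for s in samples)

# Constructed cover: 2048 pseudo-random 8-bit samples standing in for raw pixels.
_rng = random.Random(2018)
COVER = bytes(_rng.randrange(256) for _ in range(2048))
SECRET = b"flag{see-you-at-the-next-bootcamp}"   # constructed payload
KEY = "Congratulations!"                          # constructed passphrase

if __name__ == "__main__":
    stego = embed(COVER, SECRET, KEY)
    print("right key            :", extract(stego, KEY))
    print("wrong key            :", extract(stego, "not the key")[:8], "...")
    print("after lossy recompress:", extract(lossy_recompress(stego), KEY))
```

The cover looks the same before and after embedding because only the lowest bit of a few hundred samples changes, which is the "plain sight" part. The flip side is fragility: anything that rewrites those low bits, such as the recompression a social network applies to uploaded images, erases the payload even for someone holding the right key.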
Caesar came to the bootcamp, he left a message on the 5th seat. The first 16 characters are what you need.
“Htslwfyzqfyntsx!Dtz xtqaji dtzw knwxy hfjxfw hnumjw.
Uwjyyd gfxnh wnlmy!
Mjwj’x yt rtwj ijhnumjwnsl.
Pjju ymj lwnsi ts fsi its’y xytu.#Gjxfkj#Gjxjhzwji#XmjXjhzwjx.” pic.twitter.com/7GFgEbPgsu
— SheSecures (@she_secures) April 7, 2018
Amazingly, we had some male facilitators who came forward to show their support for SheSecures and the women’s cybersecurity community. One such person was Mr Eyitemi Egbejule, who facilitated the sixth session, titled Information Gathering – Reconnaissance. He gave us the six steps in penetration testing and introduced us to WhoIs, both the web-based and the terminal tool. WhoIs is a tool that can be used to gather information about target organizations.
For demonstration purposes we used a Nigerian school’s website and found lots of information that should not have been exposed. He explained how such information could be used during exploits and attacks. He also introduced us to Nmap (Network Mapper) and Zenmap (the GUI application for Nmap), which can be used to determine the network footprint of an organization. Using our virtual lab, with Kali as the attacker machine and Metasploitable as the victim (target) machine, we searched for open ports and vulnerable services on the target that could be used for exploits. He explained the essence of reconnaissance and why it is an important stage in pentesting. He told us that security researchers maintain lists of publicly known vulnerable services, such as Exploit DB, to aid in exploits.
The seventh session, titled Introduction to Web Application Pen Testing, was facilitated by Ms Kessianna Obajuwna. She explained what SQL injection is all about and how it can be used to exploit vulnerable web apps. SQL injection is the manipulation of SQL syntax, through user-supplied input, to gain unauthorised access to an application. Default usernames and passwords of frameworks, routers and other technology-based devices and applications should be changed, as those are the first credentials a pen tester would most likely try. In the practical session, we hacked into Mutillidae, a vulnerable web app on Metasploitable, using SQL injection.
Mr Abiodun Dabiri started his session by showing us a client’s web app that had been hacked and defaced, with the hacker demanding bitcoin. This example sent shivers down my spine as I realised security was a life-and-death affair and that security professionals are needed in their numbers to prevent and reduce cyber-attacks and exploits. The hacker had used SQL injection to break into the client’s web app. He told us about SQLMap, a tool that can be used to exploit databases. He also told us about insecure configurations in a popular web framework, especially frameworks that keep their configuration in environment variables. We did a lab pen test on a vulnerable web app he had developed years ago and surprised him by being able to guess the SQL syntax needed to bypass authorization. In web apps, files such as .env and .gitignore should not be accessible to random people/users.
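Both of the web application sessions come down to the same defect: the application builds its SQL query by pasting user input into the query string, so a quote character in the input becomes SQL syntax. Here is an added Python example (mine, not Mutillidae and not the facilitators' lab app) with a login check written that way beside the parameterised version, run against an in-memory SQLite table with constructed accounts.

```python
# Added example: the same login check with string concatenation (vulnerable)
# and with bound parameters (fixed), against an in-memory SQLite database.
# Accounts and passwords are constructed for this example.
import hashlib
import sqlite3

def _hash(pw: str) -> str:
    # SHA-256 keeps the example short; a real application would use a slow,
    # salted password hash such as bcrypt, scrypt or Argon2.
    return hashlib.sha256(pw.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    """Create a throwaway users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    for user, pw in [("admin", "correct horse battery staple"), ("damaris", "hunter2")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, _hash(pw)))
    conn.commit()
    return conn

def login_vulnerable(conn, username: str, password: str):
    """Concatenates user input into the SQL text. Returns the matched username or None.
    Anything the user types is interpreted as part of the query."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{_hash(password)}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_fixed(conn, username: str, password: str):
    """Same check with bound parameters: the driver sends the values separately
    from the SQL text, so input can never change the shape of the query."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, _hash(password)),
    ).fetchone()
    return row[0] if row else None

def demo() -> dict:
    """Run both versions with a legitimate login and with a classic injection string."""
    conn = make_db()
    # Closes the quoted username and turns the rest of the query into a comment,
    # so the password condition is never evaluated by the vulnerable version.
    injected = "admin' --"
    return {
        "vuln_good":    login_vulnerable(conn, "damaris", "hunter2"),
        "vuln_inject":  login_vulnerable(conn, injected, "anything"),
        "fixed_good":   login_fixed(conn, "damaris", "hunter2"),
        "fixed_inject": login_fixed(conn, injected, "anything"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:13s} -> {result}")
```

A quick tell that an application concatenates input is that a lone single quote in the username produces a database error instead of a normal "login failed" page; in the vulnerable function above that same quote is what lets the comment sequence discard the password check, while the parameterised version treats it as an ordinary character and simply finds no such user. Parameterised queries (prepared statements) are the fix; escaping or filtering quotes is not a substitute.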
The final session, titled Career Paths in Cybersecurity, was facilitated by Mr. Seun Oyelude. He explained the various career paths and the skills needed in each. The career paths include network security, application security, cloud security, forensics, IT audit, and risk and compliance. There was a discussion session for participants to make comments, ask questions, etc. Finally, we each got a certificate of participation, took more pictures and networked with one another and with the facilitators.
In conclusion, STAY WHITE! This means never use your knowledge for illegal, immoral and/or evil purposes. As a participant in the maiden edition of this all-female cybersecurity boot-camp, I was exposed to women in cybersecurity, encouraged to pursue a career as a network security professional and given a platform to acquire and develop skills in cybersecurity. For these reasons and many more, I am grateful to SheSecures for this opportunity and pray God takes them to greater heights.