Very often, people hear “SSH” and “two factor authentication” and assume you’re talking about an SSH keypair that’s got the private key protected with a passphrase. And while this is a reasonable approximation of a two factor system, it’s not actually two factor authentication because the server is not using two separate factors to authenticate the user. The only factor is the SSH keypair, and there’s no way for the server to know if that key was protected with a passphrase. However, OpenSSH has supported true two factor authentication for nearly 5 years now, so it’s quite possible to build even more robust security.

The Penetration Testing with Kali Linux (PWK) course is one of the most popular information security courses, culminating in a hands-on exam for the Offensive Security Certified Professional certification. It provides a hands-on learning experience for those looking to get into penetration testing or other areas of offensive security. These are some of the things you might want to know before attempting the PWK class or the OSCP exam.

Red Team: How to Succeed By Thinking Like the Enemy by Micah Zenko focuses on the role that red teaming plays in a variety of institutions, ranging from the Department of Defense to cybersecurity. It’s an excellent book that describes the thought process behind red teaming, when red teaming is a success and when it can be a failure, and the way a red team can best fit into an organization and provide value. If you’re looking for a book that’s highly technical or focused entirely on information security engineering, this book may disappoint. There’s only a single chapter covering the application of red teaming in the information security space (particularly “vulnerability probes” as Zenko refers to many of the tests), but that doesn’t make the rest of the content any less useful – or interesting – to the Red Team practitioner.

If there’s one thing I wish people from outside the security industry knew when dealing with information security, it’s that Security is not an absolute. Most of the time, it’s not even quantifiable. Even in the case of particular threat models, it’s often impossible to make statements about the security of a system with certainty.

A few months ago, I was shopping on woot.com and discovered the Gigastone Media Streamer Plus for about $25. I figured this might be something occassionally useful, or at least fun to look at for security vulnerabilities. When it arrived, I didn't get around to it for quite a while, and then when I finally did, I was terribly disappointed in it as a security research target -- it was just too easy.