CYBERWAR: Advanced Offensive Cyber Operations

I’m writing this post to let you know that the new night class version of the CyberWar: Advanced Offensive Cyber Operations course is ready to go. I’d love it if you’d sign up for this class. This is one superb class! Here is the CyberWar: Advanced Offensive Cyber Operations course outline.

Advanced Scanning & Enumeration

Attack Methodology

Identifying vulnerabilities

Using NMap NSE scripts

Writing your own NMap NSE scripts

Advanced Metasploit

Auxiliary modules

Post modules

Writing your own Auxiliary modules

Writing your own Post modules

Attacking Web Apps & Databases

Attacking Web Apps (ASPX, and PHP)

Web App – Tricky SQL Injections

Dealing with Web Application Firewalls

Attacking Big Data Solutions


Final Mission:

Students will attack the servers in the lab environment. These servers are much harder to penetrate than standard servers in the typical production environment. Similarly, these vulnerabilities are difficult to exploit (on purpose) – this particular class is designed with several complex targets to help students prepare for the OSCP exam network challenge certification.

Lab Network Access

Strategic Security now has a penetration tester’s target practice lab environment. Targets in the lab network will change on the 1st of every month. Students have the option to purchase 1 or 3 months access to the lab environment.

Students will receive:

  • 30 hours of CPEs
  • Several virtual machines
  • Courseware slides
  • Lab Manual
  • Lab access

Class Videos

Students will receive all class recordings via their emails. This will help them keep up with the class even if they have to miss time or even a whole day.


Each student will have access to an InfoSec Addicts Group for the class. Groups are where students can ask questions outside of the regular class hours. Additionally, this is where they can work with other students on lab exercises, homework, and challenges. A Strategic Security class mentor will be assigned to the InfoSec Addicts Group to answer questions (allow one day for responses). Likewise, a Customer Relationship Manager will get assigned to the class to manage questions and support issues.

Class Schedule

4th and 6th of June 2018 from 7pm to 9pm EST


Class Cost

The class cost is $200 with 1 month of lab access.


Register to attend the class:

Fill out this form to sign up for the class.


Unlimited classes:

If you know that you are interested in this class as well as other InfoSec classes then you should consider the unlimited classes package for $49.99 per month. You can find out more about it by clicking on the link below:


NOTE: Due to Joe McCray’s travel and work schedule (ex: short notice consulting/training engagements or changes to those engagements) classes may reschedule or cancel. In these situations a refund will NOT be granted as the class will re-run the following week, or additional days will be added to the class schedule to make up for this.

PCI and MFA – what it means to you

I just finished reading the PCI Guru blog post about Multi-Factor Authentication in the Payment Card Industry Data Security Standard (PCI DSS). PCI Guru Jeffrey Hall explains that requirement 8.3.1 doesn’t go into effect until February 1st, 2018. However, it states that you should:

“Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access”

CDE stands for Cardholder Data Environment. In his blog post, Jeffrey states that several organizations already have MFA implemented across the entire network and therefore believe that they are already compliant. Jeffrey then cites a more specific snippet of requirement 8.3.1:

“If the CDE is segmented from the rest of the entity’s network, then an administrator needs to use multi-factor authentication when connecting to a CDE system from a non-CDE network. Multi-factor authentication is moreover implementable at the network level or at system/application level; therefore it does not have to be both. If the administrator uses MFA when logging into the CDE network, then, they do not also need to use MFA to log into a particular system or application within the CDE.”

Jeffrey further makes his point by saying:

“We need to remember what drove the development of requirement 8.3.1 was a lesson learned from the Target and similar breaches. In all of these breaches, system administrators were spear phished allowing the attackers to access the CDE in one way or another. Requirement 8.3.1 minimizes this threat by requiring MFA to gain access to the CDE. So even if an attacker obtains an administrator’s credentials or compromises an administrator’s system, that fact in and of itself would not compromise the CDE.

This is why the guidance for 8.3.1 puts the MFA border at the CDE. If you have MFA implemented in order to gain access to your network, how does that stop the threat of phishing? It does not. A spear phishing attack against such an MFA implementation defeats the MFA because it is already applied. The MFA in this scenario does not stop access to the CDE.”



Ok, as much as I’m someone that heavily uses 2-factor authentication and recommends it to customers, please don’t think that it’s a silver bullet. Yes, attackers have bypassed 2-factor/MFA solutions for quite some time now.

Jeffrey, your recommendation isn’t wrong. However, the logic of the explanation on why to use it for the CDE is. Yes, tell the customer to implement MFA for the cardholder data environment.

Rather, explain and insist to the customer to use MFA to access the cardholder environment. We need not go knee deep explaining that if the attacker uses a spear-phishing attack against the MFA implementation, which, in addition, is applied to your entire network, that somehow spear phishing will not affect the MFA implementation that is applied to the cardholder data environment.


Besides, the council has released some guidance on MFA, and you can look at it here:

I certainly liked this article from a technical perspective:

Similarly, I liked this article most from an Assessor/Security professional’s point of view:

Particularly, I love how Adam Gaydosh finishes the blog post:

“While the PCI Community meeting is always good for keeping up on the latest issues, we find that now more than ever, the PCI-DSS needs pragmatism. The debates over MFA are interesting from an academic perspective but offered little practical insight, other than the fact that folks are quick to argue a position without understanding the details. MFA is still one of the best ways to shrink an attack surface area and increase security.

This debate also shows how PCI, like any complex standard, quickly devolves into nitpicking debates over minutiae. This is particularly why hands-on technology experience is such an important skill for any PCI assessor. Finally, your auditor must have the ability to translate the intent of the standard into the operational realities of your environment.”