Penetration Testing is Stupid - BsidesSF 2013
by
Brett Hardin
Slide 1: Penetration Testing is stupid
Slide 2: Brett Hardin @miscsecurity
Slide 3: (no text)
Slide 4: (no text)
Slide 5: pentesters
Slide 6: PENETRATION TESTING: Why, Who, Where, When, What
Slide 7: PENETRATION TESTING: What
Slide 8: Audience Participation: Educated Guess?
Slide 9: "A live test of the effectiveness of security defenses through mimicking the actions of real-life attackers." (ISACA)
Slide 10: test security defenses
Slide 11: mimicking real-life attackers
Slide 12: MIMIC THE REAL
Slide 13: Gunter Ollmann of Damballa on Real Attacks
Slide 14: Submit CV (2000)
Slide 15: USB Keys (2005)
Slide 16: Buy the machine (2009+)
Slide 17: Penetration tests are unique
Slide 18: Penetration testers are friendly
Slide 19: Penetration tests don’t simulate attacks
Slide 20: PENETRATION TESTING: Who
Slide 21: The Average Penetration tester
Slide 22: performed by
Slide 23: Jack Nicholson
Slide 24: I’M A PROFESSIONAL. TRUST ME.
Slide 25: I’LL TRY ‘PASSWORD’
Slide 26: I’LL TRY ‘PA55WORD’
Slide 27: LET ME IN. PLEASE.
Slide 28: YOU WILL LET ME IN.
Slide 29: WE’RE FRIENDS
Slide 30: WHY CAN’T I GET IN?
Slide 31: LOOK, A WAY IN.
Slide 32: THEY WERE SO DUMB
Slide 33: I’M GONNA REDRUM HIM
Slide 34: pentesters
Slide 35: The average penetration tester
Slide 36: The average are common
Slide 37: The average are necessary
Slide 38: The average are cheap
Slide 39: The average are simple to copy
Slide 40: The average follow methodologies
Slide 41: The best penetration testers
Slide 42: The best are rare
Slide 43: The best invent new attacks
Slide 44: The best are expensive
Slide 45: The best are overkill
Slide 46: The best mimic the real
Slide 47: The average mimic tools
Slide 48: MIMIC THE REAL
Slide 49: MIMIC THE REAL
Slide 50: PENETRATION TESTING: When
Slide 51: ATTACKS happen when you’re asleep
Slide 52: ATTACKS happen when you’re on vacation
Slide 53: ATTACKS happen when you have no budget
Slide 54: ATTACKS happen during business hours
Slide 55: ATTACKS happen when you are not ready
Slide 56: PENTESTS happen when you are ready
Slide 57: Date & Time & Resources
Slide 58: (no text)
Slide 59: Attackers aren’t limited by resources
Slide 60: MIMIC THE REAL
Slide 61: MIMIC THE REAL
Slide 62: PENETRATION TESTING: Where
Slide 63: Rules of Engagement
Slide 64: Internet
Slide 65: Web Application only
Slide 66: On-site
Slide 67: Dialup
Slide 68: The Wi-fi’s
Slide 69: ‘puters
Slide 70: News Flash
Slide 71: Attackers don’t care
Slide 72: Limits
Slide 73: Attackers aren’t limited by resources (previously learned)
Slide 74: Attackers aren’t limited by resources (Revision)
Slide 75: Attackers aren’t limited
Slide 76: Phone
Slide 77: MIMIC THE REAL
Slide 78: PENETRATION TESTING: Why
Slide 79: Penetration testing isn’t important
Slide 80: Penetration testing isn’t important to most organizations
Slide 81: Penetration testing doesn’t secure you
Slide 82: Penetration testing tests defenses
Slide 83: We’ve Convinced Everyone* it’s required
Slide 84: TANGENT ALERT
Slide 85: Penetration Testers love to diss vendors
Slide 86: Penetration Testers are vendors
Slide 87: BACK TO YOUR REGULARLY SCHEDULED PROGRAM
Slide 88: Penetration testing proves two things
Slide 89: One: Penetration testing proves vulnerability
Slide 90: One: Penetration testing proves vulnerability (adjective)
Slide 91: Two: Penetration testing identifies a few* risky issues
Slide 92: Two: Penetration testing identifies a few* risky issues (* Actual Results may vary)
Slide 93: known and unknown
Slide 94: new exploits aren’t needed
Slide 95: known exploits work
Slide 96: low-hanging fruit
Slide 97: New Exploits: expensive & rare
Slide 98: MIMIC THE REAL
Slide 99: When pen testing isn’t stupid
Slide 100: No more defensive ideas
Slide 101: No more low-hanging fruit
Slide 102: Management wants to assess security controls
Slide 103: check & balance
Slide 104: Why Who Where When What < Attackers are unique
Slide 105: Why Who Where When What < Different attack methods
Slide 106: Why Who Where When What < Unlimited by time
Slide 107: Why Who Where When What < No Rules of Engagement
Slide 108: Why Who Where When What < Doesn’t protect you
Slide 109: Summary: Penetration Tests don’t mimic real attacks
Slide 110: Summary: Penetration Tests don’t secure you
Slide 111: Summary: Penetration Tests test your defenses
Slide 112: Thanks.
Slide 113: Brett Hardin http://bretthard.in