Penetration Testing is Stupid - BsidesSF 2013

Transcript

1. Penetration Testing is stupid

2. Brett Hardin @miscsecurity

3. None
4. None

5. pentesters

6. Why Who Where When What PENETRATION TESTING Why Who Where

   When What

7. Why Who Where When What PENETRATION TESTING What

8. Audience Participation Educated Guess?

9. A live test of the effectiveness of security defenses through

   mimicking the actions of real-life attackers. ISACA

10. test security defenses

11. mimicking real-life attackers

12. MIMIC THE REAL

13. Gunter Ollmann of Damballa on Real Attacks

14. Submit CV 2000

15. USB Keys 2005 2000

16. Buy the machine 2009+ 2005 2000

17. Penetration tests are unique

18. Penetration testers are friendly

19. Penetration tests don’t simulate attacks

20. Why Who Where When What PENETRATION TESTING Who

21. The Average Penetration tester

22. performed by

23. Jack Nicholson

24. I’M A PROFESSIONAL TRUST ME.

25. I’LL TRY ‘PASSWORD’

26. I’LL TRY ‘PA55WORD’

27. LET ME IN. PLEASE.

28. YOU WILL LET ME IN.

29. WE’RE FRIENDS

30. WHY CAN’T I GET IN?

31. LOOK, A WAY IN.

32. THEY WERE SO DUMB

33. I’M GONNA REDRUM HIM

34. pentesters

35. The average penetration tester

36. The average are common

37. The average are necessary

38. The average are cheap

39. The average are simple to copy

40. The average follow methodologies

41. The best penetration testers

42. The best are rare

43. The best invent new attacks

44. The best are expensive

45. The best are overkill

46. The best mimic the real

47. The average mimic tools

48. MIMIC THE REAL

49. MIMIC THE REAL

50. Why Who Where When What PENETRATION TESTING When

51. ATTACKS happen when you’re asleep

52. ATTACKS happen when you’re on vacation

53. ATTACKS happen when you have no budget

54. ATTACKS happen when during business hours

55. ATTACKS happen when you are not ready

56. ATTACKS happen when you are ready PENTESTS

57. Date&Time&Resources

58. None

59. Attackers aren’t limited by resources

60. MIMIC THE REAL

61. MIMIC THE REAL

62. Why Who Where When What PENETRATION TESTING Where

63. Rules of Engagement

64. Internet

65. Web Application only

66. On-site

67. Dialup

68. The Wi-fi’s

69. ‘puters

70. News Flash

71. Attackers don’t care

72. Limits

73. Attackers aren’t limited by resources previously learned

74. Attackers aren’t limited by resources Revision

75. Attackers aren’t limited

76. Phone

77. MIMIC THE REAL

78. Why Who Where When What PENETRATION TESTING Why

79. Penetration testing isn’t important

80. Penetration testing isn’t important to most organizations

81. Penetration testing doesn’t secure you

82. Penetration testing tests defenses

83. required We’ve Convinced Everyone* it’s

84. TANGENT ALERT

85. Penetration Testers love to diss vendors

86. Penetration Testers are vendors

87. BACK TO YOUR REGULARLY SCHEDULED PROGRAM

88. Penetration testing proves two things

89. Penetration testing proves vulnerability One

90. Penetration testing proves vulnerability adjective One

91. Penetration testing identifies a few* risky issues Two

92. Penetration testing identifies a few* risky issues * Actual Results

    may vary Two

93. known and unknown

94. new exploits aren’t needed

95. known exploits work

96. low-hanging fruit

97. expensive & rare New Exploits

98. MIMIC THE REAL

99. When pen testing isn’t stupid

100. No more defensive ideas

101. No more low-hanging fruit

102. Management wants to assess security controls

103. check&balance

104. Why Who Where When What < Attackers are unique

105. Why Who Where When What < Different attack methods

106. Why Who Where When What < Unlimited by time

107. Why Who Where When What No Rules of Engagement <

108. Why Who Where When What < Doesn’t protect you

109. Penetration Tests don’t mimic real attacks summary

110. Penetration Tests don’t secure you summary

111. Penetration Tests test your defenses summary

112. Thanks.

113. Brett Hardin http://bretthard.in