Your SlideShare is downloading. ×
Penetration Testing 2.0 - Corporate Tiger Team
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Penetration Testing 2.0 - Corporate Tiger Team


Published on

Presentation given at the 2008 Ohio Information Security Summit, October 2008. This was the first presentation I did using skills learned from "presentation zen" which I highly recommend you …

Presentation given at the 2008 Ohio Information Security Summit, October 2008. This was the first presentation I did using skills learned from "presentation zen" which I highly recommend you read!

Attackers are evolving...and so must your penetration testing program.

No longer can an organization only conduct a "traditional" penetration test against network hosts. Why bother attacking your external firewall? That could be too difficult and time consuming for an attacker. Attackers have evolved to using "no tech" hacking techniques. These techniques allow an attacker to gain access to networks and corporate facilities to steal confidential customer information for identity theft, trade secrets, and to potentially damage the reputation of a corporation. There will always be multiple ways to gain access to this type of information so the external firewall, internal network, applications, and the human element of security all cannot be ignored. Whether you are a large or small corporation, the next step in evolving your penetration testing program begins with testing all areas of security in an organization.

This presentation will begin with an overview of emerging threats to organizations in the form of no tech means (social engineering, dumpster diving, tailgating, etc...) and include more recent technology threats such as client side attacks using phishing. We will talk about what a Tiger Team is, what areas of security the Tiger Team will address (physical, technology, application, security awareness), testing methodology, team formation (if you have the ability to do this internally) and what qualifications should you look for in a third-party penetration testing firm. Finally, we will conclude with a real-world example of a Corporate Tiger Team assessment from start to finish which will demonstrate how each area of security is tested.

Published in: Technology
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Penetration Testing 2.0: Corporate Tiger Team Tom Eston
  • 2. Why are you here? • Threats to your organization • Why a Tiger Team? • How can you do this? • Real world scenario •’s one of the last talks of the day!
  • 3. Threats to your organization (Yes, Dan Kaminsky is a threat...)
  • 4. No Tech Attacks
  • 5. Social Engineering “The clever manipulation of the natural human tendency to trust” “Because there is no patch for human stupidity”
  • 6. “Thief woos bank staff with chocolates... then steals $28 million in diamonds”
  • 7. 64%
  • 8. Dumpster Diving
  • 9. Tailgating
  • 10. This might be a problem...
  • 11. Shoulder Surfing
  • 12. Buy his book!
  • 13. Electronic Attacks
  • 14. External Network Attacks • Web applications • External servers • Wireless • DNS and BGP Internet Routing
  • 15. Help! Their attacking our clients! (aka: Internal Network Attacks)
  • 16. Phishing
  • 17. 94%
  • 18. Malfunction • Software glitches • Process breakdown • Act of God/War/Terrorism • Disruption
  • 19. What is a Tiger Team?
  • 20. What does a Tiger Team test?
  • 21. Physical Security
  • 22. Technology (Electronic)
  • 23. Application
  • 24. Security Awareness
  • 25. Testing Methodology • ISSAF/NIST 800-42 • OSSTMM v2 • OWASP Testing Guide • Other Penetration Testing Methodologies
  • 26. Team Formation
  • 27. Internal Team
  • 28. The need for “experts” • Physical Security • Network/Application Pentest • Social Engineering and People Skills!
  • 29. Third-Party Assisted
  • 30. What to look for in a 3rd Party? • Physical Security • Social Engineering • Network Penetration • Inguardians • Lares Consulting
  • 31. Conducting the Assessment
  • 32. What’s the goal?
  • 33. Get permission!
  • 34. Reconnaissance
  • 35. Maltego
  • 36. Penetration and Exploitation
  • 37. Coordinate the Attack
  • 38. Facility Walk Through
  • 39. Reporting and Clean-up
  • 40. Real World Assessment Example
  • 41. Tiger Team TV Show
  • 42. Let’s Review... • Threats to your organization • What is a tiger team, what can it test • Methodologies, how to form your team • Real world example