Penetration Testing 2.0 - Corporate Tiger Team
Presentation given at the 2008 Ohio Information Security Summit, October 2008. This was the first presentation I did using skills learned from "presentation zen" which I highly recommend you read!

Attackers are evolving...and so must your penetration testing program.

No longer can an organization conduct only a "traditional" penetration test against network hosts. Why bother attacking your external firewall? That could be too difficult and time consuming for an attacker. Attackers have evolved to using "no tech" hacking techniques. These techniques allow an attacker to gain access to networks and corporate facilities to steal confidential customer information for identity theft, to steal trade secrets, and potentially to damage the reputation of a corporation. There will always be multiple ways to gain access to this type of information, so none of the external firewall, the internal network, the applications, or the human element of security can be ignored. Whether you are a large or small corporation, the next step in evolving your penetration testing program begins with testing all areas of security in an organization.

This presentation will begin with an overview of emerging threats to organizations in the form of no tech means (social engineering, dumpster diving, tailgating, etc...) and include more recent technology threats such as client side attacks using phishing. We will talk about what a Tiger Team is, what areas of security the Tiger Team will address (physical, technology, application, security awareness), testing methodology, team formation (if you have the ability to do this internally), and what qualifications you should look for in a third-party penetration testing firm. Finally, we will conclude with a real-world example of a Corporate Tiger Team assessment from start to finish, which will demonstrate how each area of security is tested.

Penetration Testing 2.0 - Corporate Tiger Team Presentation Transcript

  • 1. Penetration Testing 2.0: Corporate Tiger Team Tom Eston
  • 2. Why are you here? • Threats to your organization • Why a Tiger Team? • How can you do this? • Real world scenario • ...it’s one of the last talks of the day!
  • 3. Threats to your organization (Yes, Dan Kaminsky is a threat...)
  • 4. No Tech Attacks
  • 5. Social Engineering “The clever manipulation of the natural human tendency to trust” “Because there is no patch for human stupidity”
  • 6. “Thief woos bank staff with chocolates... then steals $28 million in diamonds”
  • 7. 64%
  • 8. Dumpster Diving
  • 9. Tailgating
  • 10. This might be a problem...
  • 11. Shoulder Surfing
  • 12. Buy his book!
  • 13. Electronic Attacks
  • 14. External Network Attacks • Web applications • External servers • Wireless • DNS and BGP Internet Routing
  • 15. Help! They're attacking our clients! (aka: Internal Network Attacks)
  • 16. Phishing
  • 17. 94%
  • 18. Malfunction • Software glitches • Process breakdown • Act of God/War/Terrorism • Disruption
  • 19. What is a Tiger Team?
  • 20. What does a Tiger Team test?
  • 21. Physical Security
  • 22. Technology (Electronic)
  • 23. Application
  • 24. Security Awareness
  • 25. Testing Methodology • ISSAF/NIST 800-42 • OSSTMM v2 • OWASP Testing Guide • Other Penetration Testing Methodologies
  • 26. Team Formation
  • 27. Internal Team
  • 28. The need for “experts” • Physical Security • Network/Application Pentest • Social Engineering and People Skills!
  • 29. Third-Party Assisted
  • 30. What to look for in a 3rd Party? • Physical Security • Social Engineering • Network Penetration • Inguardians • Lares Consulting
  • 31. Conducting the Assessment
  • 32. What’s the goal?
  • 33. Get permission!
  • 34. Reconnaissance
  • 35. Maltego
  • 36. Penetration and Exploitation
  • 37. Coordinate the Attack
  • 38. Facility Walk Through
  • 39. Reporting and Clean-up
  • 40. Real World Assessment Example
  • 41. Tiger Team TV Show
  • 42. Let’s Review... • Threats to your organization • What is a tiger team, what can it test • Methodologies, how to form your team • Real world example