Penetration Testing 2.0 - Corporate Tiger Team


Published on

Presentation given at the 2008 Ohio Information Security Summit, October 2008. This was the first presentation I did using skills learned from "presentation zen" which I highly recommend you read!

Attackers are evolving...and so must your penetration testing program.

No longer can an organization only conduct a "traditional" penetration test against network hosts. Why bother attacking your external firewall? That could be too difficult and time consuming for an attacker. Attackers have evolved to using "no tech" hacking techniques. These techniques allow an attacker to gain access to networks and corporate facilities to steal confidential customer information for identity theft, trade secrets, and to potentially damage the reputation of a corporation. There will always be multiple ways to gain access to this type of information so the external firewall, internal network, applications, and the human element of security all cannot be ignored. Whether you are a large or small corporation, the next step in evolving your penetration testing program begins with testing all areas of security in an organization.

This presentation will begin with an overview of emerging threats to organizations in the form of no tech means (social engineering, dumpster diving, tailgating, etc...) and include more recent technology threats such as client side attacks using phishing. We will talk about what a Tiger Team is, what areas of security the Tiger Team will address (physical, technology, application, security awareness), testing methodology, team formation (if you have the ability to do this internally) and what qualifications should you look for in a third-party penetration testing firm. Finally, we will conclude with a real-world example of a Corporate Tiger Team assessment from start to finish which will demonstrate how each area of security is tested.

Published in: Technology

Penetration Testing 2.0 - Corporate Tiger Team

  1. 1. Penetration Testing 2.0: Corporate Tiger Team Tom Eston
  2. 2. Why are you here? • Threats to your organization • Why a Tiger Team? • How can you do this? • Real world scenario •’s one of the last talks of the day!
  3. 3. Threats to your organization (Yes, Dan Kaminsky is a threat...)
  4. 4. No Tech Attacks
  5. 5. Social Engineering “The clever manipulation of the natural human tendency to trust” “Because there is no patch for human stupidity”
  6. 6. “Thief woos bank staff with chocolates... then steals $28 million in diamonds”
  7. 7. 64%
  8. 8. Dumpster Diving
  9. 9. Tailgating
  10. 10. This might be a problem...
  11. 11. Shoulder Surfing
  12. 12. Buy his book!
  13. 13. Electronic Attacks
  14. 14. External Network Attacks • Web applications • External servers • Wireless • DNS and BGP Internet Routing
  15. 15. Help! Their attacking our clients! (aka: Internal Network Attacks)
  16. 16. Phishing
  17. 17. 94%
  18. 18. Malfunction • Software glitches • Process breakdown • Act of God/War/Terrorism • Disruption
  19. 19. What is a Tiger Team?
  20. 20. What does a Tiger Team test?
  21. 21. Physical Security
  22. 22. Technology (Electronic)
  23. 23. Application
  24. 24. Security Awareness
  25. 25. Testing Methodology • ISSAF/NIST 800-42 • OSSTMM v2 • OWASP Testing Guide • Other Penetration Testing Methodologies
  26. 26. Team Formation
  27. 27. Internal Team
  28. 28. The need for “experts” • Physical Security • Network/Application Pentest • Social Engineering and People Skills!
  29. 29. Third-Party Assisted
  30. 30. What to look for in a 3rd Party? • Physical Security • Social Engineering • Network Penetration • Inguardians • Lares Consulting
  31. 31. Conducting the Assessment
  32. 32. What’s the goal?
  33. 33. Get permission!
  34. 34. Reconnaissance
  35. 35. Maltego
  36. 36. Penetration and Exploitation
  37. 37. Coordinate the Attack
  38. 38. Facility Walk Through
  39. 39. Reporting and Clean-up
  40. 40. Real World Assessment Example
  41. 41. Tiger Team TV Show
  42. 42. Let’s Review... • Threats to your organization • What is a tiger team, what can it test • Methodologies, how to form your team • Real world example