Presentation given at the 2008 Ohio Information Security Summit, October 2008. This was the first presentation I did using skills learned from "Presentation Zen", which I highly recommend you read!
Attackers are evolving...and so must your penetration testing program.
No longer can an organization only conduct a "traditional" penetration test against network hosts. Why bother attacking your external firewall? That could be too difficult and time-consuming for an attacker. Attackers have evolved to using "no tech" hacking techniques. These techniques allow an attacker to gain access to networks and corporate facilities in order to steal confidential customer information for identity theft, steal trade secrets, and potentially damage the reputation of a corporation. There will always be multiple ways to gain access to this type of information, so the external firewall, the internal network, applications, and the human element of security must all be taken into account. Whether you are a large or small corporation, the next step in evolving your penetration testing program begins with testing all areas of security in an organization.
This presentation will begin with an overview of emerging threats to organizations in the form of no tech means (social engineering, dumpster diving, tailgating, etc.) and include more recent technology threats such as client-side attacks using phishing. We will talk about what a Tiger Team is, what areas of security the Tiger Team will address (physical, technology, application, security awareness), testing methodology, team formation (if you have the ability to do this internally), and what qualifications you should look for in a third-party penetration testing firm. Finally, we will conclude with a real-world example of a Corporate Tiger Team assessment from start to finish, which will demonstrate how each area of security is tested.