SlideShare a Scribd company logo

So, you wanna be a pen tester

Download as PPTX, PDF
A
Adrien de Beaupre

So, you wanna be a pen tester? Are you Sure? On Security Weekly episode 486! https://youtu.be/bvKZvae3HiQ?list=PLlPkFwQHxYE4atQRxwAsTux2PmOuWGgAA

Career
1 of 14
so, you wanna be a pen tester? are you sure?
wots a pentest? • circumvention of security controls. • identifying alternate functionality in a ‘system’. • identifying alternate means of accessing functionality in a ‘system’. • generally a very thorough and technical assessment of the security controls and functionality in a ‘system’. • wots a ‘system’? those things that provide business functionality and access to information. (app, end point, protocol…) • wots a pentester? deliberate professional breaker of things. hacker.
why? • people seem to think that it is a sexy profession. • oddly enough it is at least 50% boring and frustrating. • then you write reports, that’s the exciting part. • the actual exploitation is such a small part of the thing. • there is an industry over emphasis on the ‘hacking’ thing… • are you sure? it can be a lot of work. • it really isn’t about the hack, it’s about making things better.
what are the top 10 thingies… • probably the number one question, what are the top 10 coolest most important hacking tools for penetration testers? • what are the top 10 skills that are important to become the worlds greatest hacker? make up lots of lies, plagiarize, and write a book! • how do I become the bestest cyber hacker? • can you hack my buddies hotmail for me? • do I need a cool hacker handle? • love the next two questions… • do I really need to learn all that stuff to be a cool hacker? • do I really have to work hard for many years to be a pentester? • the best one: i have a $CERT or degree in * so that makes me an expert!!
what you really need • attitude, aptitude, and initiative. • desire. • dedication. • discipline. • integrity. • ethics. • experience. • knowledge. • tools. • so, how do I get me some?
tools? • while somewhat important to the specific engagement the tools are not as important overall. the most important things are: • deep technical knowledge. • team composition. • project planning. • scoping (what you can test). • rules of engagement (tests you can run). • logistics and controls. • understanding the goals and objectives. • methodology! and creativity! • oh and writing and analysis…
no honestly, which tools do I need? • the only required tool is the matter most (some) people have between their ears. brains. • a friend of mine said that the only tools are perspective and perception… the rest are just pretty accessories and squirrels and shiny things • the honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. scripting is very very very very useful. learn one • the remainder depend heavily on the nature of the engagement. • it honestly isn’t about the tools, it’s about having the appropriate tool to efficiently and effectively meet the pentest objectives. whichever tools meets the requirements, they are mostly interchangeable. • often pen testers talk about tactics, tools, techniques, and methodologies. the tools are interchangeable for the most part.
ok, then what do we actually need? • people with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled professional manner. oh and teamwork and soft skills, who can write. • process, which includes determining the scope of the project, rules of engagement, plus details like policies and process and procedures. • technology. the tools are the easy part, anyone can download the tools, which are readily available, but in the hands of an unskilled individual they may do a lot of damage, and do not always achieve the objective of identifying and demonstrating risk. • pen testers are restricted by scope, legality, morality, and ethics, and there are rules of engagement, always have both hands tied behind our backs. we can’t do all the things that the attackers can do. bummer. • you have to be the ball. what? (caddy shack)
no, what about me? • how do I get to be a pentester? • ask really good questions. then find answers. that’s it. • honestly i have no idea, i can tell you what i did, and i can tell you the things I would look for in new hires when i was a manager… • my degree is in political science, but i have played with computers and networks since the early 1980’s. i like to break stuff. • i have always said that i can teach people the technology, but i cannot teach good attitude, good team fit, problem solving, or curiosity • why does this presentation seem like random rambling? • why are your slides so boring?
what do I need? • passion! • interesting question in that we tend to think in terms of a single lone wolf penetration tester, when the truth is that the best engagements are run with teams. • some of the skills that are required on that team are project management, creativity, being methodical, analysis, and writing. am i getting repetitive? • some will need an extensive background in information security, and to be very technical in their areas of expertise. • team membership will vary based on the specifics of each engagement, expertise in web skills are not as useful in a wireless or network test. • oh, and someone to run the scanning tools. minions! • a good security analyst and project manager are worth 100 testers!
what is the path? • you may have noticed the theme to this discussion by now. • highly technical and specialized knowledge moving into information security as a pentester. they often have mucho academic background and technical experience, may be self-taught. • information security generalist willing to acquire technical skills to become a pentester. unless there is mucho training budget often will have to be self-taught. academics and certifications might help. • it specialist: developer, dba, architect, network, sysadmin…! • forge your own path, there is no spoon. • must have a deep understanding what it is you are trying to pentest. • i have met very few who started out their career as a pentester…
where? • mentors. • communities. • education, training, certifications are one way. • being the security person on an IT team. • taking the initiative and learning on your own, or a mix. • boutique consulting firms. • large consulting integration or services firms. • many enterprises had red or purple teams. • what the industry really needs are more blue team people who know how offensive security works…
is that your final answer? • no. • it is up to you to learn, to ensure that you can do it. • nobody else can do it for you. • if this is your chosen career path, do not take no for an answer. • make it happen, do it. now I sound like a broken nike commercial • do the hard work, learn what you need to learn. • it isn’t about what others have done, it is your journey. • make it your precious, your passion, you will make it. • not everyone gets to be a pen tester, sorry • lots of openings in blue team.
questions? it is entirely possible that I do not have any answers that you will like  Adrien de Beaupré, lots of certs and stuff penetration tester and SANS instructor a member of the fellowship of the testers of pens Twitter @adriendb adriendb@gmail.com 1 613 797 3912 http://www.intru-shun.ca https://www.sans.org/instructors/adrien-de-beaupre

Recommended

So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017Adrien de Beaupre
 
Letter of Recommendation
Letter of RecommendationLetter of Recommendation
Letter of RecommendationShanayAbbas Fazal
 
六合采:六和彩图库
六合采:六和彩图库六合采:六和彩图库
六合采:六和彩图库6hc1846
 
Carissa & Josh Wedding SlideShow
Carissa & Josh Wedding SlideShowCarissa & Josh Wedding SlideShow
Carissa & Josh Wedding SlideShowcarissa2286
 
hvac_basics
hvac_basicshvac_basics
hvac_basicsSaptarshi Das
 
Cache is king
Cache is kingCache is king
Cache is kingedrone
 
Blogging
BloggingBlogging
Bloggingheinricb
 
Sierra Nevada, Granada
Sierra Nevada, GranadaSierra Nevada, Granada
Sierra Nevada, GranadaJosé Jiménez
 

Recommended

So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017So, you wanna be a pen tester ctsc2017
So, you wanna be a pen tester ctsc2017Adrien de Beaupre
 
Letter of Recommendation
Letter of RecommendationLetter of Recommendation
Letter of RecommendationShanayAbbas Fazal
 
六合采:六和彩图库
六合采:六和彩图库六合采:六和彩图库
六合采:六和彩图库6hc1846
 
Carissa & Josh Wedding SlideShow
Carissa & Josh Wedding SlideShowCarissa & Josh Wedding SlideShow
Carissa & Josh Wedding SlideShowcarissa2286
 
hvac_basics
hvac_basicshvac_basics
hvac_basicsSaptarshi Das
 
Cache is king
Cache is kingCache is king
Cache is kingedrone
 
Blogging
BloggingBlogging
Bloggingheinricb
 
Sierra Nevada, Granada
Sierra Nevada, GranadaSierra Nevada, Granada
Sierra Nevada, GranadaJosé Jiménez
 
Η γλώσσα προγραμματισμού Clipper.
Η γλώσσα προγραμματισμού Clipper.Η γλώσσα προγραμματισμού Clipper.
Η γλώσσα προγραμματισμού Clipper.Stathis Gourzis
 
FootGaming for Behavior Modification
FootGaming for Behavior ModificationFootGaming for Behavior Modification
FootGaming for Behavior ModificationExer Learning
 
Khgd tinh.205
Khgd tinh.205Khgd tinh.205
Khgd tinh.205vinhduchanh
 
Parts of speech menu project complete packet
Parts of speech menu project complete packetParts of speech menu project complete packet
Parts of speech menu project complete packetcbalsamo
 
Etre hepatant 05_2016
Etre hepatant 05_2016Etre hepatant 05_2016
Etre hepatant 05_2016soshepatites
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
Granada: Sierra Nevada
Granada: Sierra NevadaGranada: Sierra Nevada
Granada: Sierra NevadaJose Antonio Tamarit
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherAnton Chuvakin
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton Chuvakin
 
Etre hepatant 01_2016
Etre hepatant 01_2016Etre hepatant 01_2016
Etre hepatant 01_2016soshepatites
 
Tài liệu (phần 2) | Tài liệu GMP
Tài liệu (phần 2) | Tài liệu GMPTài liệu (phần 2) | Tài liệu GMP
Tài liệu (phần 2) | Tài liệu GMPCông ty cổ phần GMPc Việt Nam | Tư vấn GMP, HS GMP, CGMP ASEAN, EU GMP, WHO GMP
 
Nhân sự | Tài liệu GMP
Nhân sự | Tài liệu GMPNhân sự | Tài liệu GMP
Nhân sự | Tài liệu GMPCông ty cổ phần GMPc Việt Nam | Tư vấn GMP, HS GMP, CGMP ASEAN, EU GMP, WHO GMP
 
Андрей Гавриков: Как понять целевую аудиторию?
Андрей Гавриков: Как понять целевую аудиторию?Андрей Гавриков: Как понять целевую аудиторию?
Андрей Гавриков: Как понять целевую аудиторию?Alexander Rys
 
Ms powerpoint
Ms powerpointMs powerpoint
Ms powerpointRahul Kantak
 
Александр Рысь: Продающая email рассылка
Александр Рысь: Продающая email рассылка Александр Рысь: Продающая email рассылка
Александр Рысь: Продающая email рассылка Alexander Rys
 
Star delta trsformation
Star delta trsformationStar delta trsformation
Star delta trsformationHem Bhattarai
 
RAM RESUME CURRENT
RAM RESUME CURRENTRAM RESUME CURRENT
RAM RESUME CURRENTRichard Marose
 
MS PowerPoint for Begninners
MS PowerPoint for BegninnersMS PowerPoint for Begninners
MS PowerPoint for BegninnersMinna Corcuera
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 
Tech Tools for Nonprofits
Tech Tools for NonprofitsTech Tools for Nonprofits
Tech Tools for NonprofitsDeron Tse
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Jack Pringle
 

More Related Content

Viewers also liked

Η γλώσσα προγραμματισμού Clipper.
Η γλώσσα προγραμματισμού Clipper.Η γλώσσα προγραμματισμού Clipper.
Η γλώσσα προγραμματισμού Clipper.Stathis Gourzis
 
FootGaming for Behavior Modification
FootGaming for Behavior ModificationFootGaming for Behavior Modification
FootGaming for Behavior ModificationExer Learning
 
Parts of speech menu project complete packet
Parts of speech menu project complete packetParts of speech menu project complete packet
Parts of speech menu project complete packetcbalsamo
 
Etre hepatant 05_2016
Etre hepatant 05_2016Etre hepatant 05_2016
Etre hepatant 05_2016soshepatites
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010Chris Gates
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton ChuvakinAnton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherAnton Chuvakin
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton Chuvakin
 
Etre hepatant 01_2016
Etre hepatant 01_2016Etre hepatant 01_2016
Etre hepatant 01_2016soshepatites
 
Андрей Гавриков: Как понять целевую аудиторию?
Андрей Гавриков: Как понять целевую аудиторию?Андрей Гавриков: Как понять целевую аудиторию?
Андрей Гавриков: Как понять целевую аудиторию?Alexander Rys
 
Александр Рысь: Продающая email рассылка
Александр Рысь: Продающая email рассылка Александр Рысь: Продающая email рассылка
Александр Рысь: Продающая email рассылка Alexander Rys
 
Star delta trsformation
Star delta trsformationStar delta trsformation
Star delta trsformationHem Bhattarai
 
MS PowerPoint for Begninners
MS PowerPoint for BegninnersMS PowerPoint for Begninners
MS PowerPoint for BegninnersMinna Corcuera
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataErtugrul Akbas
 

Viewers also liked (20)

Η γλώσσα προγραμματισμού Clipper.
Η γλώσσα προγραμματισμού Clipper.Η γλώσσα προγραμματισμού Clipper.
Η γλώσσα προγραμματισμού Clipper.
 
FootGaming for Behavior Modification
FootGaming for Behavior ModificationFootGaming for Behavior Modification
FootGaming for Behavior Modification
 
Khgd tinh.205
Khgd tinh.205Khgd tinh.205
Khgd tinh.205
 
Parts of speech menu project complete packet
Parts of speech menu project complete packetParts of speech menu project complete packet
Parts of speech menu project complete packet
 
Etre hepatant 05_2016
Etre hepatant 05_2016Etre hepatant 05_2016
Etre hepatant 05_2016
 
Appsec DC - wXf -2010
Appsec DC - wXf -2010Appsec DC - wXf -2010
Appsec DC - wXf -2010
 
Granada: Sierra Nevada
Granada: Sierra NevadaGranada: Sierra Nevada
Granada: Sierra Nevada
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management TogetherMaking Log Data Useful: SIEM and Log Management Together
Making Log Data Useful: SIEM and Log Management Together
 
Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'Anton's Log Management 'Worst Practices'
Anton's Log Management 'Worst Practices'
 
Etre hepatant 01_2016
Etre hepatant 01_2016Etre hepatant 01_2016
Etre hepatant 01_2016
 
Tài liệu (phần 2) | Tài liệu GMP
Tài liệu (phần 2) | Tài liệu GMPTài liệu (phần 2) | Tài liệu GMP
Tài liệu (phần 2) | Tài liệu GMP
 
Nhân sự | Tài liệu GMP
Nhân sự | Tài liệu GMPNhân sự | Tài liệu GMP
Nhân sự | Tài liệu GMP
 
Андрей Гавриков: Как понять целевую аудиторию?
Андрей Гавриков: Как понять целевую аудиторию?Андрей Гавриков: Как понять целевую аудиторию?
Андрей Гавриков: Как понять целевую аудиторию?
 
Ms powerpoint
Ms powerpointMs powerpoint
Ms powerpoint
 
Александр Рысь: Продающая email рассылка
Александр Рысь: Продающая email рассылка Александр Рысь: Продающая email рассылка
Александр Рысь: Продающая email рассылка
 
Star delta trsformation
Star delta trsformationStar delta trsformation
Star delta trsformation
 
RAM RESUME CURRENT
RAM RESUME CURRENTRAM RESUME CURRENT
RAM RESUME CURRENT
 
MS PowerPoint for Begninners
MS PowerPoint for BegninnersMS PowerPoint for Begninners
MS PowerPoint for Begninners
 
Log correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance dataLog correlation SIEM rule examples and correlation engine performance data
Log correlation SIEM rule examples and correlation engine performance data
 

Similar to So, you wanna be a pen tester

Tech Tools for Nonprofits
Tech Tools for NonprofitsTech Tools for Nonprofits
Tech Tools for NonprofitsDeron Tse
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Jack Pringle
 
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017Archersan
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
 
NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016Vishnu Prem
 
How to Prepare for and Survive a Technical Interview
How to Prepare for and Survive a Technical InterviewHow to Prepare for and Survive a Technical Interview
How to Prepare for and Survive a Technical InterviewPerl Careers
 
Marketing Your Open Source Project
Marketing Your Open Source ProjectMarketing Your Open Source Project
Marketing Your Open Source Projectdeirdrestraughan
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Rachel Harpley
 
"What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h..."What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h...Ethien
 
Charity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamCharity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamHeavybit
 
Increasing your corporate value
Increasing your corporate value Increasing your corporate value
Increasing your corporate value LavaConConference
 
Tech and Ethics
Tech and EthicsTech and Ethics
Tech and EthicsDeb Osborn
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Kimberley Dray
 
Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Gerald Mayfield
 
Building a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering FailureBuilding a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering Failurejgoulah
 
Why i hate digital forensics - draft
Why i hate digital forensics - draftWhy i hate digital forensics - draft
Why i hate digital forensics - draftDamir Delija
 
Be the Captain of Your Career
Be the Captain of Your Career Be the Captain of Your Career
Be the Captain of Your Career Jack Molisani
 
You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)
You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)
You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)Peter Gfader
 

Similar to So, you wanna be a pen tester (20)

Tech Tools for Nonprofits
Tech Tools for NonprofitsTech Tools for Nonprofits
Tech Tools for Nonprofits
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
 
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
 
NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016
 
How to Prepare for and Survive a Technical Interview
How to Prepare for and Survive a Technical InterviewHow to Prepare for and Survive a Technical Interview
How to Prepare for and Survive a Technical Interview
 
Final project
Final projectFinal project
Final project
 
Marketing Your Open Source Project
Marketing Your Open Source ProjectMarketing Your Open Source Project
Marketing Your Open Source Project
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021
 
"What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h..."What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h...
 
Charity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamCharity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops Team
 
Increasing your corporate value
Increasing your corporate value Increasing your corporate value
Increasing your corporate value
 
Tech and Ethics
Tech and EthicsTech and Ethics
Tech and Ethics
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
 
Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891
 
Building a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering FailureBuilding a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering Failure
 
Why i hate digital forensics - draft
Why i hate digital forensics - draftWhy i hate digital forensics - draft
Why i hate digital forensics - draft
 
Think Digital - developing agile, responsive organisations | Dave Briggs | Oc...
Think Digital - developing agile, responsive organisations | Dave Briggs | Oc...Think Digital - developing agile, responsive organisations | Dave Briggs | Oc...
Think Digital - developing agile, responsive organisations | Dave Briggs | Oc...
 
Be the Captain of Your Career
Be the Captain of Your Career Be the Captain of Your Career
Be the Captain of Your Career
 
You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)
You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)
You Cant Be Agile If Your Code Sucks (with 9 Tips For Dev Teams)
 

Recently uploaded

VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...Suhani Kapoor
 
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...Suhani Kapoor
 
Dark Dubai Call Girls O525547819 Skin Call Girls Dubai
Dark Dubai Call Girls O525547819 Skin Call Girls DubaiDark Dubai Call Girls O525547819 Skin Call Girls Dubai
Dark Dubai Call Girls O525547819 Skin Call Girls Dubaikojalkojal131
 
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With RoomVIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Roomdivyansh0kumar0
 
VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...
VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...
VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...Suhani Kapoor
 
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Experience Certificate - Marketing Analyst-Soham Mondal.pdf
Experience Certificate - Marketing Analyst-Soham Mondal.pdfExperience Certificate - Marketing Analyst-Soham Mondal.pdf
Experience Certificate - Marketing Analyst-Soham Mondal.pdfSoham Mondal
 
CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳
CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳
CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳anilsa9823
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceanilsa9823
 
Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...
Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...
Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...shivangimorya083
 
Employee of the Month - Samsung Semiconductor India Research
Employee of the Month - Samsung Semiconductor India ResearchEmployee of the Month - Samsung Semiconductor India Research
Employee of the Month - Samsung Semiconductor India ResearchSoham Mondal
 
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...Call Girls in Nagpur High Profile
 
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...Suhani Kapoor
 
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...Niya Khan
 
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理cowagem
 
Low Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service Cuttack
Low Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service CuttackLow Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service Cuttack
Low Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service CuttackSuhani Kapoor
 
Call Girl in Low Price Delhi Punjabi Bagh 9711199012
Call Girl in Low Price Delhi Punjabi Bagh 9711199012Call Girl in Low Price Delhi Punjabi Bagh 9711199012
Call Girl in Low Price Delhi Punjabi Bagh 9711199012sapnasaifi408
 
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call GirlsDelhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girlsshivangimorya083
 

Recently uploaded (20)

VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
VIP Call Girls Service Saharanpur Aishwarya 8250192130 Independent Escort Ser...
 
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
Low Rate Call Girls Gorakhpur Anika 8250192130 Independent Escort Service Gor...
 
Dark Dubai Call Girls O525547819 Skin Call Girls Dubai
Dark Dubai Call Girls O525547819 Skin Call Girls DubaiDark Dubai Call Girls O525547819 Skin Call Girls Dubai
Dark Dubai Call Girls O525547819 Skin Call Girls Dubai
 
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With RoomVIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
VIP Kolkata Call Girl Lake Gardens 👉 8250192130 Available With Room
 
VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...
VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...
VIP Call Girls Firozabad Aaradhya 8250192130 Independent Escort Service Firoz...
 
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Ex 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Experience Certificate - Marketing Analyst-Soham Mondal.pdf
Experience Certificate - Marketing Analyst-Soham Mondal.pdfExperience Certificate - Marketing Analyst-Soham Mondal.pdf
Experience Certificate - Marketing Analyst-Soham Mondal.pdf
 
CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳
CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳
CALL ON ➥8923113531 🔝Call Girls Husainganj Lucknow best Female service 🧳
 
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual serviceCALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
CALL ON ➥8923113531 🔝Call Girls Gosainganj Lucknow best sexual service
 
Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...
Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...
Delhi Call Girls Preet Vihar 9711199171 ☎✔👌✔ Whatsapp Body to body massage wi...
 
Employee of the Month - Samsung Semiconductor India Research
Employee of the Month - Samsung Semiconductor India ResearchEmployee of the Month - Samsung Semiconductor India Research
Employee of the Month - Samsung Semiconductor India Research
 
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
Booking open Available Pune Call Girls Ambegaon Khurd 6297143586 Call Hot In...
 
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
VIP Russian Call Girls in Bhilai Deepika 8250192130 Independent Escort Servic...
 
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
Neha +91-9537192988-Friendly Ahmedabad Call Girls has Complete Authority for ...
 
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls South Delhi 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理OSU毕业证留学文凭,制做办理
OSU毕业证留学文凭,制做办理
 
Call Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCeCall Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
Call Girls In Prashant Vihar꧁❤ 🔝 9953056974🔝❤꧂ Escort ServiCe
 
Low Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service Cuttack
Low Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service CuttackLow Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service Cuttack
Low Rate Call Girls Cuttack Anika 8250192130 Independent Escort Service Cuttack
 
Call Girl in Low Price Delhi Punjabi Bagh 9711199012
Call Girl in Low Price Delhi Punjabi Bagh 9711199012Call Girl in Low Price Delhi Punjabi Bagh 9711199012
Call Girl in Low Price Delhi Punjabi Bagh 9711199012
 
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call GirlsDelhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
Delhi Call Girls In Atta Market 9711199012 Book Your One night Stand Call Girls
 

So, you wanna be a pen tester

  • 1. so, you wanna be a pen tester? are you sure?
  • 2. wots a pentest? • circumvention of security controls. • identifying alternate functionality in a ‘system’. • identifying alternate means of accessing functionality in a ‘system’. • generally a very thorough and technical assessment of the security controls and functionality in a ‘system’. • wots a ‘system’? those things that provide business functionality and access to information. (app, end point, protocol…) • wots a pentester? deliberate professional breaker of things. hacker.
  • 3. why? • people seem to think that it is a sexy profession. • oddly enough it is at least 50% boring and frustrating. • then you write reports, that’s the exciting part. • the actual exploitation is such a small part of the thing. • there is an industry over emphasis on the ‘hacking’ thing… • are you sure? it can be a lot of work. • it really isn’t about the hack, it’s about making things better.
  • 4. what are the top 10 thingies… • probably the number one question, what are the top 10 coolest most important hacking tools for penetration testers? • what are the top 10 skills that are important to become the worlds greatest hacker? make up lots of lies, plagiarize, and write a book! • how do I become the bestest cyber hacker? • can you hack my buddies hotmail for me? • do I need a cool hacker handle? • love the next two questions… • do I really need to learn all that stuff to be a cool hacker? • do I really have to work hard for many years to be a pentester? • the best one: i have a $CERT or degree in * so that makes me an expert!!
  • 5. what you really need • attitude, aptitude, and initiative. • desire. • dedication. • discipline. • integrity. • ethics. • experience. • knowledge. • tools. • so, how do I get me some?
  • 6. tools? • while somewhat important to the specific engagement the tools are not as important overall. the most important things are: • deep technical knowledge. • team composition. • project planning. • scoping (what you can test). • rules of engagement (tests you can run). • logistics and controls. • understanding the goals and objectives. • methodology! and creativity! • oh and writing and analysis…
  • 7. no honestly, which tools do I need? • the only required tool is the matter most (some) people have between their ears. brains. • a friend of mine said that the only tools are perspective and perception… the rest are just pretty accessories and squirrels and shiny things • the honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. scripting is very very very very useful. learn one • the remainder depend heavily on the nature of the engagement. • it honestly isn’t about the tools, it’s about having the appropriate tool to efficiently and effectively meet the pentest objectives. whichever tools meets the requirements, they are mostly interchangeable. • often pen testers talk about tactics, tools, techniques, and methodologies. the tools are interchangeable for the most part.
  • 8. ok, then what do we actually need? • people with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled professional manner. oh and teamwork and soft skills, who can write. • process, which includes determining the scope of the project, rules of engagement, plus details like policies and process and procedures. • technology. the tools are the easy part, anyone can download the tools, which are readily available, but in the hands of an unskilled individual they may do a lot of damage, and do not always achieve the objective of identifying and demonstrating risk. • pen testers are restricted by scope, legality, morality, and ethics, and there are rules of engagement, always have both hands tied behind our backs. we can’t do all the things that the attackers can do. bummer. • you have to be the ball. what? (caddy shack)
  • 9. no, what about me? • how do I get to be a pentester? • ask really good questions. then find answers. that’s it. • honestly i have no idea, i can tell you what i did, and i can tell you the things I would look for in new hires when i was a manager… • my degree is in political science, but i have played with computers and networks since the early 1980’s. i like to break stuff. • i have always said that i can teach people the technology, but i cannot teach good attitude, good team fit, problem solving, or curiosity • why does this presentation seem like random rambling? • why are your slides so boring?
  • 10. what do I need? • passion! • interesting question in that we tend to think in terms of a single lone wolf penetration tester, when the truth is that the best engagements are run with teams. • some of the skills that are required on that team are project management, creativity, being methodical, analysis, and writing. am i getting repetitive? • some will need an extensive background in information security, and to be very technical in their areas of expertise. • team membership will vary based on the specifics of each engagement, expertise in web skills are not as useful in a wireless or network test. • oh, and someone to run the scanning tools. minions! • a good security analyst and project manager are worth 100 testers!
  • 11. what is the path? • you may have noticed the theme to this discussion by now. • highly technical and specialized knowledge moving into information security as a pentester. they often have mucho academic background and technical experience, may be self-taught. • information security generalist willing to acquire technical skills to become a pentester. unless there is mucho training budget often will have to be self-taught. academics and certifications might help. • it specialist: developer, dba, architect, network, sysadmin…! • forge your own path, there is no spoon. • must have a deep understanding what it is you are trying to pentest. • i have met very few who started out their career as a pentester…
  • 12. where? • mentors. • communities. • education, training, certifications are one way. • being the security person on an IT team. • taking the initiative and learning on your own, or a mix. • boutique consulting firms. • large consulting integration or services firms. • many enterprises had red or purple teams. • what the industry really needs are more blue team people who know how offensive security works…
  • 13. is that your final answer? • no. • it is up to you to learn, to ensure that you can do it. • nobody else can do it for you. • if this is your chosen career path, do not take no for an answer. • make it happen, do it. now I sound like a broken nike commercial • do the hard work, learn what you need to learn. • it isn’t about what others have done, it is your journey. • make it your precious, your passion, you will make it. • not everyone gets to be a pen tester, sorry • lots of openings in blue team.
  • 14. questions? it is entirely possible that I do not have any answers that you will like  Adrien de Beaupré, lots of certs and stuff penetration tester and SANS instructor a member of the fellowship of the testers of pens Twitter @adriendb adriendb@gmail.com 1 613 797 3912 http://www.intru-shun.ca https://www.sans.org/instructors/adrien-de-beaupre