8/8/2019 SANS Penetration Testing Summit 2010
1/24
The Good, The Bad, and the Ridiculous
SANS Penetration Testing Summit 2010
14 JUNE 2010
About Me
WHO IS THIS DUDE?
Vinnie Liu, Managing Partner @ Stach & Liu
Penetration testing professionally since 1999
Background in Gov Intel, Big 4, F100
"Simulate a real world attack against a target network or application."
- EVERYBODY
Real World Pen Testing
"It answers the question, could someone break in?"
- ME
Types of Testing
JUST A FEW
Penetration Testing
Vulnerability Assessment
Risk Assessment
Proficient: 80%*
*I MADE THESE NUMBERS UP
Proficient Pen Testers
CAN'T HACK OUT OF A WET PAPER BAG
Runs tools, validates results, adheres to checklist
Standard vulnerability knowledge
Performs simplistic manual testing
"These aren't the droids we're looking for."
Over Reliance on Tools
Productivity
Advanced: 15%
Advanced Pen Testers
BEYOND TOOLS
Understand the nature of exploratory testing
Passionate about learning on their own
Able to perform more complex exploitation
How Do You Get Better?
Expert: 5%
Expert Pen Testers
ARE NATURALS
Synthesize disparate data points
Find patterns in seemingly unrelated information
Build attack avenues in their mind
Synthesis and Patterns
CAN BE BOTH GOOD AND BAD
Attack Visualization
LIKE BOBBY FISCHER
Master
"Until a man is twenty-five he still thinks, every so often, that under the right circumstances he could be the baddest motherf@*&! in the world. If [he] moved to a martial-arts monastery in China and studied real hard for ten years. If [his] family was wiped out by Columbian drug dealers and [he] swore [him]self to revenge. If [he] just dropped out and devoted [his] life to being bad.

Hiro used to feel that way, too, but then he ran into Raven. In a way, this is liberating. He no longer has to worry about being the baddest motherf@*&! in the world. The position is taken."
- SNOW CRASH
Master Pen Testers
ARE RELENTLESS
They do all of the above... and they don't give up.
Thank You