Pen Testing with Confidence: Planning and Executing to Achieve the Desired Results
Lenny Zeltser
NYMISSA - 03.14.2007
Pen tests have become more popular.
Playing the role of an attacker is sometimes tricky for defenders.
Mishandled pen tests can be hazardous to your career.
Asking the right questions about the pen test is essential to success.
Of all assessment types, is pen test the one needed?
Q #1
vulnerability assessment
security policy assessment
penetration test
What is the scope of the test?
Q #2
targets
depth
exclusions
What tests should be performed?
Q #3
denial of service
physical security
social engineering
war dialing
client-side attacks
Are non-commercial tools OK to use?
Q #4
core impact
immunity canvas
metasploit
standalone exploits
backtrack distribution
What is the attacker's profile?
Q #5
professional vs. amateur
attack of opportunity
Is the test black-box… or white-box?
Q #6
path of least resistance
attack trees
What are the time constraints?
Q #7
duration of the test
timing restrictions
How to handle issues that may arise during the test?
Q #8
targeted system crashed
sensitive data found
pen test contact form
What to do with the pen test’s results?
Q #9
The Internet is becoming less forgiving of security mistakes.
Well-planned, carefully-orchestrated pen testing helps.
Of all assessment types, is pen test the one needed?
What is the scope of the test?
What tests should be performed?
Are non-commercial tools OK to use?
What is the attacker's profile?
Is the test black-box or white-box?
What are the time constraints?
How to handle issues that may arise?
What to do with the pen test’s results?
Lenny Zeltser
InfoSec Practice Leader
Gemini Systems, LLC