SANS Penetration Testing Summit 2010
TRANSCRIPT
-
8/8/2019 SANS Penetration Testing Summit 2010
The Good, The Bad, and the Ridiculous
SANS Penetration Testing Summit 2010
14 JUNE 2010
-
About Me
WHO IS THIS DUDE?
Vinnie Liu
Managing Partner @ Stach & Liu
Penetration testing professionally since 1999
Background in Gov Intel, Big 4, F100
-
"Simulate a real world attack against a target network or application."
- EVERYBODY
-
Real World Pen Testing
-
"It answers the question, could someone break in?"
- ME
-
Types of Testing
JUST A FEW
Penetration Testing
Vulnerability Assessment
Risk Assessment
-
Proficient
80%*
*I MADE THESE NUMBERS UP
-
Proficient Pen Testers
CAN'T HACK OUT OF A WET PAPER BAG
Runs tools, validates results, adheres to checklist
Standard vulnerability knowledge
Performs simplistic manual testing
-
These aren't the droids we're looking for.
-
Over Reliance on Tools
-
Productivity
-
Productivity
-
Advanced
15%
-
Advanced Pen Testers
BEYOND TOOLS
Understand the nature of exploratory testing
Passionate about learning on their own
Able to perform more complex exploitation
-
How Do You Get Better?
-
Expert
5%
-
Expert Pen Testers
ARE NATURALS
Synthesize disparate data points
Find patterns in seemingly unrelated information
Build attack avenues in their mind
-
Synthesis and Patterns
CAN BE BOTH GOOD AND BAD
-
Attack Visualization
LIKE BOBBY FISCHER
-
Master
-
"Until a man is twenty-five he still thinks, every so often, that under the right circumstances he could be the baddest motherf@*&! in the world. If [he] moved to a martial-arts monastery in China and studied real hard for ten years. If [his] family was wiped out by Colombian drug dealers and [he] swore [him]self to revenge... If [he] just dropped out and devoted [his] life to being bad.
Hiro used to feel that way, too, but then he ran into Raven. In a way, this is liberating. He no longer has to worry about being the baddest motherf@*&! in the world. The position is taken."
- SNOWCRASH
-
Master Pen Testers
ARE RELENTLESS
They do all of the above... and they don't give up.
-
Thank You