Becoming a better pen tester overview (slides uploaded to SlideShare by Todd Benson)

Security Testing
Test Process Flow
• Info gathering
• Planning
• Execution
• Closeout
Testing Methodology
• Recon
• Mapping
• Discovery
• Exploitation
– Post-exploitation
• Reporting

(Diagram of the methodology phases: Recon, Mapping, Discovery, Exploitation)
Testing Checklist
(Diagram of the checklist phases: Info Gathering/Planning, Recon, Mapping, Discovery, Exploitation, Post-exploitation, Risk Analysis, Reporting)

Mapping
• Functional Analysis
• Process Flow Mapping
• Request/Response Mapping

Security Testing Checklist – Info Gathering
• Notification of a request for testing
• Questionnaire and checklist are sent
• Questionnaire is returned with project documentation
• Tester assigned to project (if not already assigned)
Checklist – Planning
• Review documentation
• Conduct interview with analyst/developer
• Application walkthrough
• Set the schedule
• Write Ready for Test
• Conduct a kickoff meeting
• Verify necessary access
• Recon phase of testing
Checklist – Recon and analysis
Assess application hosting & configuration management
• Host Assessment
– Patches and updates
– Ports/Services
– CIS Benchmarks
– OS/Web Server/DB configuration
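The Ports/Services item is a comparison, not just a scan: what is listening versus what the project said should be listening. The script below is an added example, not from the slides: it parses nmap grepable output (`-oG`) and diffs every open port against an assumed baseline taken from the questionnaire and architecture documentation. The two hosts, their ports and version banners are constructed for the example, and the `EXPECTED_SERVICES` dictionary is an assumption standing in for what the project supplies.

```python
"""Ports/services check for the host assessment step (added example; stdlib only).

Parses nmap grepable output (-oG) and compares every open port against the
services the project said it exposes, so "expected, needs patch review" and
"unexpected, needs explaining or closing" come out as separate lists.
"""
import re

# Constructed sample of two hosts as `nmap -sV -oG -` prints them; addresses,
# hostnames and version banners are invented for this example.
SAMPLE_GREPABLE = """\
# Nmap scan (constructed sample)
Host: 10.0.0.5 (web01.example.test)\tStatus: Up
Host: 10.0.0.5 (web01.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.3 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.15/, 3306/open/tcp//mysql//MySQL 5.1.73/\tIgnored State: closed (997)
Host: 10.0.0.6 (web02.example.test)\tStatus: Up
Host: 10.0.0.6 (web02.example.test)\tPorts: 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|http//nginx 1.18.0/, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
# Nmap done (constructed sample)
"""

# Assumed baseline: the ports the questionnaire/architecture documentation says
# each host should expose. In a real test this comes from the project.
EXPECTED_SERVICES = {
    "10.0.0.5": {22, 80},
    "10.0.0.6": {80, 443},
}

# One -oG port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        # Tab-separated "Name: value" fields; only the Ports field matters here.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ports_field = fields.get("Ports")
        if not ports_field:
            continue
        for match in PORT_RE.finditer(ports_field):
            port, state, proto, _owner, service, _rpc, version = match.groups()
            if state != "open":
                continue
            # nmap writes '|' where a '/' occurs inside the service/version fields.
            hosts.setdefault(ip, []).append(
                (int(port), proto, service.replace("|", "/"), version.replace("|", "/"))
            )
    return hosts


def assess(hosts, expected):
    """Split open ports into (unexpected, review) lists of
    (ip, port, proto, service, version) tuples."""
    unexpected, review = [], []
    for ip, services in hosts.items():
        allowed = expected.get(ip, set())
        for port, proto, service, version in services:
            item = (ip, port, proto, service, version or "no version banner")
            (review if port in allowed else unexpected).append(item)
    return unexpected, review


if __name__ == "__main__":
    unexpected, review = assess(parse_grepable(SAMPLE_GREPABLE), EXPECTED_SERVICES)
    print("Unexpected services (ask the project, then retest or report):")
    for item in unexpected:
        print("  %s:%d/%s %s (%s)" % item)
    print("Expected services (check banner against patch level/CIS benchmark):")
    for item in review:
        print("  %s:%d/%s %s (%s)" % item)
```

With real output (`nmap -sV -oG scan.gnmap <targets>`), anything in the unexpected list goes back to the project as a question before it becomes a finding; anything in the review list is checked against the patch level and the CIS benchmark for that platform, which is the "Patches and updates" item above.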
Web Application
• Mapping
– Functional Analysis
– Process flow mapping
– Request/response mapping
• Discovery (covered by TSB checklist)
– Configuration Management Testing
– Authentication Testing
– Session Management Testing
– Authorization Testing
– Business Logic Testing
– Data Validation Testing
• Exploitation
• Post-exploitation
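Request/response mapping, and the Discovery items that follow from it (session management and data validation testing), become concrete once the proxy log is turned into a map of the application. The script below is an added example that is not from the slides: it reads raw request/response pairs of the kind a proxy such as Burp saves, builds an endpoint to method to parameter map with the status codes seen, and flags parameters echoed back in the response body and session cookies set without HttpOnly/Secure. The three pairs are constructed; the host `app.example.test`, paths, parameter names and cookie values are invented for the example.

```python
"""Request/response mapping over proxied HTTP traffic (added example; stdlib only).

Reads raw request/response pairs as a proxy such as Burp saves them and builds
the map the Mapping phase wants (endpoint -> method -> parameters, statuses),
plus two Discovery-phase flags: parameters reflected into the response body
(data validation testing) and Set-Cookie headers lacking HttpOnly/Secure
(session management testing).
"""
from urllib.parse import parse_qsl, urlsplit

# Constructed sample capture: hostname, paths, parameter and cookie values are
# invented for this example.
SAMPLE_PAIRS = [
    ("GET /search?q=alice&page=1 HTTP/1.1\r\nHost: app.example.test\r\n"
     "Cookie: sid=abc123\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\nContent-Type: text/html\r\n\r\n"
     "<h1>Results for alice</h1>"),
    ("POST /login HTTP/1.1\r\nHost: app.example.test\r\n"
     "Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice&pass=Winter2012",
     "HTTP/1.1 302 Found\r\nSet-Cookie: sid=abc123; Path=/\r\nLocation: /account\r\n\r\n"),
    ("GET /account HTTP/1.1\r\nHost: app.example.test\r\nCookie: sid=abc123\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: Apache/2.2.15\r\n"
     "Set-Cookie: pref=dark; Path=/; HttpOnly; Secure\r\n\r\n<p>Welcome alice</p>"),
]

MIN_REFLECT_LEN = 3  # ignore one- or two-character values; they match everywhere


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def request_params(start_line, headers, body):
    """Return (method, path, {param: value}) from query string and form body."""
    method, target, _version = start_line.split(" ", 2)
    url = urlsplit(target)
    params = dict(parse_qsl(url.query, keep_blank_values=True))
    content_type = dict(headers).get("content-type", "")
    if body and content_type.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body, keep_blank_values=True))
    return method, url.path, params


def cookie_findings(headers):
    """Return [(cookie name, [missing flags])] for Set-Cookie headers lacking HttpOnly/Secure."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        attrs = {attr.strip().lower() for attr in value.split(";")[1:]}
        missing = [flag for flag in ("httponly", "secure") if flag not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def build_map(pairs):
    """Return {path: {method: entry}} where entry records parameter names (never
    values, so the map itself holds no credentials), status codes, reflected
    parameters, cookie findings and the Server banner seen."""
    app_map = {}
    for raw_request, raw_response in pairs:
        req_start, req_headers, req_body = parse_message(raw_request)
        resp_start, resp_headers, resp_body = parse_message(raw_response)
        method, path, params = request_params(req_start, req_headers, req_body)
        status = int(resp_start.split(" ")[1])
        entry = app_map.setdefault(path, {}).setdefault(method, {
            "params": set(), "statuses": set(), "reflected": set(),
            "cookie_findings": [], "server": None,
        })
        entry["params"].update(params)
        entry["statuses"].add(status)
        # A value echoed verbatim into the body is a data validation test candidate.
        for name, value in params.items():
            if len(value) >= MIN_REFLECT_LEN and value in resp_body:
                entry["reflected"].add(name)
        entry["cookie_findings"].extend(cookie_findings(resp_headers))
        server = dict(resp_headers).get("server")
        if server:
            entry["server"] = server
    return app_map


if __name__ == "__main__":
    for path, methods in build_map(SAMPLE_PAIRS).items():
        for method, entry in methods.items():
            print(method, path, sorted(entry["params"]), sorted(entry["statuses"]))
            if entry["reflected"]:
                print("  reflected params:", sorted(entry["reflected"]))
            for cookie, missing in entry["cookie_findings"]:
                print("  cookie %r set without %s" % (cookie, ", ".join(missing)))
            if entry["server"]:
                print("  server banner:", entry["server"])
```

The map stores parameter names rather than values, so it can be kept with the test notes without copying credentials or PII out of the proxy log; the reflected and cookie flags are leads for Discovery, not findings until they have been verified by hand.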
Checklist – Closeout
• Remove false positives
• Risk analysis
• Compute CVSS score
• Conduct a findings meeting with the project
• Write final report
Weekly Status Reports
• Follow the template
• Set verbosity to “3”
• Include where you are in the process and the methodology
• Show progress
• Include non-test related items (demos, research, etc.)
Post Testing Findings
• Schedule it for after the test, while writing the final report
• May provide helpful insight that is useful during the reporting process
• Assures that there are no surprises in the Final Report
Automated tool output
• Verify issues
• Provide clearer explanations
• Tune risk levels
• Provide custom recommendations
• Prioritize recommendations
Writing of Issues
• Be concise and direct
• Include
– description of the issue (how it is)
– how to reproduce it
– why it occurred (i.e. root cause)
– why it is a security issue (significance of the impact)
– recommendations on how to remediate the issue (how it should be)
– CVSS risk
• Should be able to fill out a CVSS calculator
Questions that should be taken into consideration and answered
• What assets are affected?
• What population of people have access to this exploit?
• What is the level of difficulty?
• What is the frequency that this exploit happens “in the wild”?
• What controls are in place that would mitigate the ability of someone to exploit this?
The issue is not written until these 2 questions can be answered by the audience:
– Will the reader understand why this is a security risk?
– Will the reader understand how to fix the issue?
Why exploit?
• Find things that automated tools can’t or won’t
• Reduces false positives
• Improves the report
– Saying that the password policy is weak and passwords and PII shouldn’t be stored in plain text
• True, but understated
– Saying we were able to crack a user’s password and then obtain user IDs, passwords and PII (in detail)
• More powerful
• Identifies root causes efficiently and effectively
• Leads to more security issues that otherwise may have been missed
• Threat modeling is important
• CVSS scores each vulnerability separately
Final Report
• Executive Summary
– 3-6 key findings (root causes)
– Highlight business impact
– Explain the levers management can pull to change root causes
Non-Technical Skills
• Project Management
• Education
– Staying up to date and learning new technologies
• Teaching
– Being able to explain new concepts and share knowledge
• Research
• BS Management (people skills & business skills)
• Writing
– Being able to explain and influence other people
• Attack modeling
– Having a security mindset
Technical Skills (The Baseline)
• Master of an OS (and some web server knowledge)
– Linux
– Windows
• In-depth knowledge of TCP/IP
• Basic Scripting
– BASH, Perl, Python
– JavaScript
• Databases and SQL
• Learn how to program!
– Recommend Python or Java
• Ability to complete the Security Testing Checklist
Basic tools
– NMAP
– NetCat
– TCPDump/Wireshark
– Metasploit Framework
– Burpsuite Pro
– Nessus
– Cenzic Hailstorm
– Core Impact
– Firefox plugins
– Backtrack/Samurai WTF
– SQLmap
– Command line tools
– Many, many more
Best Practices
• Run tcpdump when testing, especially with tools
• Use Burp as a proxy when browsing
• Disable firewall and A/V on attack system (and no PII)
• Start writing the report as you go
• Ask the project what is important and what needs to be protected
• Take notes as you test, include dates
• Save logs and checklist (especially Burp logs)
• Update tools before the test begins
• Tune your tools
• Always verify results – especially verify results discovered by an automated tool with manual verification
• Stick to Mapping -> Discovery -> Exploit
• When in Discovery phase, don’t get side-tracked into exploits
– 5 attempts or 5 minutes
• Break vulnerabilities down until you hit root cause(s)
Ideas for Future Research
– ASP.net & Powershell
– Web Services
– Cloud Computing
– Mobile
– Remediation recommendations
– Design input
– Attack analysis and forensics
– Code reviews
– Tool “tuning”
– HTML5
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 

Becoming a better pen tester overview

2. Test Process Flow
• Info gathering
• Planning
• Execution
• Closeout

6. Info Gathering (process: Info Gathering > Planning > Execution > Closeout)
• Notification of a request for testing
• Questionnaire and checklist is sent
• Questionnaire is returned with project documentation
• Tester assigned to project (if not already assigned)

7. Planning (process: Info Gathering > Planning > Execution > Closeout)
• Review documentation
• Conduct interview with analyst/developer
• Application walkthrough
• Set the schedule
• Write Ready for Test
• Conduct a kickoff meeting
• Verify necessary access
• Recon phase of testing
• Checklist – Recon and analysis

8. Execution (process: Info Gathering > Planning > Execution > Closeout)
• Host Assessment
  – Patches and updates
  – Ports/Services
  – CIS Benchmarks
  – OS/Web Server/DB configuration
  – Checklist – Assess application hosting & configuration management
• Web Application
  – Mapping
    – Functional Analysis
    – Process flow mapping
    – Request/response mapping
  – Discovery (covered by TSB checklist)
    – Configuration Management Testing
    – Authentication Testing
    – Session Management Testing
    – Authorization Testing
    – Business Logic Testing
    – Data Validation Testing
  – Exploitation
  – Post-exploitation

9. Closeout (process: Info Gathering > Planning > Execution > Closeout)
• Remove false positives
• Risk analysis
• Compute CVSS score
• Conduct a findings meeting with the project
• Write final report
10. Weekly Status Reports
• Follow the template
• Set verbosity to “3”
• Include where you are in the process and the methodology
• Show progress
• Include non-test related items (demos, research, etc.)

11. Post Testing Findings
• Schedule it for after the test, while writing the final report
• May provide helpful insight that is useful during the reporting process
• Assures that there are no surprises in the Final Report

12. Automated tool output
• Verify issues
• Provide clearer explanations
• Tune risk levels
• Provide custom recommendations
• Prioritize recommendations
13. Writing of Issues
• Be concise and direct
• Include:
  – description of the issue (how it is)
  – how to reproduce it
  – why it occurred (i.e. root cause)
  – why it is a security issue (significance of the impact)
  – recommendations on how to remediate the issue (how it should be)
  – CVSS risk
• Should be able to fill out a CVSS calculator
14. Questions that should be taken into consideration and answered
• What assets are affected?
• What population of people have access to this exploit?
• What is the level of difficulty?
• What is the frequency that this exploit happens “in the wild”?
• What controls are in place that would mitigate the ability of someone to exploit this?

15. The issue is not written until these 2 questions can be answered by the audience:
– Will the reader understand why this is a security risk?
– Will the reader understand how to fix the issue?
16. Why exploit?
• Find things that automated tools can’t or won’t
• Reduces false positives
• Improves the report
  – Saying that the password policy is weak and passwords and PII shouldn’t be stored in plain text
    • True, but understated
  – Saying we were able to crack a user’s password and then obtain user IDs, passwords and PII (in detail)
    • More powerful
• Identifies root causes efficiently and effectively
• Leads to more security issues that otherwise may have been missed
• Threat modeling is important
• CVSS scores each vulnerability separately
17. Final Report
• Executive Summary
  – 3-6 key findings (root causes)
  – Highlight business impact
  – Explain the levers management can pull to change root causes

18. Non-Technical Skills
• Project Management
• Education
  – Staying up to date and learning new technologies
• Teaching
  – Being able to explain new concepts and share knowledge
• Research
• BS Management (people skills & business skills)
• Writing
  – Being able to explain and influence other people
• Attack modeling
  – Having a security mindset
19. Technical Skills (The Baseline)
• Master of an OS (and some web server knowledge)
  – Linux
  – Windows
• In-depth knowledge of TCP/IP
• Basic Scripting
  – BASH, Perl, Python
  – JavaScript
• Databases and SQL
• Learn how to program!
  – Recommend Python or Java
• Ability to complete the Security Testing Checklist
20. Basic tools
– NMAP
– NetCat
– TCPDump/Wireshark
– Metasploit Framework
– Burpsuite Pro
– Nessus
– Cenzic Hailstorm
– Core Impact
– Firefox plugins
– Backtrack/Samurai WTF
– SQLmap
– Command line tools
– Many, many more

21. Best Practices
• Run tcpdump when testing, especially with tools
• Use Burp as a proxy when browsing
• Disable firewall and A/V on attack system (and no PII)
• Start writing the report as you go
• Ask the project what is important and what needs to be protected
• Take notes as you test, include dates
• Save logs and checklist (especially Burp logs)
• Update tools before the test begins
• Tune your tools
• Always verify results – especially verify results discovered by an automated tool with manual verification
• Stick to Mapping -> Discovery -> Exploit
• When in Discovery phase, don’t get side-tracked into exploits
  – 5 attempts or 5 minutes
• Break vulnerabilities down until you hit root cause(s)

22. Ideas for Future Research
– ASP.net & PowerShell
– Web Services
– Cloud Computing
– Mobile
– Remediation recommendations
– Design input
– Attack analysis and forensics
– Code reviews
– Tool “tuning”
– HTML5

Editor's notes

  1. Often we don’t do exploitation and post-exploitation
  2. Who has done this in a test?
  3. If you don’t have these, get them quick!
  4. Knowing your tools makes a huge difference in what you might find
  5. Virtual desktop – 1) admin 2) Firefox 3) Burp 4) Wireshark 5) Chrome 6) Music 7-10) Misc