SlideShare ist ein Scribd-Unternehmen logo

So, you wanna be a pen tester ctsc2017

A
Adrien de Beaupre

Introduction to evading security controls.

Unterhaltung & Humor
1 von 18
Downloaden Sie, um offline zu lesen
introduction to evading security controls. or so, you wanna be a pen tester? are you sure? CTSC 2017
what? • this presentation will discuss the things that you will actually need to become a penetration tester, be prepared for a no-fluff honest discussion. • somewhat sarcastic, tongue in cheek, occasionally serious. • based on my own personal observations on trends in industry and the demand for security professionals. • unfortunately much of the demand is for trained and experienced people, not necessarily junior or intro level. • please do ask questions and participate! • otherwise you will hear me talk for 55 minutes straight…
wots a pentest? • circumvention of security controls. • identifying alternate functionality in a ‘system’. • identifying alternate means of accessing functionality in a ‘system’. • generally a very thorough logical and technical assessment of the security controls and functionality in a ‘system’. • wots a ‘system’? those things and people and processes that provide business functionality and access to information. (app, end point, protocol, physical…) • wots a pentester? deliberate professional breaker of things. hacker. • curious explorer? the definition changed at some point.
why? • people seem to think that it is a sexy profession. • oddly enough it is at least 50% boring and frustrating. • then you write reports, that’s the exciting part. • the actual exploitation is such a small part of the thing. • there is an industry over emphasis on the ‘hacking’ thing… • are you sure? it can be a lot of work. • it really isn’t about the hack, it’s about making things better. • don't get me wrong, i enjoy what I do, and a good root dance.
everything has changed… • the industry re-invents itself every 5 years or so. • which means that we have to do the same, evolve. • everything has merged with technology. • security must be inter-disciplinary. • we must solve risk problems with people, common sense, science, and technology. • massive implications of interconnection. • attacks against ci have an entirely new impact. • security, safety, and privacy; it is a brave new world.
what to do • threat modelling. • attacker emulation. • red team. • identify objectives. • project planning and resourcing. • enumerate controls. • sometimes we just login… • discover vulnerabilities. • exploitation, post-exploitation, passwords, pivoting, pillaging… • reporting.
what are the top 10 thingies… • probably the number one question, what are the top 10 coolest most important hacking tools for penetration testers? • what are the top 10 skills that are important to become the worlds greatest hacker? make up lots of lies, plagiarize, and write a book! • how do I become the bestest cyber hacker? • can you hack my buddies hotmail for me? • do I need a cool hacker handle? • love the next two questions… • do I really need to learn all that stuff to be a cool hacker? • do I really have to work hard for many years to be a pentester? • the best one: i have a $CERT or degree in * so that makes me an expert!!
what you really need • attitude, aptitude, and initiative. • desire. • dedication. • discipline. • integrity. • ethics. • experience. • knowledge. • tools. • so, how do I get me some?
tools? • while somewhat important to the specific engagement the tools are not as important overall. the most important things are: • deep technical knowledge. • expertise in what you are assessing. • team composition. • project planning. • scoping (what you can test). • rules of engagement (tests you can run). • legality, morality, ethics! • logistics and controls. • understanding the goals and objectives. • methodology! and creativity!
no honestly, which tools do I need? • the only required tool is the matter most (some) people have between their ears. brains. • a friend of mine said that the only tools are perspective and perception… the rest are just pretty accessories and squirrels and shiny things • the honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. scripting is very very very very useful. learn one. • the remainder depend heavily on the nature of the engagement. • it honestly isn’t about the tools, it’s about having the appropriate tool to efficiently and effectively meet the pentest objectives. whichever tools meets the requirements, they are mostly interchangeable. • often pen testers talk about tactics, tools, techniques, and methodologies. the tools are only relevant if they work correctly, for the most part.
ok, then what do we actually need? • people with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled professional manner. oh and teamwork and soft skills, who can write. • process, which includes determining the scope of the project, rules of engagement, plus details like policies and process and procedures. • technology. the tools are the easy part, anyone can download the tools, which are readily available, but in the hands of an unskilled individual they may do a lot of damage, and do not always achieve the objective of identifying and demonstrating risk. • pen testers are restricted by scope, legality, morality, and ethics, and there are rules of engagement, always have both hands tied behind our backs. we can’t do all the things that the attackers can do. bummer. • you have to be the ball. what? (caddy shack)
no, what about me? • how do I get to be a pentester? • ask really good questions. then find answers. that’s it. • honestly i have no idea, i can tell you what i did, and i can tell you the things I would look for in new hires when i was a manager… • my degree is in political science, but i have played with computers and networks since the early 1980’s. i like to break stuff. • i have always said that i can teach people the technology, but i cannot teach good attitude, good team fit, problem solving, or curiosity • why does this presentation seem like random rambling? • why are your slides so boring?
what do I need? • passion! • interesting question in that we tend to think in terms of a single lone wolf penetration tester, when the truth is that the best engagements are run with teams. • some of the skills that are required on that team are project management, creativity, being methodical, analysis, and writing. am i getting repetitive? • some will need an extensive background in information security, and to be very technical in their areas of expertise. • team membership will vary based on the specifics of each engagement, expertise in web skills are not as useful in a wireless or network test. • oh, and someone to run the scanning tools. minions! • a good security analyst and project manager are worth 100 testers!
what is the path? • you may have noticed the theme to this discussion by now. • highly technical and specialized knowledge moving into information security as a pentester. they often have mucho academic background and technical experience, may be self-taught. • information security generalist willing to acquire technical skills to become a pentester. unless there is mucho training budget often will have to be self-taught. academics and certifications might help. • it specialist: developer, dba, architect, network, sysadmin…! • forge your own path, there is no spoon. • must have a deep understanding what it is you are trying to pentest and expertise in testing. • i have met very few who started out their career as a pentester…
specialize, don't generalize • penetration testing is not a junior role… it is a senior technical role. • those who wish to follow a technical path over a long career soon realize that they must specialize. • being a generalist or on the path to management is good for some. • not so much for others. • being a member of an enterprise team leads to expertise. • or a consultant. • pick an area, you cannot do them all: physical, rf, locks, web applications, end points, protocols, databases, wifi, ics, social engineering…
where? • mentors. • communities. • education, training, certifications are one way. • being the security person on a team. • taking the initiative and learning on your own, or a mix. • boutique consulting firms. • large consulting integration or services firms. • many enterprises have red or purple teams. • what the industry really needs are more blue team people who know how offensive security works…
is that your final answer? • no. • it is up to you to learn, to ensure that you can do it. • nobody else can do it for you. • if this is your chosen career path, do not take no for an answer. • make it happen, do it. now I sound like a broken nike commercial. • do the hard work, learn what you need to learn. • it isn’t about what others have done, it is your journey. • make it your precious, your passion, you will make it. • not everyone gets to be a pen tester, sorry. • lots of openings in blue team. someone has to work in the soc.
questions? was this the talk that you were expecting? it is entirely possible that I do not have any answers that you will like  adrien de beaupré, lots of certs and stuff penetration tester and SANS instructor a member of the fellowship of the testers of pens twitter @adriendb adriendb@gmail.com 1 613 797 3912 http://www.intru-shun.ca https://www.sans.org/instructors/adrien-de-beaupre

Empfohlen

Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...EC-Council
 
Connecting the Dots
Connecting the DotsConnecting the Dots
Connecting the DotsInnoTech
 
From Human Intelligence to Machine Intelligence
From Human Intelligence to Machine IntelligenceFrom Human Intelligence to Machine Intelligence
From Human Intelligence to Machine IntelligenceNUS-ISS
 
So, you wanna be a pen tester
So, you wanna be a pen testerSo, you wanna be a pen tester
So, you wanna be a pen testerAdrien de Beaupre
 
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017Archersan
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Rachel Harpley
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Kimberley Dray
 

Empfohlen

Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...
Hacker Halted 2018: Breaking the Bad News: How to Prevent Your IR Messages fr...EC-Council
 
Connecting the Dots
Connecting the DotsConnecting the Dots
Connecting the DotsInnoTech
 
From Human Intelligence to Machine Intelligence
From Human Intelligence to Machine IntelligenceFrom Human Intelligence to Machine Intelligence
From Human Intelligence to Machine IntelligenceNUS-ISS
 
So, you wanna be a pen tester
So, you wanna be a pen testerSo, you wanna be a pen tester
So, you wanna be a pen testerAdrien de Beaupre
 
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017
NCET Biz Bite | Aaron Boigon, Practical IT management | Sept 2017Archersan
 
Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Hacking hired [Forecasting 2021] Jan 2021
Hacking hired [Forecasting 2021] Jan 2021Rachel Harpley
 
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)
Cybersecurity is a Team Sport (SecureWorld - Dallas 2018)Shawn Tuma
 
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...
Co-Presented: YOU are the Alpha and Omega of a Secure Future (Kottova / Dray)...Kimberley Dray
 
Why i hate digital forensics - draft
Why i hate digital forensics - draftWhy i hate digital forensics - draft
Why i hate digital forensics - draftDamir Delija
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Jack Pringle
 
Final project
Final projectFinal project
Final projectDawn Steere
 
Tech Tools for Nonprofits
Tech Tools for NonprofitsTech Tools for Nonprofits
Tech Tools for NonprofitsDeron Tse
 
NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016Vishnu Prem
 
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
"Startups, comment gérer une équipe de développeurs" par Laurent CerveauTheFamily
 
Marketing Your Open Source Project
Marketing Your Open Source ProjectMarketing Your Open Source Project
Marketing Your Open Source Projectdeirdrestraughan
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Gerald Mayfield
 
Building a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering FailureBuilding a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering Failurejgoulah
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Charity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamCharity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamHeavybit
 
Information Security : A look
Information Security : A lookInformation Security : A look
Information Security : A lookDeepak Kumar (D3)
 
Binary crosswords
Binary crosswordsBinary crosswords
Binary crosswordsLaurent Cerveau
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleanerJohn Stauffacher
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?Anthony Melfi
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Matt Hathaway
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Alexandre Sieira
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecurityMichael Rushanan
 
"What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h..."What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h...Ethien
 
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...Neha Kaur
 
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...rahim quresi
 

Weitere ähnliche Inhalte

Ähnlich wie So, you wanna be a pen tester ctsc2017

Why i hate digital forensics - draft
Why i hate digital forensics - draftWhy i hate digital forensics - draft
Why i hate digital forensics - draftDamir Delija
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Jack Pringle
 
Tech Tools for Nonprofits
Tech Tools for NonprofitsTech Tools for Nonprofits
Tech Tools for NonprofitsDeron Tse
 
NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016Vishnu Prem
 
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
"Startups, comment gérer une équipe de développeurs" par Laurent CerveauTheFamily
 
Marketing Your Open Source Project
Marketing Your Open Source ProjectMarketing Your Open Source Project
Marketing Your Open Source Projectdeirdrestraughan
 
Social engineering
Social engineeringSocial engineering
Social engineeringRobert Hood
 
Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Gerald Mayfield
 
Building a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering FailureBuilding a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering Failurejgoulah
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Stephen Cobb
 
Charity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamCharity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamHeavybit
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?Anthony Melfi
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Matt Hathaway
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Alexandre Sieira
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecurityMichael Rushanan
 
"What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h..."What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h...Ethien
 

Ähnlich wie So, you wanna be a pen tester ctsc2017 (20)

Why i hate digital forensics - draft
Why i hate digital forensics - draftWhy i hate digital forensics - draft
Why i hate digital forensics - draft
 
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
Bit by Bit: Effective Use of People, Processes and Computer Technology in the...
 
Final project
Final projectFinal project
Final project
 
Tech Tools for Nonprofits
Tech Tools for NonprofitsTech Tools for Nonprofits
Tech Tools for Nonprofits
 
NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016NUS Hackers Project Intern 2016
NUS Hackers Project Intern 2016
 
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
"Startups, comment gérer une équipe de développeurs" par Laurent Cerveau
 
Marketing Your Open Source Project
Marketing Your Open Source ProjectMarketing Your Open Source Project
Marketing Your Open Source Project
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891Oscon2015 150724001540-lva1-app6891
Oscon2015 150724001540-lva1-app6891
 
Building a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering FailureBuilding a Successful Organization By Mastering Failure
Building a Successful Organization By Mastering Failure
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Charity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops TeamCharity Majors - Bootstrapping an Ops Team
Charity Majors - Bootstrapping an Ops Team
 
Information Security : A look
Information Security : A lookInformation Security : A look
Information Security : A look
 
Binary crosswords
Binary crosswordsBinary crosswords
Binary crosswords
 
Janitor vs cleaner
Janitor vs cleanerJanitor vs cleaner
Janitor vs cleaner
 
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
bsides NOVA 2017 So You Want to Be a Cyber Threat Analyst eh?
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
 
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
Reverse Engineering the Wetware: Understanding Human Behavior to Improve Info...
 
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on CybersecuritySpecial Topics Day for Engineering Innovation Lecture on Cybersecurity
Special Topics Day for Engineering Innovation Lecture on Cybersecurity
 
"What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h..."What have the techies ever done for us?"Can technology help lawyers lead a h...
"What have the techies ever done for us?"Can technology help lawyers lead a h...
 

Kürzlich hochgeladen

VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...Neha Kaur
 
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...rahim quresi
 
Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...
Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...
Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...ritikasharma
 
Beyond Bar & Club Udaipur CaLL GiRLS 09602870969
Beyond Bar & Club Udaipur CaLL GiRLS 09602870969Beyond Bar & Club Udaipur CaLL GiRLS 09602870969
Beyond Bar & Club Udaipur CaLL GiRLS 09602870969Apsara Of India
 
Jinx Manga-Season 1 - Chapters Summary.docx
Jinx Manga-Season 1 - Chapters Summary.docxJinx Manga-Season 1 - Chapters Summary.docx
Jinx Manga-Season 1 - Chapters Summary.docxJinx Manga
 
VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130
VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130
VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130Suhani Kapoor
 
Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...
Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...
Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...Call Girls in Nagpur High Profile
 
VIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service Kolhapur
VIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service KolhapurVIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service Kolhapur
VIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service KolhapurRiya Pathan
 
↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...
↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...
↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...noor ahmed
 
(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...
Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...
Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...anamikaraghav4
 
Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...
Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...
Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...Riya Pathan
 
↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...
↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...
↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...noor ahmed
 
Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...
Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...
Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...noor ahmed
 
Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...
Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...
Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...Riya Pathan
 
GV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICE
GV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICEGV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICE
GV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICEApsara Of India
 

Kürzlich hochgeladen (20)

VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
VIP Call Girls Darjeeling Aaradhya 8250192130 Independent Escort Service Darj...
 
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
𓀤Call On 6297143586 𓀤 Ultadanga Call Girls In All Kolkata 24/7 Provide Call W...
 
Desi Bhabhi Call Girls In Goa 💃 730 02 72 001💃desi Bhabhi Escort Goa
Desi Bhabhi Call Girls In Goa 💃 730 02 72 001💃desi Bhabhi Escort GoaDesi Bhabhi Call Girls In Goa 💃 730 02 72 001💃desi Bhabhi Escort Goa
Desi Bhabhi Call Girls In Goa 💃 730 02 72 001💃desi Bhabhi Escort Goa
 
Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...
Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...
Behala ( Call Girls ) Kolkata ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Ready ...
 
Beyond Bar & Club Udaipur CaLL GiRLS 09602870969
Beyond Bar & Club Udaipur CaLL GiRLS 09602870969Beyond Bar & Club Udaipur CaLL GiRLS 09602870969
Beyond Bar & Club Udaipur CaLL GiRLS 09602870969
 
Goa Call Girls 9316020077 Call Girls In Goa By Russian Call Girl in goa
Goa Call Girls 9316020077 Call Girls In Goa By Russian Call Girl in goaGoa Call Girls 9316020077 Call Girls In Goa By Russian Call Girl in goa
Goa Call Girls 9316020077 Call Girls In Goa By Russian Call Girl in goa
 
Call Girls South Avenue Delhi WhatsApp Number 9711199171
Call Girls South Avenue Delhi WhatsApp Number 9711199171Call Girls South Avenue Delhi WhatsApp Number 9711199171
Call Girls South Avenue Delhi WhatsApp Number 9711199171
 
Jinx Manga-Season 1 - Chapters Summary.docx
Jinx Manga-Season 1 - Chapters Summary.docxJinx Manga-Season 1 - Chapters Summary.docx
Jinx Manga-Season 1 - Chapters Summary.docx
 
CHEAP Call Girls in Malviya Nagar, (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Malviya Nagar, (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Malviya Nagar, (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Malviya Nagar, (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130
VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130
VIP Call Girls Service Banjara Hills Hyderabad Call +91-8250192130
 
Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...
Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...
Top Rated Pune Call Girls Pimpri Chinchwad ⟟ 6297143586 ⟟ Call Me For Genuin...
 
VIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service Kolhapur
VIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service KolhapurVIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service Kolhapur
VIP Call Girl Kolhapur Aashi 8250192130 Independent Escort Service Kolhapur
 
↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...
↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...
↑Top Model (Kolkata) Call Girls Sonagachi ⟟ 8250192130 ⟟ High Class Call Girl...
 
(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(DIVYA) Dhanori Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...
Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...
Call Girls Service Bantala - Call 8250192130 Rs-3500 with A/C Room Cash on De...
 
Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...
Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...
Low Rate Call Girls Gulbarga Anika 8250192130 Independent Escort Service Gulb...
 
↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...
↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...
↑Top Model (Kolkata) Call Girls Rajpur ⟟ 8250192130 ⟟ High Class Call Girl In...
 
Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...
Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...
Independent Joka Escorts ✔ 8250192130 ✔ Full Night With Room Online Booking 2...
 
Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...
Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...
Independent Hatiara Escorts ✔ 8250192130 ✔ Full Night With Room Online Bookin...
 
GV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICE
GV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICEGV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICE
GV'S 24 CLUB & BAR CONTACT 09602870969 CALL GIRLS IN UDAIPUR ESCORT SERVICE
 

So, you wanna be a pen tester ctsc2017

  • 1. introduction to evading security controls. or so, you wanna be a pen tester? are you sure? CTSC 2017
  • 2. what? • this presentation will discuss the things that you will actually need to become a penetration tester, be prepared for a no-fluff honest discussion. • somewhat sarcastic, tongue in cheek, occasionally serious. • based on my own personal observations on trends in industry and the demand for security professionals. • unfortunately much of the demand is for trained and experienced people, not necessarily junior or intro level. • please do ask questions and participate! • otherwise you will hear me talk for 55 minutes straight…
  • 3. wots a pentest? • circumvention of security controls. • identifying alternate functionality in a ‘system’. • identifying alternate means of accessing functionality in a ‘system’. • generally a very thorough logical and technical assessment of the security controls and functionality in a ‘system’. • wots a ‘system’? those things and people and processes that provide business functionality and access to information. (app, end point, protocol, physical…) • wots a pentester? deliberate professional breaker of things. hacker. • curious explorer? the definition changed at some point.
  • 4. why? • people seem to think that it is a sexy profession. • oddly enough it is at least 50% boring and frustrating. • then you write reports, that’s the exciting part. • the actual exploitation is such a small part of the thing. • there is an industry over emphasis on the ‘hacking’ thing… • are you sure? it can be a lot of work. • it really isn’t about the hack, it’s about making things better. • don't get me wrong, i enjoy what I do, and a good root dance.
  • 5. everything has changed… • the industry re-invents itself every 5 years or so. • which means that we have to do the same, evolve. • everything has merged with technology. • security must be inter-disciplinary. • we must solve risk problems with people, common sense, science, and technology. • massive implications of interconnection. • attacks against ci have an entirely new impact. • security, safety, and privacy; it is a brave new world.
  • 6. what to do • threat modelling. • attacker emulation. • red team. • identify objectives. • project planning and resourcing. • enumerate controls. • sometimes we just login… • discover vulnerabilities. • exploitation, post-exploitation, passwords, pivoting, pillaging… • reporting.
  • 7. what are the top 10 thingies… • probably the number one question, what are the top 10 coolest most important hacking tools for penetration testers? • what are the top 10 skills that are important to become the worlds greatest hacker? make up lots of lies, plagiarize, and write a book! • how do I become the bestest cyber hacker? • can you hack my buddies hotmail for me? • do I need a cool hacker handle? • love the next two questions… • do I really need to learn all that stuff to be a cool hacker? • do I really have to work hard for many years to be a pentester? • the best one: i have a $CERT or degree in * so that makes me an expert!!
  • 8. what you really need • attitude, aptitude, and initiative. • desire. • dedication. • discipline. • integrity. • ethics. • experience. • knowledge. • tools. • so, how do I get me some?
  • 9. tools? • while somewhat important to the specific engagement the tools are not as important overall. the most important things are: • deep technical knowledge. • expertise in what you are assessing. • team composition. • project planning. • scoping (what you can test). • rules of engagement (tests you can run). • legality, morality, ethics! • logistics and controls. • understanding the goals and objectives. • methodology! and creativity!
  • 10. no honestly, which tools do I need? • the only required tool is the matter most (some) people have between their ears. brains. • a friend of mine said that the only tools are perspective and perception… the rest are just pretty accessories and squirrels and shiny things • the honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in. scripting is very very very very useful. learn one. • the remainder depend heavily on the nature of the engagement. • it honestly isn’t about the tools, it’s about having the appropriate tool to efficiently and effectively meet the pentest objectives. whichever tools meets the requirements, they are mostly interchangeable. • often pen testers talk about tactics, tools, techniques, and methodologies. the tools are only relevant if they work correctly, for the most part.
  • 11. ok, then what do we actually need? • people with the training, painstaking attention to detail, experience, analysis skills, and creativity to emulate attackers in a controlled professional manner. oh and teamwork and soft skills, who can write. • process, which includes determining the scope of the project, rules of engagement, plus details like policies and process and procedures. • technology. the tools are the easy part, anyone can download the tools, which are readily available, but in the hands of an unskilled individual they may do a lot of damage, and do not always achieve the objective of identifying and demonstrating risk. • pen testers are restricted by scope, legality, morality, and ethics, and there are rules of engagement, always have both hands tied behind our backs. we can’t do all the things that the attackers can do. bummer. • you have to be the ball. what? (caddy shack)
  • 12. no, what about me? • how do I get to be a pentester? • ask really good questions. then find answers. that’s it. • honestly i have no idea, i can tell you what i did, and i can tell you the things I would look for in new hires when i was a manager… • my degree is in political science, but i have played with computers and networks since the early 1980’s. i like to break stuff. • i have always said that i can teach people the technology, but i cannot teach good attitude, good team fit, problem solving, or curiosity • why does this presentation seem like random rambling? • why are your slides so boring?
  • 13. what do I need? • passion! • interesting question in that we tend to think in terms of a single lone wolf penetration tester, when the truth is that the best engagements are run with teams. • some of the skills that are required on that team are project management, creativity, being methodical, analysis, and writing. am i getting repetitive? • some will need an extensive background in information security, and to be very technical in their areas of expertise. • team membership will vary based on the specifics of each engagement, expertise in web skills are not as useful in a wireless or network test. • oh, and someone to run the scanning tools. minions! • a good security analyst and project manager are worth 100 testers!
  • 14. what is the path? • you may have noticed the theme to this discussion by now. • highly technical and specialized knowledge moving into information security as a pentester. they often have mucho academic background and technical experience, may be self-taught. • information security generalist willing to acquire technical skills to become a pentester. unless there is mucho training budget often will have to be self-taught. academics and certifications might help. • it specialist: developer, dba, architect, network, sysadmin…! • forge your own path, there is no spoon. • must have a deep understanding what it is you are trying to pentest and expertise in testing. • i have met very few who started out their career as a pentester…
  • 15. specialize, don't generalize • penetration testing is not a junior role… it is a senior technical role. • those who wish to follow a technical path over a long career soon realize that they must specialize. • being a generalist or on the path to management is good for some. • not so much for others. • being a member of an enterprise team leads to expertise. • or a consultant. • pick an area, you cannot do them all: physical, rf, locks, web applications, end points, protocols, databases, wifi, ics, social engineering…
  • 16. where? • mentors. • communities. • education, training, certifications are one way. • being the security person on a team. • taking the initiative and learning on your own, or a mix. • boutique consulting firms. • large consulting integration or services firms. • many enterprises have red or purple teams. • what the industry really needs are more blue team people who know how offensive security works…
  • 17. is that your final answer? • no. • it is up to you to learn, to ensure that you can do it. • nobody else can do it for you. • if this is your chosen career path, do not take no for an answer. • make it happen, do it. now I sound like a broken nike commercial. • do the hard work, learn what you need to learn. • it isn’t about what others have done, it is your journey. • make it your precious, your passion, you will make it. • not everyone gets to be a pen tester, sorry. • lots of openings in blue team. someone has to work in the soc.
  • 18. questions? was this the talk that you were expecting? it is entirely possible that I do not have any answers that you will like  adrien de beaupré, lots of certs and stuff penetration tester and SANS instructor a member of the fellowship of the testers of pens twitter @adriendb adriendb@gmail.com 1 613 797 3912 http://www.intru-shun.ca https://www.sans.org/instructors/adrien-de-beaupre