A Journey into Pen-tester Land: Myths or Facts
y3dips (c) 2018, Bina Insani, Bekasi, 14 April 2018
Ahmad Muammar WK, OSCE, OSCP, eMAPT.
•Professional hacker/Penetration tester
•Doing offensive security/hacking for 15+ years
•Founder of echo.or.id & idsecconf.org
•Web: http://me.ammar.web.id
•email: me@ammar.web.id
•twitter: @y3dips
A Journey into Pen-tester Land: Myths or Facts - y3dips
Agenda
•About Penetration Testing
•How to become a Penetration Tester
•Myths or Facts around Pen-test
Penetration Testing
IT Security Assessment
•A way to validate/check the level of security of every aspect of the IT infrastructure.
•Also ensures that the necessary security controls are integrated into the design and implementation.
•Prepares the ground for further improvement.
IT Security Assessment
•Vulnerability Assessment
•Penetration Testing
•Security Audit
Vulnerability Assessment (VA)
•A vulnerability assessment is usually carried out with a vulnerability scanner application. Most such products test the operating system type, applications, patch level, user accounts and so on.
•Vulnerability scanners identify common security configuration mistakes and common attacks.
Security Audit
•Mostly checklist-based (corporate security policies, or regulatory standards such as ISO or PBI).
•IMPORTANT for compliance with security policies, legislation and standards.
•e.g.: are there any backups? ANTIVIRUS?
Security Audit (sample report template): http://vsanspareil.com/security-audit-report-template/security-audit-report-template-2/
Penetration Testing
•Is when a “hacker” does the attacker's work.
•The only goal is to break into the system as much as possible and as deep as possible.
VA vs Pen-test
•Vulnerability Assessment identifies the “possible” vulnerabilities (including false positives).
•Penetration Testing validates the vulnerability.
Security Audit vs Pen-test
•Security audits are important for compliance with security policies, legislation and standards.
•A pen-test complements a security audit and helps fix security threats before an attacker discovers them.
Pen-test
•Check what sensitive information is available.
•Check what kind of privileges the pen-tester gains.
•Check if it is possible to escalate privileges.
•Check if the vulnerability can lead to further exploitation (another application, system, server, or scope).
Type of Pen-test
•Should be only Blackbox!
•Black box: zero information about the system, maybe only the IP/domain name. Full attacker perspective.
•Grey box: partial information about the system; simulates an attack by an employee or vendor.
•White box: significant information about the system; source code/configuration review.
Pen-test Scope?
•Ideal = no scope that limits the activity.
•Wired Network Infrastructure
•Wireless Network Infrastructure
•Application Infrastructure
•Operating System Infrastructure
•Physical Infrastructure
•Social Engineering (people hacking)
Pen-test Methodology
•ISSAF
Demo [Video 1]
Pen-tester
Information Security Professional
•IT Security Officer
•IT Security Analyst
•IT Security Auditor
•IT Security Engineer
IT Security Officer
•Security contact point for the organisation
•Principal advisor for IT security
•Ensures security programs are running (security awareness courses, etc.)
•Creates security policies, procedures, hardening guides
•Title: CSO, CISO, Head of IT Security, VP Security, IT Sec Manager
IT Security Analyst
•Monitors all types of access to protect confidentiality and integrity
•Provides direct support and advice to the IT Security Manager
•Title: System Security Analyst, Network Security Analyst
IT Security Auditor
•Audits an organisation's technology processes and security.
•IT General Controls Reviews
•Application Controls Reviews
•Title: Security Auditor, Penetration Tester
IT Security Engineer
•Maintains the computer hardware and software that comprise a computer network
•Does security hardening and configuration
•Title: System Security Engineer, Network Security Engineer
https://www.quora.com/Do-I-need-a-degree-or-certification-to-get-started-in-Computer-Security-and-Penetration-Testing-jobs
But not in Indonesia ;-)
Pen-tester
•Penetration Tester
•Ethical Hacker
•Professional Hacker
•Information Security Professional
•Red Team officer
Pen-tester
•Recently a new ‘hot’ profession, beyond and separate from Security Auditor.
•Nowadays there are many information security curricula, faculties, even a university.
•High demand because of regulation, especially with the growth in electronic transactions.
Requirements
•Skillset, Knowledge
•Experience
•Attitude
•Able to work independently/in a group
•…
Skillset, Knowledge
•Knowledge of Operating Systems
•Knowledge of Networking
•Knowledge of Applications
•Knowledge of Programming
•Much more :)
Skill & Experience
•Self-taught Hacker
•Formal Education
Self-Taught Hacker
•Joins a community/hacking group
•Gains hacking knowledge by hacking
•Hack to learn, not the other way around.
•Often starts as a kiddie and works the way up to Hacker
Kiddies
•Newbie (larva) > kiddies < Hacker (elite)
•Know the tools, able to use and modify the tools; but do not know how the tool “really” works.
Formal Education
•Gains information security knowledge from formal education, courses, certifications
Formal Education
•Most universities (nowadays) have an info-sec curriculum.
•ITB has a Master of Engineering in Information Security.
Formal Education
•Penetration Testing certifications:
•Offensive Security: OSCP, OSCE
•EC-Council: CEH, LPT, ECSA
•SANS: GPEN
•IACRB: CEPT, CWAPT
•CompTIA: Security+
•eLearnSecurity: eCPPT, eMAPT, eWPT
Self-Taught Hacker vs Formal Education
•Self-Taught [+] / Formal [-]
•Proven skill and experience
•Able to do a proof of concept
Self-Taught Hacker vs Formal Education
•Self-Taught [-] / Formal [+]
•Lack of methodologies
•Lack of organisational/managerial skills
Attitude
•[+] Need to boost
•Willing to learn, share and teach.
•Eager to learn new things faster.
•…
Attitude
•[-] Need to avoid at all costs!
•Becoming a drama queen/king!
•Liking to take selfies around the data centre, client server, target.
•Publishing posts on social media, especially about the client and its weaknesses, with or without an NDA.
•Always taking and never giving.
Work
•Able to work alone (individual),
•or as a team player
Demo [Video 2]
Myths | Facts
Pen-test is just “marketing VA”
•Myth!
•Penetration Testing validates the vulnerability.
•If the company gets a pen-test report that looks like a VA report, then blame your pen-tester selection process.
Sample penetration testing report: https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
Great Pen-tester is a “master” of programming, networking, … everything!
•Myth!
•They do need to have knowledge about the target, but not to be a master of all (since it won't be possible).
•A great pen-tester should be a fast learner and able to adapt, since most of the systems are ones they have never interacted with, or even heard of, before.
•Technologies are always changing and improving; hard to stick to only one.
After fixing the pen-test results, Yeay, we are secure!
•Myth!
•Ideally a pen-test does not cover every vulnerability, because it only takes one, even the smallest vulnerability, to give access.
•Security is a process.
•Secure now, not secure the next minute.
•Compared to an actual criminal, a pen-tester is limited by time, scope, resources.
Pen-testers are Equal!
•Myth!
•The truth is, VA results are equal!
•Even with the same school or certifications.
•That's why a “smart company” spends time on sorting the pen-testers (beauty contest, administration, going through the CV of every pen-tester, etc.)
Wow, pen-test is always sophisticated!
•Myth!
•Target low-hanging-fruit vulnerabilities first:
•Weak/default passwords
•Out-of-date and vulnerable versions in use
•Security misconfiguration
•…
•Well, some are really sophisticated, since they have already been pen-tested over and over ;)
Wow, pen-test is always sophisticated! (references)
•https://xkcd.com/538/
•http://allthetropes.wikia.com/wiki/Hollywood_Hacking
  • 31. A Journey into Pen-tester Land: Myths or Facts - y3dips •Self-taught Hacker •Formal Education Skill & Experience
  • 32. A Journey into Pen-tester Land: Myths or Facts - y3dips •Join in the community/hacking group •Gain their hacking knowledge by Hacking •Hack to Learn not otherwise. •Often start as kiddies and hike the way into Hackers Self-Taught Hacker
  • 33. A Journey into Pen-tester Land: Myths or Facts - y3dips •Newbie (larva) > kiddies < Hacker (elite) •Know the Tools, Able to use the tools and modify; But, Do not know how the tool “really” works. kiddies
  • 34. A Journey into Pen-tester Land: Myths or Facts - y3dips •Gain Information Security/Knowledge from formal Education, Course, Certification Formal Education
  • 35. A Journey into Pen-tester Land: Myths or Facts - y3dips •Most of University (nowadays) has Info-sec curriculum. •ITB has Master engineering of Information Security. Formal Education
  • 36. A Journey into Pen-tester Land: Myths or Facts - y3dips •Penetration Testing certifications: •Offensive Security: OSCP, OSCE •EC-Council: CEH, LPT, ECSA •SANS: GPEN •IACRB: CEPT, CWAPT •CompTIA: Security+ •E-learnSecurity: eCPPT, eMAPT, eWPT Formal Education
  • 37. A Journey into Pen-tester Land: Myths or Facts - y3dips •Self-Taught [+] / Formal [-] •Proven Skill and Experiences •Able to do a proof of concept Self-Taught Hacker vs Formal Education
  • 38. A Journey into Pen-tester Land: Myths or Facts - y3dips •Self-Taught [-] / Formal[+] •Lack of Methodologies •Lack or Organisations/Managerial Self-Taught Hacker vs Formal Education
  • 39. A Journey into Pen-tester Land: Myths or Facts - y3dips •[+] Need to Boost •Willing to learn, share and teach. •Eager to learn new things faster. •… Attitude
  • 40. A Journey into Pen-tester Land: Myths or Facts - y3dips •[-] Need To Avoid at all costs! •Become Drama Queen/King!. •like to selfie around data centre, client server, target. •publish post in social media especially about client and the weakness even with or without NDA. •Always take and not give. Attitude
  • 41. A Journey into Pen-tester Land: Myths or Facts - y3dips •Able to work Alone (individual), •or a Team Player Work
  • 42. A Journey into Pen-tester Land: Myths or Facts - y3dips Demo [Video 2]
  • 44. A Journey into Pen-tester Land: Myths or Facts - y3dips •Myth! •Penetration Testing validates the vulnerability. •If the company get Pen-tests report that look like VA reports, then blame your selection process of pen-tester. Pen-test is just “marketing VA”
  • 45. A Journey into Pen-tester Land: Myths or Facts - y3dips
  • 46. A Journey into Pen-tester Land: Myths or Facts - y3dips https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf
  • 47. A Journey into Pen-tester Land: Myths or Facts - y3dips •Myth! •They do need to have knowledge about the target but not to be a master of all (since it won’t be possible) •Great Pen-tester should be a fast learner and able to adapt since most of the system he never interact before even heard. •Technologies will always changing and improves and hard to stick to only one. Great Pen-tester is “master” of programming, networking, …. everything!
  • 48. A Journey into Pen-tester Land: Myths or Facts - y3dips •Myth! •Ideally pen-test not cover every vulnerability, because it’s only the one that give access even the smallest vulnerability. •Security is a process. •Now you are secure, next minute is not. •Compare to actual criminal, pen-tester limited by time, scope, resources. After fixing pen-test result, Yeay we are secure!
  • 49. A Journey into Pen-tester Land: Myths or Facts - y3dips •Myth! •Truth is VA results are equal! •Even with same School or Certifications. •Thats why “smart company” spend time on sorting the pen-tester. (beauty contest, administrations, go through the cv for every pen-tester, etc) Pen-tester are Equal!
  • 50. A Journey into Pen-tester Land: Myths or Facts - y3dips •Myths! •Targeting Low Hanging Fruit Vulnerability first. •Weak/Default Password •Out-of-date and vulnerable version usage. •Security Misconfiguration •… •Well, some are really sophisticated, since it already being pen-test over and over ;) Wow, pen-test is always sophisticated!
  • 51. A Journey into Pen-tester Land: Myths or Facts - y3dips Wow, pen-test is always sophisticated! https://xkcd.com/538/
  • 52. A Journey into Pen-tester Land: Myths or Facts - y3dips Wow, pen-test is always sophisticated! http://allthetropes.wikia.com/wiki/Hollywood_Hacking
  • 53. A Journey into Pen-tester Land: Myths or Facts - y3dips
  • 54. A Journey into Pen-tester Land: Myths or Facts y3dips!(c)2018 Bina Insani, Bekasi,14 April 2018