[Article]-Webcast: Modern Social Engineering – A Vital Component of Pen Testing

    • #3437
      Don Donzal
      Keymaster

      Slide Deck in Searchable PDF

      38 Slides
      6.74 MB

      Look for video soon!

      This is EH-Net’s first of hopefully many more webcasts. How many more we do depends greatly on the size of the audience we reach. So now is the time for you to help the entire EH-Net Community by spreading the word and getting as many as you can to attend. Many thanks in advance.


      Two additional announcements:

      – After the live event, come right back to this thread to talk to Chris and Mike.
      – A coupon code for a huge discount to the Social Engineering Master Class at ChicagoCon 2009s will be shown during the webcast. Don’t miss it!!

      This one is sponsored by Core Security Technologies.

      Permanent link: [Article]-Webcast: Modern Social Engineering – A Vital Component of Pen Testing


      The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?

      To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense.

      Join world-renowned social engineers, Chris Nickerson of TruTV’s Tiger Team and noted expert and international speaker, Mike Murray, as they prepare you for the future of pen testing. This webcast on Tuesday March 10, 2009 at 11:00 CST is your primer to the world of “Modern Social Engineering.”


      Let us know what topics you’d like for us to cover in the future,
      Don

    • #22510
      KrisTeason
      Participant

      Sweet just registered.  😛

    • #22511
      RoleReversal
      Participant

      Cool, looking forward to it.

    • #22512
      gregtampa
      Participant

      who else is going to chicon?
      I’m trying to make plans to be there!

    • #22513
      MicroJay
      Participant

      Just registered!  Met Chris a couple years back.  Very interesting person.

    • #22514
      nmehra
      Participant

      I am new to this webcast thing.
      Does it require me to pay to attend the webcast?

    • #22515
      Don Donzal
      Keymaster

      No sir. It’s free… just like everything else on EH-Net.  8)

      Welcome to the community,
      Don

    • #22516
      alan
      Participant

      will this be recorded? would be interested to check it out but won’t be able to watch it live

    • #22517
      Don Donzal
      Keymaster

      Thanks everyone for the compliments on and offline. There were many questions we just couldn’t get to, even though we allowed about another 10 – 15 minutes of Q&A. Then again, that’s why we have this thread.  ;D

      Here are a few more questions for the guys:

      1. What are some ways that I can convince my boss that we should add SE into our normal pen tests both internally and externally?

      2. How can I measure ROI for the SE portion of pen testing?

      3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?

      Don

    • #22518
      cnickerson
      Participant

      #1  here is my linked in profile.. Go there to look for the reading List.

      http://www.linkedin.com/in/nickersonlares

    • #22519
      cnickerson
      Participant

      DAMNIT.. I wrote a resp for about 20 min.. and the site timed me out F%$#^%#

      ok..  I’ll go backwards.

      3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?

      It’s hard to show you everything without going over the whole class, but I can tell you some things. The outline is about 10 pages of bullets. Each section from intel collection to – gigging for information comes with training, examples, tools, practical exercise, and scenarios to make you put it all into play.

      And what the hell..  don knows I am a liability… so here’s a lil 0day.

      (part of outline)

      Determining Tests
      • Types of testing
        o Direction of attacks
        o External
            Electronic
              • Phishing
              • Client-side / browser side exploitation
                  • Metasploit
                  • Core
                  • By hand
              • Malicious attachments
            Person to Person
              • Phone
              • Written
              • Social Networks/IM
              • Public Manipulation
        o Internal
            Person to Person
              • Gaining access to physical credentials
              • Solicitation
              • Direct interaction
              • Creating spies / information leak sources
                  o Methods (al mamalik, qulaam, kgb, cia, others)
                  o Trading information
              • Becoming an employee
            Electronic
              • CD/Key drops
              • Authentication bypass
              • Key / perimeter bypass
              • Falsification of credentials
              • RFID / HID copying

      if u need more info… pm me..  =o)


    • #22520
      jakx
      Participant

      Was this video recorded by chance? I was not able to make it and would love to see it.

    • #22521
      timmedin
      Participant

      @don wrote:

      Thanks everyone for the compliments on and offline. There were many questions we just couldn’t get to, even though we allowed about another 10 – 15 minutes of Q&A. Then again, that’s why we have this thread.  ;D

      Here are a few more questions for the guys:

      1. What are some ways that I can convince my boss that we should add SE into our normal pen tests both internally and externally?

      2. How can I measure ROI for the SE portion of pen testing?

      3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?

      Don

      Question #1 is what I was wondering. A corollary to that is, how do I get him to pay for my training? 🙂

    • #22522
      Don Donzal
      Keymaster

      The webcast was recorded in a video format. I am reviewing it now. Give me a little bit to review, clip the start and ending, convert, etc. But it will be made available soon for those who didn’t catch the coupon code for basically half off the ChicagoCon training.

      w00t!!

      Don

    • #22523
      Don Donzal
      Keymaster

      It is if you believe it to be.  😮

      Here are some more questions for Chris & Mike that didn’t get answered during the live event:

      Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.

      Q: It seems to me that there is not an organization out there that would not fall for a client side attack.  There is always at least one person that will click on a malicious link.  Would a failure of such a test be the user clicking on a link, or lack of a safeguard such as A/V to prevent the malicious code from doing its thing?

      To combine a bunch of questions… how does someone get into pen testing? What are your general thoughts on certs like CISSP? What foundational training would you recommend as a starting point?

      Don

    • #22524
      timmedin
      Participant

      @cnickerson wrote:

      #1  here is my linked in profile.. Go there to look for the reading List.

      http://www.linkedin.com/in/nickersonlares

      So Don…
      Is this the real Chris Nickerson?

    • #22525
      cnickerson
      Participant

      2. How can I measure ROI for the SE portion of pen testing?

      This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.

      #1 The ROI of appliances can not be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics….  “how do i know it’s thing is providing value if I can’t show you it is working”

      #2 The Other way to show the value is to make a bit more of a personal connection. To make relevant the current attacks…  show a sample of where you see these types of attacks (phish, clientside) hitting your network today.  In addition create some VM’s to do a demo. If I learned anything from my years of testing is that VIDEO WORKS!  As a side note. Make a claim. “With this type of testing, we will show how to alter/change/delete information in the “XYZ” system. This system runs our… *make it industry specific.. like  EPHI data, financial data, intellectual property, source code… you get the point*” Then explain to them that a compromise within those systems will put you in violation of compliance * use what applies… If there is no compliance… make it relevant to the business. XYZ system controls our $$ or how we make $$.  If it gets hacked…  we lose.

      The whitepaper is a bit more eloquent… but u get the point.

      =o)

    • #22526
      cnickerson
      Participant

      Q: It seems to me that there is not an organization out there that would not fall for a client side attack.  There is always at least one person that will click on a malicious link.  Would a failure of such a test be the user clicking on a link, or lack of a safeguard such as A/V to prevent the malicious code from doing its thing?

      Ok…  lets work from the standpoint that SE is a process. If we test 5 techniques across 100 users then that makes our sample data.

      if the results are as follows
      Phish: 20 of 100
      PDF: 50 of 100
      Browser Attacks: 45 of 100
      Keydrop: 1 of 20
      EXE: 2 of 100

      it is pretty easy to show a company the results and make a  you are X% resistant to attacks.

      The goal of pentesting is not TOTAL security. It is to test the overall % of security. If my client was sent 100 mails and 1 person clicked to root… I’d give them a gold star… and focus on something else in the security program
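
The per-technique tallies from the post above, turned into a resistance report (an added example, not part of the original post). The Wilson score interval is an assumption added here, not something the thread mentions; it shows how much of an "X% resistant" claim the small 1-of-20 sample can actually support.

```python
import math

# Tallies quoted in the post above: technique -> (users who fell for it, users tested).
RESULTS = {
    "Phish": (20, 100),
    "PDF": (50, 100),
    "Browser Attacks": (45, 100),
    "Keydrop": (1, 20),
    "EXE": (2, 100),
}

def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for the true failure rate, given hits out of n."""
    if n <= 0 or not 0 <= hits <= n:
        raise ValueError("need n > 0 and 0 <= hits <= n")
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def resistance_report(results):
    """Per-technique resistance (% of users who did not fall for it) with bounds."""
    report = {}
    for technique, (hits, n) in results.items():
        low_fail, high_fail = wilson_interval(hits, n)
        report[technique] = {
            "tested": n,
            "resistant_pct": round(100 * (1 - hits / n), 1),
            # Resistance bounds are the failure-rate bounds flipped.
            "resistant_low": round(100 * (1 - high_fail), 1),
            "resistant_high": round(100 * (1 - low_fail), 1),
        }
    return report

def weakest_first(report):
    """Order techniques by the pessimistic (lower-bound) resistance figure."""
    return sorted(report, key=lambda t: report[t]["resistant_low"])

if __name__ == "__main__":
    rep = resistance_report(RESULTS)
    for name in weakest_first(rep):
        r = rep[name]
        print(f"{name:16} {r['resistant_pct']:5.1f}% resistant "
              f"({r['resistant_low']}-{r['resistant_high']}%, n={r['tested']})")
```

Sorting on the lower bound keeps a technique tested on only 20 users from looking stronger than the evidence allows.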

    • #22527
      cnickerson
      Participant

      Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.

      In person is #1. Grab the team, put em in a room and  go at it.

      #2  make sure you have a distinct process. It allows engineers to freestyle but keeps everyone on the same page.

      #3 P0wned list. Make a secured Wiki, have a shared doc..  or use collaboration frameworks to take notes for juicy intel and info. Review this list with the whole team daily for large projects and  every half day for smaller gigs.

      #4 Leverage traditional PM skills

      #5 Create incentive. You get x bonus if you find unique info.. . You lose y points/bonus if you dupe info.

      I have more  if ya really need help. I have run roughly 30 security consulting shops and managed 10-50 engineers at a time

    • #22528
      cnickerson
      Participant

      @cnickerson wrote:

      2. How can I measure ROI for the SE portion of pen testing?

      This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.

      #1 The ROI of appliances can not be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics….  “how do i know it’s thing is providing value if I can’t show you it is working”

      #2 The Other way to show the value is to make a bit more of a personal connection. To make relevant the current attacks…  show a sample of where you see these types of attacks (phish, clientside) hitting your network today.  In addition create some VM’s to do a demo. If I learned anything from my years of testing is that VIDEO WORKS!  As a side note. Make a claim. “With this type of testing, we will show how to alter/change/delete information in the “XYZ” system. This system runs our… *make it industry specific.. like  EPHI data, financial data, intellectual property, source code… you get the point*” Then explain to them that a compromise within those systems will put you in violation of compliance * use what applies… If there is no compliance… make it relevant to the business. XYZ system controls our $$ or how we make $$.  If it gets hacked…  we lose.

      The whitepaper is a bit more eloquent… but u get the point.

      =o)

      Does that take care of #1 too?

    • #22529
      Ketchup
      Participant

      Thanks so much for a great presentation and thanks for answering all of the questions.  I hope EH does more of these.

    • #22530
      jason
      Participant

      Great presentation. I agree, I’d like to see more  ;D

    • #22531
      Don Donzal
      Keymaster

      More SE or just more webcasts in general?

      Don

    • #22532
      jason
      Participant

      Yes to both!

    • #22533
      Ketchup
      Participant

      I second that, more of both, SE and Webcasts. 

    • #22534
      jason
      Participant

      And we need video of Ryan in his ninja costume  😮

    • #22535
      frever
      Participant

      I had to leave the webinar half-way through.
      but my interest was piqued.
      I would very much like to see the rest of the presentation.
      Will the recorded session be made available for EH.NET users ?

      I sure hope so  🙂

    • #22536
      Xen
      Participant

      @frever
      Yes, the recorded video will be made available to everyone.
      Don replied to a similar question on the first page of this thread.

      The webcast was recorded in a video format. I am reviewing it now. Give me a little bit to review, clip the start and ending, convert, etc. But it will be made available soon for those who didn’t catch the coupon code for basically half off the ChicagoCon training.

    • #22537
      Don Donzal
      Keymaster
    • #22538
      Don Donzal
      Keymaster

      The video of the webcast has been posted in a new article.

      Video: Modern Social Engineering – A Vital Component of Pen Testing

      Enjoy.

      Don

    • #22539
      mmurray
      Participant

      I’m late to the party, but I just couldn’t help throw a few more thoughts into here.

      @cnickerson wrote:

      Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.
      …..

      #3 P0wned list. Make a secured Wiki, have a shared doc..  or use collaboration frameworks to take notes for juicy intel and info. Review this list with the whole team daily for large projects and  every half day for smaller gigs.

      For this function, I’d suggest checking out Dradis.  http://dradis.nomejortu.com/

      It’s a work in progress, but at Foreground we’ve already started testing it and we’re thinking about putting it in production.

      @cnickerson wrote:

      #4 Leverage traditional PM skills

      Since traditional pen-tests aren’t highly complex projects, you don’t need a full-scale PM.  Here’s where a student intern can really help out – I’m a big fan of finding someone in a local college who is looking to become a project manager… they can learn to PM, track data, track progress, etc.  And you get a resource appropriate for the level required. 

      Depends on the project, of course. 


Copyright ©2021 Caendra, Inc.
