- This topic has 30 replies, 15 voices, and was last updated 11 years, 11 months ago by
mmurray.
-
February 21, 2009 at 12:00 am #3437
Don Donzal
Keymaster
Slide Deck in Searchable PDF
38 Slides
6.74 MB
Look for video soon!
This is EH-Net’s first of hopefully many more webcasts. How many more we do depends greatly on the size of the audience we reach. So now is the time for you to help the entire EH-Net Community by spreading the word and getting as many as you can to attend. Many thanks in advance.
Two additional announcements:
– After the live event, come right back to this thread to talk to Chris and Mike.
– A coupon code for a huge discount to the Social Engineering Master Class at ChicagoCon 2009s will be shown during the webcast. Don’t miss it!!
This one is sponsored by Core Security Technologies.
Permanent link: [Article]-Webcast: Modern Social Engineering – A Vital Component of Pen Testing
The world of Information Security is changing. Budgets are tighter, attacks are more sophisticated, and the corporate network is no longer the low hanging fruit. That leaves web-enabled applications as the vector-du-jour, but that well is quickly drying up for organized crime as well. As they creep up the OSI Model looking for easier ways to steal your corporate assets, they are quickly making their way up the stack to the unspoken 8th layer, the end user. So what is the next step in the never-ending escalation of this cyber war?
To find out, we must do as Sun Tzu taught. “Think like our enemy!” That is, after all, the primary tenet of penetration testing AKA ethical hacking, isn’t it? After years of hardening physical systems, networks, OSs, and applications, we have now come full circle to a new dawn of attack. People are now the target of the advanced hacker, and the cross-hairs are focused squarely on their foreheads… literally. It is only a matter of time before corporations feel the pain of wetware hacking requiring a new approach to testing and defense.
Join world-renowned social engineers, Chris Nickerson of TruTV’s Tiger Team and noted expert and international speaker, Mike Murray, as they prepare you for the future of pen testing. This webcast on Tuesday March 10, 2009 at 11:00 CST is your primer to the world of “Modern Social Engineering.”
Let us know what topics you’d like for us to cover in the future,
Don
-
February 21, 2009 at 12:57 am #22510
KrisTeason
Participant
Sweet just registered. 😛
-
February 21, 2009 at 11:59 am #22511
RoleReversal
Participant
Cool, looking forward to it.
-
February 24, 2009 at 6:23 pm #22512
gregtampa
Participant
Who else is going to chicon?
I’m trying to make plans to be there!
-
February 25, 2009 at 1:05 am #22513
MicroJay
Participant
Just registered! Met Chris a couple years back. Very interesting person.
-
February 25, 2009 at 5:44 am #22514
nmehra
Participant
I am new to this webcast thing.
Does it require me to pay to attend the webcast?
-
February 25, 2009 at 5:54 am #22515
Don Donzal
Keymaster
No sir. It’s free… just like everything else on EH-Net. 8)
Welcome to the community,
Don
-
March 8, 2009 at 5:23 am #22516
alan
Participant
Will this be recorded? Would be interested to check it out but won’t be able to watch it live.
-
March 10, 2009 at 5:34 pm #22517
Don Donzal
Keymaster
Thanks everyone for the compliments on and offline. There were many questions we just couldn’t get to, even though we allowed about another 10 – 15 minutes of Q&A. Then again, that’s why we have this thread. ;D
Here are a few more questions for the guys:
1. What are some ways that I can convince my boss that we should add SE into our normal pen tests both internally and externally?
2. How can I measure ROI for the SE portion of pen testing?
3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?
Don
-
March 10, 2009 at 5:43 pm #22518
cnickerson
Participant
#1 here is my LinkedIn profile.. Go there to look for the reading list.
-
March 10, 2009 at 6:19 pm #22519
cnickerson
Participant
DAMNIT.. I wrote a resp for about 20 min.. and the site timed me out F%$#^%#
OK.. I’ll go backwards.
3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?
It’s hard to show you everything without going over the whole class, but I can tell you some things. The outline is about 10 pages of bullets. Each section from intel collection to – gigging for information comes with training, examples, tools, practical exercise, and scenarios to make you put it all into play.
And what the hell.. Don knows I am a liability… so here’s a lil 0day.
(part of outline)
Determining Tests
• Types of testing
  o Direction of attacks
  o External
    Electronic
      • Phishing
      • Client-side / browser side exploitation
      • Metasploit
      • Core
      • By hand
      • Malicious attachments
    Person to Person
      • Phone
      • Written
      • Social Networks/IM
      • Public Manipulation
  o Internal
    Person to Person
      • Gaining access to physical credentials
      • Solicitation
      • Direct interaction
      • Creating spies / information leak sources
        o Methods (al mamalik,qulaam, kgb,cia,others)
        o Trading information
      • Becoming an employee
    Electronic
      • CD/Key drops
      • Authentication bypass
      • Key /perimeter bypass
      • Falsification of credentials
      • RFID/ HID copying
if u need more info… pm me.. =o)
-
March 10, 2009 at 6:27 pm #22520
jakx
Participant
Was this video recorded by chance? I was not able to make it and would love to see it.
-
March 10, 2009 at 6:48 pm #22521
timmedin
Participant
@don wrote:
Thanks everyone for the compliments on and offline. There were many questions we just couldn’t get to, even though we allowed about another 10 – 15 minutes of Q&A. Then again, that’s why we have this thread. ;D
Here are a few more questions for the guys:
1. What are some ways that I can convince my boss that we should add SE into our normal pen tests both internally and externally?
2. How can I measure ROI for the SE portion of pen testing?
3. I know you mentioned Core IMPACT and Maltego. Can you expand on some of the more technical components that will be in the class?
Don
Question #1 is what I was wondering. A corollary to that is, how do I get him to pay for my training? 🙂
-
March 10, 2009 at 6:57 pm #22522
Don Donzal
Keymaster
The webcast was recorded in a video format. I am reviewing it now. Give me a little bit to review, clip the start and ending, convert, etc. But it will be made available soon for those who didn’t catch the coupon code for basically half off the ChicagoCon training.
w00t!!
Don
-
March 10, 2009 at 8:11 pm #22523
Don Donzal
Keymaster
It is if you believe it to be. 😮
Here are some more questions for Chris & Mike that didn’t get answered during the live event:
Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.
Q: It seems to me that there is not an organization out there that would not fall for a client side attack. There is always at least one person that will click on a malicious link. Would a failure of such a test be the user clicking on a link, or lack of a safeguard such as A/V to prevent the malicious code from doing its thing?
To combine a bunch of questions… how does someone get into pen testing? What are your general thoughts on certs like CISSP? What foundational training would you recommend as a starting point?
Don
-
March 10, 2009 at 8:12 pm #22524
timmedin
Participant
@cnickerson wrote:
#1 here is my LinkedIn profile.. Go there to look for the reading list.
So Don…
Is this the real Chris Nickerson?
-
March 10, 2009 at 8:22 pm #22525
cnickerson
Participant
2. How can I measure ROI for the SE portion of pen testing?
This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.
#1 The ROI of appliances cannot be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics…. “how do I know it’s thing is providing value if I can’t show you it is working”
#2 The other way to show the value is to make a bit more of a personal connection. To make relevant the current attacks… show a sample of where you see these types of attacks (phish, clientside) hitting your network today. In addition, create some VMs to do a demo. If I learned anything from my years of testing, it is that VIDEO WORKS! As a side note. Make a claim. “With this type of testing, we will show how to alter/change/delete information in the “XYZ” system. This system runs our… *make it industry specific.. like EPHI data, financial data, intellectual property, source code… you get the point*” Then explain to them that a compromise within those systems will put you in violation of compliance * use what applies… If there is no compliance… make it relevant to the business. XYZ system controls our $$ or how we make $$. If it gets hacked… we lose.
The whitepaper is a bit more eloquent… but u get the point.
=o)
-
March 10, 2009 at 8:28 pm #22526
cnickerson
Participant
Q: It seems to me that there is not an organization out there that would not fall for a client side attack. There is always at least one person that will click on a malicious link. Would a failure of such a test be the user clicking on a link, or lack of a safeguard such as A/V to prevent the malicious code from doing its thing?
Ok… let’s work from the standpoint that SE is a process. If we test 5 techniques across 100 users then that makes our sample data.
If the results are as follows:
Phish: 20 of 100
PDF: 50 of 100
Browser Attacks: 45 of 100
Keydrop: 1 of 20
EXE: 2 of 100
it is pretty easy to show a company the results and make a “you are X% resistant to attacks”.
The goal of pentesting is not TOTAL security. It is to test the overall % of security. If my client was sent 100 mails and 1 person clicked to root… I’d give them a gold star… and focus on something else in the security program.
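Added example, not part of cnickerson's post: the counts above turned into a per-technique resistance figure, with a 95% Wilson score interval to show how much weight the 20-user keydrop sample can carry next to the 100-user samples. The Wilson interval, the pooled per-attempt figure and all function names are assumptions of this example; the post does not specify how "X% resistant" is calculated.

```python
from math import sqrt

# Counts copied from the post: technique -> (users who fell for it, users tested)
RESULTS = {
    "Phish": (20, 100),
    "PDF": (50, 100),
    "Browser Attacks": (45, 100),
    "Keydrop": (1, 20),
    "EXE": (2, 100),
}

Z95 = 1.959963984540054  # two-sided 95% quantile of the standard normal


def wilson_interval(successes, n, z=Z95):
    """Wilson score interval for a binomial proportion (successes out of n)."""
    if n <= 0 or not 0 <= successes <= n:
        raise ValueError("need 0 <= successes <= n and n > 0")
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def resistance_report(results):
    """Return {technique: (resistance, ci_low, ci_high)} as fractions of users."""
    report = {}
    for name, (failed, tested) in results.items():
        resisted = tested - failed
        low, high = wilson_interval(resisted, tested)
        report[name] = (resisted / tested, low, high)
    return report


def pooled_resistance(results):
    """Share of all test attempts that were resisted (assumed reading of 'X%')."""
    failed = sum(f for f, _ in results.values())
    tested = sum(t for _, t in results.values())
    return (tested - failed) / tested


if __name__ == "__main__":
    for name, (r, lo, hi) in resistance_report(RESULTS).items():
        print(f"{name:16s} {r:6.1%}  (95% CI {lo:.1%} to {hi:.1%})")
    print(f"{'Pooled':16s} {pooled_resistance(RESULTS):6.1%}")
```

The keydrop interval is several times wider than the EXE interval, so a report built on these numbers should state sample sizes alongside each percentage.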
-
March 10, 2009 at 8:32 pm #22527
cnickerson
Participant
Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.
In person is #1. Grab the team, put em in a room and go at it.
#2 Make sure you have a distinct process. It allows engineers to freestyle but keeps everyone on the same page.
#3 P0wned list. Make a secured Wiki, have a shared doc.. or use collaboration frameworks to take notes for juicy intel and info. Review this list with the whole team daily for large projects and every half day for smaller gigs.
#4 Leverage traditional PM skills
#5 Create incentive. You get x bonus if you find unique info... You lose y points/bonus if you dupe info.
I have more if ya really need help. I have run roughly 30 security consulting shops and managed 10-50 engineers at a time.
-
March 10, 2009 at 8:58 pm #22528
cnickerson
Participant
@cnickerson wrote:
2. How can I measure ROI for the SE portion of pen testing?
This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.
#1 The ROI of appliances cannot be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics…. “how do I know it’s thing is providing value if I can’t show you it is working”
#2 The other way to show the value is to make a bit more of a personal connection. To make relevant the current attacks… show a sample of where you see these types of attacks (phish, clientside) hitting your network today. In addition, create some VMs to do a demo. If I learned anything from my years of testing, it is that VIDEO WORKS! As a side note. Make a claim. “With this type of testing, we will show how to alter/change/delete information in the “XYZ” system. This system runs our… *make it industry specific.. like EPHI data, financial data, intellectual property, source code… you get the point*” Then explain to them that a compromise within those systems will put you in violation of compliance * use what applies… If there is no compliance… make it relevant to the business. XYZ system controls our $$ or how we make $$. If it gets hacked… we lose.
The whitepaper is a bit more eloquent… but u get the point.
=o)
Does that take care of #1 too?
-
March 10, 2009 at 10:37 pm #22529
Ketchup
Participant
Thanks so much for a great presentation and thanks for answering all of the questions. I hope EH does more of these.
-
March 11, 2009 at 12:19 am #22530
jason
Participant
Great presentation. I agree, I’d like to see more ;D
-
March 11, 2009 at 12:26 am #22531
Don Donzal
Keymaster
More SE or just more webcasts in general?
Don
-
March 11, 2009 at 1:46 am #22532
jason
Participant
Yes to both!
-
March 11, 2009 at 2:25 am #22533
Ketchup
Participant
I second that, more of both, SE and Webcasts.
-
March 11, 2009 at 2:43 am #22534
jason
Participant
And we need video of Ryan in his ninja costume 😮
-
March 11, 2009 at 9:47 am #22535
frever
Participant
I had to leave the webinar half-way through,
but my interest was piqued.
I would very much like to see the rest of the presentation.
Will the recorded session be made available for EH.NET users?
I sure hope so 🙂
-
March 11, 2009 at 12:21 pm #22536
Xen
Participant
@frever
Yes, the recorded video will be made available to everyone.
Don replied to a similar question on the first page of this thread.
The webcast was recorded in a video format. I am reviewing it now. Give me a little bit to review, clip the start and ending, convert, etc. But it will be made available soon for those who didn’t catch the coupon code for basically half off the ChicagoCon training.
-
March 11, 2009 at 5:29 pm #22537
Don Donzal
Keymaster
Modern Social Engineering
Slide Deck in Searchable PDF
38 Slides
6.74 MB
Look for video soon!
Don
-
March 11, 2009 at 10:12 pm #22538
Don Donzal
Keymaster
The video of the webcast has been posted in a new article.
Video: Modern Social Engineering – A Vital Component of Pen Testing
Enjoy.
Don
-
March 17, 2009 at 12:30 am #22539
mmurray
Participant
I’m late to the party, but I just couldn’t help throw a few more thoughts into here.
@cnickerson wrote:
Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.
…..#3 P0wned list. Make a secured Wiki, have a shared doc.. or use collaboration frameworks to take notes for juicy intel and info. Review this list with the whole team daily for large projects and every half day for smaller gigs.
For this function, I’d suggest checking out Dradis. http://dradis.nomejortu.com/
It’s a work in progress, but at Foreground we’ve already started testing it and we’re thinking about putting it in production.
@cnickerson wrote:
#4 Leverage traditional PM skills
Since traditional pen-tests aren’t highly complex projects, you don’t need a full-scale PM. Here’s where a student intern can really help out – I’m a big fan of finding someone in a local college who is looking to become a project manager… they can learn to PM, track data, track progress, etc. And you get a resource appropriate for the level required.
Depends on the project, of course.
-