.

[Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

<<

timmedin

User avatar

Sr. Member
Sr. Member

Posts: 469

Joined: Thu Feb 05, 2009 11:18 pm

Post Tue Mar 10, 2009 3:12 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

cnickerson wrote:#1  here is my linked in profile.. Go there to look for the reading List.

http://www.linkedin.com/in/nickersonlares


So Don...
Is this the real Chris Nickerson?

<Damn, I accidently deleted this post, it was originally before Don's response>
Last edited by timmedin on Tue Mar 10, 2009 4:38 pm, edited 1 time in total.
twitter.com/timmedin | http://blog.securitywhole.com
<<

cnickerson

Newbie
Newbie

Posts: 7

Joined: Tue Mar 10, 2009 12:40 pm

Post Tue Mar 10, 2009 3:22 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

2. How can I measure ROI for the SE portion of pen testing?

This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.

#1 The ROI of appliances can not be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics....  "how do i know it's thing is providing value if I cant sow you it is working"

#2 The Other way to show the value is to make a bit more of a personal connection. To make relevant the current attacks...  show a sample of where you see these types of attacks (phish, clientside) hitting your network today.  In addition create some VM's to do a demo. If I learned anything from my years of testing is that VIDEO WORKS!  As a side note. Make a claim. "With this type of testing, we will show how to alter/change/delete information in the ""XYZ" system. This system runs our... *make it industry specific.. like  EPHI data, financial data, intellectual property, source code... you get the point*" Then explain to them that a compromise within those systems will put you in violation of compliance * use what applies... If there is no compliance... make it relevant to the business. XYZ system controls our $$ or how we make $$.  If it gets hacked...  we lose.

The whitepaper is a bit more eloquent... but u get the point.

=o)
<<

cnickerson

Newbie
Newbie

Posts: 7

Joined: Tue Mar 10, 2009 12:40 pm

Post Tue Mar 10, 2009 3:28 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

Q: It seems to me that there is not an orgnaization out there that would not fall for a client side attack.  There is always at least one person that will click on a malicious link.  Would a failure of such a test be the user clicking on a link, or lack of a safeguard such as A/V to prevent the malicious code from doing its thing?

Ok...  lets work from the standpoint that SE is a process. If we test 5 techniques across 100 users then that makes our sample data.

if the results are as follows
Phish: 20 of 100
PDF: 50 of 100
Browser Attacks: 45 of 100
Keydrop: 1 of 20
EXE: 2 of 100

it is retty easy to show a company the results and make a  you are X% resistant to attacks.

The goal of pentesting is not TOTAL security. It is to test the overall % of security. If my client was sent 100 mails and 1 person clicked to root... I'd give them a gold star... and focus on something else in the security program
<<

cnickerson

Newbie
Newbie

Posts: 7

Joined: Tue Mar 10, 2009 12:40 pm

Post Tue Mar 10, 2009 3:32 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

Q: On a PenTest team, what is the best way to collaborate what you have found? I pentest and I have found that communication break down is one of the biggest problems within the PT team social context.

In person is #1. Grab the team, put em in a room and  go at it.

#2  make sure you have a distinct process. It allows engineers to freestyle but keeps everyone on the same page.

#3 P0wned list. Mae a secured Wiki, have a shared doc..  or use collaboration frameworks to take notes for juicy intel and info. Review this list with the whole team daily for large projects and  every half day for smaller gigs.

#4 Leverage traditional PM skills

#5 Create incentive. You get x bonus if you find unique info.. . You lose y points/bonus if you dupe info.

i have more  if ya really need help. I have ran roughly 30 security consulting shops and managed 10-50 engineers at a time
<<

cnickerson

Newbie
Newbie

Posts: 7

Joined: Tue Mar 10, 2009 12:40 pm

Post Tue Mar 10, 2009 3:58 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

cnickerson wrote:2. How can I measure ROI for the SE portion of pen testing?

This one is a great topic. I have a blog post coming to detail this in depth, but will give you the tops of the waves.

#1 The ROI of appliances can not be truly realized without testing the products for effectiveness, responsiveness, proper config, and regular testing/tuning for the environment. The basics....  "how do i know it's thing is providing value if I cant sow you it is working"

#2 The Other way to show the value is to make a bit more of a personal connection. To make relevant the current attacks...  show a sample of where you see these types of attacks (phish, clientside) hitting your network today.  In addition create some VM's to do a demo. If I learned anything from my years of testing is that VIDEO WORKS!  As a side note. Make a claim. "With this type of testing, we will show how to alter/change/delete information in the ""XYZ" system. This system runs our... *make it industry specific.. like  EPHI data, financial data, intellectual property, source code... you get the point*" Then explain to them that a compromise within those systems will put you in violation of compliance * use what applies... If there is no compliance... make it relevant to the business. XYZ system controls our $$ or how we make $$.  If it gets hacked...  we lose.

The whitepaper is a bit more eloquent... but u get the point.

=o)


Does that take care of #1 too?
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 10, 2009 5:37 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

Thanks so much for a great presentation and thanks for answering all of the questions.  I hope EH does more of these.
~~~~~~~~~~~~~~
Ketchup
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Tue Mar 10, 2009 7:19 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

Great presentation. I agree, I'd like to see more  ;D
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Mar 10, 2009 7:26 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

More SE or just more webcasts in general?

Don
CISSP, MCSE, CSTA, Security+ SME
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Tue Mar 10, 2009 8:46 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

Yes to both!
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Tue Mar 10, 2009 9:25 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

I second that, more of both, SE and Webcasts. 
~~~~~~~~~~~~~~
Ketchup
<<

jason

User avatar

Hero Member
Hero Member

Posts: 1013

Joined: Sat Jun 21, 2008 6:23 pm

Location: USA

Post Tue Mar 10, 2009 9:43 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

And we need video of Ryan in his ninja costume  :o
<<

frever

Newbie
Newbie

Posts: 2

Joined: Thu Feb 12, 2009 2:42 am

Post Wed Mar 11, 2009 4:47 am

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Test

I had to leave the webinar half-way through.
but my interest was peaked.
I would very much like to see the rest of the presentation.
Will the recorded session be made available for EH.NET users ?

I sure hope so  :)
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Wed Mar 11, 2009 7:21 am

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

@frever
Yes, the recorded video will be made available to everyone.
Don replied to a similar question on the first page of this thread.
The webcast was recorded in a video format. I am reviewing it now. Give me a little bit to review, clips the start and ending, convert, etc. But it will be made available soon for those who didn't catch the coupon code for basically half off the ChicagoCon training.
Last edited by Xen on Wed Mar 11, 2009 7:25 am, edited 1 time in total.
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Mar 11, 2009 12:29 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing



Look for video soon!

Don
CISSP, MCSE, CSTA, Security+ SME
<<

don

User avatar

Administrator
Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Mar 11, 2009 5:12 pm

Re: [Article]-Webcast: Modern Social Engineering - A Vital Component of Pen Testing

The video of the webcast has been posted in a new article.



Enjoy.

Don
CISSP, MCSE, CSTA, Security+ SME
PreviousNext

Return to Special Events

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software