Circle City Con 9.0 - 2022
Whatever Happened Last Time, It Wasn't A Penetration Test
As a penetration tester, I have lots of awkward conversations when a client has misguided assumptions about their security. One of the most awkward is when we complete our testing and have a laundry list of low-hanging fruit that needs to be fixed that previous vendors never brought up. This leads to fear, uncertainty, and doubt, often resulting in one or more of the following:
• But we let you in.
• That’s not a realistic scenario.
• Our MSSP would have stopped you.
• This report does not adequately reflect our environment.
• But we’re tracking that issue.
• Our report was clean last year.
• Why didn’t the previous vendor find this?
Clearly, whoever was hired to do this last time failed to adequately explain why we do what we do.
Offensive security practitioners need to do a better job of partnering with clients to enable them to make security a part of the business that helps it function better, not a cost center that is seen as a burden. Our job is not to play gotcha; it is to help security teams build trust within their organizations that will holistically create a secure environment for all.
If you want to know:
• The difference between a penetration test and that vulnerability scan that was sold to you as one
• Why you likely don’t need a red team exercise
• How to evaluate what your MSP/MSSPs are actually doing for you
• Why phishing metrics are not as simple as your click rate
• Why there are so many competing ideas on how to perform and report these assessments in a way you can understand
Then this talk is for you!
Joseph Sarkisian
Joe serves as the Lead Penetration Tester on Wolf & Company’s Information Technology (IT) Assurance Team. Joe is responsible for coordinating and conducting penetration testing services for clients in a variety of industries including financial, healthcare, and software. His expertise consists of internal and external network penetration testing, social engineering, vulnerability assessments, Microsoft Windows security and management audits, and general information security and controls. Joe has over 4 years of experience conducting penetration testing audits and is pursuing ethical hacking certifications from industry-recognized organizations like the SANS Institute and Offensive Security.