Following previous presentations on the dangers penetration testers face in using current off-the-shelf tools and practices, this presentation explores how widely available learning materials used to train penetration testers lead to inadequate protection of client data and penetration testing operations. With widely available books and other training resources targeting the smallest set of prerequisites, in order to attract the largest audience, many penetration testers adopt the techniques used in simplified examples to real world tests, where the network environment can be much more dangerous. Malicious threat actors are incentivized to attack and compromise penetration testers, and given current practices, can do so easily and with dramatic impact. This presentation will include a live demonstration of techniques for hijacking a penetration tester's normal practices, as well as guidance for examining and securing your current testing procedures. Tools shown in this demonstration will be released along with the talk.
Wesley McGrew currently oversees and participates in penetration testing inhis role of Director of Cyber Operations for HORNE Cyber Solutions. He haspresented on topics of penetration testing, vulnerabilities, and malwareanalysis at DEF CON and Black Hat USA. He teaches a self-designed course onreverse engineering to students at Mississippi State University, using real-world, high-profile malware samples. Wesley graduated from Mississippi StateUniversity's Department of Computer Science and Engineering and previouslyworked at the Distributed Analytics and Security Institute. He holds a Ph.D.in computer science for his research in vulnerability analysis of SCADA HMIsystems.