Common Assessment Mistakes Pen Testers and Clients Should Avoid

DerbyCon 7.0 - Legacy

Presented by: Tim Roberts, Brent White
Date: Saturday September 23, 2017
Time: 14:00 - 14:50
Location: Track 2 - Fix Me

Penetration assessments can be a stressful time for those involved. It’s a moment where the network admins find out if the network they manage, or maybe even helped to build, holds up against simulated attacks. Or, it’s a moment as a pen tester where you can help the client and strengthen their security posture, or screw things up by making a mistake - potentially losing a client and giving your company a black eye. However, this shouldn’t be a stressful time. As a client, it is important to understand why the test is taking place and how this helps. As a pentester it is important that you know what you are doing, need to ask for and aren’t just going in blind or throwing the kitchen sink at the network.

This talk is to highlight common issues that we’ve either encountered or have have been vented to about from both the penetration tester’s side of the assessment as well as the client’s side. We’d like to bring these issues to light to hopefully help ensure a more smooth assessment “experience” for all parties involved.

Brent White

Tim and Brent are Sr. Security Consultants within NTT Security’s Threat Services group. They have developed Red Team and Social Engineering testing methodologies and have spoken at internationally recognized security conferences including DEFCON, DerbyCon, B-Sides, ISSA International, AIDE at Marshall Univ, Techno Sec & Forensics Invest. Con, and more. Tim has held management, IT and physical security roles across multiple industries, including healthcare and government. He is a regular contributor to NTT Security’s ‘#WarStoryWednesday' series, has developed methodologies for for red team and social engineering assessments and has been featured in CSO on the subject of onsite social engineering. Brent is the founding member of the Nashville Def Con group (DC615), and is a supervisor for the Def Con conference “Groups” program. He has also held several IT roles including Security Director of a global franchise company as well as Web Manager and information security positions for multiple television personalities and television shows on The Travel Channel. He has also been interviewed on the topic of social engineering on the popular web series, “Hak5” with Darren Kitchen. Both have been interviewed on the topic of “White hat hacking” for Microsoft’s “Roadtrip Nation” television series. Their experiences with traditional/non-traditional pentesting techniques include network, wireless, social engineering, application and physical testing. These techniques have led to highly successful Red Team assessments against corporate environments. By sharing their experiences, they hope to continue to contribute to the InfoSec community. Brent White - @brentwdesign

Tim Roberts

Tim and Brent are Sr. Security Consultants within NTT Security’s Threat Services group. They have developed Red Team and Social Engineering testing methodologies and have spoken at internationally recognized security conferences including DEFCON, DerbyCon, B-Sides, ISSA International, AIDE at Marshall Univ, Techno Sec & Forensics Invest. Con, and more. Tim has held management, IT and physical security roles across multiple industries, including healthcare and government. He is a regular contributor to NTT Security’s ‘#WarStoryWednesday' series, has developed methodologies for for red team and social engineering assessments and has been featured in CSO on the subject of onsite social engineering. Brent is the founding member of the Nashville Def Con group (DC615), and is a supervisor for the Def Con conference “Groups” program. He has also held several IT roles including Security Director of a global franchise company as well as Web Manager and information security positions for multiple television personalities and television shows on The Travel Channel. He has also been interviewed on the topic of social engineering on the popular web series, “Hak5” with Darren Kitchen. Both have been interviewed on the topic of “White hat hacking” for Microsoft’s “Roadtrip Nation” television series. Their experiences with traditional/non-traditional pentesting techniques include network, wireless, social engineering, application and physical testing. These techniques have led to highly successful Red Team assessments against corporate environments. By sharing their experiences, they hope to continue to contribute to the InfoSec community. Tim Roberts - @zanshinh4x


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats