Presentation on theme: "WHEN A VULNERABILITY ASSESSMENT > PENTEST THE ANOMALY."— Presentation transcript:
WHEN A VULNERABILITY ASSESSMENT > PENTEST THE ANOMALY
$WHOAMI
-Network Security for Dept of VA
-Father/Husband
-Fan of Futbol (Viva Mexico!)
-Fan of Martial Arts
-Brazilian JiuJitsu
WHAT IS A PENTEST?
-Recon
-Pwnage
-Pillage
-Loot
-Report
WHAT IS A PENTEST?
-http://www.pentest-standard.org/
-http://www.sans.org/reading_room/whitepapers/bestprac/writing-penetration-testing-report_33343
-http://www.offensive-security.com/offsec/sample-penetration-test-report/
TESTING PENS
-How to not get a good pentest? http://blog.pentesterlab.com/2012/12/how-not-to-get-good-pentest.html
-Marcus Ranum – The only favorable or useful outcome of a pentest is the worst one. http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html
PWNING NOOBS
-Cons and breaking stuff tracks/talks
-Social Media: If you break stuff, talk about how to fix it.
-Reporting is seriously lacking
PENTESTING – MY WIFE HITS ME
Why don't you find their weaknesses and then help them fix it?
-Scan, how? Inside, external, credentials, ips, firewalls
-Agent based vs passive vs active
-Results integration
-Results reporting
-Team player
SCAN HOW?
-Scanner Location
-inside Network, outside network
-Denial of service
-Nmap
SCAN HOW?
-Exclusions for Scanners
-White box vs. Black box
-Firewalls, IPS
SCAN HOW?
-Credentials
-Windows Desktops and Servers
-Linux/Unix servers with SSH account/keys
-SNMP strings
-Cisco/Networking SSH credentials
-Be careful with credentials: Dave/Immunity, Ron/Tenable, Qualys, more.
-https://lists.immunityinc.com/pipermail/dailydave/2013-February/000334.html