
The Penetration Testing Execution Standard (PTES) Dave Kennedy (ReL1K) Twitter: Dave_ReL1K


Academic year: 2021



(1)

Social-Engineering

Changing an Industry

The Penetration Testing Execution Standard (PTES)

Dave Kennedy (ReL1K)

http://www.secmaniac.com

(2)

Before we start

•  Open discussion

•  Shouldn’t be me driving this presentation

•  Community collaboration

(3)

History

•  PTES started officially at ShmooCon 2010; however, it was an idea we’ve all had for years.

•  Penetration Testing is a fundamental principle in security.

•  Something that is required to mature and advance a security program.

•  Something that’s

(4)

The Goal

(5)

Not all is wrong

•  Security is actually going better than expected for such a young industry.

•  We have people dedicated to security; this room is filled with people passionate about security.

(6)

Penetration Testing

•  Who has had a penetration test?

•  Everyone’s hands should have been raised by now…

•  But who here has really had a

(7)

Let’s share our thoughts on a pentest

Let’s go around the room and share thoughts on “what” is a penetration test.

(8)

A pentest to me

•  The ability to identify exposures within the organization that represent a true breach simulation and the ability to hinder the company’s ability to generate revenue.

•  The baseline analysis of how well the overall security program is functioning and to test the effectiveness of controls.

•  Only true testament to what exposures exist and how to prioritize

(9)

That’s just me

•  Others may view it as a way to become compliant with regulations and standards.

•  Others may view it as a way to tactically fix all vulnerabilities found.

•  Others may view it as a way to test controls.

(10)

But that’s just it

•  Going around the room, we may have heard some similar ideas of what a pentest is, but were they all the same?

(11)

Welcome to PTES

•  PTES was designed to take industry leaders, people in the field, people just starting off.

•  Listen, learn, and come up with something that identifies what a penetration test is.

(12)

I’m selling this to you..

•  I am selling this to you. You are the only way PTES will be successful. Through adoption.

•  Think about an industry that’s united in its views on how to tackle

(13)
(14)
(15)
(16)
(17)
(18)
(19)
(20)
(21)

They can work

•  The concepts are strong and noble. But they lack the fundamental principles of why we’re here.

•  This is my personal opinion and mine only, but we have made an

(22)

Let’s go around and discuss how we are doing in security

(23)

PTES Basics

•  Penetration tests are the only tangible aspects in identifying and prioritizing true risks to the company.

•  Foundational building block to a security program.

•  Each company is different, and thus each penetration test must be

(24)
(25)

PTES-G Basics

•  Technical guidelines on how to conduct a penetration test.

•  This is more of the “living” document of the standard.

•  Always needs work and always needs help. Contribute to what

(26)

The Standard

•  Draft form and undergoing a lot of work and additions.

•  Sections have been completed.

•  Industry is adding a ton more things to make it solid.

•  Already being discussed to be integrated into multiple regulatory

(27)

What this means

•  A clear standard of what a penetration test is and the language that should be used.

•  Ways for you as an organization or company to sell or procure pentesting services.

•  To truly get to the root cause of a security program versus

(28)

What this means

(cont)

•  Raises the bar for penetration testers and the dime a dozen ones out there.

•  Hopefully throws out the cheapest bidder (big hope).

•  Establishes criteria and expectations we have to abide by.

•  Changes an industry to where we focus on fixing problems versus

(29)

Let’s walk through the standard

•  Phased approach

•  Repeatable

•  Methodical

•  Still keeps true to the hacker

(30)

Levels of Effort

•  Not every company (99 percent aren’t) is ready for a crazy pentest.

•  Varying levels (something we’re building into PTES) based on maturity model.

(31)

Pre-Engagement Interaction

•  This is probably one of the most important elements.

•  Focus on understanding the purpose of the penetration test.

•  What the struggles are of the company and what they need.

•  Ability to gauge the penetration testers and outline what efforts will

(32)

Intelligence Gathering

•  Learn about the company.

•  Understand the company.

•  How does it tick?

•  Gather as much information as

(33)

Threat Modeling

•  Learning our best way to attack the organization.

•  Is it SE? Web app? Physical? Hugs?

•  Finding the most successful, most impactful, and best route into the

(34)

Vulnerability Analysis

•  After the threat modeling phase, identifying the best vulnerable way to penetrate the infrastructure or company.

•  Identify what exposures exist through manual attack vectors and exploit the best method that will be most impactful to the company.

•  Learn the overall company and attempt to circumvent controls

(35)

Exploitation

•  Precision hit.

•  Targeted.

•  Well thought out.

•  Aimed at impacting the most

(36)

Post-Exploitation

•  This is where it really counts.

•  Impact the company’s ability to generate revenue (see a theme?!)

(37)

Reporting

•  Take everything you’ve learned and build something tangible.

•  Don’t focus on GRC, BIA, CIA, BCP; focus on the company’s overall security program and ways of improving.

•  Get to the root cause, focus

(38)

Think differently

•  I urge you to think differently, to think outside of what you’re taught.

•  Throw away the vendor and consulting lingo, bring in common sense.

•  We’re trying it and doing it…

(39)

Adoption

•  It’s you. Don’t hire someone if they don’t adopt PTES.

•  Learn PTES and what you should be asking.

•  Consulting companies: Offer this as an offering.

(40)

References
