SlideShare une entreprise Scribd logo

Butler

Télécharger en tant que PPTX, PDF
T
Thomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA

Penetration Testing-How to create a pen test lab

Formation
1  sur  24
Powerpoint Templates Page 1 PRACTICE MAKES PERFECT. CREATION OF A PENETRATION TESTING LABORATORY, PROCEDURES AND TOOLS, START TO FINISH. LQT2 Multimedia Presentation by Thomas Butler Presented to the Information Technology College Faculty of Western Governors University in Partial Fulfillment of the Requirements for the Degree Master of Science in Information Security and Assurance February 26, 2013
Powerpoint Templates Page 2 root@bt:~# WHOAMI? Thomas Butler……Houston, Texas CPA, CIA, CISA, CISSP, Security+, Network+, PMP Over 20 years in DoD IT Audit (Retired) Interested in IT Security & Penetration Testing Started IT Security Consulting Co.-Dec 2011-http://www.butleritsec.com Started WGU MS Degree-1 July 2012 WGU MS Degree Offers Credibility in IT Security
Powerpoint Templates Page 3 PRESENTATION OVERVIEW-PER THE RUBRIC Why I Chose This Project Overview of Problem What Project Consisted Of Special Strategies Used Successes In Achieving Milestones Obstacles Encountered What I Learned How I Will Apply What I Learned
Powerpoint Templates Page 4 WHY I CHOSE THIS PROJECT A SERIOUS PROBLEM TO THE CYBERSECURITY OF THE NATION. RESPONSE TO CURRENT CRITICISM THAT AVAILABLE SECURITY CERTIFICATIONS DO NOT TEACH ENOUGH HANDS-ON PROCEDURES AND THAT THEIR EXAMS DO NOT REQUIRE HANDS-ON BUT ARE INSTEAD MULTIPLE CHOICE.  DOD AND OTHER GOVERNMENT AGENCIES CLAIM EMPLOYEES OBTAINING AVAILABLE CERTIFICATIONS CANNOT DO THE JOB REQUIRED DUE TO LACK OF HANDS-ON SKILLS. TRAINING NEEDS TO EMPHASIZE MORE HANDS-ON AND LESS BOOK KNOWLEDGE. (refer to news article in page 6)  I COULD NOT FIND A TURN-KEY, OFF –THE-SHELF SOLUTION SO I DECIDED TO CREATE ONE.  I GOT ALL THE CERTS , THE CEH, CHFI, CISSP, SECURITY+, CCENT, BUT I NEED HANDS-ON PRACTICE OR I WILL COMPLETELY FORGET EVERYTHING I LEARNED.  HANDS ON PRACTICE MAKES PERFECT AND INSTILLS CONFIDENCE.
Powerpoint Templates Page 5 OVERVIEW OF PROBLEM DISCUSSED IN PROJECT THE PROBLEM! Practice on systems you do not own without written permission is illegal. Need more hands-on. I needed:  A way to practice, ethically and legally  All-in-one document  Easy to follow. Easy to setup and use.  Free and/or cheap I could not find anything that satisfied all my needs, therefore, I decided to do this project to create a practice lab for myself. Hopefully the project will benefit others as well.
Powerpoint Templates Page 6 CAUSES OF THE PROBLEM High demand for penetration tests>government regulations & industry standards a. PCI-DSS (Penetration Testing. Wikipedia, 2013) requires both annual and ongoing penetration testing (after system changes). a. FISMA -Federal Information Security Management Act (FISMA) via procedures promulgated by NIST 800-53, Appendix E. (NIST 800-53, Rev. 3, 2009) Shortage of well-trained penetration testers-THERE IS ARTICLE AFTER ARTICLE AFTER ARTICLE a. A Barclay Simpson Corporate Governance Recruitment report on Information Security found that the demand exceeds the supply of qualified penetration testers (Barclay Simpson, Corporate Governance Recruitment, 2011). b. US Air Force is planning on going on a “hiring binge” to hire 1,000 persons in cyber operations in 2014 (Magnuson, 1/17/2013). National Defense Industrial Association Magazine, 2111 Wilson Blvd., Suite 400, Arlington, VA 22201, Air Force Cyber-Operations Wing to Go on Hiring Binge). c. Experts say DoD cyber workers undertrained By Zachary Fryer-Biggs - Staff writer Posted : Saturday Feb 16, 2013 12:38:06 EST in the Federal Times a Gannett Pub. http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification- 021613/?goback=.gde_54384_member_216288717 ”Money is not being spent on hands-on training.” Others focused on the lack of hands-on training required, resulting in broad certifications that are required for many jobs but are not specific to any of them. Book training is simply not enough.”
Powerpoint Templates Page 7 MORE CAUSES OF THE PROBLEM Requires almost daily training reinforcement practice, or skills rapidly lost. Every day new hacking software is introduced. Every day new vulnerabilities are discovered. How do you keep up if everything changes so rapidly? Penetration testing is unique and very difficult because skills must be transferred by computer keyboard>very labor intensive>requires humans to think “outside the box”. No two infrastructures or system requires the same penetration testing procedures. How do you use what was learned in CEH when testing the client’s systems?
Powerpoint Templates Page 8 STILL MORE CAUSES OF THE PROBLEM
Powerpoint Templates Page 9 WHAT THE PROJECT CONSISTED OF The project is documented in appendices A through G. Appendix A: Creation of the Penetration Testing Lab Appendix B: Penetration Testing Methodology Appendix C: Reconnaissance and Information Gathering Appendix D: Active Scanning and Enumeration Appendix E: Exploitation Appendix F: Post-exploitation and Covering Tracks Appendix G: Technology Terms/Acronyms
Powerpoint Templates Page 10 WHAT THE PROJECT CONSISTED OF Appendix A: Creation of the Penetration Testing Lab Three virtual machines created within a Windows Vista OS using FREE VMWare Player community edition “Attack Machine” FREE Linux Ubuntu “Backtrack5R3” ”The pen testers premier OS and toolkit.” “Victim Machine” FREE Linux “Metasploitable”- OS-Created by Metasploit Project to allow hands-on practice “Victim Machine” FREE Trinux “Badstore.net”- vulnerable OS and Web App Did I say FREE?
Powerpoint Templates Page 11 WHAT THE PROJECT CONSISTED OF Appendix B: Penetration Testing Methodologies Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html Certified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from: http://eccouncil.org NIST 800-53, Appendix E. Retrieved from: http://csrc.nist.gov/publications/PubsSPs.html#800-53
Powerpoint Templates Page 12 WHAT THE PROJECT CONSISTED OF Appendix C: Reconnaissance and Information Gathering In summary of reconnaissance and foot printing, we have used the following for legal, passive, reconnaissance and information gathering on J.C.Penney and have provided screen print proof of concept (picture worth a thousand words). These tools are included in Backtrack5R3 or built into command line. Google-website URL, tons of other info; Netcraft-OS & Web server running and IP address; SmartWhoIs-Domain Registrar information theHarvester-Emails and Sub-domains; Maltego-Subdomains;  traceroute/tracert command line-traces routers from origin to destination;  nslookup command line-finds IP address from domain name>Linux “dig” and “host” are alternatives, but NA in Windows
Powerpoint Templates Page 13 WHAT THE PROJECT CONSISTED OF Appendix D: Active Scanning and Enumeration Using scanning tools in Backtrack5R3, we performed active scanning of Metasploitable and Badstore.net, our “victims.” We provided screen prints (picture worth a thousand words)for proof of concept. All these tools are included in BT5R3.  Nmap-port scan, OS version, services running;  Nessus-port scans and vulnerability scans;  Nikto (Wikto-Windows)-port scans and vulnerability scans;  Metasploit-port, OS version, services running, vulnerability
Powerpoint Templates Page 14 WHAT THE PROJECT CONSISTED OF Appendix E: Exploitation with Metasploit Metasploit-included free in Backtrack5R3-msfconsole. Proof of concept screen prints (picture worth a thousand words) included in project. Command line: root@bt:~# /pentest/exploits/framework2/msfconsole OR> root@bt:~# /opt/metasploit/msf3/msfconsole modules: auxiliary, exploits, payloads We also used Armitage-a GUI for Metasploit Command line: root@bt:~# /opt/metasploit/msf3/armitage modules: auxiliary, exploits, payloads
Powerpoint Templates Page 15 WHAT THE PROJECT CONSISTED OF Appendix F: Post-exploitation and Covering Tracks Not a lot of in-depth information available on this topic! Post-Exploitation: Got Root?, Elevation of privilege=Create user, Add user to Admin Group; Offline and online password attacks, John the Ripper, Pass the Hash, Cain and Abel. Covering Tracks: Use Metaspoit to delete Event Logs. Use Metasploit to remove file timestamps.
Powerpoint Templates Page 16 WHAT THE PROJECT CONSISTED OF Appendix G: Technology Terms/Acronyms Includes 33 definition of terms
Powerpoint Templates Page 17 SPECIAL STRATEGIES USED Member of 41 Linked-In IT Security Groups>To share information with IT security groups Subscriptions to 35 IT Security Tutorial Blogs>To learn IT security and ethical hacking 750 Linked-In Connections>To share information with IT security individuals Some basic knowledge of HTML, SQL, PYTHON
Powerpoint Templates Page 18 SUCCESSES IN ACHIEVING MILESTONES All files were downloaded and installed successfully with no problems All three virtual machines were successfully created, opened simultaneously, and run simultaneously on my Windows Vista box with no memory problems. My Windows box has 4 G RAM and I allocated 1G RAM for the “attack” machine and .5G RAM for each “victim machine” leaving approx. 2 G RAM for the Windows box. All penetration testing tools were run successfully and proof of concept screen prints were obtained for all tools.
Powerpoint Templates Page 19 OBSTACLES ENCOUNTERED Limitation: Lab only includes software. Practice in this lab will not encounter Hardware firewalls, routers, switches, hardware intrusion systems, and other hardware security devices that would be encountered in a real world penetration test. I somewhat lacked an intermediate programming knowledge. I recommend that the penetration testing student learn the following programming languages: HTML to understand http requests and responses for use of web proxies like Paros Proxy, Webscarab Proxy, Burp Proxy SQL to understand SQL injection for use of tools like SQLMap and manual injection of code PYTHON to understand most of the penetration testing tools in Backtrack5R3 for tools like theHarvester. The predominant language for most tools in BT5R3 is python. root@bt:~# ./theHarvester.py
Powerpoint Templates Page 20 WHAT I LEARNED A penetration test should not just be to gain access and get a shell and quit. It should be an audit of the IT security posture and the goal should be to identify as many vulnerabilities as possible that need fixing. Money is wasted on training-Companies with a lot of money and the US Government (DoD) will send their employees to SANS training for a 4 day crash course. Costs of travel, hotel, per diem, salary, SANS Course fee could be > $10K for one student. Student returns to work and still cannot do the job. (refer to recent news article in slide 6) There has to be a better way. WGU is part of the solution to a better way Cyberlaw, regulations, and compliance-Penetration testing without written permission is illegal. Some regulations and industry standards require periodic penetration testing, i.e. PCI-DSS, FISMA. Leadership and professionalism-penetration testing is not a true profession like CPA, law, medicine, etc. There is no barrier to entry. A barber needs a state license; a penetration tester does not. Anyone can hold themselves out to be a penetration tester. High ethical standards should be required for penetration testers. Background checks, criminal checks, financial and credit checks, REFERENCES, memberships in IT security organizations, and certifications.
Powerpoint Templates Page 21 WHAT I LEARNED Security Planning and Management- Organizations need to: Start with a framework and set of internal controls such as ISO 27000/27001/27002; Set a reasonable policy that can be followed and enforced; Employee training ; Create policy that requires vulnerability scans, periodic penetration testing, periodic IT security audits, and periodic IT policy compliance audits. Systems Security No such thing as 100% security; Penetration test is only one part of “defense in depth.” Perimeter defenses such as firewalls, routers, switches, IDS/IPS, web application and database monitoring systems must be properly configured;  Patches and AV must be kept up to date. Log files must be filtered (quantity reduced) and suspicious log entries must be examined.
Powerpoint Templates Page 22 HOW I WILLAPPLY WHAT I LEARNED I will apply the knowledge to running the company http://www.butleritsec.com , an IT Security consultant Company I will apply the knowledge to provide best value to clients in a highly ethical way. I will continuously study and practice hands-on. I am just beginning to learn.
Powerpoint Templates Page 23 REFERENCES Penetration Test, (2013) Wikipedia. Retrieved 2013 from: http://en.wikipedia.org/wiki/Penetration_test NIST 800-53 and Federal Information Processing Standards (FIPS) 200 Retrieved from: http://csrc.nist.gov/publications/PubsSPs.html#800-53. Barclay Simpson, Corporate Governance Recruitment, (2011) Market Report on Information Security. Retrieved 2013 from: http://www.barclaysimpson.com/document_uploaded/BS_InfoSec_2011.pdf Magnuson, (2013) National Defense Industrial Association Magazine, Air Force Cyber-Operations Wing to Go on Hiring Binge. Retrieved 2013 from: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1026&goback=.gde_1836487_member_20563 4892 Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest- standard.org/index.php/Main_Page Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html Certified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from: http://eccouncil.org Experts say DoD cyber workers undertrained By Zachary Fryer-Biggs - Staff writer Posted : Saturday Feb 16, 2013 12:38:06 EST in the Federal Times a Gannett Pub. http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification- 021613/?goback=.gde_54384_member_216288717
Powerpoint Templates Page 24 FINIS A THANK YOU TO ALL THE WGU IT FACULTY CINDY WENDY NORMA CHARLES AND MY MENTOR, BRETT I HAVE THOROUGHLY ENJOYED THE EXPERIENCE QUESTIONS FOR ME?

Recommandé

Butler
ButlerButler
ButlerThomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSSergey Gordeychik
 
The Curious Case of Fuzzing for Automated Software Testing
The Curious Case of Fuzzing for Automated Software TestingThe Curious Case of Fuzzing for Automated Software Testing
The Curious Case of Fuzzing for Automated Software Testingmboehme
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingMehrdad Jingoism
 
Jerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTJerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTcentralohioissa
 
Fuzzing: Challenges and Reflections
Fuzzing: Challenges and ReflectionsFuzzing: Challenges and Reflections
Fuzzing: Challenges and Reflectionsmboehme
 

Recommandé

Butler
ButlerButler
ButlerThomas Butler, CISSP, CEH, CHFI, CISA, CPA, CIA
 
Cyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTCyber Defense - How to be prepared to APT
Cyber Defense - How to be prepared to APTSimone Onofri
 
Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.Biggest info security mistakes security innovation inc.
Biggest info security mistakes security innovation inc.uNIX Jim
 
MALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSMALIGN MACHINE LEARNING MODELS
MALIGN MACHINE LEARNING MODELSSergey Gordeychik
 
The Curious Case of Fuzzing for Automated Software Testing
The Curious Case of Fuzzing for Automated Software TestingThe Curious Case of Fuzzing for Automated Software Testing
The Curious Case of Fuzzing for Automated Software Testingmboehme
 
Cehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingCehv8 module 01 introduction to ethical hacking
Cehv8 module 01 introduction to ethical hackingMehrdad Jingoism
 
Jerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTJerod Brennen - What You Need to Know About OSINT
Jerod Brennen - What You Need to Know About OSINTcentralohioissa
 
Fuzzing: Challenges and Reflections
Fuzzing: Challenges and ReflectionsFuzzing: Challenges and Reflections
Fuzzing: Challenges and Reflectionsmboehme
 
Core define and_win_cmd_line gr
Core define and_win_cmd_line grCore define and_win_cmd_line gr
Core define and_win_cmd_line grFrancisco Anastácio
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)setuid0
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class TenFRSecure
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
 
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyProcess_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyCurious Geoff (Shively)
 
2020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 12020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 1FRSecure
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...Agile Testing Alliance
 
Preliminary chapter of Certified Ethical Hacker course
Preliminary chapter of Certified Ethical Hacker coursePreliminary chapter of Certified Ethical Hacker course
Preliminary chapter of Certified Ethical Hacker courseDavid Sweigert
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationClare Nelson, CISSP, CIPP-E
 
Foundations Of Software Testing
Foundations Of Software TestingFoundations Of Software Testing
Foundations Of Software Testingmboehme
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyHamisi Kibonde
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 
2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session TwoFRSecure
 
Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Eturnti Consulting Pvt Ltd
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.milNASA Open Government Initiative
 
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...DevOps Indonesia
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing securitySanjeev Sharma
 
Pydata Chicago - work hard once
Pydata Chicago - work hard oncePydata Chicago - work hard once
Pydata Chicago - work hard onceJi Dong
 

Contenu connexe

Tendances

Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)setuid0
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class TenFRSecure
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikSergey Gordeychik
 
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyProcess_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyCurious Geoff (Shively)
 
2020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 12020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 1FRSecure
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patchingphanleson
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsEric Vétillard
 
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...Agile Testing Alliance
 
Preliminary chapter of Certified Ethical Hacker course
Preliminary chapter of Certified Ethical Hacker coursePreliminary chapter of Certified Ethical Hacker course
Preliminary chapter of Certified Ethical Hacker courseDavid Sweigert
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationClare Nelson, CISSP, CIPP-E
 
Foundations Of Software Testing
Foundations Of Software TestingFoundations Of Software Testing
Foundations Of Software Testingmboehme
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyHamisi Kibonde
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityCihan Özhan
 
2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session TwoFRSecure
 

Tendances (15)

Core define and_win_cmd_line gr
Core define and_win_cmd_line grCore define and_win_cmd_line gr
Core define and_win_cmd_line gr
 
Allegory of the cave(1)
Allegory of the cave(1)Allegory of the cave(1)
Allegory of the cave(1)
 
2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
 
AI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey GordeychikAI for security or security for AI - Sergey Gordeychik
AI for security or security for AI - Sergey Gordeychik
 
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-ShivelyProcess_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
Process_to_Produce_Secure_Software-DHS_White-House_Geoff-Shively
 
2020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 12020 FRsecure CISSP Mentor Program - Class 1
2020 FRsecure CISSP Mentor Program - Class 1
 
1.Security Overview And Patching
1.Security Overview And Patching1.Security Overview And Patching
1.Security Overview And Patching
 
Threat Modeling for the Internet of Things
Threat Modeling for the Internet of ThingsThreat Modeling for the Internet of Things
Threat Modeling for the Internet of Things
 
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
#ATAGTR2019 Presentation "Security testing using ML(Machine learning), AI(Art...
 
Preliminary chapter of Certified Ethical Hacker course
Preliminary chapter of Certified Ethical Hacker coursePreliminary chapter of Certified Ethical Hacker course
Preliminary chapter of Certified Ethical Hacker course
 
Zero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and AuthenticationZero-Knowledge Proofs: Identity Proofing and Authentication
Zero-Knowledge Proofs: Identity Proofing and Authentication
 
Foundations Of Software Testing
Foundations Of Software TestingFoundations Of Software Testing
Foundations Of Software Testing
 
Edith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the SocietyEdith Turuka: Cyber-Security, An Eye Opener to the Society
Edith Turuka: Cyber-Security, An Eye Opener to the Society
 
AI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision SecurityAI Security : Machine Learning, Deep Learning and Computer Vision Security
AI Security : Machine Learning, Deep Learning and Computer Vision Security
 
2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two2019 FRecure CISSP Mentor Program: Session Two
2019 FRecure CISSP Mentor Program: Session Two
 

Similaire à Butler

Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...DevOps Indonesia
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chanceDr. Anish Cheriyan (PhD)
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing securitySanjeev Sharma
 
Pydata Chicago - work hard once
Pydata Chicago - work hard oncePydata Chicago - work hard once
Pydata Chicago - work hard onceJi Dong
 
GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007guest20ab09
 
Aging Services Expo Presentation
Aging Services Expo PresentationAging Services Expo Presentation
Aging Services Expo PresentationMary Derrick Cook
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogStefan Streichsbier
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examInfosec
 
Introduction to Puppet Enterprise - Jan 30, 2019
Introduction to Puppet Enterprise - Jan 30, 2019Introduction to Puppet Enterprise - Jan 30, 2019
Introduction to Puppet Enterprise - Jan 30, 2019Puppet
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsLabSharegroup
 
STS _ Test Leadership Forum 2015
STS _ Test Leadership Forum 2015STS _ Test Leadership Forum 2015
STS _ Test Leadership Forum 2015Hank Lydick
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNcentralohioissa
 
Emerging engineering issues for building large scale AI systems By Srinivas P...
Emerging engineering issues for building large scale AI systems By Srinivas P...Emerging engineering issues for building large scale AI systems By Srinivas P...
Emerging engineering issues for building large scale AI systems By Srinivas P...Analytics India Magazine
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET Journal
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Stefan Streichsbier
 
CohenNancyPresentation.ppt
CohenNancyPresentation.pptCohenNancyPresentation.ppt
CohenNancyPresentation.pptmypc72
 
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunk
 

Similaire à Butler (20)

Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN Build Automate and Test Strategies - BATMAN
Build Automate and Test Strategies - BATMAN
 
2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil2011 NASA Open Source Summit - Forge.mil
2011 NASA Open Source Summit - Forge.mil
 
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
Securing a Great Developer Experience - DevOps Indonesia Meetup by Stefan Str...
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
 
Penetration testing dont just leave it to chance
Penetration testing dont just leave it to chancePenetration testing dont just leave it to chance
Penetration testing dont just leave it to chance
 
Democratizing security
Democratizing securityDemocratizing security
Democratizing security
 
Pydata Chicago - work hard once
Pydata Chicago - work hard oncePydata Chicago - work hard once
Pydata Chicago - work hard once
 
GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007GNUCITIZEN Dwk Owasp Day September 2007
GNUCITIZEN Dwk Owasp Day September 2007
 
Aging Services Expo Presentation
Aging Services Expo PresentationAging Services Expo Presentation
Aging Services Expo Presentation
 
DevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together LogDevSecOps in 2031: How robots and humans will secure apps together Log
DevSecOps in 2031: How robots and humans will secure apps together Log
 
CompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the examCompTIA PenTest+: Everything you need to know about the exam
CompTIA PenTest+: Everything you need to know about the exam
 
Introduction to Puppet Enterprise - Jan 30, 2019
Introduction to Puppet Enterprise - Jan 30, 2019Introduction to Puppet Enterprise - Jan 30, 2019
Introduction to Puppet Enterprise - Jan 30, 2019
 
Product security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security CertsProduct security by Blockchain, AI and Security Certs
Product security by Blockchain, AI and Security Certs
 
STS _ Test Leadership Forum 2015
STS _ Test Leadership Forum 2015STS _ Test Leadership Forum 2015
STS _ Test Leadership Forum 2015
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDNOliver Schuermann - Integrated Software in Networking - the Mystery of SDN
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
 
Emerging engineering issues for building large scale AI systems By Srinivas P...
Emerging engineering issues for building large scale AI systems By Srinivas P...Emerging engineering issues for building large scale AI systems By Srinivas P...
Emerging engineering issues for building large scale AI systems By Srinivas P...
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET- Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud Environment
 
Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018Securing a great DX - DevSecOps Days Singapore 2018
Securing a great DX - DevSecOps Days Singapore 2018
 
CohenNancyPresentation.ppt
CohenNancyPresentation.pptCohenNancyPresentation.ppt
CohenNancyPresentation.ppt
 
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia InsuranceSplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
SplunkLive! Zurich 2018: The Evolution of Splunk at Helvetia Insurance
 

Dernier

Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxNikitaBankoti2
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.pptRamjanShidvankar
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptxMaritesTamaniVerdade
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxPoojaSen20
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfAdmir Softic
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...Poonam Aher Patil
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfciinovamais
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibitjbellavia9
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdfQucHHunhnh
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfPoh-Sun Goh
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesShubhangi Sonawane
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPoojaSen20
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Celine George
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 

Dernier (20)

Role Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptxRole Of Transgenic Animal In Target Validation-1.pptx
Role Of Transgenic Animal In Target Validation-1.pptx
 
Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdf
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
psychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docxpsychiatric nursing HISTORY COLLECTION .docx
psychiatric nursing HISTORY COLLECTION .docx
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Activity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdfActivity 01 - Artificial Culture (1).pdf
Activity 01 - Artificial Culture (1).pdf
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Asian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptxAsian American Pacific Islander Month DDSD 2024.pptx
Asian American Pacific Islander Month DDSD 2024.pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural ResourcesEnergy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
Energy Resources. ( B. Pharmacy, 1st Year, Sem-II) Natural Resources
 
PROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docxPROCESS RECORDING FORMAT.docx
PROCESS RECORDING FORMAT.docx
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 

Butler

  • 1. Powerpoint Templates Page 1 PRACTICE MAKES PERFECT. CREATION OF A PENETRATION TESTING LABORATORY, PROCEDURES AND TOOLS, START TO FINISH. LQT2 Multimedia Presentation by Thomas Butler Presented to the Information Technology College Faculty of Western Governors University in Partial Fulfillment of the Requirements for the Degree Master of Science in Information Security and Assurance February 26, 2013
  • 2. Powerpoint Templates Page 2 root@bt:~# WHOAMI? Thomas Butler……Houston, Texas CPA, CIA, CISA, CISSP, Security+, Network+, PMP Over 20 years in DoD IT Audit (Retired) Interested in IT Security & Penetration Testing Started IT Security Consulting Co.-Dec 2011-http://www.butleritsec.com Started WGU MS Degree-1 July 2012 WGU MS Degree Offers Credibility in IT Security
  • 3. Powerpoint Templates Page 3 PRESENTATION OVERVIEW-PER THE RUBRIC Why I Chose This Project Overview of Problem What Project Consisted Of Special Strategies Used Successes In Achieving Milestones Obstacles Encountered What I Learned How I Will Apply What I Learned
  • 4. Powerpoint Templates Page 4 WHY I CHOSE THIS PROJECT A SERIOUS PROBLEM TO THE CYBERSECURITY OF THE NATION. RESPONSE TO CURRENT CRITICISM THAT AVAILABLE SECURITY CERTIFICATIONS DO NOT TEACH ENOUGH HANDS-ON PROCEDURES AND THAT THEIR EXAMS DO NOT REQUIRE HANDS-ON BUT ARE INSTEAD MULTIPLE CHOICE.  DOD AND OTHER GOVERNMENT AGENCIES CLAIM EMPLOYEES OBTAINING AVAILABLE CERTIFICATIONS CANNOT DO THE JOB REQUIRED DUE TO LACK OF HANDS-ON SKILLS. TRAINING NEEDS TO EMPHASIZE MORE HANDS-ON AND LESS BOOK KNOWLEDGE. (refer to news article in page 6)  I COULD NOT FIND A TURN-KEY, OFF –THE-SHELF SOLUTION SO I DECIDED TO CREATE ONE.  I GOT ALL THE CERTS , THE CEH, CHFI, CISSP, SECURITY+, CCENT, BUT I NEED HANDS-ON PRACTICE OR I WILL COMPLETELY FORGET EVERYTHING I LEARNED.  HANDS ON PRACTICE MAKES PERFECT AND INSTILLS CONFIDENCE.
  • 5. Powerpoint Templates Page 5 OVERVIEW OF PROBLEM DISCUSSED IN PROJECT THE PROBLEM! Practice on systems you do not own without written permission is illegal. Need more hands-on. I needed:  A way to practice, ethically and legally  All-in-one document  Easy to follow. Easy to setup and use.  Free and/or cheap I could not find anything that satisfied all my needs, therefore, I decided to do this project to create a practice lab for myself. Hopefully the project will benefit others as well.
  • 6. Powerpoint Templates Page 6 CAUSES OF THE PROBLEM High demand for penetration tests>government regulations & industry standards a. PCI-DSS (Penetration Testing. Wikipedia, 2013) requires both annual and ongoing penetration testing (after system changes). a. FISMA -Federal Information Security Management Act (FISMA) via procedures promulgated by NIST 800-53, Appendix E. (NIST 800-53, Rev. 3, 2009) Shortage of well-trained penetration testers-THERE IS ARTICLE AFTER ARTICLE AFTER ARTICLE a. A Barclay Simpson Corporate Governance Recruitment report on Information Security found that the demand exceeds the supply of qualified penetration testers (Barclay Simpson, Corporate Governance Recruitment, 2011). b. US Air Force is planning on going on a “hiring binge” to hire 1,000 persons in cyber operations in 2014 (Magnuson, 1/17/2013). National Defense Industrial Association Magazine, 2111 Wilson Blvd., Suite 400, Arlington, VA 22201, Air Force Cyber-Operations Wing to Go on Hiring Binge). c. Experts say DoD cyber workers undertrained By Zachary Fryer-Biggs - Staff writer Posted : Saturday Feb 16, 2013 12:38:06 EST in the Federal Times a Gannett Pub. http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification- 021613/?goback=.gde_54384_member_216288717 ”Money is not being spent on hands-on training.” Others focused on the lack of hands-on training required, resulting in broad certifications that are required for many jobs but are not specific to any of them. Book training is simply not enough.”
  • 7. Powerpoint Templates Page 7 MORE CAUSES OF THE PROBLEM Requires almost daily training reinforcement practice, or skills rapidly lost. Every day new hacking software is introduced. Every day new vulnerabilities are discovered. How do you keep up if everything changes so rapidly? Penetration testing is unique and very difficult because skills must be transferred by computer keyboard>very labor intensive>requires humans to think “outside the box”. No two infrastructures or system requires the same penetration testing procedures. How do you use what was learned in CEH when testing the client’s systems?
  • 8. Powerpoint Templates Page 8 STILL MORE CAUSES OF THE PROBLEM
  • 9. Powerpoint Templates Page 9 WHAT THE PROJECT CONSISTED OF The project is documented in appendices A through G. Appendix A: Creation of the Penetration Testing Lab Appendix B: Penetration Testing Methodology Appendix C: Reconnaissance and Information Gathering Appendix D: Active Scanning and Enumeration Appendix E: Exploitation Appendix F: Post-exploitation and Covering Tracks Appendix G: Technology Terms/Acronyms
  • 10. Powerpoint Templates Page 10 WHAT THE PROJECT CONSISTED OF Appendix A: Creation of the Penetration Testing Lab Three virtual machines created within a Windows Vista OS using FREE VMWare Player community edition “Attack Machine” FREE Linux Ubuntu “Backtrack5R3” ”The pen testers premier OS and toolkit.” “Victim Machine” FREE Linux “Metasploitable”- OS-Created by Metasploit Project to allow hands-on practice “Victim Machine” FREE Trinux “Badstore.net”- vulnerable OS and Web App Did I say FREE?
  • 11. Powerpoint Templates Page 11 WHAT THE PROJECT CONSISTED OF Appendix B: Penetration Testing Methodologies Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html Certified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from: http://eccouncil.org NIST 800-53, Appendix E. Retrieved from: http://csrc.nist.gov/publications/PubsSPs.html#800-53
  • 12. Powerpoint Templates Page 12 WHAT THE PROJECT CONSISTED OF Appendix C: Reconnaissance and Information Gathering In summary of reconnaissance and foot printing, we have used the following for legal, passive, reconnaissance and information gathering on J.C.Penney and have provided screen print proof of concept (picture worth a thousand words). These tools are included in Backtrack5R3 or built into command line. Google-website URL, tons of other info; Netcraft-OS & Web server running and IP address; SmartWhoIs-Domain Registrar information theHarvester-Emails and Sub-domains; Maltego-Subdomains;  traceroute/tracert command line-traces routers from origin to destination;  nslookup command line-finds IP address from domain name>Linux “dig” and “host” are alternatives, but NA in Windows
  • 13. Powerpoint Templates Page 13 WHAT THE PROJECT CONSISTED OF Appendix D: Active Scanning and Enumeration Using scanning tools in Backtrack5R3, we performed active scanning of Metasploitable and Badstore.net, our “victims.” We provided screen prints (picture worth a thousand words)for proof of concept. All these tools are included in BT5R3.  Nmap-port scan, OS version, services running;  Nessus-port scans and vulnerability scans;  Nikto (Wikto-Windows)-port scans and vulnerability scans;  Metasploit-port, OS version, services running, vulnerability
  • 14. Powerpoint Templates Page 14 WHAT THE PROJECT CONSISTED OF Appendix E: Exploitation with Metasploit Metasploit-included free in Backtrack5R3-msfconsole. Proof of concept screen prints (picture worth a thousand words) included in project. Command line: root@bt:~# /pentest/exploits/framework2/msfconsole OR> root@bt:~# /opt/metasploit/msf3/msfconsole modules: auxiliary, exploits, payloads We also used Armitage-a GUI for Metasploit Command line: root@bt:~# /opt/metasploit/msf3/armitage modules: auxiliary, exploits, payloads
  • 15. Powerpoint Templates Page 15 WHAT THE PROJECT CONSISTED OF Appendix F: Post-exploitation and Covering Tracks Not a lot of in-depth information available on this topic! Post-Exploitation: Got Root?, Elevation of privilege=Create user, Add user to Admin Group; Offline and online password attacks, John the Ripper, Pass the Hash, Cain and Abel. Covering Tracks: Use Metaspoit to delete Event Logs. Use Metasploit to remove file timestamps.
  • 16. Powerpoint Templates Page 16 WHAT THE PROJECT CONSISTED OF Appendix G: Technology Terms/Acronyms Includes 33 definition of terms
  • 17. Powerpoint Templates Page 17 SPECIAL STRATEGIES USED Member of 41 Linked-In IT Security Groups>To share information with IT security groups Subscriptions to 35 IT Security Tutorial Blogs>To learn IT security and ethical hacking 750 Linked-In Connections>To share information with IT security individuals Some basic knowledge of HTML, SQL, PYTHON
  • 18. Powerpoint Templates Page 18 SUCCESSES IN ACHIEVING MILESTONES All files were downloaded and installed successfully with no problems All three virtual machines were successfully created, opened simultaneously, and run simultaneously on my Windows Vista box with no memory problems. My Windows box has 4 G RAM and I allocated 1G RAM for the “attack” machine and .5G RAM for each “victim machine” leaving approx. 2 G RAM for the Windows box. All penetration testing tools were run successfully and proof of concept screen prints were obtained for all tools.
  • 19. Powerpoint Templates Page 19 OBSTACLES ENCOUNTERED Limitation: Lab only includes software. Practice in this lab will not encounter Hardware firewalls, routers, switches, hardware intrusion systems, and other hardware security devices that would be encountered in a real world penetration test. I somewhat lacked an intermediate programming knowledge. I recommend that the penetration testing student learn the following programming languages: HTML to understand http requests and responses for use of web proxies like Paros Proxy, Webscarab Proxy, Burp Proxy SQL to understand SQL injection for use of tools like SQLMap and manual injection of code PYTHON to understand most of the penetration testing tools in Backtrack5R3 for tools like theHarvester. The predominant language for most tools in BT5R3 is python. root@bt:~# ./theHarvester.py
  • 20. Powerpoint Templates Page 20 WHAT I LEARNED A penetration test should not just be to gain access and get a shell and quit. It should be an audit of the IT security posture and the goal should be to identify as many vulnerabilities as possible that need fixing. Money is wasted on training-Companies with a lot of money and the US Government (DoD) will send their employees to SANS training for a 4 day crash course. Costs of travel, hotel, per diem, salary, SANS Course fee could be > $10K for one student. Student returns to work and still cannot do the job. (refer to recent news article in slide 6) There has to be a better way. WGU is part of the solution to a better way Cyberlaw, regulations, and compliance-Penetration testing without written permission is illegal. Some regulations and industry standards require periodic penetration testing, i.e. PCI-DSS, FISMA. Leadership and professionalism-penetration testing is not a true profession like CPA, law, medicine, etc. There is no barrier to entry. A barber needs a state license; a penetration tester does not. Anyone can hold themselves out to be a penetration tester. High ethical standards should be required for penetration testers. Background checks, criminal checks, financial and credit checks, REFERENCES, memberships in IT security organizations, and certifications.
  • 21. Powerpoint Templates Page 21 WHAT I LEARNED Security Planning and Management- Organizations need to: Start with a framework and set of internal controls such as ISO 27000/27001/27002; Set a reasonable policy that can be followed and enforced; Employee training ; Create policy that requires vulnerability scans, periodic penetration testing, periodic IT security audits, and periodic IT policy compliance audits. Systems Security No such thing as 100% security; Penetration test is only one part of “defense in depth.” Perimeter defenses such as firewalls, routers, switches, IDS/IPS, web application and database monitoring systems must be properly configured;  Patches and AV must be kept up to date. Log files must be filtered (quantity reduced) and suspicious log entries must be examined.
  • 22. Powerpoint Templates Page 22 HOW I WILLAPPLY WHAT I LEARNED I will apply the knowledge to running the company http://www.butleritsec.com , an IT Security consultant Company I will apply the knowledge to provide best value to clients in a highly ethical way. I will continuously study and practice hands-on. I am just beginning to learn.
  • 23. Powerpoint Templates Page 23 REFERENCES Penetration Test, (2013) Wikipedia. Retrieved 2013 from: http://en.wikipedia.org/wiki/Penetration_test NIST 800-53 and Federal Information Processing Standards (FIPS) 200 Retrieved from: http://csrc.nist.gov/publications/PubsSPs.html#800-53. Barclay Simpson, Corporate Governance Recruitment, (2011) Market Report on Information Security. Retrieved 2013 from: http://www.barclaysimpson.com/document_uploaded/BS_InfoSec_2011.pdf Magnuson, (2013) National Defense Industrial Association Magazine, Air Force Cyber-Operations Wing to Go on Hiring Binge. Retrieved 2013 from: http://www.nationaldefensemagazine.org/blog/Lists/Posts/Post.aspx?ID=1026&goback=.gde_1836487_member_20563 4892 Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest- standard.org/index.php/Main_Page Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html Certified Ethical Hacker (CEH), (2013) Ethical Hacking. Retrieved 2013 from: http://eccouncil.org Experts say DoD cyber workers undertrained By Zachary Fryer-Biggs - Staff writer Posted : Saturday Feb 16, 2013 12:38:06 EST in the Federal Times a Gannett Pub. http://www.marinecorpstimes.com/news/2013/02/dn-cyber-certification- 021613/?goback=.gde_54384_member_216288717
  • 24. Powerpoint Templates Page 24 FINIS A THANK YOU TO ALL THE WGU IT FACULTY CINDY WENDY NORMA CHARLES AND MY MENTOR, BRETT I HAVE THOROUGHLY ENJOYED THE EXPERIENCE QUESTIONS FOR ME?

Notes de l'éditeur

  1. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  2. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  3. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  4. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  5. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  6. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  7. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  8. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  9. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  10. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  11. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  12. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  13. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  14. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  15. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html  
  16. (PTES, 2013) PTES-Penetration Testing Execution Standard >Penetration Testing Execution Standard, (2013) PTES. Retrieved 2013 from: http://www.pentest-standard.org/index.php/Main_Page (OSSTMM, 2013) OSSTMM-Open System Security Testing Methodology Manual>Open System Security Testing Methodology Manual, (2013) ISECOM. Retrieved 2013 from: http://www.isecom.org/research/osstmm.html