Presentation given at the 2008 Ohio Information Security Summit, October 2008. This was the first presentation I did using skills learned from "presentation zen" which I highly recommend you read! Attackers are evolving...and so must your penetration testing program. No longer can an organization only conduct a "traditional" penetration test against network hosts. Why bother attacking your external firewall? That could be too difficult and time consuming for an attacker. Attackers have evolved to using "no tech" hacking techniques. These techniques allow an attacker to gain access to networks and corporate facilities to steal confidential customer information for identity theft, trade secrets, and to potentially damage the reputation of a corporation. There will always be multiple ways to gain access to this type of information so the external firewall, internal network, applications, and the human element of security all cannot be ignored. Whether you are a large or small corporation, the next step in evolving your penetration testing program begins with testing all areas of security in an organization. This presentation will begin with an overview of emerging threats to organizations in the form of no tech means (social engineering, dumpster diving, tailgating, etc...) and include more recent technology threats such as client side attacks using phishing. We will talk about what a Tiger Team is, what areas of security the Tiger Team will address (physical, technology, application, security awareness), testing methodology, team formation (if you have the ability to do this internally) and what qualifications should you look for in a third-party penetration testing firm. Finally, we will conclude with a real-world example of a Corporate Tiger Team assessment from start to finish which will demonstrate how each area of security is tested.

1. Penetration Testing 2.0:
Corporate Tiger Team
Tom Eston

2. Why are you here?
• Threats to your organization
• Why a Tiger Team?
• How can you do this?
• Real world scenario
• ...it’s one of the last talks of
the day!

3. Threats to your
organization
(Yes, Dan Kaminsky is a threat...)

4. No Tech Attacks

5. Social Engineering
“The clever manipulation
of the natural human
tendency to trust”
“Because there is
no patch for human
stupidity”

6. “Thief woos bank staff with chocolates...
then steals $28 million in diamonds”

7. 64%

9. Dumpster Diving

10. Tailgating

11. This might be a
problem...

12. Shoulder Surfing

13. Buy his book!

14. Electronic Attacks

15. External Network
Attacks
• Web applications
• External servers
• Wireless
• DNS and BGP Internet
Routing

16. Help!
Their attacking our clients!
(aka: Internal Network Attacks)

17. Phishing

18. 94%

19. Malfunction
• Software glitches
• Process breakdown
• Act of God/War/Terrorism
• Disruption

20. What is a Tiger Team?

21. What does a Tiger Team test?

22. Physical Security

23. Technology (Electronic)

24. Application

25. Security Awareness

26. Testing Methodology
• ISSAF/NIST 800-42
• OSSTMM v2
• OWASP Testing Guide
• Other Penetration Testing Methodologies

27. Team Formation

28. Internal Team

29. The need for “experts”
• Physical Security
• Network/Application Pentest
• Social Engineering and People Skills!

30. Third-Party Assisted

31. What to look for in a
3rd Party?
• Physical Security
• Social Engineering
• Network Penetration
• Inguardians
• Lares Consulting

32. Conducting the
Assessment

33. What’s the goal?

34. Get permission!

35. Reconnaissance

36. Maltego

37. Penetration and
Exploitation

38. Coordinate the Attack

39. Facility Walk Through

40. Reporting and Clean-up

41. Real World Assessment
Example

42. Tiger Team TV Show

43. Let’s Review...
• Threats to your
organization
• What is a tiger team,
what can it test
• Methodologies, how to
form your team
• Real world example