Wednesday evening, I was notified that my proposal for a talk at the Black Hat USA 2016 Briefings (August 3rd and 4th) was accepted by the review board, composed of professionals in the information security industry. Black Hat USA is one of the highest-profile events in information security, and a great venue for presenting the latest vendor-neutral research and trends. I feel honored to have a panel of peers select my talk out of the many submissions they receive.
I’m also excited, since the topic is an issue that requires the attention of all that professionally practice penetration testing. My talk, Secure Penetration Testing Operations: Demonstrated Weaknesses in Learning Material and Tools, is my latest and strongest statement on the importance of conducting penetration tests without our actions exposing clients to more risk. In previous talks, I have described security flaws within tools used by penetration testers, and the ways third-party attackers could compromise both tester and client.
In this talk, I tackle the core issues and ask the uncomfortable, but necessary, questions:
Are the materials we use to learn and train others in the craft of penetration testing teaching insecure practices?
Does the current, established state of the art in penetration testing encourage common processes and tools that put clients at risk?
Moving forward, how can we address these issues, improving our operational security and reducing the potential exposure of client systems and data?
These are difficult questions, as they require introspection: within this segment of the industry, and within ourselves. We have to take an honest look at the training material, documentation, tools, and processes that are in place and
In my talk, I will provide examples of insecure practices, and will demonstrate and release tools that can be used to illustrate how processes commonly used by penetration testers can be exploited. Offensive security professionals hold a “show me” mindset, and the tradition each year with the Vegas conferences is to entertain and inform with vulnerabilities and exploit code you can take home and use. On this front, I will not disappoint, and may even have a surprise or two...
Since taking my current position at HORNE Cyber, I’ve been focused on applying this work towards conducting more secure penetration tests for our clients, who have high demands for continued security of their operations and data. There is a rapidly shrinking tolerance for security services and tools that have negative side-effects for client security, and I’m looking forward to sharing my views on the matter with the rest of the industry.
I will be writing more in the months leading up to the conference, about my own talk and the other great speakers that have been accepted. I will be present for Black Hat USA as well as DEF CON, which takes places immediately after Black Hat. I’m looking forward to meeting with as many readers of this blog as possible, so do not hesitate to get in touch if you’re going to attend as well.
For weekly insights into cybersecurity, please sign up here: