February’s meeting information is as follows:
Date: Wednesday February 19, 2014
Time: 8:00 AM to 9:00 AM EST
Hosted By: MSU Federal Credit Union, Farm Lane Branch
4825 E. Mt. Hope Road
East Lansing, MI 48824
Topic: “Pen-testers: Adapt or Perish.” – Knowing how to conduct a pen-test against a REAL organization and still deliver a meaningful product.
As Sean describes:
It’s pretty easy to own a network when half the systems are vulnerable to MS08-067 and the other half is running SSH where root is using a crummy password like “letmein.” This is often the quality of environment you’ll be working in during an ethical hacking training course. Fast forward to the real world, where you’re executing a pen-test against an actual organization. You’ve run a few different vulnerability scanners against the target environment and nothing exploitable is jumping out of the scan results. Maybe you’re testing the organization’s client-side security and you keep getting beat by one control or another, whether it’s layers of AV engines, a web proxy, email AV scanning, firewall egress restrictions, up-to-date patching, browser security settings, or a combination thereof. Or perhaps you’re working on a web application pen-test and all that your web app scanner is telling you is that the application has a trusted SSL certificate and auto-complete isn’t set to no on the login form.
Does this mean all the low-hanging fruit has already been picked over? Hardly. Whether you’re executing a network pen-test, a web application pen-test, or client-side testing, there’s probably a blind spot or two in the target organization’s enterprise that they will likely want to know about. Take the time to understand what you’re up against so you can develop an effective course of action to shine a light on the blind spots that need to be fixed.
Mr. Verity has over nine years of experience in IT, IT audit, and pen-testing at various companies. He is also a modest contributor to the sqlmap and Metasploit projects.