When scoping a penetration test for a client, there is often a disconnect between ?check-box? requirements and actual preparation for what real-world attackers might attempt. With an influx of major data breaches, organizations need to take ownership and realize that compliance is not a ?silver bullet? and is subject to the implementation of the organization?s needs and requirements. Check-box security isn?t a bad start, but it?s just that--a start. Because it?s often required for compliance, it seems to be the main, or only driver for many security programs. This pushes companies to just meet the minimum requirements, can instill a false sense of security and can overshadow the entire view of their security posture. This talk will cover what we often see as pentesters in regards to scoping an assessment with a client and views/ways to help them broaden their understanding of attack methods that go far beyond the requirements of ?check-box security? to hopefully help improve their security posture overall.

Tim and Brent are Sr. Offensive Security Consultants within Solutionary's Offensive Security Services team (NTT Security Group). They have developed Red Team and Social Engineering testing methodologies and have spoken at internationally recognized security conferences including DEFCON, DerbyCon, B-Sides, ISSA International, AIDE at Marshall Univ, Techno Sec & Forensics Invest. Con, and more. Tim has held management, IT and physical security roles across multiple industries, including healthcare and government. He is a regular contributor to Solutionary Mind?s ?#WarStoryWednesday' series and has been featured in CSO on the subject of onsite social engineering. Brent has held several IT roles including Security Director of a global franchise company as well as Web Manager and information security positions for multiple television personalities and television shows on The Travel Channel. He has also been interviewed on the topic of social engineering on the popular web series, ?Hak5? with Darren Kitchen. Both have been interviewed on the topic of ?White hat hacking? for Microsoft?s ?Roadtrip Nation? television series. Their experiences with traditional/non-traditional pentesting techniques include network, wireless, social engineering, application and physical testing. These techniques have led to highly successful Red Team assessments against corporate environments. By sharing their experiences, they hope to continue to contribute to the InfoSec community.

@brentwdesign && @zanshinh4x

Back to Derbycon 2016 video list