While most red team talks focus on the tools and tactics, this talk with take a compliance slant. Focusing on the NIST 800-53a revision 4 assessment framework, we will explain how the government definesred team testing. Afterwards, we will walk through all of the controls in the NIST risk management framework that are met using red team exercises. This can be used by CISO/CIO personnel to justify red team exercises or sales people to better focus their efforts from a technical approach to a compliance approach.

Keith Pachulski, Security Officer for Health Network Laboratories (HNL) and Security Consultant. Keith has over 23 years of experience in physical and information security realms. He is currently responsible for the development and management of the information security program at HNL. Previously he was responsible for the management and performance of onsite red team tests for Dell - SecureWorks. Additionally he performed physical and electronic penetration tests, web application assessments and wireless assessments. Prior to that, he was a CSO overseeing the operations of 13 companies and created/managed a Managed Security Services program for a private sector company supporting clients internationally. He has extensive experience working in the Federal sector performing vulnerability assessments, penetration testing and compliance assessments.

Recorded at BSides Philly 2016