Network Penetration Testing Considered Harmful Today presented at 44Con 2011

by Haroon Meer

Summary: (Imagine you hire a team of white hot pen-testers, who 0day their way through your border-router, firewall and then take your domain controller. You take the steps and remediate. Will it help tomorrow when your CEO visits evil-lol-cat and gets owned? How is it possible that some organizations have had pen-tests for close to a decade, but are still one 0day away from the worst days of their lives? Something is very, very broken here.)
We have been doing network penetration tests for some time, and those of us who are skilled at it have built tools and procedures to take testing to ridiculous levels (we will demo and discuss some of the ridiculous data extrusion tools we have built and used over the years). With all of this attacker sophistication, very few networks are considerably better for the testing. In fact, it's our contention that the networks are often worse off, since they are lulled into a false sense of security.
This talk will aim to cover a number of areas where network pen-testing (in its current guise) is actually adding to the problem and will propose some suggestions for alternative pen-testing techniques that can be used.