Presented at DeepSec 2015 „DeepSec No. 9“
Penetration testing is a subject that seems to have been discussed thoroughly: how to test, what tools to use and who does the testing. But how do we connect all of the real issues around pen testing?
And how should we create a successful process that truly makes sure that the right parts of our business are safely and securely tested? I have been involved in the pen testing business for the better part of the last decade.
The target of this talk is to help security professionals understand the various approaches currently implemented by leading companies around the world: how they test their business (and not their systems), and what processes and controls they have in place to make sure they are on the right path to success.
We will discuss the common mistakes of security professionals when they approach penetration testing, and try to debunk some common myths around the business behind this practice.
This talk is aimed at security professionals who are part of IT security operations and governance teams, but the insights will assist client-servicing professionals just as well.
I'll talk about some of the leading practices I have been exposed to and some of the processes and controls that the team I work with has been able to implement with some of the world's largest and most successful companies (or, as we call them, "our clients").
This talk will provide you with an overall understanding of why tests do not always succeed: not because of a lack of professional knowledge, but because of an unwelcome surprise, a root cause you didn't think about…
We will review the world of pen testing from a global perspective: where do we find the best infrastructure testers, application testers, or reverse engineers, and why do we find them in different geographic regions, scattered around the globe?
We will review how a cyber-security team can communicate its findings to the company's management in a non-technical manner, and how pen testing can help you get more budget and recognition within the organization.
Another aspect we'll talk about is what you can test within your organization.
Or, in other words, how to focus on testing the right issues and, more importantly, how not to focus on the wrong ones. There is only one thing better than learning how to do something, and that is learning how not to do it.
Another cornerstone of this talk is automation. The technology is already available, and leading organizations, with adequate planning, have been using it correctly to automate all that can be automated. But there are still some processes which they don't automate. Some things are still considered tasks that no computing power is able to deal with.
This talk is in no way a sales talk. Besides the "EY" logo on the slide deck template, I will not try to promote our business; I give this talk with the full intention of sharing the insights I have gained from seeing a wide range of pen testing processes with the clients I have worked for.
- Ernst & Young
Johnny Deutsch is a Senior Manager in the Advanced Security Center part of the Advisory Services practice of Ernst & Young LLP.
This cutting-edge security team is dedicated to implementing advanced defense techniques for EY's clients to counter today's growing forces in the global cyber arena.
In his experience, Johnny has delivered the following services:
• Cyber Threat Intelligence Services - providing in-depth insights on the latest threats in the world of cyber crime.
• Cyber Simulation Testing - managed and performed cyber penetration tests aimed at simulating real-world cyber attack scenarios, combining a wide range of operational needs in various domains, such as application security, infrastructure and embedded devices.
• Cyber Risk Assessment - surveyed and assessed the validity of cyber security risks within complex environments, such as critical infrastructure or high-availability-oriented environments.
• Cyber Strategy Planning - worked with the organization to characterize and prepare for relevant threats from the cyber arena.
Johnny Deutsch's experience comes from the intelligence community, where he performed numerous cyber security roles over an extended period of time.
Johnny has spoken at several international cyber security conferences, such as Troopers, DeepINTEL, Toorcon and GrrCon.
Prior to his employment at EY, Johnny was a consultant at the Israeli Ministry of Defense (MoD) and managed large-scale projects in the field of cyber security.