How not to infosec

Presented at ToorCon San Diego 17 (2015), Oct. 25, 2015, 1:30 p.m. (50 minutes)

There are many organizations that conduct penetration testing and red team consulting engagements. Concurrently, there are many which also conduct remediation and professional services engagements. In every circumstance mistakes can be made, and there are lessons to be learned - however rarely if ever are they communicated back and forth between client and vendor. When people make mistakes, they are concealed so that egos and reputations do not suffer. There are also many speakers who articulate “what to do” on a variety of topics and in some cases “how to do it”, but I challenge you to name one occurrence of “what not to do” on a security conference docket. Few people speak of their mistakes. When we fail, we learn. We learn what not to do in a given circumstance. If we do not pass this information on to others, then we are destined to watch others make the same mistakes we have made over and over again. After 8 years in nearly every facet of information security, I’ve compiled a colorful and entertaining compendium of mistakes that I’ve made, in addition to mistakes that I’ve watched and encountered in the line of duty during my information security career. Everything from configuration problems, to destroying networks with nmap, to tipping over firewalls with masscan, to using masscan as a load testing aperatus, to talking about public breaches and being visited by law enforcement, and more. This talk will cover several topics and articulate what I’ve come to call ‘land mines’ in an effort to educate the audience in unforseen consequences - specifically, within the context of pentesters, red teams, blueteams, and site reliability engineers / sysadmins. The target audience for this topic is anyone in the fields of: redteam/pentest/attack, blueteam/defense/security ops, systems architects, and others who either are responsible for the stability of an environment, uptime of an environment, or to make sure their testing doesn’t break anything.

Presenters:

  • Dan Tentler / Viss as Viss
    Dan Tentler is Co-Founder of a pre-launch startup, a boutique Red Team and security services firm. Previously, Dan has been the sole proprietor of Aten Labs, a freelance Information Security consultancy firm in San Diego. He is often paid to be the bad guy. He’s allergic to cyber. Twitter: @viss