Operational Security in Penetration Testing
Abstract
Penetration testing is intended to improve a given organisation's security posture. However, such a potentially invasive process can often give pentesters significant, or in some cases unprecedented, access to an organisation's most sensitive systems. Without considering the results of their actions, or the behaviour of their tooling, pentesters can leave remnants of their privileged activities for real attackers to find, or even be detrimental to the overall security posture of the organisation by changing the state of play to the benefit of a real attacker. This talk aims to address some of the key operational risks in the daily life of a penetration tester, to provide guidance to penetration testers on reducing any potential negative impact on their customers' networks, and to accentuate the point that Twitter is not always a great source of real-world penetration testing techniques.

Speaker Bio
Having worked in the UK InfoSec industry for around five and a half years at Deloitte and later Context Information Security, Troy abandoned a dreary, sun-less London and has been working in the Australian industry out of Sydney for over a year with Pure Security. His interests and experience are largely in bespoke penetration testing engagements (red teaming, ICS, scenario-based assessments, etc.), with broad coverage across the penetration testing spectrum. Other interests include music, electronics, the outdoors, travel, rugby, CTF, and being bad at golf.