MCH2022 Curated content

A CISO approach to pentesting; why so many reports are never used

Abacus 🧮
Fleur van Leusden
Pentesting can provide vital information to organisations about their security. However, many reports end up never being used or not being used to their full potential. That is partly due to the pentesters and their writing skills, but in large part it is also attributable to CISOs' lack of guidance and involvement. I am not a spokesperson for all CISOs, but I do have quite a bit of experience in the pentesting field as a CISO. As such, I would like to share my thoughts about how a CISO can lead the pentesting process as effectively as possible, as well as what I as a CISO like to see in my pentesting reports. I will also highlight why some reports don't get used and why I think we struggle with this as much as we sometimes do. I think this information is useful for pentesters and CISOs alike, because it shows both sides how the other one works and thinks.

I have yet to write the talk; as I am currently at the end of my pregnancy, I will probably do this at a later time. But here are some points I will likely address in this talk:

- A few (funny) examples of why some pentesting reports are unreadable to managers/board (mainly due to language and words used)
- A poll (ask people to raise hands) about something statistical about pentesting reports that I will then reveal the actual statistics about later in the talk.
- What I think is essential to a good pentest that a CISO should take care of:
  * Clear scope, technical as well as in terms of goals. What is the goal of the test and what is allowed/out of scope? What IP addresses/domains/network areas may you approach, etc.
  * Communicate in advance with the actual tester(s)
  * Liability waiver
  * Planning
  * (On site) support during the test
- What I think a good report should include and why:
  * Reports should be useful to management as well as IT, because both are needed to fix the issues. It is better to have a report that can be shown to management directly than to have the CISO translate the report to management. This is because managers tend to listen better to the outside expert than to the CISO. Sad, but true.
  * Write a management summary with the 3-5 most important findings, described in a way managers can understand (so don't talk about CVEs). Explain the (potential) impact of these findings for the organisation if they are left unfixed. Very important!
  * Explain what is needed to fix these findings in terms of activity, time and estimated budget.
  * Then explain what you did to get to these findings and a little bit about other findings in general ("We found most problematic vulnerabilities in the X area of the network."). Explain what the potential impact is to the organisation.
  * The last part of the report is purely technical and meant for IT/security. This contains ALL findings, with CVEs if applicable, severity, how to reproduce the finding and how to fix it. This does not need to be in a language management can understand.
- I will talk about why I think this approach works better than just writing a technical report and why I think CISOs and pentesters should work closer together during the pentesting process.

Additional information

Type Talk
Language English

More sessions

7/22/22
MCH2022 Curated content
Elger "Stitch" Jonker
Abacus 🧮
⚠️ Warning! This talk may contain hackers. There may be hackers in the room. There may be hackers surrounding the room. There may be hackers recording this. There may be hackers listening in. There may be hackers that exfiltrate data. There may be hackers wearing shirts. There may be hackers carrying spying devices. OH NO! There are hackers EVERYWHERE! What can we do now, except having a party?
7/22/22
MCH2022 Curated content
SETUP, de Transmissie & Rodrigo Ferreira
Abacus 🧮
What do big tech, synthesizers, the crucifixion and Matthäus Passion have in common? Find the answer in the tech performance The Silicon Passion. We’ve all embraced big tech, but is it a warm hug or a strangulation? Bear witness to a debate of biblical proportions between tech nerds, technology and its users. In The Silicon Passion SETUP, in collaboration with de Transmissie (David Schwarz and Derk Stenvers) and Rodrigo Ferreira, is looking for a way out of the pit that technology has ...
7/22/22
MCH2022 Curated content
Clairvoyance 🔮
Lightning talks are 5 to 10 minute quick talks on an interesting subject. They can be with or without slides, and with or without proper preparation. If you weren't accepted in the main CfP, this is also a great opportunity to give an abridged version of your talk. These sessions will be available to sign up to later on, with details on the wiki: https://wiki.mch2022.org/Static:Lightning_Talks
7/22/22
MCH2022 Curated content
Kliment
Hardware Hacking Area 🤖
In this workshop, we will learn how to assemble tiny parts on circuit boards by building an electronic touch-activated purring kitten. Anyone can do it. Yes, even you who never touched anything electronic before. Takes 120mins, 20€/kit, avoid caffeine immediately before. Max 10 participants per session, sign up on PAPER at the Hardware Hacking Area.
7/22/22
MCH2022 Curated content
Mikko Hypponen
Abacus 🧮
This is a submission for a keynote talk at MCH2022. The Internet is both a familiar, comfortable place as well as a bottomless rabbit hole you can lose yourself in. The Internet has always been like this from its inception, the difference now is the scale and consequences are almost immeasurable - and it tests the limits of human imagination. When you look into the mirror of the Internet what you see reflected back depends on what you are looking for. It has become largely a reflection of ...
7/22/22
MCH2022 Curated content
Bjarni Rúnar Einarsson
Battery 🔋
Have you ever forgotten a passphrase or lost a hardware token? Lost access to enough Bitcoin to buy a pizza or two? Encryption is fundamental to securing our liberties, but key and password management remain difficult even for professionals, let alone the general public. This talk presents Passcrow, an Open Source project attempting to address one of crypto's largest usability issues: password and key recovery in a decentralized environment.
7/22/22
MCH2022 Curated content
Battery 🔋
Thanks to DNSSEC and DANE, it is possible to automatically verify user@domain.name identities by checking with domain.name servers. The real problem however, is integration with existing protocols, instead of inventing something completely new and perhaps web-only. The purpose of our work on Realm Crossover mechanisms has been to design generic solutions that extend many different application protocols, without changing their protocol specs.