Abstract
What if penetration testing programs went a step further? Once legal and ethical approvals are obtained, a device could be placed within the organization to test more than network and application security. By placing a “rogue device” within an organization the general user knowledge of physical IT practices, IT security policies, and awareness of devices in the environment can be evaluated.
This talk will cover creating a penetration platform that can be hidden in plain sight for under $200. The device will be housed in a common item found within many offices and places of business. The device will have a number of camouflage techniques that allow it to blend into the environment to avoid detection.
The device will include remote connection capabilities, wireless and wired attack/monitoring functions, and monitoring methods to let the penetration tester know when the device has been discovered.
The talk will cover:
• Device functions and requirements
• Device materials and build
• Creating a device that “blends in” (Dents, organization standards, asset tags, dust)
• Getting alerts when the device is discovered
• Penetration testing capabilities
• Preventing devices like this in your environment.
This talk will demonstrate how to build a low, cost, flexible, remote penetration testing platform for ethical and legal testing programs that can be hidden in plain sight. The talk will also show the audience some of the techniques an attacker may use to hide monitoring devices within organizations. Knowledge of these techniques may help develop and refine IT practices to discover these devices.
Bio
Ean Meyer is an information security professional working in Central Florida. Ean’s current focus areas are PCI, FERPA, HIPAA HITECH, Intrusion Detection and Prevent Systems, Information Security Program Management, Penetration Testing, and Social Engineering/User Awareness Training. Ean has a BS in Information Security and an AS in Computer Network Systems. He runs the blog www.thetheaterofsecurity.com.