Updated Gamification of InfoSec Learning Talk

At the SANS Orlando conference on Sunday night, March 25, 2012, I presented an updated version of my talk “Put Your Game Face On” about gamification and how people can use infosec challenges to develop their skills.  We got some great questions during the session, and turnout was wonderful.  Thanks to all who were involved!

The updated version of the talk is downloadable here.  My primary updates focused on the new announcements for the schedule for Cyber Foundations competitions for high schoolers and Cyber Quests for college students.  I also made a bunch of small tweaks throughout.  I hope you enjoy the talk.

Thank you!

–Ed Skoudis.
SANS Instructor

RSA Flash Talk: Top 5 Reasons It’s GREAT To Be a Pen Tester…

By Ed Skoudis

Last week at RSA, I presented a Flash talk called “The Top 5 Reasons It’s Great To Be a Pen Tester… And How You Can Help Fix That Problem.”  For those unfamiliar with the Flash talk format, presenters are required to have exactly 20 slides, and they get exactly 20 seconds per slide, auto-advanced.  As a presenter, it’s not for the faint of heart, as that 20-second timer is a ruthless mistress.  Additionally, the fine folks at RSA also asked for our talks to be fun, engaging, and to… you know… have a point.  Always a glutton for punishment, I gladly accepted their invite.

The resulting slides are available here.  The presentation is my tongue-in-cheek quirky take on what I think to be a really significant problem in the penetration testing space — The Rise of the Really Crappy Pen Test, as some (not all) penetration testers aren’t focused on delivering high-quality valuable results in their work.  I’ve written about this problem in a variety of fora, including on this blog with my article “Maximizing Value in Penetration Tests.”  In countering this problem, I’m really fond of the efforts of the folks working on the Penetration Testing Execution Standard, with their focus on transparency, technical excellence, quality, and providing real business value.  In fact, slides 11 and 12 of my Flash talk focus on these principles embodied by PTES.

Additionally, as you read through these slides, you’ll get to see me with a woman’s girdle on my head (Slide 3), an attempt at a smoldering look (as in the movie Tangled, Slide 4), and my best Jack Nicholson Shining impersonation (Slide 16).  Photo credit goes to my darling 14-year-old daughter, Jessica, who I am sure is scarred for life after the photo shoot.  She’s also the one who drew the “Monkey throwing poo” figure on Slide 6.  What a great kid!

By the way, if you are interested in building your skills for providing high-value penetration tests, please consider taking my SANS Security 560 course, which I’ll be teaching at SANS Orlando March 25 to 30, SANS Cyber Guardian in Baltimore April 30 to May 5, and SANS Denver June 4 to 9.

Thank you!

–Ed.

Emerging Attack Vectors – RSA Slide Deck

By Ed Skoudis

Last week, I had the honor of presenting at the RSA conference in a session with Dr. Johannes Ullrich and Alan Paller.  We presented on six major attack vectors, a theme we have revisited each year for the past 6 or so years, as we watch the bad guys’ tactics evolve.  I base my analysis on what I’m seeing in the breach cases I work on, while Dr. J gets his data from the activities of the Internet Storm Center.

In the RSA session, Dr. J and I each talk for 15 minutes to set the tone of the conversation and explore some issues, and then we open it up for questions and answers from the audience, panel style.  Our slides are available here.

Darren Pauli from SC Magazine wrote up a fantastic summary of the session here.  He really pulled out the most important points and explained them well.

My section of the talk focused on DNS as a malware command-and-control channel in recent large-scale breach cases, SSL getting slapped again and again, and emerging mobile device attacks to establish a beachhead inside an enterprise.  That first topic, the DNS command and control channel, got some notice by the press, as did my mention of the upcoming CertGuard tool from Tom Liston, the Internet Storm Center, and InGuardians.  CertGuard is slotted for free release later this spring.  In the SC Magazine photo included with the article on DNS command and control (included below), I look like I’m about to eat a puppy.

I was really happy with the way the session turned out, and I’m hoping we’ll get a chance to do it all again next year!

–Ed.