Security teams should operate under the assumption that the question is not whether a breach will happen, but when. The fresh twist on penetration testing puts an attacker (good guy/gal) on your systems running under the context of an authorized user. The goal is to simulate a compromised system (such as via a phish) or a rogue trusted insider. The goals of the test should focus on the business risk and on how insecurities, vulnerabilities, and misconfigurations can impact the data and processes vital to the organization. Goals are business focused, not domain admin focused.
- Assume defenses will fail
- Sensitive data is often left accessible to all users
- Deficiencies in penetration testing mean missed learning
About Tim Medin
Tim Medin is a Principal Consultant at Red Siege, a company focused on adversary emulation and penetration testing. Tim is also the SANS MSISE Program Director and a course author. Through the course of his career, Tim has performed penetration tests on a wide range of organizations and technologies. He gained information security experience in a variety of industries, including previous positions in control systems, higher education, financial services, and manufacturing. Tim is an experienced international speaker, having presented to organizations around the world. Tim is also the creator of Kerberoasting, a technique to extract Kerberos tickets in order to attack the passwords of enterprise service accounts offline. Tim earned his MBA through the University of Texas.