Most organizations conduct a vulnerability assessment or penetration test of their network as part of their security program. Testing may be conducted by employees or by external specialists, and the results may be used to demonstrate compliance with standards such as PCI DSS, or simply to satisfy a sense that "security is being done right". However, a survey of Canadian organizations finds that the majority have problems with the testing, or even believe that the testing failed in some way. A failed test not only consumes valuable resources but also leaves the network vulnerable to attack.
The purpose of this talk is to review test methodologies, including approaches for assessing Active Directory and cloud resources, from both the organization's and the tester's perspectives, to identify where poor management and implementation can result in a failed test. The goal is to emphasize the changes that must be made by both the organization and the testers to define a clear, measurable goal and successfully complete a security test.