50 Shades of Purple(teaming): Getting penetration testing into a conservative company


Presented at GrrCon 2013 by

Getting paid to hack sounds pretty cool, right? Unfortunately, not all of us are cut out for the red team. We may not be happy being only blue team, though. So maybe “Purple-team”? For those of us feeling like we’re choking to death on ITIL-stimulated change aversion, how can we show the value of a little corporate hacking, or “Penetration Testing,” outside of the compliance checkbox? This talk is one security professional’s journey of working in an environment where the sysadmin XKCD comic is all too true. Companies want availability and cringe at the thought of the security team hacking their systems, but they want the same team to prevent the “bad guys” from doing it. Maybe they’re scared the security professional could succeed, or they just want to ignore the obvious. If you want to “Turn the Titanic” away from this mindset, you’ll need a little bit of knowledge, a little social engineering, and, of course, a little bit of help.