
hopefully everybody can hear me all right so uh this talk specifically is going to focus on uh critical thinking and why it is really one of the most important things that uh we as pentesters can ever have and actually applying that to pentest um is key throughout the life cycle not only as an industry but also as uh as we grow as pentesters specifically so who am I well my name is kiz my anthia I'm a senior pentester over at uh HP Shadow labs and I've been doing this for a pretty long time um I got started way back in uh the 2000 era and uh and I've been doing this ever since uh you know really enjoy uh
penetration testing really enjoy information security and it's kind of my passion more than uh it's been a career move or anything else and hopefully most people going into it kind of have built from that that passion that fun that hobby and are doing something that they love today so what is penetration testing what what is the actual uh what do we have why do we have it done uh what is the real goal I'm asking I want to see somebody there we go we got a hand what is pen testing okay emulating the bad guy right what are some of the things that we look for what are the goals of a pentest I throw temper tantrums if people
don't answer me right looking for weaknesses looking for breaks yep right figuring out what that actual cost is right what what that organization could lose what it's going to what that actual monetary value what that public relations value is anybody else go for
it there we go making that real world example so this big blob of text right here is uh what Wikipedia defines as a penetration test uh this it's pretty good definition um it really is explaining that it's a real world test a real world look at system security at uh network security at applications and what the real world risk is to that organization and it looks at the specific technical details so when a pentest uh when a pentester actually gives this information to an organization they rely on that information so a lot of pentesters at times don't realize how invaluable that information can be to an organization if they're spending
millions and millions and millions of dollars on security products whether it's uh from monitoring and whether it's for firewalls whether it's for actually locking down the end users organizations spend lots and lots and lots of money on these controls with our recommendations they either decide whether they're doing it right or doing it wrong you know and a lot of pentesters don't realize that and by having that understanding and actually looking at the value that they're presenting to that organization you can start to see the impact of directly with what you're doing and your work to what that organization actually needs from you so if we find a major hole if we find a significant vulnerability uh an organization is
going to spend their resources for remediation of that whatever it is whether it's SQL injection whether it's um some sort of a remote exploit they're going to spend development dollars they're going to spend remediation dollars and they're going to look at that and say okay this is where we need to spend our money if we turn around and say okay well we have X number of lows and they're going to go okay well you know lows are very good we can handle lows that's an acceptable risk and they can believe that they're doing something right we as that pentester really have to start adding that extra layer of
information and giving them the full feel uh and that's where penetration tests really become invaluable so as pentesters and hackers we're thrown into dynamic environments and uh dynamic situations every single day from having to work with large clients small clients um old clients clients that have had systems online for ages since the computer was invented to uh clients that have a very well and uh defined information security program to organizations that can't even spell information security we deal with organizations from every walk of life and every size each and every day and we have to ensure that we're at the forefront of making sure that we stay up with that technology
because uh when we keep up we're able to then make sure that we're doing our best effort and providing that best value to those organizations so and the point being made is specifically that we as pentesters really have a knack for learning we enjoy learning we we do that we do this stuff outside over and above um most times for what we would normally get paid what we consider our job and thinking outside the box and thinking critically is asking that why why was this done why was something portrayed why was something installed why was something deployed in such a manner and in many cases we're able to determine the why or do the research and as far as
we possibly can go gives us not only the knowledge but also the ability to take that and apply that to Future tests we're able to take that human element of the feeling of what I've learned and what I've found and actually apply that to not only what we're doing today but what we're able to do in the future so what what do I mean by uh don't be a tool what what is and you know why did I name my presentation this it's not really to be an ass maybe a little bit but uh you know it it's really to discern or differentiate what we do and the importance of what we do versus just running a tool or just using the
tools that are out there we humans have the ability to perform repetitive tasks just like the tools out there but we also have the ability to apply experience with things we do outside thinking feelings and things that we've come to actually experience in other tests we can apply that and make sure that when we're looking at something we're not just looking at it at face value we're actually looking at what the other aspects are so uh this is where we really kind of find the ability to find our Foo if you will that aspect of this isn't just cross-site scripting what can we do with cross-site scripting cross-site scripting is a
bigger issue than just it creates a pop-up box with a couple numbers right that's all cross-site scripting is most reports that organizations or vulnerability assessments turn over are simply a pop-up box with a number value in it well what is an organization that is not in the business of information security supposed to do with that without having that understanding without having that person to give that secondary knowledge all they know is that you can create a pop-up when you start applying that thought process to well what if that pop-up was presenting a username and credentials login box how many users are going to fall for a fake login page where does that exist and what do we
know that can be found or executed against that specific function or that specific location in an application these are things that a tool can't differentiate from so critical thinking and using every resource um should be used and not closing yourself off to just whatever that face value is is more important than um than actually you know relying or just running a tool so what is critical thinking what actually is the process of thinking and what is uh what does thinking tell us what are some of the things that when we think or and the actual science this isn't a technology question what does the actual process of
thinking uh give you anybody all right I'll throw out an example it gives us information as far as what there is right what we're looking at it gives us information about what's happening what's going on with that application what kind of problems are we running into things that are either a risk or where we're able to take that information or that vulnerability if we have SQL injection are we able to actually gain information from that um vulnerability or is it just we're just getting an error message so now we have to go take another step and get more details why is something important versus unimportant when we start thinking about the questions and start thinking about
things that are not quite just what's presented to us we can start getting a much deeper and a much more uh full version and understand what we're truly looking at so why are these types of questions really useful why is it good to start asking questions of why or what are we looking at there we go focus on what's important right you can start to define your focus right all of a sudden something huge becomes oh well I've got 5,000 pages in this application but I know that only five of them have a login page and one of them is one that I'm getting an error message on so now we're starting to define and
we're starting to reduce what we have to focus our attention on how about anybody else why else are these questions really good I'll come sit down by you guys and I'll start asking you personally what's that possible right what's possible what's impossible how about how things should be viewed versus how we see them okay how the developer expected them to be interacted with versus what we actually are doing when we start taking these steps and start looking outside of just that norm we start to experience and we start to understand more about not only the application but we start to understand more about what our problems specifically are and then we can
start to determine what our answers to our problems are so thinking and critical thinking specifically is important because it requires a conscious level of processing okay you consciously are looking outside of whatever is presented you're doing an analysis of all that information whether it's technical data whether it's previous uh experiences whether it's things you know from other research we're analyzing all of the data and all of the specific pieces of whatever that problem is whether it's a vulnerability whether it's a break in the application what have you and starting to look at the other pieces and parts that it plays with and then it's also the creation and evaluation of possible outcomes now if we have SQL
injection and we know that we have SQL injection we know that there's certain things that we can take from that we can take data from that in potentially we can get detailed information for the actual server or the version of software that's running we can get a lot of information all just from thinking about what our possible outcomes are and then we get to turn around and we reflect on the things that not only did we come up with that could happen but what the results were when we actually tried that critical thinking is that whole piece that that full circle and understanding how that plays to doing a pentest will make you as a pentester grow uh
exponentially and it keeps that process of being that forefront uh thinkers in the industry so how does this really relate to pen testing well every single day that we're out there we're faced with a changing world we're faced with changing technology we're faced with changing version information from assessing the different types of clients uh and the different types of technologies we have every single problem that a developer has we have every single problem that a bad guy hacker has we have every single problem that a support team has we as a professional have to play the multiple roles and understand that through those multiple roles that uh we're able to actually gain more information and more experience that
will make us grow and fulfill a more full role as a professional pentester down the line so we use tools every day every day whether it's Burp whether it's uh etics whether it's uh metlo whatever it is we use utilities to do our job every single day and one of the things that you know these things do is they do a fantastic job at what they were developed for they do a fantastic job at repetitive tasks they do a fantastic job at cutting the amount of time that we need to spend on specific areas but what do they lack they lack the understanding to look further than just what they were coded to a tool is
only as good as the code itself so understanding where to color Outside the Lines it's one of those ideas that's drilled into us as kids is something that we don't want to do we want to make sure that we stay in the lines and we want to make sure that we stay and understand that we need to work in the constraints of what is what whatever it is it was developed to do whether it's an application whether it's the way that we do things whether it's a script or a specific methodology that we use understanding that we are we are there to follow the the specifics allows us to only go so far so this is dangerous for the future
of information security uh because opponents the ominous them the bad guys uh they're not going to play by the rules they're not going to be the ones that are going to follow a specific methodology every single time they're going to be the ones that are going to look outside that box and they're going to say okay well this developer expected me to go from A to B to Z to C to D and now I'm able to go from A to L to B down all the way to X and when I get there I get it to break they're going to start looking at it and start breaking it apart and looking at
whatever that application is and whatever that uh problem is in the most dynamic and critical thinking way so we need to use tools to accomplish our goals but we have to look past just what's being presented at face value we need to be able to use them but we can't be used by the tools so sometimes it's good to go with the pack you know you understand that you continue the same way you go the same and do the same things that it was in the past you follow the instructions uh you perform your tasks you keep the wheel turning and uh you know you never question the why or how because it's
dangerous right once you start asking questions or once you start breaking from that stride something might break right well we need to use every aspect of our abilities to strive to be more and strive to look outside of what we're presented so black hats the bad guys the real black hats out there are probably the upper echelon of critical thinkers they are the ones that sit every single day and try to figure out how to overcome everything that you're doing you know and will an attacker do things that are expected sometimes sure you know there's certain things that most attackers will do to start that process but the best ones are the ones that are not going to
you know abide by some kind of scope they're going to start looking at that application they're going to ask that question why how and when and where from the moment that they look at whatever it is whether it's a network whether it's a system whether it's application so um they look at what they can touch how they touch it where it comes into play and the importance of each one of those pieces so why why does this really happen so if we take a look at at security itself and applications uh you know security defects are pretty much baked into the applications themselves so security can be bolted on and built on as an afterthought a secondary thought and
even you know sometimes not even thought of at all even in departments that want to audit web applications that spend millions of dollars every year um lack effective tools and have impractical ways of managing monitoring remediating a lot of these issues so as a result you have your intended functionality which is developed by your development teams these are the coded-in functions this is that business functionality and then you have the actual functionality so in a real world you have the way that it's expected to work right and you have the uh the way that it works is the only way it's ever going to work well if we look at the real world
right you have your intended functionality you have that developer that team that spent their time their efforts to create an application that did one specific task that task was to do XYZ whether it's to process bank information whether it's to act as a social media site they've built that out we have the actual functionality okay you have the things that work the things that don't and there's certain versions of those breaks and those problems that are overlapping you have your working features this is everything that the developer intended to work and then you have all the things that actually work right and this is the stuff that works flawlessly you can do your post you can do your updates you
can do everything well the functional defects are breaks within the actual technology so this is going to be something like um you know a SQL injection on that page because that application is passing clear SQL queries in the back end you then have your security defects these are going to be the way the application processes uh certain functions this is going to be your business logic breaks once we understand that every application from the time that it comes out has flaws in it we can start looking at the way that those classic or those repeatable issues can be applied as we move through each one of our tests and when we start thinking about how we can
apply that we start thinking about those whys those whens those hows those wheres much sooner in the process this allows us to gain the best concrete footing to take that next step so where really does uh security fall security falls across the entire gamut and it doesn't matter if you're doing a pen test that deals specifically with networks it doesn't matter if you're doing a pen test that specifically deals with applications there's vulnerabilities that fall within each and every single one of these groups and when you start looking at all of the different pieces from the things that organizations have to keep up you can start to see how all of a sudden it
becomes overwhelming if an organization was specifically focused on an application had one vulnerability and that was the only thing that they had to worry about and deal with across their information security life cycle how easy would it be for them to secure that one vulnerability across everything they own be pretty easy right they know where to focus they know exactly where they're going to deploy their money they know exactly how to deploy their money it's very easy to define and determine once you start looking at all the differences when you start looking at network security when you start looking at host and server level security when you start looking at
application security organizations today don't understand how each one of those kind of plays together once you start getting into some of the larger organizations they may even start breaking out those teams completely separate and cause you know communication gaps so now all of a sudden the infrastructure security team only talks to infrastructure but doesn't talk to the application team you as a pentester know that that application not only interacts with the user but it also interacts with that infrastructure right because the organization needs to provide holes in the firewall to allow that application to get to users they need to determine what servers they need on the backend whether it's SQL or some other database
things like that they need to handle authentication are they going to integrate that with their internal network authentication understanding and a knowing and a knowledge of uh where and how each one of these play to each other really allows us to grow and have and provide that best picture and that best effort as a professional pentester so let's take a look at a real world application here so we got a web page here right Capital One it's got specific functionality what types of things when a user comes here are they going to do apply for credit all right we got what else are they able to do with just what we're looking at
here log in all right so we've got authentication right what else can we do search well we've got location search up there so we've got we've got a point where someone can find an ATM or or a local branch uh anybody else what else can we get mean TR different pages maybe get some information about where those branches are if we're going to start looking maybe at a social engineering engagement so the from this point this is where an attacker starts thinking outside the box if we take a look here this is just an example okay maybe inside the URL line maybe we're able to get information specifically to what sorts of forms or fields or where that
application is pushing data um maybe we can do some brute forcing stuff right we've got login are we able to get uh credentials are we able to do a username Brute Force what are we able to gain uh what about the uh search function and then the uh the actual query function for local uh branches and ATMs we've got SQL injection cross-site scripting right when we start looking at what a user sees and we start saying okay this developer made this app to do X and that's all we look at it as we we start missing the big picture when we start applying critical thinking start thinking outside the box for what these little pieces can do we start to
get a whole new viewpoint and by looking at the application from the standpoint of where can I break it and how can I break it is really going to give us a leg up over um not only just using the utilities and providing just a service to actually becoming that professional pentester and becoming that partner with whoever that organization is so it really is a science versus art kind of um discussion you have your science which is the critical thinking so where does this come from where is that Foo where is that force where is that ninja skill where does that really come from well as much science is
built into everyday life whether it's the way that we apply you know we go to work most of the time we all go to work the same exact way why because we know that it works we know that we know our time we know the data behind it the next part is that art so it took art to figure out what that route was it took time to determine to test which way is the best way to go so the mystical overlap that makes us better testers is that middle ground it's that interacting with or assessing the specific data and applying our experiences our knowledge our information across what we're trying to
do to answer that problem so the ability to look at a problem and ask questions and apply experience above over and outside of its face value is really key to becoming the best pentester that you possibly can but it's also the way to really understand applications and it's what the black you know the bad guys black hats the real attackers are going to do every single day that they try to get into an organization or an application so what is really the difference between uh thinking inside the box versus outside the box what does that mean what does it mean to think inside the box you have boundaries right okay what
else sticking with the norms right this is how we do it we've done it this way forever this works we know it works right anybody else what's that so it's like we said it's using those tried and true practices it's doing what we know works because it works it's relying on the prior experiences to drive exactly what we're doing and not changing from that uh it's having that common understanding and support right because if it's the way that it's been done there's generally support to keep that going and not really look anywhere else because we know it works it's worked for us forever so why should we change how about outside the box what does that mean
innovation
okayed doesn't right it's it's looking at what else can this do what this I understand that this is a search function right I know that it can uh tell me where I need to go but what else can it do anybody else no is everybody falling asleep what's that what if what if right what if I do this what if what will happen asking those questions are going to start giving you much deeper much better answers as far as what type of information what vulnerabilities what breaks what things are there that you can potentially play with as a pentester right so it it's accepting the risk of taking that next step out thinking outside the box can be sometimes scary
right if you all of a sudden know that for the last three years your organization has had A B C and D you've done this on every test but you know when you're on one of these you see something that's just a little bit different you see a better way to do it it can be scary to present that right because all of a sudden you know you're going against the norm you're making a squeaky wheel but the ones that were thinkers those were the ones that actually started this industry they're the ones that fired off and said we know how to break this we thought out of the box from the beginning that's
what drives the pentest and the information security industry so when we experience a problem we go through a natural process okay to determine what the problem is right first we say okay we have a problem and whether that's uh vulnerability whether that's breaking the application whether that's a break in the functionality we have something wrong right next step is to identify specifically what that is all right are we dealing with cross-site scripting are we dealing with a brute force attack against a password field what is the actual problem that we're dealing with the next thing is to start thinking about what else could this problem do okay well we know that
if we put a single tick or single quote in a search field and we get a response from uh the database with a detailed database error what else can we do what can we probably do anybody else if we're getting a detailed error message from a database from a single quote what else can we do anybody we can do other injections right right because we know that that uh database is functioning so that it's processing that SQL statement without any controls right so now maybe we can automate this there's plenty of tools out there that can help us do this but maybe we can start gathering information maybe we can take that next step maybe
we can get what user the application is currently using on that database maybe we can get the specific table or the database that we're sitting in maybe we can start getting actual username and credentials for that application user understanding and looking for those alternative solutions or those alternative um outcomes starts to give us a broader picture of what could come of whatever we just found and then we start to choose and we start to focus on those alternative solutions right if we know that we've got a single quote that causes an error message and we can start getting information well we can start focusing on pulling specific information right we're going to start targeting and
we're going to start using our knowledge and our experience to grab the banners we're going to start grabbing the detailed information specifically for tables and then we're going to go to columns and we're going to go to rows why do we do it like that because I know that when I've done this in the past this works much easier now I'm able to iterate through all of the data at a functional level and then what the next part is actually that action it's implementing that action so now we get sqlmap going now we get sqlninja going I know that I'm specifically going for tables or what have you and we
know that we need to be authenticated right so what do we have to provide we have to provide our session information okay we have to provide our cookie values so we know that if this is what we're going to go after we're going to start thinking about this ahead of time and then once we have everything together then we can evaluate what the risk is right and once we understand where the break is what the problem is we understand the depth and understand what type of knowledge we're able to gain from that and we understand how far we can take it we can create that real world risk we can
communicate that real world risk to that client or that application owner or that system owner to to allow them to understand not only why is this a break where the break is but what could potentially happen right and by actually working with that client or working with that organization you not only become an invaluable resource but you are able to learn through the process and apply that stuff later on in other tests so this really kind of starts to begin with um breaking the left brain and the way the left brain works and the way the right brain works okay so if we look at the left brain left brain follows logical patterns okay it is
objective rather than subjective it is time it is minute by minute it is hour by hour it is very sequenced this is very tool-like it's very computer-like it sees things as true or false black or white it sees the details it sees a specific tree in a forest as opposed to seeing the whole forest as what it is uh it also houses short-term memory okay so this is where all the stuff that you are going through and experiencing each day that short-term memory is all stored in the left brain and it thinks critically perhaps negatively but it's the side that actually asks why okay versus the right brain the right brain follows intuitive hunches this is where the
emotion sits this is where the feeling is uh it creates patterns without following a step-by-step process this is the uh the side that will look further outside the box as opposed to falling in with the guidelines this is the side that colors outside the lines okay it's subjective rather than objective it really looks at the whole piece so instead of viewing like the forest analogy before instead of viewing that single tree it sees that the entire forest is orange so if the entire forest is orange it's probably fall it looks at a much broader and much more open um aspect to whatever the problem is as opposed to the left brain it thinks positively unconstrained by preconceived
ideas it it has no understanding of what the past was but it knows what it feels and it asks why not right cuz there you have the question of why and why will give you an answer but why not can sometimes be a much more difficult question right because if we have something or if we're going to do something and somebody goes well why why did you do it and you respond why not that's that's a much different question you know that's the that's the breaking the rules that's the coloring outside of the box that's that's the way to see what can and what can't be done very very much more than following the rules
right so if anybody was actually trying that there's your there's your answer so you can you can do that with four lines and and not break from the page so what are some of the positives and negatives about thinking outside the box anybody besides what's up there what are the what are the what are the good things about uh thinking outside the box why why is why is it that I'm up here and I'm saying we need to think outside the
box right it's the way the attackers think right it's that you know trying to break something as opposed to building it it's that real world viewpoint of how an attacker is going to go about doing this as opposed to this was developed to do X Y and Z right who else yep you're unpredictable right it creates unpredictability right and by creating that unpredictability and doing something that wasn't developed you're going to probably end up causing a break somewhere those breaks are really what we're looking for okay when we're doing a pen test anybody else
yep right so uh basically you're you're constrained you know if you're inside that box you're constrained by those four corners that's as far as you can go right when you start thinking outside the box all of a sudden you get to that innovation right that that innovation that free thinking that next step that the the future that's that bleeding edge piece of where information security is how about the negative side what's bad about thinking outside the box come on this should be easier than the other question go
ahead
right so so if you actually just live outside that box you're you're not going to end up having a solid footing to stand on you're going to forget about things you're going to forget about little things you know all of a sudden you're so far ahead that those little things from you know 1998 or something like that is going to become a major issue without understanding the history and without applying that uh inside the box that um that understanding that science piece of it you know you're going to not have a full picture and you're not going to be able to grasp onto every piece of it what are what are some of the other
negatives right so outside of the box thinkers don't always focus on what the standards are right they're they're not there to see that that constraint that that process that was put into place to get them to wherever it is right it's much easier to get lost and go on a tangent and find yourself four hours 10 hours eight hours later going I don't even remember how I got here so you know there's a lot of there's a lot of risk and there's a lot of things that are kind of scary when it comes to thinking out of the box but when we start molding and melting both of these types of brains
both of these thinking patterns we can start to apply a much fuller testing uh viewpoint into everything that that we do as a pen tester this is really that real world viewpoint of the the whole problem the the vulnerability assessment the penetration test the exploitation and how that really plays the organization once we have that full spectrum viewpoint we're able to take that next step and we're able to apply that across everything that we do so we begin to apply this to our testing and our vulnerability assessment by understanding the issue right that's their first step once we have the understanding we can define what that problem is uh whether again it's SQL injection or cross-site scripting or
what have you we identify what the vulnerability or the type of problem we are faced with once we understand the problem we can then begin to look at where it is presented right if we have um brute forcing in a login page what are we going to probably look for what are we going to look for if we're going to try to do brute forcing in a login page usernames default usernames what else what else is what else do we use with usernames passwords right all right we're going to start we're going to start to try to enumerate through these if we know that we can submit with no access controls no lockout on a username
and password field we're going to start catering exactly what we're what we're going to do right we're going to start focusing on word lists we're going to start focusing our our text why do why are we going to start focusing this why are we going to start that process of focusing on one thing versus another because of our previous experiences right this is where we're starting to bring those two pieces together so we can begin to look through our resources using Google-fu we can start looking at every possible angle that we can do research on um are there known exploits out there is there only a little bit of information about what we're talking about uh you know where is that problem
and and where is it presented within the application can give us our next step and then we clearly define what we have to do whether this is a fix for it for our builders or whether this is the exploit for it as our breakers this is where we really define what our next step is and understand how we go about doing the next process so this is the science side of the of the problem solving this is the science side of when we're applying critical thinking next step is to actually create the ideas this is the art side this is the fun stuff this is the stuff that we get to smile every time
we get to play right so say we have SQL injection again what can we do with that okay if I have SQL injection what can I we're just talking plain old blank old SQL injection no fancy no nothing what what am I able to get from a database if I have SQL injection what kind of information more specific usernames passwords right what okay but generally you're going to get columns table names you're going to get the contents of that information right you're able to get the current user you're able to possibly span into other databases on that database server right there's a lot of information that you can you can get from SQL injection outside of just
causing an error right because that's part of it but being able to understand what that data is and actually use that data is where we start to look at the art of it so once we have our list and we can begin testing and start playing with it and bringing out our paintbrushes right all our tools are paintbrushes this is where the brilliance of not being a tool uh really becomes you know the brightest this is where we can start to see how one piece plays to another if we have a cross-frame or clickjacking uh vulnerability and we have uh cross-site scripting that's also there all you know those might you know cross-frame scripting might be found
as a medium vulnerability on some reports or something you know whereas you might look at some tool and you have cross-site scripting that was gained from there now you start looking at uh the different aspects and how you can bring those together this is where that true uh real world mentality that out of the box thinking comes into play so we know what our experience has and what we've seen in the past we can apply feeling right how many tools out there can can apply feeling none that's a human quality so if we see something and we see the way that an application is interacting and time after time we see something that just doesn't look right
sometimes we'll get a feeling and start chasing down and start looking at that specific problem because we might think that there's something there good or bad you may get lost down you know in that world of out of the box for a while but it allows us to think about and get an idea outside of just what that technical data is so to understand what we see and to be able to act on it without requiring a script or play-by-play instructions separates great testers from everyone else the ability to look outside the box and not have to go step by step is really what makes great testers versus everyone else they it's what differentiates those
black hats that are successful that aren't sitting in a jail cell somewhere from everybody else this is where our experience our feeling our thoughts directly interact with that science of our data okay uh to understand what we see and to be able to act on it without requiring all that is going to make us that much better that much higher level that much more full tester as a whole so and then once we have our data right we have all of our data we have our feelings we have our ideas we have the understanding of both sides this is where we start the learning phase this is where we can understand what we have what the risk and the impact is we
can determine whether the impact is going to cost the organization money or if it's just going to hit users or what have you we can determine what problems need to be fixed right this is where we can work to decide if this if this level of risk is acceptable or if it doesn't pose that big of an impact if it's exploited this is also where we get to take the knowledge from our experiences and plan how we go to the next step so all of a sudden we've had this done we we've worked with an organization we've done the pen test and we've got we now have to work with them to figure out how to remediate that and by
understanding not only the fact of that break and not only understanding the the the problem and everything but understanding that remediation will give you a much deeper knowledge and a much deeper understanding as as a pentester that will again play into your next test play into your next experiences so this is all common sense stuff right right I mean we all do this anyway we spend why spend the last you know 50 minutes talking about this this is stuff that we should know normally well the way that the world works today is about speed and lowest cost and thought is expensive thinking outside the box thinking of new ways thinking of innovation is expensive every security vendor out
there will have some sort of marketing piece about how fast and how cheap they can find every vulnerability in in your organization every vulnerability in your application right they have the methodology down to a science that they know that they can repeat everything time after time after time after time after time it's the way that the security industry is going so it's that that cost that that value that um that speed versus cost initiative is going to start pushing the thinkers away because all of a sudden if you start forcing that in the in the box thinking in an industry that was developed and and started by out-of-the-box thinkers it starts closing that box off so the
information security industry was made by those blazing new trails daring to think for themselves they were the critical thinkers they were the the road pavers you know it's much harder to make your own road okay but to take that step to go all the way into that dark point at the horizon who knows where you're going to get right and it takes somebody with some balls to actually make that step but that's why we love to do what we do so much right that's why for each and every one of us that are in the uh information security industry this isn't just a hobby it's not just a job it's not just a career
this all started as a passion for something for figuring out something for finding the problem finding that answer to why and why not that's why we got into the industry so it's it's a love of that game right that's why we're all here this whole thing is just a big game whether you're playing cat and mouse against you and every other attacker out there or trying to figure out all the puzzle pieces to whatever application uh security assessment that you're doing it's all a game so how do I become a critical thinker okay how how do we go from looking at everything in black and white to starting to take that step outside of the box first it's asking those
pertinent questions it's asking it not only of you but using your resources ask those around you ask those other people use use the internet we I mean most of us were born on the internet they it's it's there as a resource as much as as it can be you know junk assessing statements and arguments things that you know a client might say about the way that a vulnerability was found or something that was reported understanding the flip side of that and why an organization might see something as important might give you another viewpoint developing a sense of observation and curiosity again that why why not right we start asking both of those questions and you start to get a
much bigger picture and and everything starts opening up examine the beliefs right examine what those assumptions those opinions those feelings assess what those mean not only to when you're making that question or when you're making that assessment or assumption but see look at those other options and what else could happen within that by listening carefully listening is one of the key things that um a lot of critical thinkers do extremely well to listen to hear is almost more important if not more important than trying to define or trying to figure it out for yourself by placing your words over something if you can ask somebody else's opinion ask somebody else's viewpoint and find out
that information and then you can take all of those different viewpoints and figure out a middle ground you'll be at a much better place than if you were just there solely trying to define something it goes without saying observing it with an open mind if you observe something or if you look at something with an open mind you're able to look at many many many different aspects as opposed to something just for what it is share the ideas open that up so you say okay here's my ideas this is what I think is the problem this is what I think can go and let others and take that other people's opinions or perspective into play because the way
that you see it you know and you apply 100,000 different viewpoints use a forum or if you have a specific team you know made up of four or five people use those other viewpoints to try to get to that or to get to that point where you can get to an answer all of a sudden it might be a much bigger picture than just whatever you saw at first at face value and engage in active reading and listening active reading and listening always being that learner always trying to strive to gain more knowledge that's going to make you the best critical thinker and always trying to get to that next step which is really that passion
that I was talking about that's going to make you the best pentester out there so thinking outside the box the the critical thinking this is what drives us this is what truly fuels every piece of our industry every piece of our passion we just need to make sure that we're always asking those questions right striving to find out what striving to find out why how why uh and make sure we fight to make sure that the information security industry really is that bleeding edge uh leader as a supporter for for critical thinkers the more we standardize the more we script the more that uh we constrict the industry down to cost time streamlining the farther behind the real world threat
we become if we don't stir the emotion and fuel the thinkers and hackers and crackers and everyone out there in a form or function that they can process and they can work they will find an outlet for their creativity and their tools and talents somewhere they can either be on our side or we can we can end up playing this game against them so pen testing hacking information security it's not about being in the box it's not about following the leader it and it's not about and doing it the way that that we have always done it it's it's not about sitting there and sitting here just thinking about it and it's about doing it it's about taking that next
step being a critical thinker being a leader the next ninja is in your hands you guys are the future of the information security industry every single one of you sitting here believe and love what you do for real because that's going to be the the passion that truly drives the information security industry that's where the future is if we let the streamlined we let the the box constrain and hold the information security industry it's going to go one place and that's only into those corners be that critical thinker you know when you make a mistake learn from the mistake a mistake is only a mistake if you didn't learn something from it if it was if it was a mistake and you actually
took something and you learned something it's research it's not a mistake right so I want to come here and as much as I enjoy hearing myself talk I mean obviously I've been doing this for a little while now so you know this is this is all about me and it's not about you guys I know but uh I want to come next year and I want to see you guys your guys' talks you know you guys are the industry leaders you are the ones that drive where this goes you're the ones that are going to make those next steps and be the leaders in the information security industry it's not anybody that's here today it's it's
where it's going tomorrow you know the future really is uh the ninjas it's it's where you guys want to go you are all the future ninjas whether you're up here now whether you're up here in the future you drive that so I want to thank you guys for spending the last you know hour with me putting up with me up here droning on um and uh really truly it if we apply critical thinking and and we think outside the box and we start to not only mold that with the science of it we're going to have an industry that will go on forever but actually stand a chance so any questions or anything uh these are my uh
details feel free to send me an email question hit me up on Twitter what have you um I try to get to it as much as possible anybody have any questions in here right now no everyone sleeping I would be too all right thank you guys very much it's been a pleasure to be [Applause] here