Guests: Ed Skoudis, Alex Horan, Ron Gula, Weasel

Once upon a time a big bad pen tester gets a contract with 3 little pigs, Inc. On the first test, he huffs, and he puffs and blows down the network made of straw. On the next test, you build it out of sticks, and you get the same result (everyone now, he huffs and he puffs and he…). On the next test, you build your network out of bricks, and the big bad pen tester shows up with a wrecking ball, knocks down the house and presents you with an invoice.

(strange sci-fi sound)

In a parallel universe, the big bad pen tester contracts with 3 little pigs inc. The first test the straw house gets knocked down rather fast. But 3 little pigs Inc. gets a report outlining the weaknesses in construction along with recommendations for improvement. The knocking down of the house was a mere simulation, and they are given an opportunity to add a layer to the network, of sticks. The next test the big pad pen tester has to huff and puff, and huff and puff again, simulating another network destruction. No harm is really done, so the process repeats, until a wall of bricks is built. Now the only big bad person able to get through has to really work at it, too much huffing and puffing, and decides to go rob the three little bears instead, using their APT, and eating their IP.

What benefits to you receive from a "good" penetration test and what are the qualities of a "good" penetration test? If someone were to give you a "penetration test", then run a couple of automated tools and provide the stock report, is this a bad thing in all cases? If we don't test our defenses in a controlled experiment, how do we really know they work? Lets say a penetration tester is conducting an internal penetration test, and finds out quickly that more than 50 servers have missing patches for vulnerabilities that lead to a reliable shell. What is the benefit of the penetration test from this point?