Overview
A guide to penetration testing Identity and Access Management (IAM) systems, presented as a 58-minute conference talk at BSides Cleveland 2018. The talk opens with lessons learned from a decade of data breaches, an analysis of the IAM attack surface, and an eight-step pen testing process. It then walks through the user lifecycle and who traditionally owns each stage, OSINT gathering (including document metadata), password spraying, social engineering attack scenarios, and the risks in password self-service and self-registration flows. The defensive half covers analyzing and reducing the external attack surface, tightening admin privileges, treating detection as the priority, using misdirection against attackers, and getting the fundamentals right.
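The overview pairs password spraying with detection as the priority. The following is an added example, not material from the talk or from BSides Cleveland: a small detector that reads constructed authentication log lines and flags a source that fails logins against many distinct accounts within a time window (the spray pattern), while ignoring a source that hammers a single account (classic brute force, which a lockout policy already catches). The log format, field names, IP addresses, usernames and thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format; not real data).
# 203.0.113.7 tries one guess against five accounts and lands on the fifth;
# 198.51.100.4 hammers a single account; 192.0.2.9 is a lone failure.
SAMPLE_LOG = """\
2018-06-23T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-06-23T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2018-06-23T10:00:05Z src=203.0.113.7 user=carol result=FAIL
2018-06-23T10:00:07Z src=203.0.113.7 user=dave result=FAIL
2018-06-23T10:00:09Z src=203.0.113.7 user=erin result=SUCCESS
2018-06-23T10:00:11Z src=198.51.100.4 user=frank result=FAIL
2018-06-23T10:00:12Z src=198.51.100.4 user=frank result=FAIL
2018-06-23T10:00:13Z src=198.51.100.4 user=frank result=FAIL
2018-06-23T10:00:14Z src=198.51.100.4 user=frank result=FAIL
2018-06-23T10:00:15Z src=198.51.100.4 user=frank result=FAIL
2018-06-23T11:30:00Z src=192.0.2.9 user=grace result=FAIL
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into (ts, src, user, result)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["src"], kv["user"], kv["result"]


def detect_password_spray(log_text, window=timedelta(minutes=30), min_users=4):
    """Return {src: set_of_targeted_users} for every source whose failed logins
    touch at least `min_users` distinct accounts inside any `window`.

    Counting distinct users rather than raw failures is what separates a spray
    (one password, many accounts, low per-account rate) from a brute force
    (many passwords, one account), which this rule deliberately does not flag.
    """
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = hits.get(src, set()) | users
    return hits


def successes_from_sprayers(log_text, **kw):
    """List (src, user) for successful logins from a source already flagged as
    spraying: the account the spray actually got into, which is the alert
    that matters most to incident response."""
    sprayers = detect_password_spray(log_text, **kw)
    found = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, user, result = parse_line(line)
        if result == "SUCCESS" and src in sprayers:
            found.append((src, user))
    return found


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {sorted(users)}")
    for src, user in successes_from_sprayers(SAMPLE_LOG):
        print(f"spray from {src} succeeded against {user}")
```

In production the same logic runs over the identity provider's sign-in logs with the window and threshold tuned to the tenant's normal failure rate; the second function is the one to page on, because a spray that has already succeeded is a compromised account, not an attempted one.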
Syllabus
Intro
FS: LESSONS LEARNED FROM A DECADE OF DATA BREACHES
LET'S TALK ATTACK SURFACE
PEN TESTING TEN EIGHT STEP PROCESS
TLA'S AND FLA'S
USER LIFECYCLE
WHO (TRADITIONALLY) DOES WHAT!
OSINT GATHERING
DOCUMENT METADATA
WHAT ARE WE LOOKING FOR AGAIN?
PASSWORD SPRAYING
SOCIAL ENGINEERING (SE)
SE ATTACK SCENARIOS
PASSWORD SELF-SERVICE
SELF-REGISTRATION
ANALYZE YOUR EXTERNAL ATTACK SURFACE
REDUCE SAID ATTACK SURFACE
TIGHTEN UP ADMIN PRIVILEGES
DETECTION IS KING
MISDIRECTION
FUNDAMENTALS FTW