Hackers, Security Pros Talk Penetration Testing, Social Engineering
CIO.com goes undercover (sort of) at GrrCon, the Midwest's premier conference on penetration testing and software security, to learn about cloud security, hacking, lock picking and more.
Wed, October 24, 2012
You may not have heard of GrrCon, the Grand Rapids, Mich.-based hacking and penetration testing conference. The event drew 850 attendees in this, its second year, charging as little as $85 per attendee—or $280 for the "VIP Pass" that gave attendees a front-row seat (and power cords) at the keynotes and access to ping pong, foosball, video games and snacks in the speakers' lounge.
Best Defense Against Hackers: Good Offense
The conference brought together security professionals to talk about how to harden systems and detect intrusions, how to conduct penetration testing, and how to teach the attack techniques used to compromise and gain access to a system.
In a twist, the opening keynote speaker, Kevin Johnson of Secure Ideas (motto: "Professionally Evil"), is unable to attend, so a pseudo-anonymous hacker known as "atlas of D00m" gives the talk in his place. By the end of the talk, I am honestly not sure if Johnson is atlas—and I am not about to try the local "free" wireless to find out.
His main point: penetration testing needs to happen, and it should be folded into an overall security policy. In other words, pen testing will find defects, and, when testing occurs again in six months, those defects should not show up again because they have been fixed. In addition, "atlas" points out that compromised users are embarrassed users and will be the biggest advocates for security in the organization for the foreseeable future.
After the keynote, I check out the lockpicking demonstration. The conference set up a table with free lockpicking tools and held a competition the following day.
In addition, there's a penetration testing "capture the flag" contest. Kurt Rhoades, a local IT technician, shows me how he is using BackTrack Linux and a tool called Nmap to discover servers on the private network. After discovering the servers' IP addresses, he uses Nmap again to scan their ports and identify open services, then Metasploit to find and run attacks against them.