
7MS #386: Interview with Ryan Manship and Dave Dobrotka - Part 4
11/01/19 • 84 min
SafePass.me is the only enterprise solution to protect organizations against credential stuffing and password spraying attacks. Visit safepass.me for more details, and tell them 7 Minute Security sent you to get a 10% discount!
I'm sorry it took me forever and a day to get this episode up, but I'm thrilled to share part 4 (the final chapter - for now anyways) of my interview with the red team guys, Ryan and Dave!
In today's episode we talk about:
- Running into angry system admins (that are either too fired up or not fired up enough)
- Being wrong without being ashamed
- When is it necessary to make too much noise to get caught during an engagement?
- What are the top 5 tools you run on every engagement?
- How do you deal with monthly test reports indefinitely being a copy/paste of the previous month's report?
- How do you deal with clients who scope things in such a way that the test is almost impossible to conduct?
- How do you deal with colleagues who take findings as their own when they talk with management?
- How do you work with clients who don't know why they want a test - except to check some sort of compliance checkmark?
- What is a typical average time to complete a pentest on a vendor (as part of a third-party vendor assessment)?
- How could a fresh grad get into a red team job?
- What do recruiters look for in candidates seeking red team positions?
- If a red team is able to dump a whole database of hashes or bundle of local machine hashes, should they crack them?
- What do you do when you're contracted for a pentest, but on day one you realize the org is not at all ready for one?
- What's your favorite red team horror story?