So why do we try to teach our young hackers with lack of imagination? Because being the Dungeon Master is hard work, takes time/passion and a deep understanding of 'the rules'. Gamification, while a nasty buzzword, does have applications to the real world of penetration testing.
The Real World...Doesn't Have to Be Like This |
First The Problem
The most often compliant I hear about 'bad pentesting' is the lack of real world context or just a basic Nessus report (*shudder*). Other problems include- Too Many Constraints
- "We want a pentest, just without client side attacks, web app, social engineering, physical attacks, phishing, etc.
- Generic Technical Skills
- IT folks trying to test, enterprise folks trying to test non-enterprise
- Pentests That Aren't
- Check the box pentests (to meet NIST, whatever)
- Vulnerability assessments called pentests (buzzword)
Gaming Mindset As a Solution
There are a number of benefits that both directly and indirectly common pentest problems. Mainly, it allows the tester to elevate themselves above that of 'button pusher' and become more involved. The tester/player now takes into context:
- The System Environment - The Game World
- The Users / Admin / Attacker - The Cast
- The Team Leads (Target and Team) - The Dungeon Masters
From here, your newbie sword of pwnage that knocks over the imp outside the castle gates can have a tangible relation to the overall quest/campaign.
HAIL! You Do 67 dmg. Imp Vaporizes |
Tomorrow I'll delve into the bag of cats that is my mindmap on this, introducing concepts of campaigning, setting, quests, NPC, PCs, and raids? Going to be fun.
LFM Mage Spec'd Metasploit
It is truly a well-researched content and excellent wording. I got so engaged in this material that I couldn’t wait reading. I am impressed with your work and skill. Thanks. Brass Dice
ReplyDelete