Abstract

The objective of this chapter is to understand that ninja had a very specific type of skillset, intended to keep them alive and successful in their era. At first glance, the application of ninja techniques, training, and ethics to penetration testing seems inappropriate to many within information system security. However, traditional methods of conducting penetration testing face some significant, and potentially insurmountable, obstacles in determining the effectiveness of a network's security posture and the efficacy of security training and policies designed to reduce the risk of compromise. Current penetration test methodologies are not designed to teach unconventional methods of attack, which often are the most successful in infiltrating a network and avoiding detection; this makes unorthodox attacks the most dangerous to an organization, especially when conducted by those with malicious intent. Truly understanding the risks faced by an organization requires a unique type of penetration test, in which the penetration test engineer must be capable of examining attack vectors that are unconventional and radical. This in turn requires the organization to perform threat modeling against all systems, including those that were created “in-house.” Once these threat models are understood, there must be unique ethical standards placed on the engineer; “best practices” and societal constraints imposed on the engineer (without truly examining the impact of those constraints on the engineer's ability to successfully detect risks) could significantly hamper the engineer's effectiveness, leaving corporations and countries exposed to real and exploitable vulnerabilities.
By looking back into history and identifying commonalities between professional penetration testing and the ninja's mission of subverting the enemy's efforts through strategic employment of espionage, unconventional warfare, and guerilla warfare without detection, one can improve the ability to detect flaws within our client's overall security posture, thus making the family, community, and homeland safer.
