Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,240 --> 00:00:01,589 Speaker: Once the rules of engagement 2 00:00:01,589 --> 00:00:02,850 have been agreed upon, 3 00:00:02,850 --> 00:00:05,070 the type of assessment and strategy chosen 4 00:00:05,070 --> 00:00:07,440 and the scope has been defined and identified, 5 00:00:07,440 --> 00:00:08,790 it's now time to validate 6 00:00:08,790 --> 00:00:11,010 the scope of the engagement with the client. 7 00:00:11,010 --> 00:00:12,510 Validating the scope of the engagement 8 00:00:12,510 --> 00:00:14,610 involves confirming all of the requirements, 9 00:00:14,610 --> 00:00:17,100 the scope and the details of the engagement 10 00:00:17,100 --> 00:00:19,410 before you gain final approval and permission 11 00:00:19,410 --> 00:00:20,730 to move into the next phase 12 00:00:20,730 --> 00:00:22,230 and conduct information gathering 13 00:00:22,230 --> 00:00:24,180 and vulnerability scanning. 14 00:00:24,180 --> 00:00:26,820 Your penetration testing team should always ensure 15 00:00:26,820 --> 00:00:28,920 that the target organization has a good set 16 00:00:28,920 --> 00:00:31,860 of system backups and recovery procedures as well. 17 00:00:31,860 --> 00:00:33,420 This way, you can ensure that 18 00:00:33,420 --> 00:00:35,790 if something goes very wrong during the engagement, 19 00:00:35,790 --> 00:00:37,980 a partial or full recovery can be performed 20 00:00:37,980 --> 00:00:39,870 to restore operations. 21 00:00:39,870 --> 00:00:41,700 During the validation of the scope, 22 00:00:41,700 --> 00:00:44,400 your team should also verify that they know who to contact 23 00:00:44,400 --> 00:00:47,370 within the client organization if something goes wrong, 24 00:00:47,370 --> 00:00:50,310 something needs to be deconflicted, or if they discover 25 00:00:50,310 --> 00:00:53,100 an exceptionally high risk vulnerability. 26 00:00:53,100 --> 00:00:54,960 When you're validating the scope of the engagement 27 00:00:54,960 --> 00:00:57,810 with the client, you should also review all of the key areas 28 00:00:57,810 --> 00:01:00,420 from the statement of work and the rules of engagement 29 00:01:00,420 --> 00:01:02,880 to ensure that there are no areas of confusion. 30 00:01:02,880 --> 00:01:05,580 This will include a thorough review of several items 31 00:01:05,580 --> 00:01:08,700 including the scope and the in-scope target assets, 32 00:01:08,700 --> 00:01:10,170 what is excluded from the scope 33 00:01:10,170 --> 00:01:12,300 and what's considered out of bounds, 34 00:01:12,300 --> 00:01:14,910 what strategy will be used such as an unknown, 35 00:01:14,910 --> 00:01:17,580 partially known or known environment test, 36 00:01:17,580 --> 00:01:19,680 what the timeline will be for any testing, 37 00:01:19,680 --> 00:01:22,710 as well as any constraints placed upon your working hours, 38 00:01:22,710 --> 00:01:24,450 any restrictions or applicable laws 39 00:01:24,450 --> 00:01:26,220 that will apply to this engagement 40 00:01:26,220 --> 00:01:29,190 as well as any third party service providers, services 41 00:01:29,190 --> 00:01:31,470 or off-site locations that are being considered. 42 00:01:31,470 --> 00:01:34,200 And finally, the proper communication channels to use 43 00:01:34,200 --> 00:01:36,450 during the assessment in order to provide updates 44 00:01:36,450 --> 00:01:38,100 to key stakeholders. 45 00:01:38,100 --> 00:01:40,830 Now, once we have our discussion with the organization, 46 00:01:40,830 --> 00:01:42,840 we're going to find that certain applications, 47 00:01:42,840 --> 00:01:45,930 systems, networks and even users may be placed 48 00:01:45,930 --> 00:01:49,500 on the allowed or excluded target list for the engagement. 49 00:01:49,500 --> 00:01:52,440 Now, an allowed list contains a list of authorized targets 50 00:01:52,440 --> 00:01:54,150 while an excluded list contains a list 51 00:01:54,150 --> 00:01:56,460 of unauthorized targets that we can't go after 52 00:01:56,460 --> 00:01:58,020 during our engagement. 53 00:01:58,020 --> 00:02:00,960 Many organizations have numerous boundary defenses 54 00:02:00,960 --> 00:02:03,030 such as unified threat management systems, 55 00:02:03,030 --> 00:02:05,460 firewalls, intrusion prevention systems 56 00:02:05,460 --> 00:02:07,320 that could block your access from the internet 57 00:02:07,320 --> 00:02:09,660 when you're conducting a penetration test. 58 00:02:09,660 --> 00:02:12,240 These systems are most commonly used to allow 59 00:02:12,240 --> 00:02:14,880 or prevent outsiders from accessing the network 60 00:02:14,880 --> 00:02:17,250 and operate by listing the IP addresses 61 00:02:17,250 --> 00:02:19,440 or ports in the access control list 62 00:02:19,440 --> 00:02:22,410 as either permitted allowed or denied. 63 00:02:22,410 --> 00:02:24,570 Now, depending on the scope of your assessment, 64 00:02:24,570 --> 00:02:25,860 your target organization 65 00:02:25,860 --> 00:02:28,050 may allow your penetration testing system 66 00:02:28,050 --> 00:02:30,579 to be placed into an allow list to bypass some 67 00:02:30,579 --> 00:02:33,030 or all of these boundary defenses. 68 00:02:33,030 --> 00:02:35,490 For example, if the organization wants you 69 00:02:35,490 --> 00:02:37,320 to conduct an internal assessment, 70 00:02:37,320 --> 00:02:39,780 they might allow you to have a VPN connection directly 71 00:02:39,780 --> 00:02:42,720 into their network by placing you into an allow list 72 00:02:42,720 --> 00:02:44,760 in order to simulate what an insider threat 73 00:02:44,760 --> 00:02:47,220 or authorized user might be able to accomplish 74 00:02:47,220 --> 00:02:48,660 during an attack. 75 00:02:48,660 --> 00:02:51,600 On the other hand, the organization may be more interested 76 00:02:51,600 --> 00:02:54,600 in seeing if you're able to bypass their external firewalls 77 00:02:54,600 --> 00:02:56,340 and their intrusion prevention systems 78 00:02:56,340 --> 00:02:58,110 during an external assessment. 79 00:02:58,110 --> 00:03:00,330 In this case, they're not going to add our systems 80 00:03:00,330 --> 00:03:03,240 to their allow list or allow us to bypass them directly 81 00:03:03,240 --> 00:03:05,640 and instead they'll make us work for it. 82 00:03:05,640 --> 00:03:06,780 Another concern is that 83 00:03:06,780 --> 00:03:08,550 if the organization's network defenders 84 00:03:08,550 --> 00:03:11,670 catch your penetration testing team during your assessment, 85 00:03:11,670 --> 00:03:13,890 they could add your systems to their block list. 86 00:03:13,890 --> 00:03:15,120 And effectively block us 87 00:03:15,120 --> 00:03:17,790 from directly accessing their systems anymore. 88 00:03:17,790 --> 00:03:19,410 This could require us to find a new way 89 00:03:19,410 --> 00:03:21,120 to bypass their boundary defenses 90 00:03:21,120 --> 00:03:23,190 in order to break into that network. 91 00:03:23,190 --> 00:03:25,560 Now, if time is running out during your assessment, 92 00:03:25,560 --> 00:03:27,390 you may need to talk with a trusted agent 93 00:03:27,390 --> 00:03:30,390 within the organization to have them unblock your systems 94 00:03:30,390 --> 00:03:33,300 or even a you to the allow list within the boundary device 95 00:03:33,300 --> 00:03:35,550 so that you can continue to meet the other objectives 96 00:03:35,550 --> 00:03:36,960 of the penetration test 97 00:03:36,960 --> 00:03:39,360 if those boundary devices are becoming too difficult 98 00:03:39,360 --> 00:03:41,310 to bypass or exploit. 99 00:03:41,310 --> 00:03:42,420 This should be accounted for 100 00:03:42,420 --> 00:03:44,070 during your planning for the engagement 101 00:03:44,070 --> 00:03:46,320 by thinking about possible security exceptions 102 00:03:46,320 --> 00:03:49,260 that you may need to ask for as a contingency. 103 00:03:49,260 --> 00:03:51,990 Many organizations have a lot of different security devices 104 00:03:51,990 --> 00:03:54,930 on their networks, including intrusion prevention systems, 105 00:03:54,930 --> 00:03:58,500 web application firewalls, network access control systems, 106 00:03:58,500 --> 00:04:01,140 certificate pinning, and company policies. 107 00:04:01,140 --> 00:04:04,080 Depending on which policies and systems are being utilized, 108 00:04:04,080 --> 00:04:06,720 the penetration tester may need to ask for an exception 109 00:04:06,720 --> 00:04:08,550 to be allowed into one of those systems 110 00:04:08,550 --> 00:04:10,650 to be able to conduct their penetration test 111 00:04:10,650 --> 00:04:13,110 and be able to connect fully to that network. 112 00:04:13,110 --> 00:04:15,390 For example, maybe the penetration tester 113 00:04:15,390 --> 00:04:17,160 was hired to test the application 114 00:04:17,160 --> 00:04:19,079 behind the web application firewall 115 00:04:19,079 --> 00:04:20,910 and not the firewall itself. 116 00:04:20,910 --> 00:04:22,710 In this case, adding an exception 117 00:04:22,710 --> 00:04:25,830 to the web application firewall to allow them to bypass it 118 00:04:25,830 --> 00:04:28,350 would become a reasonable request. 119 00:04:28,350 --> 00:04:30,690 Finally, you need to realize that some networks, 120 00:04:30,690 --> 00:04:33,420 as part of their network access control or NAC, 121 00:04:33,420 --> 00:04:35,790 do require a digital certificate to be installed 122 00:04:35,790 --> 00:04:37,500 on the network device prior to it 123 00:04:37,500 --> 00:04:39,210 being able to connect to the network. 124 00:04:39,210 --> 00:04:41,430 We call this certificate pining. 125 00:04:41,430 --> 00:04:44,250 Now, if they do, you may need to ask the organization 126 00:04:44,250 --> 00:04:45,420 to provide you with an exception 127 00:04:45,420 --> 00:04:47,280 to their certificate pinning policy. 128 00:04:47,280 --> 00:04:49,710 In which case, the organization could provide you, 129 00:04:49,710 --> 00:04:52,260 as the PenTester, an authorized digital certificate 130 00:04:52,260 --> 00:04:54,180 for your workstation in order for you 131 00:04:54,180 --> 00:04:55,410 to connect to their network 132 00:04:55,410 --> 00:04:57,480 without tripping their NAC sensors. 133 00:04:57,480 --> 00:05:00,060 Again, it depends on what they're trying to focus on 134 00:05:00,060 --> 00:05:01,290 during this engagement. 135 00:05:01,290 --> 00:05:03,270 If they're not trying to test the NAC sensor, 136 00:05:03,270 --> 00:05:05,310 it'll be okay to bypass it. 137 00:05:05,310 --> 00:05:06,480 Now, as with a lot of things 138 00:05:06,480 --> 00:05:08,130 in the planning and scoping stages, 139 00:05:08,130 --> 00:05:10,800 there really is no right or wrong answer here. 140 00:05:10,800 --> 00:05:13,200 Other than what you have negotiated and agreed upon 141 00:05:13,200 --> 00:05:14,940 between your penetration testing team 142 00:05:14,940 --> 00:05:16,473 and your client organization. 10995