1
00:00:00,360 --> 00:00:02,430
Instructor: Once the basic planning has been conducted,
2
00:00:02,430 --> 00:00:04,590
it's time for us to begin defining the scope
3
00:00:04,590 --> 00:00:06,510
of the upcoming engagement.
4
00:00:06,510 --> 00:00:08,189
Defining the scope starts broadly
5
00:00:08,189 --> 00:00:09,540
and then gets more detailed
6
00:00:09,540 --> 00:00:12,000
as we go throughout the scoping process.
7
00:00:12,000 --> 00:00:14,970
By properly scoping the engagement, everyone can understand
8
00:00:14,970 --> 00:00:16,860
what to expect during the assessment,
9
00:00:16,860 --> 00:00:19,080
what specific attributes will be included,
10
00:00:19,080 --> 00:00:20,910
and which will be excluded.
11
00:00:20,910 --> 00:00:23,850
This ensures a cost effective penetration test as well
12
00:00:23,850 --> 00:00:25,650
because the team will have a clear idea
13
00:00:25,650 --> 00:00:28,740
of what they should be focusing on during the engagement.
14
00:00:28,740 --> 00:00:29,610
To do this,
15
00:00:29,610 --> 00:00:32,100
the engagement's objectives need to first be well understood
16
00:00:32,100 --> 00:00:34,650
by both the client and the penetration tester,
17
00:00:34,650 --> 00:00:36,510
as it's gonna help define the overall scope
18
00:00:36,510 --> 00:00:37,710
of the assessment.
19
00:00:37,710 --> 00:00:39,990
Once the objectives and goals are understood,
20
00:00:39,990 --> 00:00:41,640
then the penetration tester can work
21
00:00:41,640 --> 00:00:43,740
with the client to determine which networks,
22
00:00:43,740 --> 00:00:46,560
cloud services, and applications are gonna be considered
23
00:00:46,560 --> 00:00:48,390
in scope of the engagement.
24
00:00:48,390 --> 00:00:51,450
First, we have the organization's networks to consider.
25
00:00:51,450 --> 00:00:53,670
These days, networks are difficult to define
26
00:00:53,670 --> 00:00:55,577
because of the rise of deperimeterization
27
00:00:55,577 --> 00:00:57,930
and the migration into the cloud.
28
00:00:57,930 --> 00:01:00,930
In the good old days, networks were much easier to define
29
00:01:00,930 --> 00:01:02,836
because most of the organization's resources
30
00:01:02,836 --> 00:01:05,940
sat behind their edge routers and their firewalls.
31
00:01:05,940 --> 00:01:08,107
So you could easily draw a line in the sand and say,
32
00:01:08,107 --> 00:01:10,620
"This is in scope, and this is out of scope."
33
00:01:10,620 --> 00:01:13,770
Unfortunately, the rise of wireless local area networks,
34
00:01:13,770 --> 00:01:16,440
VPN connections, and the migration into the cloud
35
00:01:16,440 --> 00:01:19,440
has really blurred the lines for us as penetration testers.
36
00:01:19,440 --> 00:01:22,110
So it's really important to take the time to discuss upfront
37
00:01:22,110 --> 00:01:24,690
with your client their exact architecture,
38
00:01:24,690 --> 00:01:27,390
if you're gonna be conducting a known environment test.
39
00:01:27,390 --> 00:01:29,970
Or at the very least, you should have some guidelines
40
00:01:29,970 --> 00:01:32,850
about what is and is not gonna be part of the engagement
41
00:01:32,850 --> 00:01:35,400
if you're doing an unknown environment test.
42
00:01:35,400 --> 00:01:37,380
Now, speaking of the migration to the cloud,
43
00:01:37,380 --> 00:01:38,550
you also need to determine
44
00:01:38,550 --> 00:01:40,723
if the company's cloud assets are gonna be considered
45
00:01:40,723 --> 00:01:43,410
in scope for the engagement as well.
46
00:01:43,410 --> 00:01:45,960
After all, just because you've migrated a server
47
00:01:45,960 --> 00:01:47,430
or service into the cloud,
48
00:01:47,430 --> 00:01:49,980
doesn't mean it's automatically well-protected.
49
00:01:49,980 --> 00:01:52,974
Instead, organizations are now asking penetration testers
50
00:01:52,974 --> 00:01:55,380
to test not only their local networks
51
00:01:55,380 --> 00:01:57,930
but also their cloud-based infrastructures and services
52
00:01:57,930 --> 00:01:59,940
to ensure they're in compliance.
53
00:01:59,940 --> 00:02:02,670
Cloud services are usually divided into categories,
54
00:02:02,670 --> 00:02:04,170
like software as a service,
55
00:02:04,170 --> 00:02:07,290
infrastructure as a service, and platform as a service.
56
00:02:07,290 --> 00:02:09,060
Now, under software as a service,
57
00:02:09,060 --> 00:02:10,380
the service provider is gonna provide
58
00:02:10,380 --> 00:02:13,170
the client organization with a complete solution.
59
00:02:13,170 --> 00:02:15,570
This includes the hardware, the operating system,
60
00:02:15,570 --> 00:02:17,220
and the software applications
61
00:02:17,220 --> 00:02:19,620
that are needed for the services to be delivered.
62
00:02:19,620 --> 00:02:21,508
For example, your target organization
63
00:02:21,508 --> 00:02:24,960
might be using Office 365 from Microsoft.
64
00:02:24,960 --> 00:02:27,390
This is a software as a service solution,
65
00:02:27,390 --> 00:02:30,030
and it allows the end users to access their email,
66
00:02:30,030 --> 00:02:31,986
Word documents, and PowerPoint presentations
67
00:02:31,986 --> 00:02:34,590
directly within their web browsers.
68
00:02:34,590 --> 00:02:36,690
Sometimes, though, an organization wants
69
00:02:36,690 --> 00:02:39,000
to build their entire infrastructure in the cloud,
70
00:02:39,000 --> 00:02:42,510
and for this, they're gonna use infrastructure as a service.
71
00:02:42,510 --> 00:02:45,360
This allows them to get the hardware, the operating system,
72
00:02:45,360 --> 00:02:47,100
and the backend server software
73
00:02:47,100 --> 00:02:49,500
all from the service provider and get the benefit
74
00:02:49,500 --> 00:02:52,140
of dynamic allocation of additional resources,
75
00:02:52,140 --> 00:02:55,260
known as elasticity, whenever they need without the headache
76
00:02:55,260 --> 00:02:57,720
of a long term commitment or buying all that hardware
77
00:02:57,720 --> 00:02:59,940
and operating systems upfront.
78
00:02:59,940 --> 00:03:02,340
For example, an organization might contract
79
00:03:02,340 --> 00:03:04,080
for a new cloud-based web server
80
00:03:04,080 --> 00:03:05,910
to host their company's website on.
81
00:03:05,910 --> 00:03:07,650
The server might be built and hosted
82
00:03:07,650 --> 00:03:10,020
by the cloud service provider and come pre-installed
83
00:03:10,020 --> 00:03:12,990
with something like Linux and an Apache web server.
84
00:03:12,990 --> 00:03:14,520
Now, their web developers
85
00:03:14,520 --> 00:03:16,620
or programmers can create a custom application
86
00:03:16,620 --> 00:03:19,067
for their customers and run it through this web server
87
00:03:19,067 --> 00:03:20,190
without having to worry
88
00:03:20,190 --> 00:03:23,160
about the underlying operating system or hardware.
89
00:03:23,160 --> 00:03:24,870
The final type of service we have
90
00:03:24,870 --> 00:03:26,970
is known as platform as a service.
91
00:03:26,970 --> 00:03:29,460
Under this model, the third party cloud provider
92
00:03:29,460 --> 00:03:31,800
gives the organization the hardware and software
93
00:03:31,800 --> 00:03:34,620
that's needed for a specific service to operate.
94
00:03:34,620 --> 00:03:36,368
For example, let's say your organization
95
00:03:36,368 --> 00:03:38,970
wants to develop a new app for an iPhone,
96
00:03:38,970 --> 00:03:40,729
but they don't own a Mac OS X system
97
00:03:40,729 --> 00:03:42,450
to be able to compile it.
98
00:03:42,450 --> 00:03:44,670
Well, they might lease a development platform
99
00:03:44,670 --> 00:03:46,980
provided by a third party, and that's gonna allow them
100
00:03:46,980 --> 00:03:48,780
to perform this service for them.
101
00:03:48,780 --> 00:03:52,140
This would be considered a platform as a service model.
102
00:03:52,140 --> 00:03:54,510
Now, in summary, when you think about these models,
103
00:03:54,510 --> 00:03:56,520
remember that infrastructure as a service
104
00:03:56,520 --> 00:03:58,470
provides the organization with everything they need
105
00:03:58,470 --> 00:04:01,833
to run a given server, something like power, space,
106
00:04:01,833 --> 00:04:05,460
cooling, networking, firewalls, physical servers,
107
00:04:05,460 --> 00:04:07,200
and a virtualization layer.
108
00:04:07,200 --> 00:04:09,720
With platform as a service, the operating system
109
00:04:09,720 --> 00:04:12,540
and infrastructure are already added into that list as well
110
00:04:12,540 --> 00:04:15,870
as all the things you got with infrastructure as a service.
111
00:04:15,870 --> 00:04:18,209
This might include things like an Apache web server,
112
00:04:18,209 --> 00:04:20,610
MySQL database, programming languages,
113
00:04:20,610 --> 00:04:24,030
or even some custom-built software to help you make things.
114
00:04:24,030 --> 00:04:26,640
Now, the third layer is software as a service,
115
00:04:26,640 --> 00:04:28,800
and this is a hosted application that's added
116
00:04:28,800 --> 00:04:32,070
to the top of the infrastructure and platform portions.
117
00:04:32,070 --> 00:04:34,050
As you can see, software as a service
118
00:04:34,050 --> 00:04:35,760
is much closer to your end user
119
00:04:35,760 --> 00:04:39,150
than either platform or infrastructure as a service.
120
00:04:39,150 --> 00:04:40,290
Now, if the organization
121
00:04:40,290 --> 00:04:42,150
is using infrastructure as a service,
122
00:04:42,150 --> 00:04:43,410
that means they're also gonna have a lot
123
00:04:43,410 --> 00:04:45,300
of virtual machines that are operating out
124
00:04:45,300 --> 00:04:46,950
in the cloud that you may need to consider
125
00:04:46,950 --> 00:04:48,930
as part of your engagement scope.
126
00:04:48,930 --> 00:04:50,640
On the other hand, if they're using something
127
00:04:50,640 --> 00:04:53,122
like platform as a service, then the target organization
128
00:04:53,122 --> 00:04:55,500
may have created their own web applications
129
00:04:55,500 --> 00:04:58,110
and associated application programming interfaces,
130
00:04:58,110 --> 00:05:01,170
known as an API, and those might be in scope.
131
00:05:01,170 --> 00:05:03,000
Now, an application programming interface
132
00:05:03,000 --> 00:05:04,551
is a type of software intermediary
133
00:05:04,551 --> 00:05:07,620
that allows two applications to talk to each other.
134
00:05:07,620 --> 00:05:10,560
For example, every time you use an app like Facebook,
135
00:05:10,560 --> 00:05:11,700
send an instant message,
136
00:05:11,700 --> 00:05:13,500
or check the weather on your smartphone,
137
00:05:13,500 --> 00:05:16,380
you're actually using an API behind the scenes.
138
00:05:16,380 --> 00:05:19,350
For this reason, it's really important to identify any web
139
00:05:19,350 --> 00:05:21,600
or mobile applications that may become part
140
00:05:21,600 --> 00:05:23,340
of the scope of your engagement.
141
00:05:23,340 --> 00:05:25,650
If your team is asked to conduct a penetration test
142
00:05:25,650 --> 00:05:28,110
against the company's web or mobile application,
143
00:05:28,110 --> 00:05:29,010
you should clarify
144
00:05:29,010 --> 00:05:31,560
and define some basic guidelines upfront.
145
00:05:31,560 --> 00:05:33,450
For example, can you ask the client
146
00:05:33,450 --> 00:05:34,770
to provide a discrete volume
147
00:05:34,770 --> 00:05:36,390
of the total number of web pages
148
00:05:36,390 --> 00:05:38,700
that you're gonna be expected to test or analyze?
149
00:05:38,700 --> 00:05:40,860
Or maybe they're gonna give you a percentage.
150
00:05:40,860 --> 00:05:42,780
Let's say you were hired by Facebook.
151
00:05:42,780 --> 00:05:44,760
You would be unable to test their entire website
152
00:05:44,760 --> 00:05:48,210
for every possible page combination, so instead,
153
00:05:48,210 --> 00:05:50,040
they may state that you need to conduct an assessment
154
00:05:50,040 --> 00:05:53,010
on at least 1% of their total pages.
155
00:05:53,010 --> 00:05:55,230
If you're conducting application testing,
156
00:05:55,230 --> 00:05:57,000
you should also ask for the various roles
157
00:05:57,000 --> 00:05:58,860
that are used by that application
158
00:05:58,860 --> 00:06:00,150
and then ask what permission levels
159
00:06:00,150 --> 00:06:01,800
are assigned to each role.
160
00:06:01,800 --> 00:06:03,300
This will allow you to run the assessment
161
00:06:03,300 --> 00:06:05,610
against the application as a regular end user,
162
00:06:05,610 --> 00:06:08,520
a privileged user, or an administrative or root user
163
00:06:08,520 --> 00:06:09,821
to test the effects of what each type
164
00:06:09,821 --> 00:06:13,110
of user can do against that given application.
165
00:06:13,110 --> 00:06:15,144
Personally, I find it best to gather information
166
00:06:15,144 --> 00:06:17,610
on which applications are gonna be tested,
167
00:06:17,610 --> 00:06:19,590
what platforms they're gonna be used on,
168
00:06:19,590 --> 00:06:20,940
and what specific scenarios
169
00:06:20,940 --> 00:06:22,710
the organization is worried about
170
00:06:22,710 --> 00:06:25,140
when you're defining the scope for the engagement.
171
00:06:25,140 --> 00:06:27,720
For example, do they want us to test their web app,
172
00:06:27,720 --> 00:06:29,490
their Android app, or their iPhone app,
173
00:06:29,490 --> 00:06:31,200
or all three of those?
174
00:06:31,200 --> 00:06:32,127
This is important to understand
175
00:06:32,127 --> 00:06:34,579
because doing all three will drastically increase
176
00:06:34,579 --> 00:06:36,750
the scope of the assessment.
177
00:06:36,750 --> 00:06:38,680
The bottom line is that you need to properly identify
178
00:06:38,680 --> 00:06:41,880
what is hosted locally on the organization's network,
179
00:06:41,880 --> 00:06:44,490
what's being hosted in the cloud, and what's being hosted
180
00:06:44,490 --> 00:06:47,310
or processed by a web or mobile application.
181
00:06:47,310 --> 00:06:49,440
Once you identify that, you can then work
182
00:06:49,440 --> 00:06:51,360
on defining a target list with that client
183
00:06:51,360 --> 00:06:53,820
to clearly dictate what assets are in scope
184
00:06:53,820 --> 00:06:54,990
and which ones are out of scope
185
00:06:54,990 --> 00:06:57,369
for your particular engagement.
186
00:06:57,369 --> 00:06:59,779
(light upbeat music)