Instructor: Every organization has a different risk tolerance threshold. This risk tolerance threshold will become a big point of contention during the planning of the timing, the tempo and the scope of your engagement. If the organization is quite risk averse, you're gonna need to be extra careful not to cause any disruptions to their operations. And therefore, you might have a smaller scope and perform a very tightly controlled engagement. If, however, they have a higher risk tolerance, then the penetration tester may be given more leeway to conduct a larger scope or faster tempo engagement.

Always remember, there are four things that can be done with risk: avoid, transfer, mitigate and accept. If an organization wants to avoid risk, they're gonna tightly control the engagement, including the scope and the tempo. If they wanna transfer the risk, they may wanna move the risk to another entity, such as making the penetration tester sign an agreement that states that if a system crashes during the assessment, the penetration tester is gonna be responsible for getting it fixed and paying for any damages. Or they may want us to mitigate the risk by only allowing the penetration tester to conduct that assessment during certain times, or they'll exclude testing from occurring on certain days, such as during peak business hours. The organization can also simply accept the risk. If they have a high enough risk tolerance, that organization may just say, "Go ahead and start your penetration test anytime. We're willing to accept the risk of any downtime that you might cause."

Now, with the risk tolerance and the restrictions agreed upon by both the penetration tester and the client, it's now gonna be important to determine the exact impact of this tolerance and ensure that the organization understands it as well. You're gonna have to answer the question of what is the impact to operations if things go wrong. For example, if we begin a penetration test and we cause a server to trip offline, how is that going to affect the company? They're gonna have to consider this in their risk calculus by balancing the needs of conducting a full assessment against their needs to continue their business operations. As a part of this, they may exclude certain things from the scope of the engagement too. For example, if I hired you as a penetration tester, I might create a scope for you to test my company's internal network storage servers, our web servers, our internet connection, and all of our physical security, but I might specifically exclude our email servers, our e-commerce servers, our public databases and our public Wi-Fi. Now that you understand your restrictions, you can then go and plan and build the engagement plan with those specific scoping limitations in mind. These different restrictions are gonna be placed upon you because of the risk that I, as your customer, am willing to accept during this particular engagement.

Now, your client organization's risk tolerance will directly affect the scope of our assessment, but it will also impact our schedule and timing. How long will we be on the network conducting your assessment? Will the organizational network defenders be informed ahead of time of your schedule? Perhaps they're gonna know that the penetration tester was hired and they're gonna attack some time within the next three months, or maybe they're being provided with the exact date and hour for the attack window to occur. This, again, is negotiated during your engagement's planning and scoping phases. If the organization wants the penetration tester to participate as part of a red team/blue team engagement, then the defenders should be aware that the red team is planning to attack. However, if you wanna simulate a true threat actor during a penetration test, the defenders probably shouldn't be aware of that schedule or even that a penetration tester has been hired, but this, again, is up to the organization who hires you for that engagement. Once we identify any time and date restrictions, client stakeholder negotiations, and the total list of included and excluded targets, we can then build a schedule with the organization's trusted agent to decide how and when the penetration test is going to occur.

Finally, you need to be wary of scope creep. This occurs when a client starts asking for more services than what was originally listed in a statement of work. If, for instance, we agreed to do 10 servers at the time of signing the contract and drafting up the scope of work, but now, halfway through the assessment, you come back and ask us to scan another five servers, well, that's a big change in scope because it's a 50% increase. Also, this is gonna cost us additional time and resources. I recommend that you always place a contract in your master service agreement and your statement of work that either states that all changes must be submitted as an addendum to the contract or includes a prearranged cost for expansion beyond the initial scope. Both of these measures will help to control scope creep from occurring during your engagements. Now remember, while it's easy for the organization to simply ask for us to scan another five servers, for example, they are gonna stop and think about that before they do it if you're telling them that each additional server will cost them another $1,000, or whatever the value has been set inside of that master service agreement or scope of work. This, again, helps keep scope creep from occurring, and it helps keep it from becoming excessive during your engagements. Anytime there is scope creep, document it as a change order to the statement of work. Make it clear to your client by stating how long it's gonna take, the resources necessary, and the additional cost to make that change to the scope occur.

In addition to the client organization's requirements, there's also gonna be some restrictions that are placed upon you based on the location of the client organization, the location of the penetration tester, or the location of the third-party hosted services that may be in the scope of an engagement. Remember, each country, state, city and town has their own regulations and laws that could affect your penetration test. Now, we're not gonna cover every law in this lesson, but instead, you need to be aware of the fact that there are restrictions out there based on the different locations involved in a given penetration test. For example, if you're conducting a penetration test in Europe, you need to be aware of the GDPR regulations and your requirement to adhere to proper data handling techniques for any data you obtain during the testing, because it could contain privileged personally identifiable information on that organization's customers or users. There are some countries that actually view minor actions like port scanning and vulnerability scanning as a form of illegal hacking. Again, before you start an engagement, it's always best to consult with your lawyer, especially before you accept your contract, to ensure that you can legally perform all the services that you're offering based on the countries and the locations that are gonna be involved in that engagement.

Finally, it's important to understand that even some of our penetration testing tools have restrictions placed upon them by different regulations. The best example of this is the export restrictions placed upon many of our tools due to the United States Export Administration Regulations, known as the EAR. There's also another regulation that was created by 42 participating countries that implements export restrictions on technologies that they consider dual use. This is known as the Wassenaar Arrangement. Now, the United States is actually one of those 42 participating countries as well. This arrangement essentially states that if a technology can be used in both a regular commercial setting and also used as a weapon, then the exportation of that technology may be outlawed by the US government or any of these 42 participating countries. A great example of this is encryption. Encryption is considered a dual-use technology, and it's covered by the Wassenaar Arrangement. For a long time, many proxies could not use strong encryption like 128-bit AES because of this export restriction. If you are using a high level of encryption, you may need to check the restrictions regarding which countries you may not use it from. For example, North Korea, Iran and others are on an export restriction list, and you can't give them that type of technology. Another example is Wireshark, which is a powerful open-source protocol analysis tool that can decrypt many different types of encryption protocols like IPSec, Kerberos, SSL and TLS. In some locations, it can be illegal to use a cell phone jammer, a Wi-Fi jammer, or even a lock-picking set as part of your penetration test. As you can see, many of our penetration testing tools can also be considered surveillance tools or weapons under this Wassenaar Arrangement, and therefore, they're gonna fall under an export restriction. So it's important to consider this when you're dealing with your international clients, because otherwise you could be subject to fines, fees, or even imprisonment for violating these export controls. Again, this is a case where consulting your attorney to ensure you stay out of trouble is well worth the attorney's consultation fee.