1
00:00:00,000 --> 00:00:01,290
Instructor: There are many different types
2
00:00:01,290 --> 00:00:03,450
of penetration tests and assessments,
3
00:00:03,450 --> 00:00:06,929
including goals-based, objectives-based, compliance-based,
4
00:00:06,929 --> 00:00:11,070
pre-merger, supply chain, and red team assessments.
5
00:00:11,070 --> 00:00:12,390
A goals-based assessment
6
00:00:12,390 --> 00:00:14,940
is designed with a specific goal in mind.
7
00:00:14,940 --> 00:00:16,980
In this case, the penetration tester
8
00:00:16,980 --> 00:00:19,680
may attempt to find as many unique ways as possible
9
00:00:19,680 --> 00:00:21,540
to achieve that specific goal,
10
00:00:21,540 --> 00:00:22,950
such as breaking into a facility
11
00:00:22,950 --> 00:00:24,960
to test its physical security.
12
00:00:24,960 --> 00:00:26,670
Now, for example, let's say a tester
13
00:00:26,670 --> 00:00:28,590
wants to come in through the front door.
14
00:00:28,590 --> 00:00:29,940
They might use social engineering
15
00:00:29,940 --> 00:00:31,740
and piggyback or tailgate in.
16
00:00:31,740 --> 00:00:33,180
They might jump over a fence
17
00:00:33,180 --> 00:00:35,280
or even pick a lock on the door.
18
00:00:35,280 --> 00:00:36,720
For a goals-based assessment,
19
00:00:36,720 --> 00:00:39,300
it really doesn't matter how they go about doing it
20
00:00:39,300 --> 00:00:40,530
as long as they're successful
21
00:00:40,530 --> 00:00:42,780
in trying to achieve that specific goal.
22
00:00:42,780 --> 00:00:46,710
In this example, gaining physical access to that facility.
23
00:00:46,710 --> 00:00:49,500
Next, we have objective-based assessments.
24
00:00:49,500 --> 00:00:51,210
Now, objective-based assessments
25
00:00:51,210 --> 00:00:53,130
are those where a tester seeks to ensure
26
00:00:53,130 --> 00:00:55,680
that the information remains secure.
27
00:00:55,680 --> 00:00:58,770
If this information is on a file server inside the facility,
28
00:00:58,770 --> 00:01:01,440
then there are many different ways to get that information.
29
00:01:01,440 --> 00:01:03,120
You could break in using physical methods
30
00:01:03,120 --> 00:01:04,410
to steal the hard drive.
31
00:01:04,410 --> 00:01:07,260
You could hack into the server using a server-side exploit.
32
00:01:07,260 --> 00:01:08,970
Or you could even use a phishing attack
33
00:01:08,970 --> 00:01:10,530
to gain access to a system
34
00:01:10,530 --> 00:01:12,900
by having the user click on a malicious link.
35
00:01:12,900 --> 00:01:15,750
Again, it really doesn't matter how we go about it
36
00:01:15,750 --> 00:01:16,770
as long as we make sure
37
00:01:16,770 --> 00:01:18,900
that the objective of the assessment is clear,
38
00:01:18,900 --> 00:01:21,420
ensuring that the information is safe from attack
39
00:01:21,420 --> 00:01:23,460
from as many sides as possible.
40
00:01:23,460 --> 00:01:25,440
For this reason, this type of testing
41
00:01:25,440 --> 00:01:27,270
is more similar to a real attack,
42
00:01:27,270 --> 00:01:29,310
because the penetration tester can be creative
43
00:01:29,310 --> 00:01:31,740
and try various methods for stealing that information.
44
00:01:31,740 --> 00:01:33,600
And really, they only have to be successful
45
00:01:33,600 --> 00:01:34,620
one time or one way
46
00:01:34,620 --> 00:01:37,230
to consider that they have met their objective.
47
00:01:37,230 --> 00:01:38,550
The third type of assessment
48
00:01:38,550 --> 00:01:40,677
is known as a compliance-based assessment,
49
00:01:40,677 --> 00:01:43,710
and this focuses on finding out if policies and regulations
50
00:01:43,710 --> 00:01:45,630
are being properly followed.
51
00:01:45,630 --> 00:01:47,910
This is one of the most common types of penetration tests
52
00:01:47,910 --> 00:01:49,830
that are conducted in our industry.
53
00:01:49,830 --> 00:01:52,860
For example, if an organization takes credit cards,
54
00:01:52,860 --> 00:01:56,010
they have to follow the rules for PCI DSS.
55
00:01:56,010 --> 00:01:57,870
All the major credit card processors
56
00:01:57,870 --> 00:02:00,690
like Visa, MasterCard, and American Express
57
00:02:00,690 --> 00:02:03,300
have all agreed to set up regulations and policies
58
00:02:03,300 --> 00:02:06,060
that require a regular scanning of a checklist of items
59
00:02:06,060 --> 00:02:08,100
if that organization is going to be allowed
60
00:02:08,100 --> 00:02:10,710
to process or store customer credit cards.
61
00:02:10,710 --> 00:02:12,480
In this type of penetration test,
62
00:02:12,480 --> 00:02:14,340
the objectives are clearly defined
63
00:02:14,340 --> 00:02:16,950
and the penetration tester can utilize a checklist
64
00:02:16,950 --> 00:02:19,380
to verify that everything is properly scanned
65
00:02:19,380 --> 00:02:21,150
and found to be secure.
66
00:02:21,150 --> 00:02:24,210
This checklist may include things like password policies,
67
00:02:24,210 --> 00:02:27,540
data isolation policies, limiting network storage access,
68
00:02:27,540 --> 00:02:29,460
key management, and so on.
69
00:02:29,460 --> 00:02:31,080
The objectives are always clearly stated
70
00:02:31,080 --> 00:02:32,490
in this type of a test.
71
00:02:32,490 --> 00:02:34,620
Other examples of compliance-based assessments
72
00:02:34,620 --> 00:02:36,750
include GDPR, HIPAA,
73
00:02:36,750 --> 00:02:40,440
Sarbanes-Oxley, and GLBA compliance audits.
74
00:02:40,440 --> 00:02:43,650
A pre-merger assessment is our fourth type of assessment.
75
00:02:43,650 --> 00:02:45,840
A pre-merger assessment is gonna be conducted
76
00:02:45,840 --> 00:02:47,040
between two companies
77
00:02:47,040 --> 00:02:48,630
before they merge with each other
78
00:02:48,630 --> 00:02:51,420
during a period of time known as due diligence.
79
00:02:51,420 --> 00:02:53,760
During this timeframe, each company is gonna look
80
00:02:53,760 --> 00:02:56,640
at the other company's financial records, personnel records,
81
00:02:56,640 --> 00:02:58,080
and often they'll require
82
00:02:58,080 --> 00:03:00,360
a third-party penetration testing firm
83
00:03:00,360 --> 00:03:02,310
to assess the other company's network,
84
00:03:02,310 --> 00:03:03,810
with their permission, of course,
85
00:03:03,810 --> 00:03:05,610
in order to determine if a merger
86
00:03:05,610 --> 00:03:07,830
and the interconnection of those two networks
87
00:03:07,830 --> 00:03:09,960
could weaken the overall cybersecurity posture
88
00:03:09,960 --> 00:03:11,580
of either company.
89
00:03:11,580 --> 00:03:13,140
Another type of penetration test
90
00:03:13,140 --> 00:03:15,390
is known as a supply chain assessment.
91
00:03:15,390 --> 00:03:17,160
Now, a supply chain assessment occurs
92
00:03:17,160 --> 00:03:19,230
when a company requires its suppliers
93
00:03:19,230 --> 00:03:20,910
to ensure that they've met a given level
94
00:03:20,910 --> 00:03:22,530
of cybersecurity requirements
95
00:03:22,530 --> 00:03:24,480
before you'll do business with them.
96
00:03:24,480 --> 00:03:26,520
As a professional penetration tester,
97
00:03:26,520 --> 00:03:28,320
it's always gonna be important to be careful
98
00:03:28,320 --> 00:03:29,670
with this type of assessment
99
00:03:29,670 --> 00:03:31,920
and gain permission from both the organizations
100
00:03:31,920 --> 00:03:33,240
that are asking for the assessment
101
00:03:33,240 --> 00:03:34,740
and the one you're assessing
102
00:03:34,740 --> 00:03:36,900
prior to conducting that assessment.
103
00:03:36,900 --> 00:03:38,670
As a third-party organization,
104
00:03:38,670 --> 00:03:40,230
that penetration testing company
105
00:03:40,230 --> 00:03:42,930
cannot simply start hacking an organization's supplier
106
00:03:42,930 --> 00:03:44,370
to see if they're secure.
107
00:03:44,370 --> 00:03:46,170
Instead, you must get permission
108
00:03:46,170 --> 00:03:47,580
from the owner of the network,
109
00:03:47,580 --> 00:03:49,890
which in this case would be the supplier,
110
00:03:49,890 --> 00:03:52,020
even though the person who's paying you, your client,
111
00:03:52,020 --> 00:03:54,660
might be the other organization.
112
00:03:54,660 --> 00:03:56,430
If permission is granted, however,
113
00:03:56,430 --> 00:03:58,080
and it's within the bounds of the contract
114
00:03:58,080 --> 00:03:59,310
and the statement of work,
115
00:03:59,310 --> 00:04:00,660
then the penetration tester
116
00:04:00,660 --> 00:04:02,700
should attempt to break into the supply chain
117
00:04:02,700 --> 00:04:05,820
because oftentimes the supply chain is the weakest link
118
00:04:05,820 --> 00:04:08,580
in a large enterprise or organization.
119
00:04:08,580 --> 00:04:12,060
For example, a major retailer, Target, in the United States
120
00:04:12,060 --> 00:04:14,010
actually suffered a major security breach
121
00:04:14,010 --> 00:04:15,990
of their network several years ago.
122
00:04:15,990 --> 00:04:17,490
Instead of the criminal threat actors
123
00:04:17,490 --> 00:04:19,890
going after Target's networks directly though,
124
00:04:19,890 --> 00:04:21,269
they exploited a vulnerability
125
00:04:21,269 --> 00:04:23,250
at one of Target's smaller suppliers,
126
00:04:23,250 --> 00:04:25,380
which was an air-conditioning supply company,
127
00:04:25,380 --> 00:04:27,600
and their network security was much weaker
128
00:04:27,600 --> 00:04:28,770
but it was still interconnected
129
00:04:28,770 --> 00:04:31,470
into the more secure network owned by Target.
130
00:04:31,470 --> 00:04:33,600
Now, criminals are always gonna seek the path
131
00:04:33,600 --> 00:04:34,860
of least resistance,
132
00:04:34,860 --> 00:04:36,720
and therefore it's important to ensure
133
00:04:36,720 --> 00:04:38,160
a high cybersecurity posture
134
00:04:38,160 --> 00:04:40,260
for any organizational network you have
135
00:04:40,260 --> 00:04:42,570
and verify the trustworthiness and security
136
00:04:42,570 --> 00:04:43,813
of any of the supplier networks
137
00:04:43,813 --> 00:04:45,120
that are gonna interconnect
138
00:04:45,120 --> 00:04:47,430
into your organizational network.
139
00:04:47,430 --> 00:04:49,050
The final type of engagement we have
140
00:04:49,050 --> 00:04:50,760
is called a red team assessment,
141
00:04:50,760 --> 00:04:53,070
which is the execution of a penetration test
142
00:04:53,070 --> 00:04:54,690
against the organizational network
143
00:04:54,690 --> 00:04:57,360
by its own internal penetration testers.
144
00:04:57,360 --> 00:05:00,630
These penetration testers are also known as the red team,
145
00:05:00,630 --> 00:05:01,680
and they're gonna be authorized
146
00:05:01,680 --> 00:05:03,390
to conduct security exercises
147
00:05:03,390 --> 00:05:04,800
that are on a production network,
148
00:05:04,800 --> 00:05:07,320
a virtualized environment, or both.
149
00:05:07,320 --> 00:05:09,780
The red team are often considered the offensive side
150
00:05:09,780 --> 00:05:11,370
of the cybersecurity industry,
151
00:05:11,370 --> 00:05:14,340
while our blue team is considered the defensive side.
152
00:05:14,340 --> 00:05:16,560
If the red team is tasked with conducting the assessment
153
00:05:16,560 --> 00:05:18,030
in a virtualized environment,
154
00:05:18,030 --> 00:05:19,860
then the organization is also gonna require
155
00:05:19,860 --> 00:05:22,230
their network defenders and cybersecurity analysts
156
00:05:22,230 --> 00:05:23,370
to connect into that environment
157
00:05:23,370 --> 00:05:25,470
and participate as the defenders
158
00:05:25,470 --> 00:05:27,780
for the engagement as the blue team.
159
00:05:27,780 --> 00:05:29,730
Often, there'll also be a white team
160
00:05:29,730 --> 00:05:31,230
to oversee this engagement,
161
00:05:31,230 --> 00:05:32,490
and they act as the referee
162
00:05:32,490 --> 00:05:34,440
and ensure the red team is playing fairly
163
00:05:34,440 --> 00:05:35,804
as well as determining if the blue team
164
00:05:35,804 --> 00:05:38,190
is able to observe and stop the attacks
165
00:05:38,190 --> 00:05:39,840
that the red team is throwing.
166
00:05:39,840 --> 00:05:42,270
These engagements will serve as a form of war gaming
167
00:05:42,270 --> 00:05:44,400
that allows both the attackers and defenders
168
00:05:44,400 --> 00:05:45,720
to increase their own skill
169
00:05:45,720 --> 00:05:47,790
by conducting and observing real world attacks
170
00:05:47,790 --> 00:05:50,100
in an isolated virtual environment.
171
00:05:50,100 --> 00:05:52,200
Now, once the type of assessment is chosen,
172
00:05:52,200 --> 00:05:53,033
the team will meet
173
00:05:53,033 --> 00:05:54,930
with the client organization's stakeholders
174
00:05:54,930 --> 00:05:56,220
to determine which strategy
175
00:05:56,220 --> 00:05:58,140
they're gonna use during the engagement.
176
00:05:58,140 --> 00:06:00,690
Now, there are three common strategies that we can use.
177
00:06:00,690 --> 00:06:02,580
There is unknown environment testing,
178
00:06:02,580 --> 00:06:04,320
partially known environment testing,
179
00:06:04,320 --> 00:06:06,240
and known environment testing.
180
00:06:06,240 --> 00:06:07,800
An unknown environment test
181
00:06:07,800 --> 00:06:10,050
refers to the assessment where the penetration tester
182
00:06:10,050 --> 00:06:12,450
has no prior knowledge of the target organization
183
00:06:12,450 --> 00:06:13,860
or their network.
184
00:06:13,860 --> 00:06:15,420
This simulates an outside attack
185
00:06:15,420 --> 00:06:17,490
from the perspective of an external hacker
186
00:06:17,490 --> 00:06:20,490
and focuses solely on what an external attacker could see
187
00:06:20,490 --> 00:06:23,220
while completely ignoring an insider threat.
188
00:06:23,220 --> 00:06:25,560
This type of assessment does require more time
189
00:06:25,560 --> 00:06:28,260
and is therefore usually gonna be much more expensive
190
00:06:28,260 --> 00:06:29,640
than a partially known environment
191
00:06:29,640 --> 00:06:31,740
or a known environment assessment.
192
00:06:31,740 --> 00:06:33,510
In an unknown environment test,
193
00:06:33,510 --> 00:06:36,450
the penetration tester is gonna need to spend a lot of time
194
00:06:36,450 --> 00:06:39,210
doing information gathering and vulnerability scanning
195
00:06:39,210 --> 00:06:41,010
in order to learn all about the network
196
00:06:41,010 --> 00:06:43,260
and how to best exploit its weaknesses.
197
00:06:43,260 --> 00:06:45,780
The biggest benefit of an unknown environment test
198
00:06:45,780 --> 00:06:47,040
is that the penetration tester
199
00:06:47,040 --> 00:06:48,630
conducts the entire engagement
200
00:06:48,630 --> 00:06:50,490
as if they were an actual threat actor
201
00:06:50,490 --> 00:06:52,740
by scanning for available network resources,
202
00:06:52,740 --> 00:06:55,680
identifying live hosts, scanning for open ports,
203
00:06:55,680 --> 00:06:57,390
and fingerprinting running services
204
00:06:57,390 --> 00:07:00,150
before they actually exploit any of the assets,
205
00:07:00,150 --> 00:07:03,120
just like a real unauthorized attacker would.
206
00:07:03,120 --> 00:07:04,980
Now, a partially known environment test
207
00:07:04,980 --> 00:07:06,870
is the most common type of assessment,
208
00:07:06,870 --> 00:07:09,660
and it entails partial knowledge of the target organization
209
00:07:09,660 --> 00:07:11,044
and their information systems.
210
00:07:11,044 --> 00:07:13,170
For example, the organization
211
00:07:13,170 --> 00:07:16,020
may provide the penetration tester with their IP range
212
00:07:16,020 --> 00:07:17,970
to ensure they're only probing their networks
213
00:07:17,970 --> 00:07:20,820
and not some other organization's network by mistake.
214
00:07:20,820 --> 00:07:22,410
This type of test may also be used
215
00:07:22,410 --> 00:07:23,730
to simulate an insider threat
216
00:07:23,730 --> 00:07:25,770
who has minimal knowledge of the organization,
217
00:07:25,770 --> 00:07:27,690
like a regular employee would.
218
00:07:27,690 --> 00:07:29,730
For instance, the penetration tester
219
00:07:29,730 --> 00:07:31,380
may be asked to go on site,
220
00:07:31,380 --> 00:07:33,330
they'll be given a username and password,
221
00:07:33,330 --> 00:07:34,920
and they'll be able to conduct their assessment
222
00:07:34,920 --> 00:07:35,790
from the perspective
223
00:07:35,790 --> 00:07:38,730
of an authenticated standard employee user account.
224
00:07:38,730 --> 00:07:41,490
The assessor can then see what kind of data could be taken,
225
00:07:41,490 --> 00:07:43,770
what servers are subject to privilege escalation,
226
00:07:43,770 --> 00:07:45,480
and other types of issues that are common
227
00:07:45,480 --> 00:07:47,100
to insider threats.
228
00:07:47,100 --> 00:07:48,600
A partially known environment test
229
00:07:48,600 --> 00:07:49,741
allows the penetration tester
230
00:07:49,741 --> 00:07:51,510
to decrease the amount of time spent
231
00:07:51,510 --> 00:07:53,220
in the information gathering phase,
232
00:07:53,220 --> 00:07:55,200
and therefore it allows them to spend more time
233
00:07:55,200 --> 00:07:58,620
identifying potential vulnerabilities and exploiting them.
234
00:07:58,620 --> 00:08:00,330
A partially known environment test
235
00:08:00,330 --> 00:08:03,660
is also commonly used to test web applications and APIs
236
00:08:03,660 --> 00:08:05,400
for different security vulnerabilities
237
00:08:05,400 --> 00:08:06,930
by giving the penetration tester
238
00:08:06,930 --> 00:08:09,930
some information about the application or API,
239
00:08:09,930 --> 00:08:11,700
such as its internal functionality
240
00:08:11,700 --> 00:08:13,410
and the basic inputs and outputs,
241
00:08:13,410 --> 00:08:15,690
but not the entire source code.
242
00:08:15,690 --> 00:08:17,250
Now, the third type we have
243
00:08:17,250 --> 00:08:19,380
is called a known environment test,
244
00:08:19,380 --> 00:08:21,660
and a known environment test is an assessment
245
00:08:21,660 --> 00:08:23,190
in which the penetration tester
246
00:08:23,190 --> 00:08:25,860
is given all the details about the organization,
247
00:08:25,860 --> 00:08:29,370
the network, the systems, and the underlying architecture.
248
00:08:29,370 --> 00:08:30,750
As part of the contract,
249
00:08:30,750 --> 00:08:34,230
the assessor might be given network diagrams, IP addresses,
250
00:08:34,230 --> 00:08:37,440
versions of operating systems, and services that they use.
251
00:08:37,440 --> 00:08:39,840
We would also receive a full copy of the source code
252
00:08:39,840 --> 00:08:41,400
and associated documentation
253
00:08:41,400 --> 00:08:45,150
if we're gonna be doing a web application or API assessment.
254
00:08:45,150 --> 00:08:47,310
When conducting a known environment test,
255
00:08:47,310 --> 00:08:49,530
the penetration tester is able to spend more time
256
00:08:49,530 --> 00:08:51,480
probing for vulnerabilities and exploits
257
00:08:51,480 --> 00:08:52,890
without having to spend as much time
258
00:08:52,890 --> 00:08:54,540
in the information gathering phase,
259
00:08:54,540 --> 00:08:55,680
because all the details
260
00:08:55,680 --> 00:08:58,530
have already been provided in a truly transparent manner.
261
00:08:59,589 --> 00:09:01,954
(upbeat music)