All language subtitles for 009 Limitations and Permission (OBJ 1.1 and 1.3)

During your penetration test, you may also find a lot of confidential information about the target organization. Remember, it is your responsibility to safeguard this information and if you're able to access an area of their network you think you shouldn't be in, it's important to notify the trusted agent inside that organization immediately. You wanna be careful not to have the confidential information leak out onto the internet because if there's an unauthorized disclosure by accident, then your company could be held liable. Again, make sure your lawyer has properly drawn up your contracts to ensure your liability is limited in the case of accidental disclosures to minimize your exposure to fees and fines in this area.

When you're conducting your penetration tests, you always need to ensure that you're complying with the requirements and performance standards that have been set forth in any of your contractual documents.
This includes your statement of work, your master service agreements, your service-level agreements, and non-disclosure agreements. These documents help set forth the boundaries of your relationship with your client organization as well as the expectations that they should have for your team and the results you're gonna deliver at the end of the assessment. In your contracts and final documentation, you should always include any disclaimers and liability limitations to also protect yourself and your company.

Now, all of these contractual documents should be reviewed by an attorney or lawyer before the client organization and your company signs them. Once both parties are comfortable with the terms of the contracts, then they should be signed and the engagement can officially begin. Remember, these contracts serve as your get outta jail free card in the case that the engagement goes poorly. So always ensure you have these signed documents, granting you permission before you begin your assessment.

When you begin your engagement, always maintain your professionalism as a penetration tester.
You should seek to complete your tasks and tests as quickly, efficiently, and effectively as possible. There are a lot of moving parts to a penetration test, so keeping good notes and documentation of your activities is going to be essential as is conducting proper time management. Now, time management occurs not only during the actual attack and exploitation phase but also during the planning and scoping phase, the information gathering and vulnerability scanning phase and the reporting and communication phases too.

When you're working as a penetration tester, always focus on the tasks you're assigned. Try to avoid any distractions, ensure you're following the plan timeline, and keep any status meetings with the team short and to the point. As you will soon find out, there is always more work to be done than time available, so practicing these time management tips can really help you become more effective as a penetration tester.

Now, during your penetration test, you're gonna have a lot of restrictions placed upon you based on the statement of work, the rules of engagement and the scope that was agreed upon with the client organization. Your team will be limited to performing only what is considered allowable tests. Now, these allowable tests help to further define the method of assessing the targets inside of the engagement scope. For example, the list of allowable tests might include things like social engineering, injection attacks, buffer overflows, and physical security testing. While at the same time, it may prohibit specific tests like a distributed denial of service attack.

Your team must also adhere to the scope of the assessment as it was agreed upon with the client in your contractual documents. If a client attempts to have you expand your testing outside the agreed upon scope, you need to explain that you cannot do that due to legal reasons and that the scope must be officially changed in the contracts prior to you testing those additional systems. This will help protect you and your company from liability and potential legal issues.

Also, when it comes to scope, you need to be careful to limit the invasiveness of your engagement based upon the agreed upon scope. In coordination with your client, you need to identify any sensitive or mission critical systems that should either be excluded, avoided or only targeted for specific types of attacks. For example, you may be able to conduct an SQL injection against a targeted credit card processor's database server but you may be prohibited from using a buffer overflow exploit because that might be considered too invasive or dangerous for that mission critical system.

During a particular engagement, it's also important to limit the use of specific tools for different types of engagements. Now, for example, if you're conducting a PCI DSS compliance scan, you may be required to use certain tools for that part of the engagement. Conversely, if you're conducting a HIPAA or GDPR compliance assessment, you're gonna use different tools and techniques for those.
Always use the right tool for the right type of engagement and don't carry data from one client's network into another client's network as you move from engagement to engagement.

Additionally, you need to recognize other restrictions that may be placed on you whether those are technically-based or location-based. For example, if you're assessing a car manufacturer's network, they may place certain limitations on the different types of tests or the locations for different tests based on their unique industrial control systems that are being connected to their operational technology networks. Now, a different client may have a legacy system that still runs an older operating system like an embedded version of Windows and that would simply fail if it was tested with some of our modern automated scanning tools during a penetration test. During these situations, you need to make sure you're discussing them carefully with the client in advance to clearly identify any restrictions that you might need to add to your team's engagement plan.

For example, in a previous organization I worked at, we were conducting penetration tests against numerous legacy and ICS SCADA systems within our organization and we decided to hire some outside penetration testing team members to supplement our internal pen testers. Now, to protect the systems and the networks, we had an approved list of commercial, open source, and proprietary tools that were authorized for use by our penetration testers who are gonna be assigned to work on those specific systems. In their contracts, we provide a list of all the approved tools that we had and added a clause that stated this: "If additional tools are needed for a specific test, the penetration tester must submit the tool for review along with the request for approval, with the rationale for why a tool on the existing approved tool list cannot meet the testing requirements. Any tool not listed on the approved tool list cannot be used on the production network without written approval from the chief technology officer."

So as you can see, there are many different places where restrictions and limitations will be placed on your penetration testing teams. Remember, it is better to ask permission than to beg forgiveness when it comes to the world of penetration testing. My philosophy is that, if permission isn't in writing, it really didn't happen. I've been bitten too many times by people giving their verbal approval for my teams to go run and exploit only to have them yelling at us 30 minutes later when their network defense teams begin to see negative effects that were caused by that same exploit. It is always better to be safe rather than sorry. So take the extra time needed to get the written approval before you officially begin your engagement and then you can move safely into your information gathering, vulnerability scanning, creating your attacks, and running your exploits.

(cool music)
