1
00:00:00,120 --> 00:00:02,850
-: During your penetration test, you may also find a lot
2
00:00:02,850 --> 00:00:06,090
of confidential information about the target organization.
3
00:00:06,090 --> 00:00:08,070
Remember, it is your responsibility
4
00:00:08,070 --> 00:00:09,389
to safeguard this information
5
00:00:09,389 --> 00:00:11,520
and if you're able to access an area
6
00:00:11,520 --> 00:00:13,530
of their network you think you shouldn't be in,
7
00:00:13,530 --> 00:00:15,450
it's important to notify the trusted agent
8
00:00:15,450 --> 00:00:18,060
inside that organization immediately.
9
00:00:18,060 --> 00:00:19,470
You wanna be careful not to have
10
00:00:19,470 --> 00:00:22,200
the confidential information leak out onto the internet
11
00:00:22,200 --> 00:00:24,930
because if there's an unauthorized disclosure by accident,
12
00:00:24,930 --> 00:00:27,210
then your company could be held liable.
13
00:00:27,210 --> 00:00:30,060
Again, make sure your lawyer has properly drawn up
14
00:00:30,060 --> 00:00:32,850
your contracts to ensure your liability is limited
15
00:00:32,850 --> 00:00:34,710
in the case of accidental disclosures
16
00:00:34,710 --> 00:00:38,130
to minimize your exposure to fees and fines in this area.
17
00:00:38,130 --> 00:00:39,899
When you're conducting your penetration tests,
18
00:00:39,899 --> 00:00:41,310
you always need to ensure
19
00:00:41,310 --> 00:00:42,960
that you're complying with the requirements
20
00:00:42,960 --> 00:00:44,850
and performance standards that have been set forth
21
00:00:44,850 --> 00:00:46,891
in any of your contractual documents.
22
00:00:46,891 --> 00:00:48,930
This includes your statement of work,
23
00:00:48,930 --> 00:00:50,580
your master service agreements,
24
00:00:50,580 --> 00:00:52,080
your service-level agreements,
25
00:00:52,080 --> 00:00:53,970
and non-disclosure agreements.
26
00:00:53,970 --> 00:00:56,100
These documents help set forth the boundaries
27
00:00:56,100 --> 00:00:58,410
of your relationship with your client organization
28
00:00:58,410 --> 00:01:00,270
as well as the expectations that they should have
29
00:01:00,270 --> 00:01:02,670
for your team and the results you're gonna deliver
30
00:01:02,670 --> 00:01:04,620
at the end of the assessment.
31
00:01:04,620 --> 00:01:07,020
In your contracts and final documentation,
32
00:01:07,020 --> 00:01:08,880
you should always include any disclaimers
33
00:01:08,880 --> 00:01:11,499
and liability limitations to also protect yourself
34
00:01:11,499 --> 00:01:13,140
and your company.
35
00:01:13,140 --> 00:01:15,900
Now, all of these contractual documents should be reviewed
36
00:01:15,900 --> 00:01:18,900
by an attorney or lawyer before the client organization
37
00:01:18,900 --> 00:01:20,820
and your company signs them.
38
00:01:20,820 --> 00:01:22,320
Once both parties are comfortable
39
00:01:22,320 --> 00:01:25,140
with the terms of the contracts, then they should be signed
40
00:01:25,140 --> 00:01:27,390
and the engagement can officially begin.
41
00:01:27,390 --> 00:01:29,370
Remember, these contracts serve
42
00:01:29,370 --> 00:01:31,050
as your get outta jail free card
43
00:01:31,050 --> 00:01:33,120
in the case that the engagement goes poorly.
44
00:01:33,120 --> 00:01:35,460
So always ensure you have these signed documents,
45
00:01:35,460 --> 00:01:38,880
granting you permission before you begin your assessment.
46
00:01:38,880 --> 00:01:40,530
When you begin your engagement,
47
00:01:40,530 --> 00:01:42,180
always maintain your professionalism
48
00:01:42,180 --> 00:01:43,980
as a penetration tester.
49
00:01:43,980 --> 00:01:46,789
You should seek to complete your tasks and tests as quickly,
50
00:01:46,789 --> 00:01:49,800
efficiently, and effectively as possible.
51
00:01:49,800 --> 00:01:52,710
There are a lot of moving parts to a penetration test,
52
00:01:52,710 --> 00:01:54,540
so keeping good notes and documentation
53
00:01:54,540 --> 00:01:56,850
of your activities is going to be essential
54
00:01:56,850 --> 00:01:59,370
as is conducting proper time management.
55
00:01:59,370 --> 00:02:01,050
Now, time management occurs not only
56
00:02:01,050 --> 00:02:03,540
during the actual attack and exploitation phase
57
00:02:03,540 --> 00:02:05,850
but also during the planning and scoping phase,
58
00:02:05,850 --> 00:02:08,490
the information gathering and vulnerability scanning phase
59
00:02:08,490 --> 00:02:11,370
and the reporting and communication phases too.
60
00:02:11,370 --> 00:02:13,680
When you're working as a penetration tester,
61
00:02:13,680 --> 00:02:15,900
always focus on the tasks you're assigned.
62
00:02:15,900 --> 00:02:17,790
Try to avoid any distractions,
63
00:02:17,790 --> 00:02:20,130
ensure you're following the plan timeline,
64
00:02:20,130 --> 00:02:21,420
and keep any status meetings
65
00:02:21,420 --> 00:02:23,790
with the team short and to the point.
66
00:02:23,790 --> 00:02:26,370
As you will soon find out, there is always more work
67
00:02:26,370 --> 00:02:28,260
to be done than time available,
68
00:02:28,260 --> 00:02:30,870
so practicing these time management tips can really
69
00:02:30,870 --> 00:02:34,110
help you become more effective as a penetration tester.
70
00:02:34,110 --> 00:02:36,810
Now, during your penetration test, you're gonna have a lot
71
00:02:36,810 --> 00:02:38,520
of restrictions placed upon you
72
00:02:38,520 --> 00:02:41,070
based on the statement of work, the rules of engagement
73
00:02:41,070 --> 00:02:42,870
and the scope that was agreed upon
74
00:02:42,870 --> 00:02:44,700
with the client organization.
75
00:02:44,700 --> 00:02:46,338
Your team will be limited to performing only
76
00:02:46,338 --> 00:02:49,020
what are considered allowable tests.
77
00:02:49,020 --> 00:02:51,630
Now, these allowable tests help to further define the method
78
00:02:51,630 --> 00:02:54,960
of assessing the targets inside of the engagement scope.
79
00:02:54,960 --> 00:02:57,090
For example, the list of allowable tests
80
00:02:57,090 --> 00:02:59,250
might include things like social engineering,
81
00:02:59,250 --> 00:03:01,770
injection attacks, buffer overflows,
82
00:03:01,770 --> 00:03:03,480
and physical security testing.
83
00:03:03,480 --> 00:03:06,480
While at the same time, it may prohibit specific tests
84
00:03:06,480 --> 00:03:09,030
like a distributed denial of service attack.
85
00:03:09,030 --> 00:03:10,920
Your team must also adhere to the scope
86
00:03:10,920 --> 00:03:12,930
of the assessment as it was agreed upon
87
00:03:12,930 --> 00:03:15,540
with the client in your contractual documents.
88
00:03:15,540 --> 00:03:17,730
If a client attempts to have you expand your testing
89
00:03:17,730 --> 00:03:20,520
outside the agreed upon scope, you need to explain
90
00:03:20,520 --> 00:03:22,830
that you cannot do that due to legal reasons
91
00:03:22,830 --> 00:03:24,840
and that the scope must be officially changed
92
00:03:24,840 --> 00:03:26,910
in the contracts prior to you testing
93
00:03:26,910 --> 00:03:28,500
those additional systems.
94
00:03:28,500 --> 00:03:30,660
This will help protect you and your company
95
00:03:30,660 --> 00:03:33,510
from liability and potential legal issues.
96
00:03:33,510 --> 00:03:35,520
Also, when it comes to scope,
97
00:03:35,520 --> 00:03:37,740
you need to be careful to limit the invasiveness
98
00:03:37,740 --> 00:03:41,010
of your engagement based upon the agreed upon scope.
99
00:03:41,010 --> 00:03:42,810
In coordination with your client,
100
00:03:42,810 --> 00:03:44,258
you need to identify any sensitive
101
00:03:44,258 --> 00:03:47,640
or mission critical systems that should either be excluded,
102
00:03:47,640 --> 00:03:51,510
avoided or only targeted for specific types of attacks.
103
00:03:51,510 --> 00:03:54,840
For example, you may be able to conduct an SQL injection
104
00:03:54,840 --> 00:03:57,900
against a targeted credit card processor's database server
105
00:03:57,900 --> 00:03:59,670
but you may be prohibited
106
00:03:59,670 --> 00:04:01,680
from using a buffer overflow exploit
107
00:04:01,680 --> 00:04:03,690
because that might be considered too invasive
108
00:04:03,690 --> 00:04:06,660
or dangerous for that mission critical system.
109
00:04:06,660 --> 00:04:08,280
During a particular engagement,
110
00:04:08,280 --> 00:04:09,840
it's also important to limit the use
111
00:04:09,840 --> 00:04:13,050
of specific tools for different types of engagements.
112
00:04:13,050 --> 00:04:13,950
Now, for example,
113
00:04:13,950 --> 00:04:16,918
if you're conducting a PCI DSS compliance scan,
114
00:04:16,918 --> 00:04:19,110
you may be required to use certain tools
115
00:04:19,110 --> 00:04:20,760
for that part of the engagement.
116
00:04:20,760 --> 00:04:22,980
Conversely, if you're conducting a HIPAA
117
00:04:22,980 --> 00:04:25,170
or GDPR compliance assessment,
118
00:04:25,170 --> 00:04:27,960
you're gonna use different tools and techniques for those.
119
00:04:27,960 --> 00:04:30,990
Always use the right tool for the right type of engagement
120
00:04:30,990 --> 00:04:33,210
and don't carry data from one client's network
121
00:04:33,210 --> 00:04:34,710
into another client's network
122
00:04:34,710 --> 00:04:37,200
as you move from engagement to engagement.
123
00:04:37,200 --> 00:04:39,780
Additionally, you need to recognize other restrictions
124
00:04:39,780 --> 00:04:41,220
that may be placed on you
125
00:04:41,220 --> 00:04:44,130
whether those are technically-based or location-based.
126
00:04:44,130 --> 00:04:45,810
For example, if you're assessing
127
00:04:45,810 --> 00:04:47,580
a car manufacturer's network,
128
00:04:47,580 --> 00:04:49,680
they may place certain limitations on the different types
129
00:04:49,680 --> 00:04:52,140
of tests or the locations for different tests
130
00:04:52,140 --> 00:04:54,450
based on their unique industrial control systems
131
00:04:54,450 --> 00:04:55,283
that are being connected
132
00:04:55,283 --> 00:04:57,600
to their operational technology networks.
133
00:04:57,600 --> 00:04:59,790
Now, a different client may have a legacy system
134
00:04:59,790 --> 00:05:01,710
that still runs an older operating system
135
00:05:01,710 --> 00:05:03,070
like an embedded version of Windows
136
00:05:03,070 --> 00:05:05,220
and that would simply fail if it was tested
137
00:05:05,220 --> 00:05:07,650
with some of our modern automated scanning tools
138
00:05:07,650 --> 00:05:09,200
during a penetration test.
139
00:05:09,200 --> 00:05:11,820
During these situations, you need to make sure
140
00:05:11,820 --> 00:05:13,530
you're discussing them carefully with the client
141
00:05:13,530 --> 00:05:15,772
in advance to clearly identify any restrictions
142
00:05:15,772 --> 00:05:18,812
that you might need to add to your team's engagement plan.
143
00:05:18,812 --> 00:05:21,852
For example, in a previous organization I worked at,
144
00:05:21,852 --> 00:05:25,200
we were conducting penetration tests against numerous legacy
145
00:05:25,200 --> 00:05:27,660
and ICS SCADA systems within our organization
146
00:05:27,660 --> 00:05:29,220
and we decided to hire
147
00:05:29,220 --> 00:05:31,410
some outside penetration testing team members
148
00:05:31,410 --> 00:05:33,960
to supplement our internal pen testers.
149
00:05:33,960 --> 00:05:36,000
Now, to protect the systems and the networks,
150
00:05:36,000 --> 00:05:38,340
we had an approved list of commercial, open source,
151
00:05:38,340 --> 00:05:41,220
and proprietary tools that were authorized for use
152
00:05:41,220 --> 00:05:43,620
by our penetration testers who were gonna be assigned
153
00:05:43,620 --> 00:05:45,600
to work on those specific systems.
154
00:05:45,600 --> 00:05:47,520
In their contracts, we provided a list
155
00:05:47,520 --> 00:05:49,380
of all the approved tools that we had
156
00:05:49,380 --> 00:05:51,570
and added a clause that stated this.
157
00:05:51,570 --> 00:05:54,240
If additional tools are needed for a specific test,
158
00:05:54,240 --> 00:05:56,900
the penetration tester must submit the tool for review
159
00:05:56,900 --> 00:05:59,511
along with the request for approval, with the rationale
160
00:05:59,511 --> 00:06:02,100
for why a tool on the existing approved tool list
161
00:06:02,100 --> 00:06:04,380
cannot meet the testing requirements.
162
00:06:04,380 --> 00:06:06,750
Any tool not listed on the approved tool list
163
00:06:06,750 --> 00:06:08,940
cannot be used on the production network
164
00:06:08,940 --> 00:06:12,390
without written approval from the chief technology officer.
165
00:06:12,390 --> 00:06:14,940
So as you can see, there are many different places
166
00:06:14,940 --> 00:06:17,160
where restrictions and limitations will be placed
167
00:06:17,160 --> 00:06:19,260
on your penetration testing teams.
168
00:06:19,260 --> 00:06:21,630
Remember, it is better to ask permission
169
00:06:21,630 --> 00:06:23,400
than to beg forgiveness when it comes
170
00:06:23,400 --> 00:06:25,470
to the world of penetration testing.
171
00:06:25,470 --> 00:06:28,440
My philosophy is that, if permission isn't in writing,
172
00:06:28,440 --> 00:06:30,090
it really didn't happen.
173
00:06:30,090 --> 00:06:31,410
I've been bitten too many times
174
00:06:31,410 --> 00:06:33,150
by people giving their verbal approval
175
00:06:33,150 --> 00:06:34,970
for my teams to go run and exploit
176
00:06:34,970 --> 00:06:37,650
only to have them yelling at us 30 minutes later
177
00:06:37,650 --> 00:06:39,210
when their network defense teams begin
178
00:06:39,210 --> 00:06:40,950
to see negative effects that were caused
179
00:06:40,950 --> 00:06:42,570
by that same exploit.
180
00:06:42,570 --> 00:06:45,480
It is always better to be safe rather than sorry.
181
00:06:45,480 --> 00:06:48,120
So take the extra time needed to get the written approval
182
00:06:48,120 --> 00:06:50,520
before you officially begin your engagement
183
00:06:50,520 --> 00:06:52,140
and then you can move safely
184
00:06:52,140 --> 00:06:54,580
into your information gathering, vulnerability scanning,
185
00:06:54,580 --> 00:06:57,453
creating your attacks, and running your exploits.
186
00:06:58,732 --> 00:07:00,846
(cool music)