Time
14 hours 43 minutes
Difficulty
Advanced
CEU/CPE
15

Video Transcription

00:01
Hello, everybody. And welcome to episode number 46 off the penetration testing, simulation, module reporting and next steps. My name is Alejandro Gonna and I'll be instructor for today's session.
00:13
The learning our objectives of decision is to understand the main steps you need to follow after you finished your penetration test and apply techniques to successfully report on demonstrate your penetration testing work. So let's get down to business, shall we?
00:31
Ah,
00:32
in this video, I will try to talk to you like I'm the customer. Like I just received. Just handed me the final report fold you off all your work. And you know all the penetration testing. And, you know, I need to find out what you have to do later.
00:51
If I actually do that, you might be able to understand
00:54
what the customer is expecting from the report. What the customers feeling from that report? I mean, what to do? What to do? I expect us as the customer from from you after, if you finish your pan test. I know with this cars that all of this should be in place and agreed between the parties. I mean, the decline and yourself
01:14
Um
01:15
from the very beginning of the process, however, here will try to give you son some tips to actually fulfill that other honest spoken a great men or contract that there's between
01:27
the penetration tester and the customer. If you hear me again Ah,
01:33
as the customer or saying that like things that I'm like, I'm the customer eyes because I'm planning to, you know, like maybe employment to check what I'm planning to check in your report. If I use this,
01:46
you know,
01:47
massive. You might be, you know, get an idea I've had because the customers, actually, what do you got the customers expecting for you And have you actually create that report?
01:59
So having a penetration tester rich your own. You know, your count Jules, get root, own you, pound you and whatever phrasing you use it Sze something you know that gets you thinking the point of penetration test is to find where you're vulnerable so you can improve. Now.
02:17
This might be the perspective because you know the customer when we say customer, we tend to think of
02:23
that's the one person because one person with one you know, hire you or paying you you know the customer and the customer during several departments, and one of them is I t I t might not feel, you know that, like you're trying to help them, because, remember, you're basically basically exploiting their defenses.
02:43
So they've I feel attacked, and they might feel
02:46
I know this is this sounds emotional, but believe me, from experience, I gotta tell you, uh,
02:53
leaving, like everybody would have smiled fails is kind of hard, but it is what gets you rehired or, you know, they they pick up the farm six months later, O r. You know, one move later. I don't know, dependent
03:09
on the regulations, but they will call you again because, you know,
03:15
they feel like you were there there, partner. You were there there. Do you know, advisor at the end? I'll I always ask them the i t personal time. And so I'm I'm here to help you. I mean, I don't see me. Ah, So now editor or something like that,
03:34
I'm here to help you.
03:35
Ah, What? You preferred me telling you, you know, exploiting your differences and actually telling you how to fix them or someone outside You know about the guy trying to explode your defendant differences and not telling you and steal your information because of the n. Uh,
03:53
someone will try to explode you
03:54
and someone will defeat one or two differences, that's for sure. That's why you know, security in depth eyes is so important because, you know, you have to put layer after layer off security to actually don't reduce the risk. But that's the point. You have to tell it, I t guys or, you know,
04:15
infrastructure guys, they administer. The system sees happening. Guys,
04:18
whatever the department's called,
04:20
you have to tell him that you're their friend. You have to, you know, you know,
04:27
try to convince them that you're there to help them. And you know that. You know, it's better you than the other person outside without any good intentions. Um, you know, if it means the customer, I will plan to check. You know
04:46
what you have done.
04:46
Ah,
04:48
I will. You know, try to check your findings. You actually get, you know, the PAN test, you know, true Evelyn ability assessment that you actually ran with Inability Scanner. Where the people that performed the panthers competent, uh,
05:05
you know, the I delayed you test or system realistically, because that's still the thing. I have seen people that take a penetration test for for, like, 100 piece or something like that into maybe one day that that's impossible. I mean, all you can do in that time is maybe it's con ports and maybe check for pulling abilities,
05:26
but, you know, trying to exploit
05:28
100 be pacing one day. That's just impossible. So, yeah, off this, there will be questions that I will ask myself as the customer, and you and I will ask Ask you at the penetration tester. So some main things I will do as the customer is too. Hopes I didn't.
05:48
It's going to go black sort of it that I read the report. I will read the report since the point off a fantasist to prove their board needs to be actionable. Do I have to understand that I understand your findings. Can you, uh, can I recreate? Ah,
06:08
your findings are
06:09
If not, I might be contact you because at the end, you know, I just want to make sure that I can actually recreate what you found. Um,
06:18
if I don't, you know, You don't have to give me your suit. Your secrets just have to yell guide me so I can actually recreate that. And you know, that way I will see you again as my partner and you know not not Assad. External contractor, something it out. But you will be like my friend, right? Trying to help me.
06:39
Ah,
06:40
After that, I will make plan. Now that's the tricky part because, you know, you give the report to the customer and that's it. But you know, I will. I will recommend you to board the extra mile and, you know, try to help them to make a plan after your Baptist.
06:56
You know, there's a debate on whether the *** should have recommendations or what specifically specifically change, because sometimes it is easy to know what to change. Okay, just upgrade. The operating system is up. Great. This tool. Just apply this patch or something
07:13
for other times. It's more complicated, and pen testers tends to
07:16
a boy given recommendation because because if that recommendation doesn't work, then it is bent his fault, right? Unfortunately, that I know that's not that's not it, and that's not, you know, fair. But that's how the customer sees it. So you know the customer. We always find someone to blame. And unfortunately,
07:36
you know, the contractor is the easy one,
07:39
Daisy target to blame. So, yeah, but, you know, in this case, tried to help the customer to make a plan R have to implement that or old, you know how to implement fixes for all the findings from from your pan test. And, you know, this could be tricky, because at the end, you might find, you know,
07:59
like, 700 vulnerabilities. And you have you exploited, like,
08:03
I know 50 of them or something like that, Uh,
08:07
so you could be overwhelmed. The customer could be overwhelmed, and it will. You know that it is easy to get distracted when you're overwhelmed. I mean, it's better not to do something and, you know, just ignored all the other fixes because you have too many fixes to apply. And, you know, it is impossible to play them.
08:26
So again, help the customer to make a plan on, uh, one
08:31
key. Factoring here is risk if you, you know, exploited. Maybe 20 servers or 50 servers. Ask them. Okay. Do you have any business impact analysis on those servers. Do you know how you know how likely is? You know,
08:50
what's the cost of you losing the server? Basically, that's one of the main questions West. The cost of you losing the server. Okay, It's not to say for me it's a solution, for example, on my money, commerce and I sell stuff online. So he's not the same for me to lose the Web server because that's, you know, the worst servant and the database server.
09:09
Because that's where my entire business is based on
09:13
that to lose at about the printer server or maybe kind of the applications of other server. You know, it's not the same for me. So I might start in the Web server, and the daughter of a surfer applied the fixes you recommended me to do. So, yeah, you know, make a plan at risk will help you to narrow down
09:31
what the activities should be performed first.
09:33
Ah, and what activities could be, you know, led to let that ex waker the next month or whatever, but yeah, risk is a really key factor in here. And you should consider that when you're even reporting or create your report or us helping the customer to create the plan. Now, um,
09:50
you know, start small and go big again. Applied maybe one change per day or upgrades first or something like that. Automated task first, something like that. The thing is not to overwhelm the customer and and throw them really cool. Neat Report that, you know,
10:11
you and I can understand the girl were technical,
10:13
but maybe a CEO or a CFO will not understand. So in your grief executive report or something that I started with, you know, turns like risk how much it will cost you two maybe lose this or stuff like that. I know this seems like a
10:28
extra step, because it is it is actually an extra step, their firms dedicated to actually assess risk and stuff like that. So you can just ask the customer. Hey, do you have a risk plan? Do you have a business impact analysis that I can take a look at it? It's just for me to realize how How can I tailored the report so you can
10:48
you know better, get better actions too, you know,
10:52
performed fix our drop fixes that will recommend you. I don't want you to start playing fixes in service that not so critical for you or for your business. So I want you to you know, Taylor, the report. So I can tell you what fixes should be applied first. On what what service do you need to focus on
11:11
right away
11:11
and know Not only the report will have the customer. It will help. You know, it will help you to give a better image and more professional image in front of the customer. And believe me, if you use districts among other takes up tricks, you will,
11:28
you know, um
11:30
I understand, from from one panthers to it, the other you will, you will get that call six months later or something like that. And, you know,
11:39
just a little the report, so the customer cannot actually lose you. Ah, and the customer, you know,
11:48
you know, it's not like, overwhelmed or distracted, or they see, like, an unrealistic approach. And, you know, maybe
11:56
the customer will feel that they will never have time to apply that because at the end, not letting things drop is some is problematic. I have found that secure real eyes to be one of the worst things in late and three things were up because, you know,
12:16
there's always another alert.
12:18
There's a next supercritical origin task unit. Think, Take care off. You know,
12:26
there's a new model word. There's a new tool. There's a new exploit. There's a new technology. There's a new frost came there's, You know, there's always something new in cybersecurity. So, uh, you know, drop in this plan or not actually performing this plan is I have seen it too many times
12:46
s o f Those are, You know, some advice is that I can give you two, actually, so you can close this these
12:54
*** successfully. And obviously, if you use all this lingo like risk business impact analysis and everything that we discussed in this video during your final presentation maybe where the CEO is presented, believe me, you, you know, hit a home run when finishing your penetration test.
13:15
Why you should consider risk were important. Your findings Well, because risk at the end is, you know, probability versus impact on. And if you actually use risk for for reporting, you will tell the customer. Okay, I know, But if you lose this,
13:33
which is He has a high probability because I I exploited so easily
13:37
on. And it's critical for your business because this business impact analysis say so, uh, so this includes, you know, higher risk. So I will. I highly recommend you to start fixing this servers or this applications or whatever first, and then you can move to the other fixes.
13:56
In this video, we learn what steps need to consider what is that we need to consider after our pen test. And we discussed some things the customer is expecting from that final report.
14:07
Ah, supplemental materials were circled back to the hackers playbook tree. It has some good tips, so you can actually close your penetration testing successfully and experience experience. I cannot, you know, I cannot give you any reference specific reference in this one.
14:24
Thes are just things that I'm trying to give you from my past experience. I have been in this field for more than 30 years,
14:31
so and this a specific penetration testing field for more than 10 years. So believe me. Ah,
14:39
you know, God, there are a lot of experience dealing with customers dealing with angry I t minor years dealing with into a response teams the dealing with Hartono benders, their bodies, the cloud providers. You know, I'm just trying to give you all, you know, some basic tips.
14:56
The weekend, You know, I will let sure that I liked
15:01
to share with you off looking forward. And next year we'll wrap things up and, you know, we'll see all the contact we have seen so far. And we will close the cars. Obviously, I will give you my contact. If you have any questions, you can always reach to me. Please do so
15:18
and you know we can start. That's caution. And maybe I can share more
15:22
more tips with you. It may be some life experiences. Experiences in the penetration testing field. Well, that's it for today, folks. I hope you enjoyed the media and talk to you soon.

Up Next

Offensive Penetration Testing

This is a deep course about penetration testing. In this course, you’ll learn from basic to the most advanced and modern techniques to find vulnerabilities through information gathering, create and/or use exploits and be able to escalate privileges in order to test your information systems defenses.

Instructed By

Instructor Profile Image
Alejandro Guinea
CERT Regional Director
Instructor