Time
13 hours 9 minutes
Difficulty
Intermediate
CEU/CPE
13

Video Transcription

00:00
Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're looking at the other side of the coin, business process analysis. We just recently looked at business asset analysis,
00:12
and so we're going to jump into looking at business assets and tie in the particular process pieces to give us an overall picture
00:20
of how the organization works and critical processes within that. So, as a quick disclaimer, PTES videos do cover tools and techniques that could be used for system hacking. Any tools discussed or used during our demonstrations should be researched and understood by the user.
00:37
Please research your laws and regulations within your given area to ensure that the use of these tools or techniques
00:43
does not land you in any trouble with the law. So let's go ahead and look at our objectives for today's particular discussion.
00:52
So we're going to look at what business process analysis is, defining that and discussing it. We're going to look at and discuss technical infrastructure supporting processes, information assets supporting processes, human assets supporting processes, and third-party integration and/or usage by process. So,
01:11
essentially, how does a third party plug into our overall business and the
01:15
core processes that we need to function and operate.
01:19
So let's jump to our first slide on business process analysis and what that is. So in the business process analysis, we differentiate between critical business processes and non-critical processes. So for each category, the analysis is the same and considers the same elements. The main difference is in the weighting of
01:40
the threat
01:41
from a critical business process or against a critical business process that is assigned, as
01:48
opposed to a non-critical one. So in this case, critical processes could be considered payroll processes, shipping processes, the sauce-making process if you've got a secret sauce that you're making, the invoicing process, and the reason for that is
02:01
if we can't invoice, we can't,
02:05
you know, get paid. If we can't get paid,
02:07
we can't do payroll. If payroll doesn't function, we can't pay people. If we can't pay people, we can't make sauce. If we can't make sauce, we can't do invoicing and do payroll. And if we can't ship, we can't ship the sauce, we can't do the invoice, and you can see where that would get convoluted and complicated.
02:24
And so one of my recommendations
02:28
as you look at the system
02:30
or you identify an asset, let's just say it's asset A,
02:32
and you're working on these different areas and identifying how they connect to system A, map out, you know, there's payroll and invoicing tied to system A. And as you continue to look at these different areas within business process analysis, technical infrastructure, et cetera,
02:52
build yourself kind of a web, or if you've got a tool that you use, Maltego.
02:55
You could just use that to kind of lay everything out, or Visio, or there are open source components to that as well.
03:02
However you want to map things out and lay things out for easy reference, I would definitely do so. Don't try to memorize everything and keep everything in your mind.
03:12
Now, technical infrastructure supporting processes. So when we're looking at that,
03:17
business processes are usually supported by infrastructure, and so this is things like computers, networks, processing power, PCs, whatever the case may be. There's something that's tied into a critical business process somewhere. All of those elements have to be identified and mapped,
03:36
and that mapping should be clear
03:38
to be used later in the process when translating the threat model to the vulnerability mapping and exploitation, et cetera. So
03:45
when we're looking at, say, payroll processing, we say that workstations A, B, and C provide payroll processing and server XYZ is the primary payroll server.
03:58
So when we start to look at vulnerability analysis and exploitation routes and we're doing our overall threat modeling and we're scoring this particular system
04:08
or these systems, their level of criticality is elevated because they're tied to a particular process that, you know, if it were impacted or not available, could impact the organization in a huge manner. And so we take all those things into account when we look at technical
04:28
infrastructure
04:30
Now, information assets. Unlike technical infrastructure, information assets are existing knowledge bases in the organization that are used to either reference or support critical business processes. And so such assets are usually identified in the business process already
04:47
and should be mapped alongside technical infrastructure
04:51
within your threat modeling exercise.
04:56
Now, human assets are essentially the people that make up the critical business processes, and so
05:05
when we're looking at any individuals within the organization, kind of sticking with the payroll process, we need the payroll specialist
05:16
to make sure that the payroll process works.
05:19
Okay, so if we don't have another resource trained
05:23
in the organization, cross-trained or whatever the case may be, to process payroll once a week, once every other week, once a month, whatever the case may be,
05:32
then that human element is critical
05:36
to the payroll process. And if that human element were impacted in some manner, then it could adversely affect the payroll process. So we have to note that.
05:46
Now,
05:47
third-party integrations or tools, like human assets supporting the process. There could be third-party involvement with the business process as well. And so it could be tricky to map out, but we should have both the human element, the technical element, the knowledge element,
06:05
and then the cloud element, essentially, in this case
06:10
for this. So let's say that the system, the workstation we identified, A, is critical.
06:16
We've got
06:17
knowledge, information or documentation that's critical.
06:21
We've got the human element
06:25
that's critical, and then all of this information in the business
06:30
ties up to
06:31
a cloud-based system or SaaS solution
06:35
that then allows payroll to happen and process.
06:40
So all of that is taken into consideration when we do our threat modeling, and we're mapping out risks to the organization and looking for potential attack vectors for things that are in scope with respect to critical systems.
06:53
So let's do a quick check on learning.
06:56
Which of the following
06:58
is technical infrastructure
07:00
with respect to, you know, when we're mapping out a process or something of that nature? Which of the following is considered technical infrastructure?
07:09
All right, well, if you need more time, please pause the video and take a moment to look. So the payroll specialist is a human asset and is not considered technical infrastructure. The SaaS provider is considered third party,
07:26
so a workstation used for payroll could be considered technical infrastructure in an overall process, or when we're evaluating technical infrastructure, that workstation is considered a part of that. Other members could be network
07:41
components. It could be the network itself. It could be processing power. It could be a set of workstations and servers.
07:46
That all falls into technical infrastructure within this business process analysis.
07:53
Now, in summary, we discussed what business process analysis is. We looked at some different areas such as technical infrastructure, information assets, human assets, and third-party integrations or tools, all coming together to support
08:11
business processes. And so each of these areas has to be considered when we're mapping out business processes and when we're putting those processes against business assets
08:22
to build our overall threat model, threat map, or do a risk assessment, whatever the case may be there.
08:28
These are some core areas that you would want to look at and review within that business process analysis. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Penetration Testing Execution Standard (PTES)

In this course we will lay out the Penetration Testing Execution Standard (PTES) in all its phases and their application for business leaders and Security Professionals alike.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor