Hello and welcome, everyone, to another Penetration Testing Execution Standard discussion.
Today, we're going to be looking at how you should approach and use the course that will handle the PTES standard.
So let's jump right in.
Now, the reason that I'm going to continue to provide a disclaimer (I know I said in the first two discussions that I would explain this)
is that, um, you know, you can come in in the middle of this course, the end of this course, wherever it may be. You may only be interested in vulnerability analysis. You may only be interested in reporting. So I attached these disclaimers to any given discussion that we have because
you, the learner, have the flexibility to go to any one of my videos and watch them at any time. So
instead of giving a disclaimer at the beginning of my course, I now give disclaimers at the beginning of every video because I want to encourage you to kind of watch what you wanna watch, take in kind of an idea from start to finish, and then apply it if need be.
And so this disclaimer is going to be present at the beginning of the videos for the PTES course.
So the PTES does cover tools that utilize and provide information on system hacking. Any tools discussed or used during the demonstration, of course, should be, you know, researched and understood by the user. And please research your laws and regulations regarding the use of such tools in your given area. So the reason for each of these disclaimers
is to let you know that we may cover tools and techniques on system hacking,
that any tools we discuss or demonstrate you should have a good understanding of before you run them. You should never run tools blindly, um, or, you know, do a next-next-finish on an IP that's not yours, because that can land you in trouble.
And then, you know, you should understand whether or not certain encryption standards are allowed in your area, whether or not certain wireless testing tools are allowed in your area, whether or not password cracking is allowed or running an Nmap scan is allowed. So you should always take responsibility for your research and your actions,
and by doing so, that requires you to understand the laws and regulations for your given area.
Now let's jump into the objectives for this particular discussion. So we're going to address how you should use the course and key areas that will be covered. So let's start with the idea. The idea behind the course is that I want you to be efficient, effective and use what you need to within the course.
So again, you may only need information from the area concerning pre-engagement activity. You may be well rounded and have a defined standard for all other areas, but maybe you need to supplement any of the given areas that we'll discuss.
I want you to be efficient, effective with your time. Take away the components that you can supplement in your standards and then, you know, take the rest. Maybe watch it. And if it doesn't apply to your situation or scenario, you discard it.
I'm a fan of this because nothing is perfect, and the idea is that you may have, or the standards that you may use, may be better than what's offered in PTES.
So, you know, I always encourage folks to take the tools, techniques and things that we review
and apply them where it's applicable, and where it best fits your situation or scenario.
Now, what are the seven core areas, plus one, that we're going to be looking at? Well, the seven core areas would be the pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting components
of the PTES standard. The plus one, in this case, would be the technical guidelines. Now, the technical guidelines you don't have to know or review to understand the penetration testing standard. These guidelines provide some tools and high-level information for each of the given areas within the PTES
that you can then go and apply or use if you don't have,
otherwise, a tool at your disposal for use.
Instead of showing you some images of each of the sections, what I'm going to do is navigate over to the site and I'm going to show you how the flow of this course will happen and what it is that we'll touch on and what we'll be adding to PTES throughout this process. So let's go ahead over to our desktop.
Well, everybody, here we are on the pentest-standard.org site, home of the Pen Testing Execution Standard. Now, right out the gate, when we get to the home page, as we discussed earlier, we've got the seven main sections that we'll be reviewing within our course.
Now the course is broken down pretty much as the areas are indexed
on the site, meaning if you go to Pre-engagement Interactions,
you'll take note that over in the contents it has primary sections
and then subsections for each of the topic areas. Our discussions are going to be laid out so that we cover one discussion
per section. And the reason for that is that, you know, Overview is pretty small,
and so this may, if you were just reading this, take you two or three minutes. But what we plan to do is provide some real-world scenarios and applicable information for maybe business owners and SOC managers for each of these given areas. And so if you're on a time crunch and you just want to do a quick read on Introduction to Scope
or Metrics for Time Estimation,
the information is here on the site for you to read and consume. What we're adding to this is we're going to discuss, like, General Questions. We'll go into each of the content areas under General Questions. And we'll talk about how we apply these questions to an environment. How would we ascertain the information?
How would we go about asking for it? How would we store it, collect it, use it to scope, things of that nature.
And so the benefit to, you know, reviewing the content section on additional support based on hourly rates is that you may, you know, be able to simply read that this would be additional fees based on the scope of service, and that would be it.
But what we'll add to this in our PTES discussions in this specific area is some scenarios where organizations were bit by the scope creep and did not build in additional contractual obligations for hourly rate. Maybe they were.
You know, Abel Kant was able to get work done for $1000 that should have been worth five, but they didn't build in any additional, you know, hours into that
Or, you know, you may have some physical penetration testing that you want to do, but you've never really scoped that out. And so we're not just going to talk about the bullets and name them verbatim. But we're going to give real-world instances as to why these things are important
and why we would be asking the questions. And so we're going to do that for every section. And so the
particular section, pre-engagement, is pretty lengthy. But if we go to something like threat modeling,
you'll notice that it's a little bit shorter. But the subject matter within threat modeling can be a little bit deeper with respect to business asset analysis, business process analysis. And so we're not just going to read over the technical terminology or talk about, you know, verbatim, the language that's in each of these sections.
We're actually going to work to apply that to, you know, the perspective that a business owner would take in seeing this information, as well as a SOC manager, again, a leader of a pen testing, whatever the case may be.
And so we're going to do that for each of these given areas. Now, if you find that you only have an interest in post-exploitation
and then, within post-exploitation, you only want to hear about pillaging, then I would recommend you go and watch the pillaging content so that you can get a deeper understanding of each of the sections within pillaging, and vice versa. That's applicable to every other component of that as well.
The technical guidelines are the plus one to the core seven that we're going to talk about. Where this will differ from the core areas is we're not going to touch on every component in the technical guidelines. We won't do OSINT and then talk about every tool, every technique, every piece of information within this.
What we'll do is we'll name maybe some noteworthy or key tools
and some key scenarios. Maybe we'll do some case study information that we'll provide against a tool like theHarvester, or looking at lawsuits and things of that nature within an organization and how that could be used for testing.
And we'll give you some kind of tips and tricks on using some of the information within the technical guidelines. But this isn't being built out to be a penetration testing course and that we're going to teach you in that pound of pen test. We're teaching you about the standards, some of these standards, in this case the PTES standard associated with pen testing,
and some of the applicable tools for each of the core areas that could be used.
The goal is that by the end of the course, you have the ability to not only conduct a penetration test against a standard, whether it be PTES or another standard, but that you're also able to either, from a business perspective as a business leader, understand the value of penetration testing and be able to talk
in terms with a technical liaison or rep
on what you're expecting out of a penetration test, and vice versa as a SOC manager or a pen test team lead or any other manner of management within, maybe, you know, a service provider relationship or a security service provider relationship. You'll be able to talk intelligently on the things that you want to see in your
offensive security testing or red team testing programs.
So keep that in mind as we go through the course, that these are going to be the ways that we focus on the content and the way that we present it. So with that in mind, I'm going to go ahead and take us back over to our slides.
All right, everybody, welcome back. So
in summary, you should now understand the core areas of focus for the PTES standard and what we'll be covering during our discussions. You should also have a sense of what we will be doing during the course. Again, we're not going to be teaching you how to do penetration testing.
If you wanna learn how to use Nmap or get an in-depth review of something like Shodan or the use of Burp Suite,
then you'd want to look for some other courses and discussions at this time.
Now, the goal of this particular course, again, is to give you a standard that you can either dovetail into a standard you're already using, where maybe there's some gaps or you've developed it internally,
or, again, you're a business leader that's looking to better understand how penetration testing works, what value it brings to your organization and the high-level details that you should be aware of when you're asking for quotes or information on penetration testing.
You want to see the value in penetration testing. You don't want to just see it as another check box or an expense.
So in order to do so, you have to have a very foundational understanding of what penetration testing is and how it's approached and conducted.
So with those things in mind, if you're ready to jump in and understand the PTES standard, I want to say this: thank you for your time.
And I look forward to seeing you again soon in our next discussion.