13 hours 9 minutes
Hello and welcome to another penetration testing execution Standard discussion. Today we're going to briefly discuss finding relevant news within the threat modeling section of the Pee test standard. Now is a quick disclaimer. We do have some tools and techniques that we may discuss
that could be used for system hacking.
Any tools discussed, used or demonstrated should be researched and understood by the user. Please research all applicable laws and regulations within your given area regarding the use of such tools or techniques to ensure that you don't get into any trouble with the law. Now today's objectives are pretty brief.
We're just going to discuss the pee test definition of comparable news
and discuss search results for some relevant examples that we pulled out
and how we would go about doing that.
So relevant news of comparable organizations as laid out in order to provide a complete threat, model ah, comparison to other organizations with the same industry vertical should be provided. It should be inclusive of any relevant incidents or news related to such organizations and the challenges they face.
Such a comparison is used to validate the threat model and offer a baseline for the organization to compare itself to
taking into account that this publicly available information on Lee represents a portion of the actual threat and incident three compared, organization will actually face you could actually face.
So essentially, we're going to use some Google fu to attempt to find relevant and somewhat current data on how other organizations were impacted
and so an example given here. So we did a quick search for manufacturing plant hacked in. So let's say you're looking at manufacturing. So I did a Google search for manufacturing plant hacked.
We've got a search result for March
that so locker Goga the ransomware crippling industrial firms on DSO it goes into something's there about ran somewhere. We've got an aluminum plant him by ransomware So this is likely, um,
the same or one of the same organizations ransomware forces, aluminum manufacture, trying to shut down.
So this all looks to be relatively current and related to the same organization. So if I were working with the manufacturer of aluminum or some other product, we could demonstrate how ransomware could potentially impact them or model how ransomware could affect them
in a similar manner to this particular aluminum manufacturing giant. And so that would be
a good resource to use in that case. And then we use something that is maybe a little less known. But we did a search term for the last year,
and we did florist shop at cause hey, who thinks that? Okay, I'm doing some security testing. I'm a major florist railing. Somebody's gonna hack me. Well, apparently there was in June, some relevant news
about a floor shop losing money
and floor shot loses 24,000 attacks on Shopify. And so this could be relevant depending on what type of third party tool
the client is using. Maybe they're using Shopify as a part of the review. And so we now have a reference point for how that third parties particular incident could be detrimental to other florists or to an entity and maybe a similar service type vertical, so search results
can be hit or miss. I would try to focus on search results within the last two years,
but really, if you could get something within the last 12 months, that would be best, because that's going to be more relevant as you get further and further back in the search history. Like, you know, 10 years ago,
the attack methods have changed the tools of change, the protections of change,
so it may not be as relevant. You could potentially apply maybe some of the methodology that an attacker used that was reported
to the scenario. But I wouldn't focuses heavily on the tools because a decade later we should have protections in place or mitigating factors in place through maybe automated tools or something of that nature.
So in summary, we discussed the pee test definition of comparable news,
and we discussed some search results for relevant examples again trying to focus on things within the last 12 months trying to focus on similar verticals. And that way you know, the information is relevant to the party. It's relevant to the client. You know, you don't want to do search for hacks on car dealerships,
and you're dealing with the doctor's office.
You don't want to look for hacks on accounting firms, and you're dealing with a bakery or a manufacturer of canned goods or et cetera. Whatever the case may be, you want to try to keep it vertical specific industry specific, so it hits close to home,
and you can really model the particular threats to that organization. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.