hello and welcome to another penetration testing, execution Standard discussion. Today we're going to be looking at goals and primarily focusing on the goals from the testers standpoint.
Now, quick disclaimer pee test videos do cover tools that could be used for system hacking. So any time we discuss tools or demonstrate the use of those tools, they should be understood by the user prior to turning around and testing those tools themselves.
In addition, you would want to research any laws, standards or applicable regulations for you given area prior to using any tools shown during this course.
Now let's go over the goals or the objectives of this and a high level. So we're discussing what goals are today, and we're going to look at primary and secondary goals. From the perspective of the tester, we will talk about how client goals could get woven into this,
but overall, we're just going to touch on what the goals should be for the tester. And then we're going to discuss business analysis at a high level and how that should play into goals and how you should use that information to make a decision on what testing methodology or processor procedure, you will take a CE faras for the client.
Now what our goals. Well, by its definition, a goal is the object of a person's ambition or effort and aim or desired result. So goals should be identified by both parties. You know Tester as well as client for a tester.
Okay, the goal should be about identifying risk that will adversely impacted clients organization. The client may want to be compliant
with a particular standard. They may have a business relationship that will be strengthened by doing the test. They may have a particular product that they're looking to implement, and they need to have their environment tested prior to its implementation. And maybe they want to do some some assessment of
the solution as long as it again is on prim and it's owned
by them, and it's not managed, maintained by 1/3 party.
Then you know, those were things to consider when we're coming up with the goals for the engagement now, primary goals.
Okay, the primary goal of
a test should not be driven by compliance Now. This may differ. If you're the person that's paying for the test, you may your primary goal may be to be compliant,
but there are several justifications for discussing this from the testers perspective. First off, we should never let a client be confused about testing,
equaling, comply, equaling security. So if I'm compliant with the standard,
it doesn't mean that I'm secure.
Let's just, you know, we'll mention a particular organization without mentioning it here, that in the US that had a huge breach of credit card information, they were compliant with PC, Idea says.
But they weren't secure. They had some measures that were not taken, some weaknesses that were discovered. And then, you know, threat actors were able to remove credit card data from the environment because of that. So we should never let a client feel
that by conducting the test and being compliant that they are secure. That would be a false sense of security.
So while many organizations undergo testing because of compliance, it should not be the main goal of the test. So affirm may be hard to complete. A penetration test is part of PC idea, says requirements. But
just because they're doing it to be compliant with PC, Idea says, and that's their goal is to be compliant. Your goal is to the tester is to identify risk, to identify things that could be up concerned that could reduce the security standing of the organization or could put
information at risk. And so those are your primary goals.
They may not always aligned with what the client is wanting to do. But as long as you
performed the test against your goal set and that you're looking to reduce risk and
increase their security posture, then you should be able to align with most all primary goals that a client may have.
Now, secondary goals for us are related to compliance. And so in this case, we can say that, yes, the secondary goal of this test will be to make you compliant. It's not uncommon for primary and secondary goals to be closely related. So
an example Given PC idea says driven tests Getting the credit cards is the secondary goal
right? Compromising the system's identifying risk doing those things definitely his primary that would allow us to then get to credit card information and do things of that nature.
It's a tying. That breach of data to business or mission drivers of the organization is the primary goal
in the case of PC Idea says So being able to say that this will impact the organization, that this will increase your risk standing, that this success is the reason that we need to do X, y and Z as faras Implementing controls is definitely the primary goal. Secondary
also means something for compliance.
Um and i t So these folks are the secondary in this, so they have to do certain things and implement controls to, you know, be compliant. And, you know, the IittIe auditors looking at compliance but really primary goals get the attention of upper management. So the c i o c e o.
We're speaking their language when we talk about risk, and those folks should be risk averse or at least understand what their risk tolerance is and whether or not those testing results align with that level of risk tolerance.
So business analysis eyes definitely important. We want to understand the security standing of the organization. We want to understand their maturity level when we make a decision in respect to helping them to meet their goals and to be more secure and reduced risk. So,
before performing a penetration test. It's beneficial to determine the maturity level of the clients security posture. And there are several organizations which choose to jump, like right into penetration testing
before assessing really the maturity level of the organization.
Or they use a PIN test to assess the maturity level of the organization. And this really isn't the best first step customers with immature security program. It's often best for them to perform what we call a vulnerability analysis first, and so
we can do a review of policy and procedure. We could do a review of technical controls. We can determine with some very just high level scans what the overall posture is. You know, it doesn't make sense that if you have a ship per se and there is a massive leak
in the hole and that will sink the ship at some point, you're not going to pay attention to other problems. That leak is going to be the thing that you want to get rid of because it reduces the risk of the ship's sinking. So
if we are aware that there could be major issues if we're aware that certain ports are open, that shouldn't be if We're aware that policy and procedure is not up to par and that technical controls air, not implement minute and out of minimum, some best practice areas.
Then what is the actual benefit of doing a penetration test?
It could be No, it could be. We could already know that we could get into a system and that we know that they're going to be extremely vulnerable. So it's like shooting fish in a barrel
and that may seem fun. You may go, man. Yeah, finally, a win.
But really, you're not doing any service to the client
by getting into those systems and really, you're doing them a disservice. And so in these cases, we could recommend a vulnerability analysis and do some review of the business, provide them with some meaningful feedback, provide them value
right, and give them an incentive to return. Hey, you know, once you implement these controls, once you get these things tightened up, you really hard in these systems and we feel that we've done some things to mitigate risk.
It may be best to come back and then do a penetration test, cause now we'll have a good you know, tighter security posture and we won't have some of these non best practice things open are available to the world.
Now, take that as it may. You can do this as you choose. You can go straight to penetration. Testing is a business, but really the more bang for the buck and the likelihood of re incurring re occurring business would be higher in my mind if you provide that value to an organization and you helped to be a trusted adviser and guide them toward
this method versus just going straight into a penetration test.
So with that in mind, let's do a quick check on learning true
or false clients with a very immature security program. Never having conducted a penetration test should not do a vulnerability analysis first.
Okay, so they haven't done a pin test
But the program is so immature, there's really nothing there
A SZ faras is risk reduction effort on their part,
so they haven't done a pin test.
Why would you want to do that
before vulnerability analysis?
Well, you wouldn't and you wouldn't you? In this case, let's read it out.
So am I Immature security program
never conducted a PIN test should not do a vulnerability, announces first. In this case,
vulnerability analysis first. We want to do that prior to do it in penetration test. We just got done discussing that. So if you think
that a PIN test should come before vulnerability analysis in a mature organization
again, that's an opinion that you can hold.
But you're going to provide the best value by providing this service to a new organization prior to jumping into doing a full penetration test.
So with that in mind, let's go ahead and wrap this up with are some ring. So today we discussed what goals are. We just looked at a high level definition when what there's mean for a tester versus a climate organization. We looked at the primary goals for a tester being to reduce risk
and really the secondary goals being compliance. We want to get the credit card information,
but that is secondary. The breach itself and the risk that it that it has to the organization, the things that are are apparent as faras. Those
risks are should be addressed first, getting access to credit card data is secondary to that and then with business analysis, we have to remember that we want to look at the state of an organization and understand where it's at so we can provide optimal value with respect to the type of test we conduct.
So with that in mind, I want to thank you for your time today,
and I look forward to seeing you again soon.