Time
13 hours 9 minutes
Difficulty
Intermediate
CEU/CPE
13

Video Transcription

00:00
Oh, right, everybody, welcome to another penetration. Testing, execution Standard discussion today where you're in part two of Introduction to Scope
00:10
Now to pick up where we left off. We're going to finish by going through. How do we approach scoping with internal customers versus external customers and doing a review of a scoping case study? So with that, let's go ahead and pick up where we left off.
00:24
You are, You know, one of the lucky members of a security team who gets to do penetration testing.
00:32
You are likely to be aware of business processes. You are likely to be aware of system functions likely to be aware of management temperament for downtime and testing, and likely to be aware of various goals and objectives of different departments.
00:45
So that is kind of the prose of being attached to an internal team that does testing for one entity.
00:54
But you're likely to be more relaxed in scoping. You're likely to be biased in some cases, and you're likely not to properly document approvals. I can't tell you how many times I've run into instances where someone will send me a request and say, Hey, police can system X Y Z and see if there's anything we should be concerned off.
01:15
Okay, that's very open ended. And that system may not be the responsibility of my direct manager. They may not have the ability to speak on behalf of the business owner to do the testing, so we should approach
01:30
internal scoping and testing the same way that we approach external scoping and testing. We have rules of engagement. We have well defined scopes for in scope and out of scope items, and we communicate with the client in this case, the asset owner
01:49
when we're conducting testing and what it is that we're doing and get approval
01:55
to do that testing through written signature on a scope on project plan. If we don't do those things and something were to happen to a system that your manager does not have you no authority to test
02:08
or you do so on the behest of a sea level as a manager, and that sea level does not have direct
02:15
ownership of that system
02:17
and something happens, it rolls down the hill, as they say, and so you could be facing criminal charges. Termination at you know a za possibility. Administrative reprimands that could, you know, negatively impact your career with an organization your reputation. So
02:36
take internal customer scoping considerations. Justus, seriously, as you would external considerations as well.
02:43
Now the external customer scoping considerations are kind of the opposite of the internal. So you're not aware initially of why the testing needs to be done. Maybe nowhere. Business process is not aware of internal politics, and you may take the customers word on. Something is being in scope without seeking validation.
03:01
And that comes back to the example of a customer giving you our client giving you four I p addresses,
03:07
one of which they don't own or they can't test. Or maybe all four of them are for external systems. And, you know, they didn't give you the I. P address of a physical location that they own.
03:19
So with external customers, you need to be aware of what they're trying to achieve. You need to understand whether or not a party has authority to conduct testing on a system that they may not be the administrator. Our owner up.
03:36
My doing meets things. You can really cover yourself and protect yourself. If issues were to come up later, and it ensures that your scope is very thorough.
03:45
So let's touch on some case studies real quick and kind of wrap all of this up into a nice package as to why we want to focus so intense land scoping.
03:53
So we have a tester that conducted a port scan of a county system, which revealed significant vulnerabilities. His employer had engaged the counting in question, but out of embarrassment, the county reported the tester who was arrested.
04:06
And so this is a case where an entity was trying to merge with a larger entity
04:14
and upon conducting port scans and vulnerability scanning tests on the system, they want to merge
04:19
with the larger entity on
04:23
They were they were shocked. They were embarrassed and they called the state agency, and this tester was in fact arrested and charged with computer crimes because the system in question was providing a kind of a critical service. Any
04:39
interruption of that service, even if it was that it was slowed down by a fraction of the speed for a few seconds,
04:46
is considered a crime.
04:48
So, you know, not knowing what the scope looked like and not understanding what the contracts looked like one could hope that, you know, by thoroughly documenting the scope of service, that the system was in scope, that the testing was authorized
05:05
having very specific signatures of the individuals that manage
05:10
and have ownership of that system. Hopefully that protected this particular tester in that case, and hopefully they have that documentation present.
05:18
Now
05:19
the coal fire Iowa case is still a hot button topic, and it will likely shape the way we look at physical testing and scoping in the future. On this is still, you know, in the works, and I'm not going to speak too heavily on that. I don't want to be biased by any means. And,
05:39
of course, hindsight is 2027. We look it,
05:41
how something was conducted and what they said versus what someone else is saying. We could easily make an interpretation of that. So I always remember that, you know, hindsight is 2020.
05:53
So the contract interpretation has led to a lengthy and continued discussion on whether the testers had the ability to conduct physical testing in the manner in which it was conducted. And so there is some, he said. She said involved in this where a local agency that did not give
06:12
specific permission for the test
06:14
indicated that, you know, testing was conducted in a manner where tools and techniques were used that were out of scope.
06:20
But the larger agency that authorized the test, you know, kind of indicated that it was aware that the testing would be conducted. There were some questions on time limitations time ranges, tool used by passion of certain systems.
06:36
I don't want to get deeply into this because, you know, I don't want Thio really have an opinion on this other than it is a great case study
06:46
for why,
06:47
UM, involvement of the appropriate system owners appropriate representatives for a particular location or entity is present when these discussions air hand
07:00
and that all parties
07:02
who could make your life difficult are communicated with and aware that testing will take place. I can assure you that communicating with an official such as let's say, a chief of police about testing
07:18
one could make them
07:21
happy that you came to them and made them aware that the testing was going to take place, that you involved them in the discussion,
07:29
and that if something does come up there now aware and will not be may be as angry if something were to happen, especially if, you know, testing's conducted on a premise that a party is responsible for, and they're completely in the dark about that. One can imagine, especially in a political spectrum,
07:46
that individuals would be offended or hurt by this. Now
07:50
take into consideration that these case stays air based on US instances. S O. You know, you would definitely want to look for studies for your given country. You're given areas
08:03
and you know, laws and regulations differ from area to area. And none of this is by any means, legal advice. It's just a good example as to why we would want to be extremely thorough.
08:13
All right, So in summary today, we looked at how we approach scoping with internal versus external customers, and we did a review of some scoping case studies. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Up Next

Penetration Testing Execution Standard (PTES)

In this course we will lay out the Penetration Testing Execution Standard (PTES) in all its phases and their application for business leaders and Security Professionals alike.

Instructed By

Instructor Profile Image
Robert Smith
Director of Security Services at Corsica
Instructor