Overview of Control 20

00:00

everyone Welcome back to the core. So in the last module we wrapped up our discussion on incident response and management. And in the last video, we took a look at the incident response allowed

00:10

in this video. We're to talk through control number 20 which is about penetration test and red team exercises. So why even perform a pen test or perform Red team exercises? Well, number one. We can run vulnerability scanners all day long and then tell us a lot of different stuff about our network in our systems. However,

00:28

the question is, Are these actually exploitable by someone? So are these difficult to exploit? Are these easy? Are these actual risk to our organization? Because, really, all the vulnerability Skinner is doing is identifying hey, these air potential issues. We need to be able to verify that. Yes, these are issues that can be exploited,

00:47

and they will call. They will

00:49

affect your organization with X amount of dollars loss or they'll affected this way.

00:54

So that's the whole goal behind having the pen test and red team exercises.

01:00

So some controlled 20.1 is all about just establishing a penetration test program. Now, usually this is gonna be Groups two and 31 thing to keep in mind here is that even group to that has, like, dedicated I t assets. They may outsource pen testing

01:17

more frequently than Group three. For example, Group Three

01:21

might actually have their own pen testers on staff. They still may perform some kind of annual external pen tests, but a lot of time still have pen testers on staff. And, of course, Group one. It's really

01:34

you really don't need to pay the amount for a pen test, as is very small business owner. It's not practical for you, so really what you should be doing. If you've got actual systems, you're worried about it, not stuff up in the cloud.

01:45

Just run vulnerability scans, identify things that you deem is a risk and then move forward from there. But groups two or three or we're gonna be the primary ones using pen testers,

01:56

sub control 20.2.

01:59

That's why this where we want to conduct a regular external and internal pen test. So again, just going back to we find those vulnerabilities. But we want to actually make sure that these are things that could be exploited and that are a legitimate risk to our particular organization.

02:15

So control 23 kind of go back to a similar thing here, but performing periodic red team exercises pen test is for that limited period time, right? Usually

02:24

most of them, maybe a couple of weeks. Some are shorter than that some longer, but that's kind of that generalized thing there. And then the red team exercise air. Actually trying to test the blue team's defense is right without the bleed blue team known about it.

02:40

Some controlled 24 include tests for the presence of any unprotected system, information and artifacts. So again, going back to identifying anything on there that might be valuable to Attackers, right? So many things like network diagrams. Maybe your config files or configuration files,

02:59

even like old pen testing reports. If you've got, like old old reports in the past than my show, like from some vulnerabilities, this could be exploited and used against you documents or ah, like emails that maybe you have some passwords in them. Maybe like the pen testers emailed you

03:15

from a previous pen test that some of the passwords they found or something so any of that type of information. That's what we're talking about here.

03:24

Some control 25 created testbed for elements that are not typically tested in production. Eso, for example. Like, if you're working with I c. S skate, uh, you'll want to make sure that you're using, like, a test network to show. Hey,

03:38

this is what could happen. And just so the organization understands the risk in place that will, you're not breaking anything in production, cause a lot of times, if you're running traditional scanning tools like, for example, and map

03:52

in the critical infrastructure space, you may actually turn off or crash various systems. So just keep that in mind that in that type of space you're not normally gonna be using, you're not gonna normally be doing a traditional type of pen test job. This leave it like that.

04:09

So control 26 years vulnerability, scanning and pen testing

04:13

in concert, right, so combined. So, as I mentioned you scan you find vulnerabilities and then use the pen testing show you like, Yes, this could actually happen.

04:25

Make sure that the results from the pen tests are documented using open machine readable standards. So basically just make sure that it could be readable. And it's in a report format that can be sent to various executives presented to the board or even presented to technical managers. So just make sure that your reporting is accurate

04:42

and it's actually readable by those people that need to read it. So the stakeholders

04:47

and finally some control 20.8 control monitor the accounts that are associated with the pen testing kind of going back to the account control. We want to make sure that if there are accounts created for this pen test that we disable and get rid of those accounts after the pen test is complete,