Okay, So before we start pin testing Ah, we have to think about some things. You have to take some things into consideration. And probably one of the biggest things to consider is that penetration, testing and and vulnerability assessments to can be disruptive to critical systems on the network
and perhaps even the network itself.
So this isn't something we enter and lightly. This is not something that we take upon ourselves to do. Like we said, this is really hacking a system or a network, and you would be well with advised to make sure that at the very minimum, senior management is aware of this and usually
it. It comes as part of the organization's policy in practice.
But when we talk about penetration testing, the first thing we do want to do is meet with senior management and find out the goals. Why are we doing this? What's the purpose of this assessment? Because how we would pin test for certification and accreditation
might be very different than how we would do it is just a part of due care and diligence.
So the first step we meet with senior management, figure out the goal. The second step is we want a well documented rules of engagement. And in the rules of engagement, what we're going to specify is
I p address ranges were names of the systems to be tested, hours of testing hours that testing is excluded, what type of tools we can use in all of those details that limit what we can cannot do. As for the pin test
now, for those of you that have done pin testing, you've probably worked off of a statement of work cacao, and that's fine on this exam, you will always have a rules of engagement document.
And really, a statement of work should be much broader than all the detail that's necessary is part of the rules of engagement. So I would encourage you get templates out on the Web for these, But I would encourage youto add that to your list of documents so that you have a very well defined set of expectations.
And then the third pieces we want sign off from senior management,
right. This is kind of your get out of jail free card. So senior management acknowledges and gives permission to the pen test, and with that, they're the ones that wind of accepting all the risks associated with penetration test.
Now what we're looking to do is to determine if the system is able to rebuff an attack. Can it withstand an attack?
and the tester needs to remember that his job is to test and document not to correct, not to fix. So the tester tests and provides a report to senior management senior management than identifies the issues that they want to move forward with.
And a different entity is responsible for implementation
after going through the change control process. Remember, we've talked a lot about separation of duties and having the tester fixed problems that doesn't sit right out duties.
All right, so this is just the list of things you're gonna find on your rules of engagement. Like I said, I P addresses testing techniques when ah, points of contact. And you know who has to be contact making. You know, if we're gonna pin test a certain system, we may need to let law enforcement know,
but But it didn't break. Whatever the requirements are, they should be well documented
in the rules of engagement.
Now, earlier, I've talked about penetration testing and vulnerability assessments. Physical, administrative and technical. So so many times, we has I t people focusing on technical.
But like we've said, you know, if I if attacker can, can conduct a successful social engineering attack
and they could walk out of the server room with our server under their arm.
Ah, lot of the elements that we put into place don't really matter. So do we have good policies that being followed? Do we have good physical security? And then, yes, can. Our systems are network withstand technical attacks from an intruder.
All right, make sure when tested, you know, your job is to think like an attacker. So what we have to do is you know, we we can't follow the rules. We have to break the rules and water some things that that we can gain knowledge wise. Um, if we skip this policy, do we gain access?
You know, break the rules.
Also don't rely on a single method of attack and start with the path of least resistance users. Start your attacks with the users.
It only takes one to give out more information than they should to click on the Lincoln email toe let you into a secured facility. So start with your users and build from there.
Um, you know this bullet point? Don't rely exclusively on high tech tools. Exactly what I was talking about. The social engineering. Your goal, though, is never did damage. Right now, that doesn't mean that sometimes as a result of pen testing, something does. You know something, make it damage. But our gulf
never too damaged systems
don't overlook. Small weakness is for the big ones. Often it just takes a tiny toehold for an attacker to be successful. And then, uh, you know, once you've been pen testing for a while, you'll have a bag of tricks. You'll have a tool kit of the tools that you found to be most successful
in map, which I had mentioned earlier is a very good network scanning tool that's free, and we like free.
Ah jacks for network service is running scans, ports. And also when we talk about banner grabbing a lot of times, when a service opens, it displays a banner that may give information that perhaps it shouldn't