Time
12 hours 41 minutes
Difficulty
Advanced
CEU/CPE
13

Video Description

In this module we take a deeper dive into penetration testing. We begin by pointing out that since vulnerability assessments and pen testing can be disruptive, certain precautions and administrative steps must be undertaken prior to testing. This requires alerting senior management and getting their sign off. In addition, it is vital that policies and procedures set forth by the organization be understood and followed and that well-defined goals for the testing be identified and tracked. We underscore the scope of the tester's responsibilities during testing. A tester's mandate is to determine if a system can withstand an attack. The tester tests and documents. Testers are not responsible for resolving any vulnerability issues they discover! This falls under the important security principle of the separation of duties. A successful pen tester must not only be knowledgeable about technology, but must also be creative. The tester must think like an attacker. This is a case where it's OK to break the rules! Crafty tactics such as social engineering and sniffing out the path of least resistance are key to being an effective pen tester. We offer a final word of advice to aspiring pen testers: don't overlook small weaknesses as these can often lead to big failures!

Video Transcription

00:04
Okay, So before we start pin testing Ah, we have to think about some things. You have to take some things into consideration. And probably one of the biggest things to consider is that penetration, testing and and vulnerability assessments to can be disruptive to critical systems on the network
00:22
and perhaps even the network itself.
00:25
So this isn't something we enter and lightly. This is not something that we take upon ourselves to do. Like we said, this is really hacking a system or a network, and you would be well with advised to make sure that at the very minimum, senior management is aware of this and usually
00:42
it. It comes as part of the organization's policy in practice.
00:46
But when we talk about penetration testing, the first thing we do want to do is meet with senior management and find out the goals. Why are we doing this? What's the purpose of this assessment? Because how we would pin test for certification and accreditation
01:02
might be very different than how we would do it is just a part of due care and diligence.
01:07
So the first step we meet with senior management, figure out the goal. The second step is we want a well documented rules of engagement. And in the rules of engagement, what we're going to specify is
01:19
I p address ranges were names of the systems to be tested, hours of testing hours that testing is excluded, what type of tools we can use in all of those details that limit what we can cannot do. As for the pin test
01:38
now, for those of you that have done pin testing, you've probably worked off of a statement of work cacao, and that's fine on this exam, you will always have a rules of engagement document.
01:49
And really, a statement of work should be much broader than all the detail that's necessary is part of the rules of engagement. So I would encourage you get templates out on the Web for these, But I would encourage youto add that to your list of documents so that you have a very well defined set of expectations.
02:08
And then the third pieces we want sign off from senior management,
02:13
right. This is kind of your get out of jail free card. So senior management acknowledges and gives permission to the pen test, and with that, they're the ones that wind of accepting all the risks associated with penetration test.
02:29
Now what we're looking to do is to determine if the system is able to rebuff an attack. Can it withstand an attack?
02:36
Um,
02:38
and the tester needs to remember that his job is to test and document not to correct, not to fix. So the tester tests and provides a report to senior management senior management than identifies the issues that they want to move forward with.
02:57
And a different entity is responsible for implementation
03:00
after going through the change control process. Remember, we've talked a lot about separation of duties and having the tester fixed problems that doesn't sit right out duties.
03:12
All right, so this is just the list of things you're gonna find on your rules of engagement. Like I said, I P addresses testing techniques when ah, points of contact. And you know who has to be contact making. You know, if we're gonna pin test a certain system, we may need to let law enforcement know,
03:30
but But it didn't break. Whatever the requirements are, they should be well documented
03:36
in the rules of engagement.
03:38
Now, earlier, I've talked about penetration testing and vulnerability assessments. Physical, administrative and technical. So so many times, we has I t people focusing on technical.
03:52
But like we've said, you know, if I if attacker can, can conduct a successful social engineering attack
03:59
and they could walk out of the server room with our server under their arm.
04:03
Ah, lot of the elements that we put into place don't really matter. So do we have good policies that being followed? Do we have good physical security? And then, yes, can. Our systems are network withstand technical attacks from an intruder.
04:20
All right, make sure when tested, you know, your job is to think like an attacker. So what we have to do is you know, we we can't follow the rules. We have to break the rules and water some things that that we can gain knowledge wise. Um, if we skip this policy, do we gain access?
04:40
You know, break the rules.
04:42
Also don't rely on a single method of attack and start with the path of least resistance users. Start your attacks with the users.
04:53
It only takes one to give out more information than they should to click on the Lincoln email toe let you into a secured facility. So start with your users and build from there.
05:05
Um, you know this bullet point? Don't rely exclusively on high tech tools. Exactly what I was talking about. The social engineering. Your goal, though, is never did damage. Right now, that doesn't mean that sometimes as a result of pen testing, something does. You know something, make it damage. But our gulf
05:25
never too damaged systems
05:27
or, of course, data
05:29
don't overlook. Small weakness is for the big ones. Often it just takes a tiny toehold for an attacker to be successful. And then, uh, you know, once you've been pen testing for a while, you'll have a bag of tricks. You'll have a tool kit of the tools that you found to be most successful
05:46
in map, which I had mentioned earlier is a very good network scanning tool that's free, and we like free.
05:53
Ah jacks for network service is running scans, ports. And also when we talk about banner grabbing a lot of times, when a service opens, it displays a banner that may give information that perhaps it shouldn't

Up Next

ISC2 CISSP

Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor