Penetration Testing - Part 1


Course time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
00:00
>> Now, after looking at the passive act of conducting vulnerability assessments, we're going to escalate and attempt to exploit those vulnerabilities. That's exactly what's happening in pen testing. The whole purpose is to find out: can these vulnerabilities truly be exploited? Or is it something that just appeared to be a vulnerability that really wasn't? Or are there safeguards in place that would protect that vulnerability from being exploited?

One of the most important things before we start our pen test is to make sure that we have permission to conduct a pen test, and that permission is going to come to us through a rules of engagement document signed off by senior management. Then we're going to move into looking at the steps of penetration testing.

Our purpose, like we said, is to find out: can the vulnerabilities that we found through vulnerability assessment be exploited? Because that's not always the case. Sometimes they're false positives; sometimes there are compensatory controls that we didn't really know were there. If you want the best assessment of whether or not your network can be breached, a pen test is really going to give you the best assessment. We can document, we can analyze, but if you want to know if it's really possible, the best thing you can do is test.

Now, when we do decide to conduct a pen test, that's not you and I deciding we need to conduct a pen test. This usually comes from senior management, and honestly it's usually tied to laws and regulations and industry standards. When we are selected to be part of the pen test team, or to be the project manager of the pen test team, whatever our role is, the first thing we do is meet with senior leadership and figure out what our goals are and what the scope of the assessment is. What are we trying to accomplish? Are we trying to test against industry standards, or laws, regulations, whatever the goals are? Then we also need in writing what the scope of the assessment is.

From there, we get a document called the rules of engagement. That is exactly what it sounds like it would be. It is a document saying: these are the systems I can test, these are the tools I can test with, these are the systems and the times that are off limits. Now of course, we don't want our rules of engagement to be too bogged down. We don't want to say, "Well, you can only test for this 20-minute period, and you can't use any technical tools," because then you're not going to get a very accurate assessment. But we also have to make sure that we understand that a pen test can be destructive to a network environment or to an individual system. I don't want somebody pen testing the anesthesia server when I'm going under for surgery.

The rules of engagement give senior management the opportunity to clearly spell out this is what's allowed and this is what's not allowed, and we get to sign off on that document. Because penetration testing is ethical hacking, but it's only ethical if you have written permission. Be very careful there. That's considered to be our get-out-of-jail-free card. When I say from senior management, ideally we're talking about senior executive management: Chief Information Officer, Chief Security Officer, Chief Technology Officer.

With the rules of engagement, as I mentioned before, we're going to list hosts, usually by IP address or server names: what addresses are to be tested, specifically stressing any restricted hosts, and what testing techniques are acceptable. Now again, an attacker has range to use whatever type of toolkit they want to use. But as pen testers, we have to make sure our top goal is going to be to not disrupt business operations. Some tests will be disruptive, so we may have to do those off hours, or we may have to find other avenues. Also, we want things documented, like points of contact. We want to make sure that law enforcement isn't called in the event of this pen test being detected. A lot of planning goes into a pen test to make sure we have minimum business interruption.

Once we've collected our information from the vulnerability assessment and we're now ready to move to the pen test, there are certain steps. As a matter of fact, what's listed here, the first three steps, are really more vulnerability assessment, and we don't get to the pen test really until step 4. Like we said before, discovery, enumeration, vulnerability mapping, all that's collecting information. Now at step 4, we try to exploit those weaknesses that we found, and then we collect information and we report to senior management. We do not correct problems that we found as pen testers; we go straight to management with the report. If there were anything especially critical or significant, we should have a documented procedure of what we do in the event that we find something. Do we stop testing immediately, report to management, how is that handled?

Usually an attacker is going to follow these steps. They start footprinting the network, then once they find the system, they scan for ports, try to map those vulnerabilities, map services to port numbers, and then at that point I have enough information to exploit.

In this section, we talked about pen testing as being a more active set of steps so that we can attempt to exploit vulnerabilities. Really, until you test, you're not going to truly know the degree of protection that you have in place, and whether or not it will be successful. We also looked at the steps in the pen testing process; they were really small, and they were merged together with vulnerability assessment because usually that's how it works. We collect our vulnerabilities, then we look to exploit them.