Penetration Testing - Part 1

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or
Sign up with Google
Sign up with Apple
Sign up with Microsoft
View all SSO options

Already have an account? Sign In »

CRISC
Course
Difficulty
Intermediate
Video Transcription
00:00
>> Now, after looking at
00:00
the passive act of conducting vulnerability assessments,
00:00
now we're going to escalate and
00:00
attempt to exploit those vulnerabilities.
00:00
That's exactly what's happening in pen testing.
00:00
The whole purpose is to find out can
00:00
these vulnerabilities truly be exploited?
00:00
Or is it something that just
00:00
appeared to be vulnerability that really wasn't?
00:00
Or are there safeguards in place
00:00
that would protect that vulnerability
00:00
from being exploited?
00:00
One of the most important things before we start
00:00
our pen test is to make
00:00
sure that we have permission to conduct a pen test,
00:00
and that permission is going to come
00:00
to us through a rules of
00:00
engagement documents signed off by senior management.
00:00
Then we're going to move into looking at
00:00
the steps of penetration testing.
00:00
Our purpose, like we said, it's to find out,
00:00
can the vulnerabilities that we found
00:00
through vulnerability assessment be exploited?
00:00
Because that's not always the case,
00:00
sometimes they're fault positives,
00:00
sometimes they are compensatory controls
00:00
that we didn't really know were there.
00:00
If you want the best assessment of whether or
00:00
not your network can be breached,
00:00
a pen test is really going
00:00
to give you the best assessment.
00:00
We can document, we can analyze,
00:00
but if you want to know if it's really possible,
00:00
the best thing you can do is test.
00:00
Now when we do decide to conduct a pen test,
00:00
that's not you and I
00:00
deciding we need to conduct a pen test.
00:00
This usually comes from senior management,
00:00
and honestly it's usually tied to
00:00
laws and regulations and industry standards.
00:00
When we are selected to be part of
00:00
the pen test team or to be
00:00
the project manager of the pen test team,
00:00
whatever our role is chosen,
00:00
the first thing we do is we meet with
00:00
senior leadership and figure out what our goals are,
00:00
what the scope of the assessment is?
00:00
What are we trying to accomplish?
00:00
Are we trying to test against industry standards,
00:00
or laws, regulations, whatever goals are.
00:00
Then also we need in
00:00
writing what the scope of the assessment is.
00:00
From then, we get
00:00
a document called the rules of engagement.
00:00
That is exactly what it sounds like it would be.
00:00
It is a document saying,
00:00
these are the systems I can test,
00:00
these are the tools I can test,
00:00
these are the systems and the times that are off limits.
00:00
Now of course, we don't want our rules of engagement to
00:00
be too clogged down.
00:00
We don't want to say, "Well,
00:00
you can only test for this 20 minute period,
00:00
and you can't use any technical tools,"
00:00
because then you're not going to get
00:00
a very accurate assessment.
00:00
But we also have to make sure that we understand that
00:00
a pen test can be
00:00
destructive to a network environment
00:00
or to an individual system.
00:00
I don't want somebody pen testing
00:00
the anesthesia server when I'm going under for surgery.
00:00
The rules of engagement gives senior management
00:00
the opportunity to clearly spell out,
00:00
this is what's allowed and this is what's not allowed,
00:00
and we get to sign off on that document.
00:00
Because penetration testing is ethical hacking,
00:00
but it's only ethical if you have written permission.
00:00
Be very careful there.
00:00
That's considered to be our get out of jail free card.
00:00
When I say from senior management,
00:00
ideally, we're talking
00:00
about senior executive management,
00:00
Chief Information Officer, Chief
00:00
Security Officer, Chief Technology Officer.
00:00
With the rules of engagement,
00:00
as I mentioned before,
00:00
we're going to list hosts,
00:00
usually by IP address or server names.
00:00
What addresses are to be tested and
00:00
specifically stressing any restricted hosts.
00:00
What testing techniques are acceptable.
00:00
Now again, with an attacker,
00:00
they have ranged to
00:00
whatever type of tool kit that they want to use.
00:00
But as pen testers,
00:00
we have to make sure our top goal is going to
00:00
be to not disrupt business operations.
00:00
Some tests will be
00:00
disrupted so we may have to do those off hours,
00:00
or we may have to find other avenues.
00:00
Also, we want things documented,
00:00
like points of contact.
00:00
We want to make sure that law enforcement
00:00
isn't called in the event
00:00
of this pen test being detected.
00:00
A lot of planning goes into a pen test to
00:00
make sure we have minimum business interruption.
00:00
Once we've collected our information from
00:00
the vulnerability assessment and we're now
00:00
ready to move to the pen test,
00:00
there are certain steps.
00:00
As a matter of fact, actually, what's listed here,
00:00
the first three steps are
00:00
really more vulnerability assessment,
00:00
and we don't get to the pen test really until step 4.
00:00
Like we said before, discovery, enumeration,
00:00
vulnerability mapping, all that's collecting information.
00:00
Now at step 4,
00:00
we try to exploit those weaknesses that we found,
00:00
and then we collect information,
00:00
we report to senior management.
00:00
We do not correct problems that we found as pen testers,
00:00
we go straight to management with the report.
00:00
If there were anything especially
00:00
critical or significant,
00:00
we should have a documented procedure
00:00
of what we do in the event that we find something.
00:00
Do we stop testing immediately,
00:00
report to management,
00:00
how is that handled?
00:00
Usually an attacker is going to follow these steps.
00:00
They start footprinting the network,
00:00
then once they find the system,
00:00
they scan for port,
00:00
try to map those vulnerabilities,
00:00
map services to port numbers,
00:00
and then at that point I
00:00
have enough information to exploit.
00:00
In this section,
00:00
we talked about pen testing as being a more active set of
00:00
steps so that we can attempt to exploit vulnerabilities.
00:00
Really until you test,
00:00
you're not going to truly know
00:00
the degree of protection that you have in place,
00:00
and whether or not it will be successful.
00:00
We also looked that the steps in
00:00
the pen testing process we're really small,
00:00
they were merged together with
00:00
vulnerability assessment because usually
00:00
that's how it works.
00:00
We collect our vulnerabilities,
00:00
then we look to exploit them.
Up Next
Penetration Testing - Part 2
Monitoring
Configuration and Change Management
Third-Party Governance
Cloud Integration
View All
Instructed By
Kelly Handerhan

Kelly Handerhan

Senior Instructor
Similar Content
Linux Hardening
Course
Linux Hardening
Are you a Linux systems administrator seeking to learn the best practices for securing your ...
12CEUs
ISACA Certified in Risk and Information Systems Control (CRISC)
Practice Test
ISACA Certified in Risk and Information Systems Control (CRISC)
Demonstrate your expertise in identifying and managing IT risk within an enterprise and in implementing ...
IoT Product Security
Course
IoT Product Security
4.67
As with the regular Internet, the Internet of Things (IoT) is increasingly targeted in malicious ...
8CEUs