Penetration Testing: Part 1


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
Now, after looking at the passive act of conducting vulnerability assessments, we're going to escalate and attempt to exploit those vulnerabilities, so that's exactly what's happening in pen testing. The whole purpose is to find out: can these vulnerabilities truly be exploited? Or is it something that just appeared to be a vulnerability that really wasn't? Or are there safeguards in place that would protect that vulnerability from being exploited?

One of the most important things before we start our pentest is to make sure that we have permission to conduct a pentest. That permission is going to come to us through a rules of engagement document signed off by senior management. Then we're going to move into looking at the steps of penetration testing.

Our purpose, like we said, is to find out: can the vulnerabilities that we found through vulnerability assessment be exploited? Because that's not always the case. Sometimes they're false positives. Sometimes there are compensatory controls that we didn't really know were there. If you want the best assessment of whether or not your network can be breached, a pentest is really going to give you the best assessment. We can document, we can analyze, but if you want to know if it's really possible, the best thing you can do is test.

Now, when we do decide to conduct a pentest, that's not you and I deciding we need to conduct a pentest. This usually comes from senior management, and honestly it's usually tied to laws and regulations and industry standards. When we are selected to be part of the pentest team or to be the project manager of the pentest team, whatever role we are chosen for, the first thing we do is meet with senior leadership and figure out what our goals are and what the scope of the assessment is. What are we trying to accomplish? Are we trying to test against industry standards, or laws and regulations? Whatever our goals are, we also need in writing what the scope of the assessment is.

From there we get a document called the rules of engagement. That is exactly what it sounds like it would be. It is a document saying: these are the systems I can test, these are the tools I can test with, these are the systems and the times that are off limits. Now, of course, we don't want our rules of engagement to be too closed off. We don't want to say, well, you can only test for this 20-minute period and you can't use any technical tools, because then you're not going to get a very accurate assessment. But we also have to make sure that we understand that a pentest can be destructive to a network environment or to an individual system. I don't want somebody pen testing the anesthesia server when I'm going under for surgery. The rules of engagement give senior management the opportunity to clearly spell out this is what's allowed and what's not allowed, and we get sign-off on that document. Because penetration testing is ethical hacking, but it's only ethical if you have written permission, so be very careful there. That's considered to be our get-out-of-jail-free card. When I say from senior management, usually we're talking about senior executive management: Chief Information Officer, Chief Security Officer, Chief Technology Officer.

With the rules of engagement, as I mentioned before, we're going to list hosts, usually by IP address or server names: what addresses are to be tested, specifically stressing any restricted hosts, and what testing techniques are acceptable. Now again, an attacker has range to use whatever type of toolkit they want to use. But as pen testers, we have to make sure our top goal is going to be to not disrupt business operations, and so some tests will be disruptive. We may have to do those off hours or we may have to find other avenues. Also, we want things documented like points of contact. We want to make sure that law enforcement isn't called in the event of this pentest being detected. A lot of planning goes into a pentest to make sure we have minimum business interruption.

Once we've collected our information from the vulnerability assessment and we're now ready to move to the pentest, there are certain steps, and as a matter of fact, what's listed here, the first three steps are really more vulnerability assessment. We don't get to the pentest really until Step 4. Like we said before, discovery, enumeration, vulnerability mapping, all that's collecting information. Now, at Step 4, we try to exploit those weaknesses that we found, and then we collect information and we report to senior management. We do not correct problems that we found as pen testers. We go straight to management with the report. If there were anything especially critical or significant, we should have a documented procedure of what we do in the event that we find something: do we stop testing and immediately report to management? How is that handled?

Usually an attacker's going to follow these steps. They start footprinting the network. Then once they find the system, they scan for ports, try to map those vulnerabilities, map services to port numbers, and then at that point I have enough information to exploit.

In this section we talked about pen testing as being a more active set of steps so that we can attempt to exploit vulnerabilities. Really, until you test, you're not going to truly know the degree of protection that you have in place and whether or not it will be successful. We also looked at the steps in the pen testing process, but we really saw they were merged together with vulnerability assessment, because usually that's how it works. We collect the vulnerabilities, then we look to exploit them.
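The rules of engagement items the lesson lists (in-scope hosts by IP address, restricted hosts, acceptable techniques, off-hours windows for disruptive tests, points of contact, and management sign-off) encoded as a scope check that runs before any tool is pointed at a target. This is an added worked example, not code from the course; the sample scope (the 192.0.2.0/24 documentation range), the restricted host, the technique names, the 22:00 to 05:00 window and the contacts are all constructed values, not from any real engagement.

```python
"""Rules-of-engagement scope check (illustrative example, not course material).

Every proposed test action is checked against the signed RoE before it runs:
unsigned RoE, restricted host, out-of-scope address, unapproved technique, or a
disruptive technique outside the approved off-hours window all refuse the test.
"""
from dataclasses import dataclass, replace
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass
class RulesOfEngagement:
    in_scope: list              # CIDR blocks senior management signed off on
    restricted_hosts: set       # hosts that must never be touched (e.g. medical)
    allowed_techniques: set     # techniques permitted at any time
    disruptive_techniques: set  # techniques permitted only in disruptive_window
    disruptive_window: tuple    # (start, end) local times for disruptive tests
    contacts: dict              # role -> point of contact if something goes wrong
    signed_off: bool = False    # no written sign-off, no testing


def in_window(when: datetime, window) -> bool:
    """True if the clock time of `when` falls inside (start, end), midnight-aware."""
    start, end = window
    t = when.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end  # window such as 22:00-05:00 crosses midnight


def check_test(roe: RulesOfEngagement, target: str, technique: str, when: datetime):
    """Return (allowed, reason) for one proposed (target, technique, time)."""
    if not roe.signed_off:
        return False, "rules of engagement not signed off"
    addr = ip_address(target)
    # Restricted hosts are refused even when they sit inside an in-scope block.
    if target in roe.restricted_hosts:
        return False, f"{target} is a restricted host"
    if not any(addr in ip_network(net) for net in roe.in_scope):
        return False, f"{target} is outside the signed scope"
    if technique in roe.allowed_techniques:
        return True, "allowed"
    if technique in roe.disruptive_techniques:
        if in_window(when, roe.disruptive_window):
            return True, "disruptive test inside approved window"
        return False, f"{technique} only allowed in the off-hours window"
    return False, f"{technique} is not an approved technique"


def plan_tests(roe: RulesOfEngagement, proposed):
    """Split (target, technique, when) tuples into lists of runnable and skipped."""
    run, skipped = [], []
    for target, technique, when in proposed:
        ok, reason = check_test(roe, target, technique, when)
        (run if ok else skipped).append((target, technique, reason))
    return run, skipped


# Constructed sample RoE (hypothetical values, documentation address range).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=["192.0.2.0/24"],
    restricted_hosts={"192.0.2.10"},
    allowed_techniques={"port_scan", "service_enum", "vuln_scan"},
    disruptive_techniques={"exploit", "dos_test"},
    disruptive_window=(time(22, 0), time(5, 0)),
    contacts={"client_poc": "soc-lead@example.com", "tester_lead": "+1-555-0100"},
    signed_off=True,
)
UNSIGNED_ROE = replace(SAMPLE_ROE, signed_off=False)


if __name__ == "__main__":
    proposed = [
        ("192.0.2.20", "port_scan", datetime(2024, 1, 15, 14, 0)),
        ("192.0.2.10", "port_scan", datetime(2024, 1, 15, 14, 0)),
        ("198.51.100.5", "vuln_scan", datetime(2024, 1, 15, 14, 0)),
        ("192.0.2.20", "exploit", datetime(2024, 1, 15, 14, 0)),
        ("192.0.2.20", "exploit", datetime(2024, 1, 15, 23, 30)),
    ]
    run, skipped = plan_tests(SAMPLE_ROE, proposed)
    for entry in run:
        print("RUN ", entry)
    for entry in skipped:
        print("SKIP", entry, "-> contact", SAMPLE_ROE.contacts["client_poc"])
```

The checks run in the order a tester would want them refused: a missing signature stops everything, a restricted host is refused before the scope lookup so an "in-scope" block cannot accidentally whitelist it, and disruptive techniques are only released inside the agreed window. Anything skipped carries its reason so it can go into the report alongside the point of contact.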