Penetration Testing - Part 2

Course
Time: 8 hours 25 minutes
Difficulty: Advanced
CEU/CPE: 9
Video Transcription
>> Now that we're at our second section of penetration testing, we're going to talk about the degree of knowledge that we expect our pen testers to have. That's not always going to be the same; it really depends on what our goals are and what type of exploit we're testing for. We have to have a discussion that's going to tie the goals of the business, the organizational objectives, into the test that we conduct.

The first thing to look at is the degree of knowledge. What information are we giving to our pen testers? Well, what type of attack are we simulating? If we were to simulate somebody from outside the organization that has no direct or specific knowledge of our company, then we would have a pen tester start with zero knowledge. That basically means we're not giving them any insider knowledge, and their job is to go out to the Internet and other publicly available sources and see what they can find out, and how they can take that information and ultimately work towards using it to breach our network.

There are a lot of publicly available sources out there. Just looking at job boards will tell you, okay, they're looking for a Juniper administrator. Well, that tells me some information about the firewall systems or routers or whatever they're using in the company. I can also look at things like the WHOIS database, which is registered to the domain name and will provide information on the entity that registered that domain name. When you look at web pages, sometimes you can find who the executives are within that organization. You can find things like store numbers, and you may be able to find certain types of jargon, maybe on the website, so that you could pass yourself off as knowledgeable, maybe as a co-employee who's knowledgeable, so that I could use a social engineering attack. That's the way the zero-knowledge tests work. Sometimes the zero-knowledge test is also called the blind test. The assessors just have publicly available information.

Now, sometimes we want to see what a regular user could do. How much damage can my employees do? They have some information about the network, but they certainly don't have administrative passwords or that high-level sensitive information, so we would give our pen testers a degree of partial knowledge. We would emulate what a basic user could find out. Then sometimes we conduct a full knowledge test, where we turn over all the information about our network to the pen testers, including administrative passwords. In that case, we want to find out what our administrators could do, what damage. We're testing to see whether we have the checks and balances in place so that we can withstand an attack from external users or internal users.

Now, I mentioned the blind test was the same thing as a zero-knowledge test. There's also a double-blind test, where the assessors don't know anything, any information about our company, and our internal defense team doesn't know that they're going to be under attack, that a compromise is being attempted. That'll give you a good idea of how quickly our incident response team can respond, and how effectively. But again, we may find our internal staff taking steps like notifying authorities. We want to make sure that we have protections in place.

Now, we also may have a targeted test. Before I bring a system onto the network, we may conduct a test on that system or on an application. When you talk about certifying applications or systems, you're conducting a pen test to make sure they meet the technical requirements of the product.

In this section, we looked at the various degrees of knowledge, and that's tied into how much information we allow our pen testers to have. We can use a zero-knowledge test to emulate what an attacker from the Internet could do. We can have partial knowledge tests; those will emulate what an internal user would be able to do. Then full knowledge would mimic an administrator's knowledge, so that we can make sure we have the right checks and balances in place.