Penetration Testing: Part 2

Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
Now that we're at our second section of penetration testing, we're going to talk about the degree of knowledge that we expect our pen testers to have. That's not always going to be the same; it really depends on what our goals are and what type of exploit we're testing for. We have to have a discussion that's going to tie the goals of the business, the organizational objectives, into the test that we conduct.

The first thing to look at is degree of knowledge. What information are we giving to our pen testers? Well, what type of attack are we simulating? If we were to simulate somebody from outside the organization that has no direct or specific knowledge of our company, then we would have our pen testers start with zero knowledge, which basically means we're not giving them any insider knowledge, and their job is to go out to the Internet and other publicly available sources, and see what they can find out, and how they can take that information and ultimately work towards using that to breach their network.

There are a lot of publicly available sources out there. Just looking at job boards will tell you, oh, they're looking for a Juniper administrator. Well, that tells me some information about the firewall systems or routers or whatever that they're using in the company. I can also look for things like the WHOIS database, which will take a registered domain name and will provide information on the entity that registered that domain name. When you look at web pages sometimes, you can find who the executives are within that organization, you can find things like store numbers, and you may be able to find certain types of jargon, maybe on the website, so that you could pass yourself off as knowledgeable, maybe a co-employee who's knowledgeable, so that I could use a social engineering attack. That's the way the zero knowledge tests work. Sometimes, the zero knowledge test is also called the blind test. The assessors just have publicly available information.

Now, sometimes, we want to see what a regular user could do: how much damage can my employees do? They have some information about the network, but they certainly don't have administrative passwords or that high-level sensitive information, so we would give our pen testers a degree of partial knowledge and we would emulate what a basic user could find out.

Then sometimes, we conduct a full knowledge test where we turn over all the information about our network to the pen testers, including administrative passwords. In that case, we want to find out what damage our administrators could do. We're testing to see, do we have the checks and balances in place so that we can withstand an attack from external users or internal users.

Now, I mentioned that a blind test is the same thing as a zero knowledge test. There's also a double-blind test, where the assessors don't know any information about our company and our internal defense team doesn't know that they're going to be under attack, that a compromise is being attempted. That'll give you a good idea of how quickly our incident response team can respond, and how effectively. But again, we may find our internal staff taking steps like notifying authorities, so we want to make sure that we have protections in place.

Now, we also may have targeted tests. Before I bring a system onto the network, we may conduct a test on it, or on an application. When you talk about certifying applications or systems, you're conducting a pen test to make sure they meet the technical requirements of the product.

In this section, we look at the various degrees of knowledge, and that's tied into how much information we allow our pen testers to have. We can use zero knowledge tests to emulate what an attacker from the Internet could do. We can have partial knowledge tests that will emulate what an internal user would be able to do. Then full knowledge would mimic an administrator's knowledge so that we can make sure we have the right checks and balances in place.