Hello and welcome to another Penetration Testing Execution Standard discussion. Today we're going to be looking at the rules of engagement with respect to post-exploitation. Now, a quick disclaimer: the tools and techniques discussed in PTES videos can be used for system hacking.
Any tools discussed or used during the demonstrations or reviews should be researched and understood by the user.
Please research your laws and regulations regarding the use of such tools and techniques in your given area.
Now let's jump into today's objectives. We're going to do a quick reiteration of rules of engagement, focusing on post-exploitation.
We're going to discuss protecting the client,
and we're going to discuss protecting yourself.
While the scope defines what will be tested, the rules of engagement define how that test is to occur.
So these are two different aspects which need to be handled independently from each other. Your scope of work should not be your rules of engagement. Your rules of engagement should not be your scope of work. They should be two separate, complementary documents that help to guide you through the testing process and ensure that client expectations will be met and that no critical systems will be damaged in the process.
Now, with that, let's go ahead and jump into talking about protecting the client.
So these are some general guidelines for protecting the client, but by no means are they all-encompassing. So do some additional research as well. If you feel that something's missing, add it to the list. So, unless agreed upon, do not modify services which the client deems critical to their infrastructure. That could cause downtime and loss of revenue. All modifications, including configuration changes, must be documented if possible, at the conclusion of testing. We'll talk about that in the cleanup phase. A detailed list of actions taken against compromised systems should be kept. Do not include passwords in final reports, and mask all sensitive data. All data gathered should be destroyed once the client accepts the final report, and no logs should be removed, cleared or modified unless specifically authorized.
And really, this comes back to again making sure that the client's interests are not damaged, that their systems are not damaged, that data sets are not damaged, and that if they have any compliance requirements that they have to adhere to, you don't violate those in the process of doing this review.
Now let's talk about protecting yourself. Well, we did the entire pre-engagement interactions area, where that was really focusing on you, on contract language.
But let's reiterate: all contracts or statements of work must be signed by both parties. That ensures that the parties with the authority to accept those scopes and statements of work have an awareness and have given you permission to do so. Which is not the same as a permission to test memo.
Obtain a copy of the security policies that govern users of the company prior to starting the engagement. Verify the policies cover personal use of equipment, storage of personal data, and ownership of data stored on company equipment. Very important.
Some organizations allow personnel to kind of commingle work and personal life, and sometimes that results in photos being stored on systems, personal records being stored on systems.
And so if the employee is storing that information there, and the employer does not have the right to monitor it or doesn't specifically state so, and you intercept that information or take that information off the system, that could be a violation of that person's privacy.
If the employer owns the equipment, monitors the equipment and indicates that all data on the systems belongs to the employer, then as long as the rules of engagement and permission to test memo cover taking snippets of data and doing things of that nature, then it should be considered open season.
Use full drive encryption for systems and removable media where you're storing evidence and things of that nature, so that if something were to happen or if a system were to be lost, then you could feel comfortable that it is protected.
And then I would check laws concerning the capture and storage of audio and video. It could be considered a violation of local or country wiretap laws, and so we don't want to again get ourselves into any hot water with that type of information capture. So just ensure that you're doing so within the parameters of the law and that you aren't violating any of those in the process.
Now let's step into a quick check on learning. True or false: drive encryption slows down the testing process and should never be used.
Well, if you need additional time to consider the question, please pause the video. So this is definitely false. Drive encryption should always be used, and it does not slow down the testing process. So this is a false statement. You want to always ensure that you're encrypting your drives, encrypting your flash drives, hard drives, whatever the case may be, so that you can protect both your company's reputation and you can protect the client's information and potentially their clients' information, depending on what kind of information you get.
In summary, we had a high-level discussion and reiteration of the rules of engagement. We discussed protecting the client, some things we can do there, like encrypting information and ensuring that we don't destroy logs and things of that nature. And then how we go about protecting ourselves, again reiterating contract language and rules of engagement, and making sure that all of that is thoroughly documented and approved before we make any major changes to systems. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.