Scoping Meeting Part 1

00:01

Hello and welcome to another penetration testing execution Standard discussion.

00:07

Today we're going to be looking at the section pertaining to the scoping meaning in the pre engagement interactions section. So before we get started, let's do a quick disclaimer.

00:19

So the pee test videos do cover tools that could be used for system hacking. Any tools discussed or used during the demonstration should be researched or understood by the user. Please research your laws and regulations regarding the use of such tools in your given area.

00:35

While we wanna have fun and learn in the same vein, we also want to ensure that we stay out of trouble with the law.

00:42

So let's go ahead and look at our objectives for this particular discussion.

00:47

So today we want to understand the components of a non disclosure agreement, so we're not going to get into deep details. But we'll talk about non disclosure agreements at a high level. We want to understand the intention of the scoping meeting.

01:02

We're gonna talk about what that will entail, as well as topics on avoiding tangents, dealing with suspicion, avoided assumptions, and then we will round everything out with a quick discussion on understanding regional considerations. So with that, let's go ahead and step into our non disclosure agreement area.

01:22

So a non disclosure agreement is essentially a contract to which the parties agreed to not disclose information covered by the agreement. And so that is critical when we're talking about proprietary information or sensitive information, etcetera.

01:38

And so typically these agreements will protect or work to protect confidential information.

01:46

And it is usually pertaining to information that may be kind of secret sauce. And so, you know, the seasons that go into, like here we've got, you know, Kentucky Fried Chicken they may not want to disclose, or if they're going to disclose their secret ingredients. They may not want you to be aware of that.

02:02

It may be software that's proprietary to a testing firm or something of that nature that you'll be reviewing.

02:09

And so sections that you'll typically find in a non disclosure agreement are the definitions and exclusions of confidential information. So what is considered in this case to be secret sauce

02:23

obligations for all parties that are involved, so people's or parties

02:28

and then Tom periods Now, unless you are on attorney or ah, counselor with respect to the law. I would always suggest that you seek the advice of counsel when signing or creating such documents. And the reason for that is

02:46

these sections, while typical, are really up to negotiation by both parties. And so, you know, if you do business with an organization that says you cannot discuss anything involving our business for your lifetime,

03:01

well, I mean, that may be acceptable depending on the information or what it is that you're doing. And so it always makes sense to have any legally binding document reviewed by counsel to ensure that it's both in the interest of the party that you're serving

03:16

is well as yourself. And it doesn't put you at any, you know, kind of undue risk. You always want to make sure that the risk isn't isn't something that you're, you know, maybe not willing to stomach for that particular engagement.

03:28

No,

03:29

let's go ahead and jump into that. Once we get through the non disclosure agreement, we want to start looking at our scoping meeting. And so there are really two parts to the scoping meaning Okay, so in the 1st 1 what we're going to do is determine what it is that the client needs. And so a big part of that

03:49

is what is it that you're trying to achieve? What is it that you need, and so that could then determine what it is that we're going to do with respect to testing. So are we doing physical testing? Is that network centric? Is it Web application centric? Is it wireless centric

04:04

that all will need to be dictated in that kind of first meeting? And really, this doesn't need to be,

04:12

you know, a two hour long affair.

04:14

Really, It needs to be done, probably in about 30 minutes. You should be able to walk away with pertinent information and essentially come up with a rough order of magnitude. And the goal of that rough order of magnitude

04:29

is essentially that you're going thio attempt to come up with what it is that the work will look like and what it is that you'll be doing.

04:36

And there may be, in this case, some initial assumptions that are made. But

04:42

you know, nothing is going to be definitive is of yet you're trying to come up essentially in this first meeting with an idea of what it is that you know will be achieved and what kind of work it is that you'll be doing

04:51

now. Once you step away with then information, you'll eventually come back for part two of the meeting. So in this particular meeting, you should have already established the rough order of magnitude, and you should kind of understand what it is that you're doing. The goal of the second meeting is to validate assumptions.

05:11

And so this validation of assumptions is where we're going to explicitly understand what is within the scope, what is within the range. What is it that we're testing

05:20

exactly and verifying that the customer owns all targets within the environment. And so these are just a few examples of some particular targets,

05:30

but the sky is the limit they could have. Custom Web applications could be a mail server. It could be any number of things within this scope of service or this testing range that the Kleiner customer may want you to review. So your job as the tester

05:49

is to ensure that we walk away from this meeting with an exact understanding of what is going to be in the scope and then We will refine

06:00

that rough order of magnitude into a scope that will then you know better justify what the cost will be. Well, better align with goals and things of that nature, which we'll talk about later,

06:12

and then it'll allow you to better designate the actual rules of engagement on stuff like that. But until you come up with the exact systems that will be tested and all of that is explicitly defined, it would be dangerous to make any assumptions

06:30

and to move forward with any testing prior to doing those things.

06:33

Now there's some key areas that we want to talk about when we're looking at doing a scoping meeting, and the first of those is avoiding tangents. Now, a lot of times

06:45

what you'll run into. His folks do want t kind of contribute and have some small talk. But tangents, air really conversations or topics that do not contribute to the meeting goals, which

06:58

it's okay to ask how someone's family is doing. It's okay to, you know, engage in a little small talk between kind of getting everything done. But the line share of the meeting should not be, you know, laden with small talk, and so by its its actual definition,

07:16

a tangent is a different line of thought or action. So if you start talking about Web applications in the 1st 5 minutes of the meeting, and the goal is to understand what what the Web application looks like and what it is that you'll be testing,

07:32

and then the customer client starts to veer away from that and talk about topics related to the network. But maybe not so much the Web application. Well, if the goal of the conversation again, we're looking at the goal. If the goal of the meeting was to discuss the whim application

07:51

and you know what it is that they're hoping to achieve through the service you're providing, and then they start to talk about their network and the network really doesn't have any tie into the Web application. While it may be relevant to a degree, you know, to have knowledge about the network or what it is that the Web application sits on,

08:11

if it's not going to contribute to the scope, if it's not contributing to the overall goal being met,

08:18

then it is considered a tangent. So ways to avoid This

08:22

is to have clear objectives for the meaning. So when you go into the meeting, the first thing that you want to do is define the objective of the meeting, so that can be done and supported by our second bullet, which is Do you have an agenda

08:37

that you provide prior to the meeting? And you reiterate that agenda when the meeting starts as well as concludes? And so these 1st 2 things were critical.

08:46

You really can't have an agenda for the scope meeting if you don't have a clear objectives in mind for the meeting. So by coming up with those objectives, you define an agenda for the meeting and provide that well ahead of time, and then you you as the tester or the person that is managing the team

09:05

should facilitate the meeting and lead any discussions throughout the meeting.

09:09

If you allow other parties to lead the meeting or run the meeting, you could very quickly find yourself on a tangent or talking about topics that are not contributing to the overall goal of the meeting. So the best way to avoid tangents within a meeting is to essentially

09:26

have those three things laid out prior to the meeting and then stick to the measure going through it

09:31

again. Small talk isn't a bad thing,

09:35

but it can't run the meeting. It can't be the only thing you do.

09:39

All right, everybody. So today we finished out the first part of our scoping meeting discussion. So we discussed the components of a non disclosure agreement and the intention of the scoping meeting covering our first objective techniques for avoiding tangents. When we get back into port, to will finish the other components of the intention of the scoping meaning

09:56

and regional considerations. So with that in mind, I want to thank you for your time today,