What is the Penetration Testing Execution Standard (PTES)?

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

13 hours 9 minutes
Video Transcription
Hello and welcome to this penetration testing, execution standard Course moving forward we're going to refer to this is pee test to make it simple. So you may be asking yourself What is it? What is the pee test standard?
Well, before we get into that, let me make a quick disclaimer. The pee test videos do cover and may cover tools that could be used for system hacking. Now, this isn't going to be the focus of the standard, but there are some technical guidelines where we may touch on tools and discuss their purpose.
Any tools discussed or used during any demonstrations should be researched and understood by the user.
Please research your laws and regulations regarding the use of such tools as well as penetration testing within your given area. While we're having fun, we don't want to get into any trouble with the law.
Now, before we get started, I want you to know a little bit about me. Eso We're going to just spend a little time as possible talking about me.
So I've got over six years of cybersecurity, auditing, management and security testing experience and four years of Experience and Systems Administration and classroom instruction. I hold some academic achievements as faras an MBA and M s I S T m and information systems and technology.
And a few of my security certifications include the L S, C, P C I S S P and C E h.
A few hobbies and I hold isn't love gaming. I love reading on a myriad of different topics, whether it be business or technical topics or, you know, new compliance requirements, whatever it may be, even fictional, you know, readings as well one of that time and wanna have some fun.
And I also love trying new foods. And so I'll be your guide on this journey through the pee test standard.
So what is the objective of this particular discussion? Well, today I'm going to provide you just, ah, high level overview of the pee test standard. We're gonna look at the site together, just give you a feel for what we're looking at and where it's located,
and then we're going to start breaking down each of those areas and their technical guidelines systematically.
Now, a little history. The penetration testing execution standard was brought about
to bring business owners valuable information on conducting a penetration test
that would bring value to their organization. And so
what the hope was here is that
there were a lot of times when I sit down with a business owner or where I sit down with an executive who doesn't know the difference between a penetration test and a vulnerability assessment or scan their you know, they might confuse terminology between audits and assessments, things of that nature.
And so this standard comes about so that a business owner can easily go about and find reference materials that allow them to understand the deliver ble that they will receive from the practitioner. Now you know, it is
indicated that not all practitioners using the same standards their standards that NIST provides that PC I provides that other organizations provide.
And so the practitioner may have to align their framework with the pee test standard. If the business owner makes the determination that that's what they want to use is ah kind of baseline for the service is that they'll receive. And so this discussion and what will go through in the pee test standard is also beneficial to
service providers
and that it would allow them to scope their engagement, using common language that the business owner would understand.
So that is the overall kind of goal of the Pee test standard is to bring about this measure in which a business owner and a practitioner can sit down and dovetail their understanding of the engagement together. The business owner understands the value that they're going to get out of the work.
The service provider understands what the expectations are and has a clear pathway to meeting those expectations
now just to give you an idea of some of the contributors are not gonna go line by line here. But there were a range of individuals that were represented in this from financial service provider, security, vendor sectors and beyond, as well as some community contributions and, you know, comments and feedback.
And so some notables or tenable security in guard. Amazon Rapid seven
Random Storm There's a number of other consultants that air mixed in here is well, all of these individuals coming together to again create a common standard that benefits both the business owners and seeking penetration. Testing service is as well as the security practitioner and being able to easily road map
their service with respect to each of the phases that we will discuss
now something that may be beneficial for those of you that are visual learners. And I will kind of show you this and pulled it up when we walk through everything here in a moment.
But they did publish a mind map, and essentially you could look at this mind map and see every bit of content that they were developing, how they were developing it and laying it out. And so I do like mine maps from a creation standpoint, when you get ready to, you know, maybe create an internal standard when you're trying to map out a process
when you're trying to develop new processes or procedures, or maybe testing techniques
or even software development.
There are ways other ways than this to do that. But mine maps were really great. If you're just tryingto rough ball ideas out there and get the general content body out a cz quickly as possible, you know the purpose of a draft is to get it out there and to get it kind of into existence, not so much for it to be perfect. So
I will touch on this as we go through the standard, we're gonna look at the site here in a moment,
and I'm gonna walk you through some of the key areas and f a Q areas and stuff. I kind of get you familiar with the site that ways we're going through the remainder of the discussions and the course you'll be able to follow along, navigate and see those areas with respect to where the Pee test standard is is kept on the web.
So with that in mind, let's go ahead and jump over to our desktop.
All right, everybody, welcome to the desktop. So as indicated, I just went into Google and did a quick search for pee test
and the top area here you'll have the penetration testing execution standards. So that is pee test ash standard dot or GE. So when we go in here,
this brings up a pretty simple page, and it gives you the high level organization of the standard. Now we're going to get into each of these areas, and we're gonna talk about, um, you know what we're looking at with respect to the content of the standard and what each of these areas mean
the goal here that will discuss the who and why. And, you know, some of our next discussions will be covering
what we're going to be doing with this and the direction that we're going to take. So right out the gate, when you come to the main site, you have a high level organization of the standard, gives you a breakdown of the seven main sections that has those laid out here is well and then technical guidelines which
are not in depth in depth with respect to doing each of these areas. But it provides some general thought points, some tools
in some areas that you can look to fulfill each of those areas. And so we'll touch on those when we're in the respective sections discussing the skill areas
and what will be working on now if you want to view source information right here at the top,
it has some additional details here
and then history is kind of, as things are changed on the standard, you can see some of that information here as well.
Now the FAA Q page
has some of the information that we had covered is well as, um
general information. If you want to look at the mind map,
there's a link down here at the bottom of the page that you can click
and you have tohave free mind is the name of the software is free to download,
and it gives you this mind map that you can review, and so it's quite extensive.
At the center of that is the standard, and then as you go to each area, let's say intelligence gathering, which is over here.
As you can see, it breaks it down into like over gathering human, if applicable here. So key employees things, that nature and each of these. So this is like the core
line here. And then, as you go into each,
it breaks it down into subsections essentially and breaks down each information piece, all of which are represented in the technical guidelines. Again, we're not going to touch on every single point in the mind map. We're going to hit the high level like intelligence gathering will talk about oh, sent in some of the different areas within this and again.
We'll get into the who and why here shortly,
but we'll talk about for say individual and employees, and we'll talk about some of these different areas within open source intelligence gathering, target selection. And so, as you can see here, they've done a great job of laying this out.
It's a pretty extensive mind map, so if you kinda zoom out here, you can see that it's quite large. But essentially, this is is kind of the bones of the standard where you can go in and see
kind of the thought process and where everything's at. Within that
also, the tool that I'm showing you here. Fremont is also great. If you're again into creating processes or doing things of that nature, and you need a tool that's gonna help youto lay everything out and be kind of
what's the word I'm looking for like you. You've got a plan to what you're doing there. So that'll be a great tour you could use Busy out.
Now, Um, the main page on the left hand side here takes you back to this area,
and as you click into each of the standard areas, it lays out the actual standard components again. We're going to go into each of these and talk about both the business aspects as well as if you're like a sock manager or a manager of a security team, why these areas are important and what we're going to be doing. I mean the goal.
The goal over all of the practical pen testing course is that you be able to speak from a management perspective on each of these areas that you be able to direct penetration testers,
teams of pin testers, a CZ well, as talk from a business perspective, with clients, customers, internal parties, whatever the case may be about what it is that you're doing. And you know why you have to discuss these particular areas and so you can go back to the main page in time and go into the additional areas.
Now the technical guidelines again. This is to help you define procedures within penetration, testing and how you will accomplish those areas. Now, not everything's going to be applicable here,
but again, if you don't have kind of ah standard if you've got a team of pen testers and each penetration tester does things a little bit differently,
this is a great way to start to talk about bringing that together and standardizing that now for larger organizations, it's likely that you already have some type of standard in place, whether it be spoken or unspoken. But it never hurts to come back and look at, you know, different guidelines and standards and kind of see where you can
piecemeal things or maybe even used the standard
in in its entirety. And so the technical guidelines are broken down into tools required, and then it gets into information. Or I'm sorry into intelligence gathering
touches on some tools vulnerability, analysis, exploitation.
And so it breaks down each of those areas reporting there's post exploitation. And so if, for example, in well again, touch on this in each section. If you want to do something with the invulnerability analysis and you're looking for Web application scanners, it doesn't give you an in depth
set of instructions on how to do those areas. It more so gives you some general technical guidelines, some tools, things that you would look for in using those tools
and what you may do to achieve those particular components of the penetration test. And so this is a very good resource again, if you're trying to either build a standard for your organization and how you do testing. Or if you're trying to maybe Dove tell what you're doing now into,
um, you know, a recognized standard.
This is definitely the way to go.
And so the other thing I wanted to show you here is
when you search for pee test, the other thing that I like is that it is listed with a WASP. And so I do like a lost man. They're testing methodologies and things of that nature. But if you wanted to get a better idea of some other standards as well, they mentioned this 800 won 15 the penetration testing frame or of the execution standard that we're going over.
They hit on the PC idea says testing guidelines as well.
So there are a number of other frameworks out there. Some are purely technical in their approach. Some are a little more high level in their approach. And so, you know there is no one right or wrong way to do it.
As long as you have some sort of God line and some sort of methodology that you're using, that you can explain to a customer or that you could point
the party to that that is receiving the service, and they could understand what they're getting and the value of that and compare it to the methodology
that's ultimately the goal.
So with all of this, let's go ahead and jump back over to our slides.
All right, everybody, welcome back. So you may be surprised, but we're getting ready to do a quick check on learning. So who is the Pee test most applicable to In this case? We're picking, too. So go ahead and take a moment to review the choices
and make a decision.
All right, now, you could pause the video if you need more time. So let's go through the choices. So the 1st 2 Web application designer and marketing directors, while these individuals may take advantage of a penetration test, Or maybe they interact with folks who conduct penetration testing,
they may not be the actual managers or purchasers of the test,
so we're going to say that neither of these parties would be the most applicable to using or being aware of the pee test standard.
Now managers of penetration testers. That is a big check because these folks need to understand what it is that's being delivered, how it's being delivered, why it's being delivered, the way it's being delivered
and being able to present that information to the stakeholder shareholders, business owners, clientele
of that tester, so definitely beneficial there. And then, as we indicated, business owners definitely benefit from understanding the pee test standard because they can then sit down and have an educated conversation where the provider on their pen testing methodologies
and steps in tools and things of that nature at a high level
to ensure that they're going to get the value that they want out of the test. So with that in mind, managers of penetration testers and business owners are the most applicable when it comes to using the pee test standard in this particular case.
So let's go through a quick summary.
In conclusion, we discussed the high level history of the Pee test standard. We discussed the contributors of the Pee test standard and noticed that they were across multiple industries and vectors within the cybersecurity frames, frameworks and organizations and things of that nature.
We discussed the mind map and its location, which could be beneficial into giving you a high level overview of the pee test standard and being able to see how it was developed.
And again, that tool is available for free, eh? So, you know, if you've got some processed cheese or standards of things that you're trying to lay out, that could be beneficial to you as well. And then we looked at the P test site,
ran through the technical God's, showed you how we're going to go through the different summary areas and how to view different tools and things that nature associated which he eat with each of those standard areas.
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.
Up Next