Time
13 hours 9 minutes
Difficulty
Intermediate
CEU/CPE
13

Video Transcription

00:00
Hello and welcome to another discussion on the PTES standard. So today we're going to be looking at the who and the what, with respect to who would use the PTES standard and why they would choose it, maybe over another standard. So
00:18
let's go ahead and talk about our disclaimer real quick,
00:21
and I'll explain why we do this as well, moving forward. So the PTES discussions are about hacking tools and methodology. Any tools discussed or used during the demonstrations should be researched and understood by the user.
00:37
Please research your laws and regulations regarding penetration testing for your given area.
00:41
While we're learning and having fun, we don't want to get into any trouble with the law.
00:48
Now let's go ahead and touch on some objectives real quick and what we hope to gain from our discussion today. So we want to discuss the who with respect to PTES. So who it's most applicable to, and the why
01:03
we might use the PTES standard over other standards. So the who and why are the objectives of our discussion
01:11
today. So with that, let's jump real quick into who would benefit from the PTES standard.
01:18
So the PTES standard is really for anyone that's interested in penetration testing. But specifically, we want to talk about folks like SOC managers. So SOC managers, you may wear multiple hats in your organization.
01:34
You may not. You may be specifically managing a group of security analysts,
01:38
or you may manage, like, security testers and security analysts and penetration testers. Whatever the case may be, if you wear multiple hats, it would be beneficial to understand the standard and know that you have a methodology
01:53
that you use for delivering your service, whether it be to an internal party
02:00
or internal customer,
02:01
or to an external party, like a client or third-party business.
02:07
Knowing at a high level what your people should be doing and how that should look will ensure that you're on top of those standards, dovetailing into whatever it is that your organization is trying to achieve. Or it may become the foundation for those standards, if they're not in place now.
02:23
Now it's even more important for penetration testing leads, in that you're leading a team of pen testers on a regular basis, and so you may have folks from multiple backgrounds. So I've seen organizations that have a standard cert that you must have in order to be a penetration tester.
02:43
And I've seen where, you know, they may look for experience and do a good interview, so it just depends on those areas.
02:47
But if you have folks that come from the background where they've gone through the CEH track to become a pen tester, or OSCP, or some other type of pen testing training,
03:00
it's important to bring everything together and make sure that, you know, you've got a standard way that you're doing things and delivering things.
03:08
A person may have been taught
03:10
a different methodology. And so bringing those methodologies together under one roof and ensuring that your deliverables are consistent and effective is a key must. Now, business owners. This is critical.
03:24
I've talked to business owners in the past,
03:28
and, you know, there's always this discussion initially when there may not be a differentiator between what vulnerability scanning is
03:37
and what penetration testing is. And so there's a bit of education that happens there, you know. Do you want us to try to hack into things, or do you kind of just want to know what's out there based on a generic scan?
03:49
And that's usually where we start the conversation.
03:52
But for us, you know, as testers or managers or whatever the case may be, business owners that are providing the services,
03:59
we have to convey value in what we provide. And so in banking, retail, medical, you run into HIPAA. You run into PCI, cardholder data information. You run into other bank regulations and things of that nature that require testing.
04:13
And so
04:15
if someone's just doing it and they're going through the motions to check a box and they don't really understand what's going on, they won't see value in the service. They just want to check a box. And so they go for the lowest common denominator, which results in at times, you know,
04:30
getting a test that may not be up to best practice, which isn't a ding on anybody. It's just there are different types of testers out there that provide different types of deliverables,
04:42
and so business owners should really take an interest
04:45
in understanding the high level of the PTES standard, so that you can determine, when you go to look at a tester, when you go to look at a firm, that you're getting something that's in line with best practice and that you're going to get value
05:00
out of that deliverable, that you'll understand what it is that you're receiving, that you'll understand what it is that the testers
05:08
should be doing as they go through the motions of testing your infrastructure, web application,
05:14
whatever the case may be. If you don't have those things going on now and you're just paying for the check box, then you kind of get what you get.
05:23
Service providers and security service providers. This is really from a standpoint of service development and delivery. Again, meeting customer expectations, meeting client expectations, meeting internal expectations,
05:39
and having a standard
05:41
that you can reference with respect to your techniques or with respect to your processes makes it that much more credible
05:49
and standardized with respect to delivering across the organization. If you have something that's ad hoc
05:57
in that each person delivers a report or does the work in a way that's a little bit different than the other,
06:03
that doesn't scale very well. And so all of these individuals definitely benefit from having access to this standard and being able to use it in a myriad of different ways. Whether it be to understand what an organization should be doing to deliver service
06:20
or how they, as the organization, should be modeling their services and delivering their services.
06:28
Now,
06:29
let's do a quick check on learning.
06:30
So this is a scenario-based question. I want you to take the time to think about, you know, what would be a time where the standard wouldn't be applicable, because there are definitely, you know, points to be made for its use, but there could be reasons to not use it. So take a moment to think about this,
06:49
and then we'll discuss.
06:53
All right, Well, if you need more time, please pause the video and continue to ponder. But we're gonna go ahead and jump right in.
07:00
So no shoe fits every foot, right? One size does not fit all. So the PTES standard does have some times where it may not be necessary or it may not be used. So if you've got government entities
07:15
that follow NIST and want something done against NIST,
07:17
not all components in the PTES standard may align with NIST. And so if they need something out of this, then you would need to follow the penetration testing guidelines for NIST. You've also got PCI DSS.
07:31
And so it's got some requirements in section 11 that have to do with conducting a pen test. And the, you know, council has a standard that they've put out for conducting penetration tests, for testing segments, for doing things of that nature with respect to cardholder data.
07:49
You've also got FedRAMP, which, you know, has got its standards as well. And it's, you know, government related as far as testing and doing things of that nature. So you have to remember
08:01
that this standard is very flexible and that you can dovetail it into your processes and procedures. But it may not be one size fits all all the time, so it's good to be familiar with the other standards that are out on the market so that you can ensure,
08:15
when those conversations come up about, well, hey, my organization needs to follow, you know, NIST 800-115,
08:20
or we need PCI DSS related testing done, and it needs to be very specific to what they're expecting, so when we're audited we don't have any issues,
08:31
you need to make sure that you're read up on those standards as well. But again, the PTES standard can be applicable to a number of areas outside of NIST and PCI as well.
08:43
Now let's talk about the why we would use the standard. So this is important because, you know, it's like, why would you buy a certain type of car? Why would you see one doctor over the other? Well, there are benefits, return on investment, whatever the case may be.
09:00
So the standard is more accessible. All right, so you can find
09:03
NIST, you know, the NIST standard for pen testing; you can find the PCI standard. It's behind some walls that require you to fill out some information, or maybe you have to do some searching for it.
09:13
But if I search PTES in Google, even the NIST standards in Google, they come right up. But these standards are kind of easy to navigate. They're easy to follow on the website. The language they use is pretty concise and clear. And so that's beneficial and big when we're working with a nontechnical audience, that could be business owners and things of that nature.
09:31
Likewise, if you're a manager of a group of technicians or pen testers,
09:37
you know, it would not be feasible for you to know everything about everything. All the terminology associated with pen testing, all of the terminology and application in security analysis, all the terminology and application for, you know, malware reverse engineering.
09:52
If you knew everything about everything, I would have to question that, because no one knows everything. And so making the language simple and easy to follow makes it easier for you to understand it and apply it. Now, the guidelines are comprehensive, so it helps testers to adhere to best practices, which again,
10:13
we may get different practices, different standards from different organizations. You could take four different penetration testers, put them in a room. They've got four different backgrounds, four different tracks that they followed to get there. They're good at their jobs,
10:26
but they're not standardized in the way that, you know, they may have their own standard,
10:31
but does that standard align with the organization
10:35
and dovetail into what you're hoping to deliver? And so it's easy to follow and easy to see where they can dovetail those things in and have that collective standard.
10:45
Now, one thing that I don't always see that comes up with respect to penetration testing
10:50
is, as a manager or a business owner, payment terms are huge. How we scope things is huge. Rules of engagement are huge. How we communicate and reporting best practices. These are just a few areas
11:03
that
11:05
can determine the success or failure of the penetration testing engagement. So knowing how you pay and when you pay is big for a business owner. Understanding how you scope and what you scope is big for the manager of the engagement, because if we don't scope an engagement accordingly, then,
11:22
you know, the client gets a good deal in that they don't have to pay a lot of money for it, and we get the rough end of that because we didn't scope it the right way and we're working overtime.
11:31
Rules of engagement are great because we don't want to go to jail. We don't want to make a mistake that lands us in trouble or hot water, gets us put on News 6, 12, or wherever, wherever you get your news from, and we become the poster child for why we need to have rules of engagement in a contract.
11:48
How we communicate is huge, because
11:52
if we run into problems or issues, we want to know who we should talk to and how we communicate that information and then reporting best practices.
12:00
Standardized reporting,
12:01
how we deliver information, whether it be technical or business related, whether it be risk scores, whatever the case may be. A standard layout for reporting is the key for organizations to scale and have a repeatable process for delivering
12:18
penetration testing work. And so if each of your penetration testers does something a bit differently,
12:24
that's not scalable. That's not going to be, you know, best for long-term growth and best practice. And if you've got two business owners that talk to each other, and you do a test for one business and then another test for another business, and they compare deliverables because they're buddies,
12:41
and they discover that there's a stark difference in how you reported on their information and how it looked and was laid out versus the other,
12:48
That might raise some eyebrows and be of concern to them.
12:52
Now the standard is flexible, so you don't have to do everything within it, as far as, if you've already got some standards, processes and procedures, you can dovetail the standard into it and have it supplement or enhance what it is that you're already doing.
13:09
So that's great as well. It gives you a multitude of tools in the technical guidelines that we'll talk about that you could use during testing. And again, it's really there to help you find kind of what the industry is using and what's a great way to conduct these tests. And then it provides transparency for business owners.
13:28
I can't stand
13:30
talking to a business owner who talked to somebody, maybe in a sales department,
13:35
and they feel like it's magic or voodoo, like they're not sure what they're getting, what the process is, and it's way over their head, and they don't understand the terminology.
13:45
Business owners who feel that way, even if they're internal clients, you're serving the executive team or higher-level members, like the CIO,
13:54
they still may not understand what it is that you're doing and be able to comprehend the value that you're providing to that organization. So being able to show them that and explain that and communicate that is going to be critical to success when it comes to penetration testing.
14:09
Now,
14:11
let's do a quick check on learning. So take a moment to look at which of the following was not a benefit of PTES that we discussed here today.
14:24
All right, you can pause the video if you need more time.
14:26
Now,
14:28
providing transparency for business owners was a benefit that we discussed. So the testing standard is in language that's easy to understand and easy to follow, and will give business owners some confidence in what you're doing from a testing standpoint.
14:43
The standard is very accessible. You can easily find it on Google and open the main page, and everything that you would need is right there ready for use, and easy to navigate.
14:54
It helps testers adhere to best practices, and so all three of those things are
15:01
definitely benefits. What is not a benefit: it does not make testing cheap; it does not make testing cheaper. If anything, it helps you to better scope tests,
15:13
and, you know, by better scoping you could drive costs down, but it could also drive costs up, depending on the environment, which could save your folks time, effort, energy and heartache,
15:24
you know, if they underscope something and then have to work extra hours to do so.
15:28
Well,
15:30
in summary today, we discussed the persons that would benefit most from the Penetration Testing Execution Standard. So we talked about SOC managers, business owners, penetration testing leads,
15:43
individuals that need to be involved in developing the standard for their organization and the standard of delivery
15:50
to their internal or external clients. And then we discussed some of the benefits of the standard: its flexibility, ease of access to the standard, and really, its simple language, in that it's easy to follow and easy to understand, no matter what level you're at from a technical standpoint.
16:10
So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor