008 Legal Concepts (OBJ 1.1)

Before you conduct a penetration test, it's imperative that you receive written permission from the target organization. This is what prevents a penetration tester, also known as an ethical hacker or authorized hacker, from going to prison. Ethical hackers and penetration testers are separated from the criminal, unauthorized hackers by simply one thing: permission. In the industry, we like to use the term for this written permission as our "get out of jail free card," because that's effectively what it is. This written permission should include the names of the companies, organizations, or individuals that are authorized to perform the penetration tests. It should also include what specific networks, hosts, and applications are to be included in the test. It'll also include the period of time that the authorization is valid for and the proper data handling techniques that will be required. Additionally, the reporting guidelines, the list of people to communicate with, and the guidelines that state when a test should be terminated will also be included.

It's always important to ensure that your client is aware that certain types of testing during your engagement may cause damage to their systems or the information they house. While the penetration testers will always try to make the effort to protect the systems and their information, sometimes when a server is exploited, it can cause other services to go offline. For example, if I conducted an exploit against your authentication server, it may cause the users to be unable to log into your network or even authenticate with the email server. Both of these would have a direct impact on your business's operations during a busy work day. So, it's something that the client needs to be aware of before the engagement begins. Remember, written permission for your engagement is usually obtained as part of the contracting process. There are four types of legal contracts that are covered by the exam. These are the statement of work, the master service agreement, the service level agreement, and the non-disclosure agreement.

First, a statement of work, or SOW. A statement of work is a formal document that details the tasks to be performed during an engagement. This document is gonna provide the penetration tester with what must be done to complete the assessment, what is not allowed to be done, and what work the company is willing to pay them for. This is an important document because if you've been asked to test a hundred servers and you begin to conduct your assessment, and then the company asks you to test another five servers, this increases the scope. You should now require them to sign a change order or an addendum, because those five servers were not part of the original statement of work that you were contracted to perform, and they just increased your workload by at least 5%. The statement of work will usually contain a list of deliverables as well, such as the final report and the responsibilities of the penetration tester and the client, as well as the schedule, the timeline for payments, and other terms that need to be agreed upon before the engagement begins.

Second, we have a master service agreement. Now, a master service agreement, also known as an MSA, is a specialized type of contract that's used by those who perform a lot of work for the same organization. A master service agreement is gonna act as a framework agreement where most of the terms are agreed upon upfront, so that they can quickly issue new contracts by using a short statement of work to solidify any specific details for a new engagement. A master service agreement is normally gonna be used to govern future transactions and agreements with a client, and it usually contains any requirements that would be recurring in nature. For example, a master service agreement might state that the penetration tester has to be bonded and insured for up to $5 million in damages, that they have certain permits, licenses, or certifications, and that they accept payment on a net 60 term schedule, which means that payment will be received 60 days after sending in an invoice.

A good example of when a master service agreement will be used is if an organization hires a penetration testing firm to conduct quarterly assessments on their PCI DSS network infrastructure. This contract will specify the charge per assessment, the scope, and other details, but it's not gonna include specific permission, duration, or timeline, because that would be negotiated in a statement of work that's going out for each quarterly assessment. This drastically speeds up the contracting process because most of the details have already been agreed to upfront in the master service agreement.

The third type of contract we have is called an SLA, or service level agreement. Now, a service level agreement is a commitment between a service provider, in this case a penetration tester, and a client. The SLA would include not only the description of the services to be provided under this contract and their expected service levels, but also metrics by which the services are gonna be measured, the duties and responsibilities of each party, the remedies or penalties for a breach of that SLA, and a protocol for adding or removing metrics. A service level agreement is commonly used for security-as-a-service type products or penetration testing services. For example, I had a friend who owned a small penetration testing firm that provided both penetration testing services and remediation services. For his penetration testing services, he used an overarching master service agreement with each of his clients, and then they would issue a statement of work for each engagement during that year. Now, in addition to this, he also had an SLA, and that SLA stated that his firm would remediate any vulnerabilities that were found during the penetration test within seven days of their discovery if they were categorized as a category two vulnerability, or in three days if it was considered a category one vulnerability. Now, I've also seen some outside-in scanning products that continually scan your website or network and provide you with a weekly report of your vulnerabilities. This type of service also usually comes with a service level agreement.

The fourth type of contract we have is known as a non-disclosure agreement, or NDA. Now, a non-disclosure agreement is a legal document that's gonna stipulate that the parties will not share confidential information, knowledge, or materials with unauthorized third parties. You should expect to sign an NDA for every penetration test that you're ever gonna perform. These non-disclosure agreements are a form of legal contract that are gonna outline the confidential material or information that you may be exposed to during the engagement and what restrictions are being placed on that material. If, for example, we're hired to assess the security of Marvel Studios, we can't go and take a copy of the new Guardians of the Galaxy movie and distribute it to the internet without breaking that NDA. That means we're gonna suffer the penalties for doing so and breaching our NDA. Now, furthermore, we can't go out and tell everybody about an organization's vulnerabilities that we discovered during our assessment either, because that would break our NDA. If you break an NDA, you're gonna be subject to fines, fees, and even have your contract canceled, depending on how the NDA is written. Now, just like an organization will almost always ask us to sign a non-disclosure agreement, we should also ask them to sign one too. Your version of an NDA should require that the organization not release our proprietary techniques, the way we conduct our assessments, or even copies of our reports. All of these are considered the intellectual property of the penetration tester, and we don't want them being shared with our competitors. By using NDAs between the penetration tester and the client, both sides are basically saying, "I'll keep your secrets and you keep mine."

These non-disclosure agreements are put in place to help ensure confidentiality during our penetration tests. Confidentiality is the principle and practice of keeping sensitive information private, unless the owner or custodian of that data gives explicit consent for it to be shared with another party. During the planning stage of an engagement, your team needs to gain a clear understanding of what data is sensitive to that organization that you're gonna be testing and how you can best protect it. For example, if your engagement is scoped so that you must download a copy of the database in order to prove the data exfiltration was possible, then you also need to ensure that you exfiltrate it over a secure and encrypted channel, that you encrypt the database when it's at rest on your system, and that you protect it from being exposed to any third parties. A big part of confidentiality is making sure that all the data you collect before, during, and after your penetration test is properly secured and handled. This usually involves encrypting the data at rest, in transit, and in processing. Once the assessment is concluded, you're also gonna need to securely wipe your systems of all the client's sensitive data to ensure it doesn't fall into the wrong hands.
