1
00:00:00,210 --> 00:00:02,310
-: Before you conduct a penetration test,
2
00:00:02,310 --> 00:00:04,830
it's imperative that you receive written permission
3
00:00:04,830 --> 00:00:06,840
from the target organization.
4
00:00:06,840 --> 00:00:08,940
This is what prevents a penetration tester
5
00:00:08,940 --> 00:00:10,680
also known as an ethical hacker
6
00:00:10,680 --> 00:00:13,680
or authorized hacker from going to prison.
7
00:00:13,680 --> 00:00:16,470
Ethical hackers and penetration testers are separated
8
00:00:16,470 --> 00:00:20,430
from the criminal unauthorized hackers by simply one thing.
9
00:00:20,430 --> 00:00:22,560
Permission. In the industry,
10
00:00:22,560 --> 00:00:23,580
we like to use the term
11
00:00:23,580 --> 00:00:26,640
for this written permission as our get outta jail free card
12
00:00:26,640 --> 00:00:29,040
because that's effectively what it is.
13
00:00:29,040 --> 00:00:31,320
This written permission should include the names
14
00:00:31,320 --> 00:00:34,200
of the companies, organizations, or individuals
15
00:00:34,200 --> 00:00:36,900
that are authorized to perform the penetration tests.
16
00:00:36,900 --> 00:00:39,128
It should also include what specific networks, hosts
17
00:00:39,128 --> 00:00:42,600
and applications are to be included in the test.
18
00:00:42,600 --> 00:00:43,650
It'll also include the period
19
00:00:43,650 --> 00:00:46,020
of time that the authorization is valid for
20
00:00:46,020 --> 00:00:47,970
and the proper data handling techniques
21
00:00:47,970 --> 00:00:49,500
that will be required.
22
00:00:49,500 --> 00:00:51,540
Additionally, the reporting guidelines
23
00:00:51,540 --> 00:00:53,550
and the list of people to communicate with,
24
00:00:53,550 --> 00:00:55,441
and the guidelines that state
25
00:00:55,441 --> 00:00:57,840
when a test should be terminated will also be included.
26
00:00:57,840 --> 00:00:59,280
It's always important to ensure that
27
00:00:59,280 --> 00:01:00,990
your client is aware that certain types
28
00:01:00,990 --> 00:01:03,600
of testing during your engagement may cause damage
29
00:01:03,600 --> 00:01:06,840
to their systems or the information they house.
30
00:01:06,840 --> 00:01:08,910
While the penetration testers will always try
31
00:01:08,910 --> 00:01:10,710
to make the effort to protect the systems
32
00:01:10,710 --> 00:01:14,370
and their information, sometimes when a server is exploited,
33
00:01:14,370 --> 00:01:17,280
it can cause other services to go offline.
34
00:01:17,280 --> 00:01:19,530
For example, if I conducted an exploit
35
00:01:19,530 --> 00:01:21,240
against your authentication server,
36
00:01:21,240 --> 00:01:24,300
it may cause the users to be unable to log into your network
37
00:01:24,300 --> 00:01:26,730
or even authenticate with the email server.
38
00:01:26,730 --> 00:01:28,470
Both of these would have a direct impact
39
00:01:28,470 --> 00:01:31,440
on your business's operations during a busy work day.
40
00:01:31,440 --> 00:01:33,570
So, it's something that the client needs to be aware
41
00:01:33,570 --> 00:01:36,030
of before the engagement begins.
42
00:01:36,030 --> 00:01:37,710
Remember, written permission
43
00:01:37,710 --> 00:01:39,270
for your engagement is usually obtained
44
00:01:39,270 --> 00:01:41,700
as part of the contracting process.
45
00:01:41,700 --> 00:01:42,690
There are four types
46
00:01:42,690 --> 00:01:45,570
of legal contracts that are covered by the exam.
47
00:01:45,570 --> 00:01:47,100
These are the statement of work,
48
00:01:47,100 --> 00:01:50,190
the master service agreement, the service level agreement
49
00:01:50,190 --> 00:01:52,440
and the nondisclosure agreements.
50
00:01:52,440 --> 00:01:55,920
First, a statement of work or SOW.
51
00:01:55,920 --> 00:01:58,080
Statement of work is a formal document
52
00:01:58,080 --> 00:02:01,170
that details the task to be performed during an engagement.
53
00:02:01,170 --> 00:02:04,080
This document is gonna provide the penetration tester
54
00:02:04,080 --> 00:02:06,510
with what must be done to complete the assessment,
55
00:02:06,510 --> 00:02:08,250
what is not allowed to be done,
56
00:02:08,250 --> 00:02:11,280
and what work the company is willing to pay them for.
57
00:02:11,280 --> 00:02:12,900
This is an important document
58
00:02:12,900 --> 00:02:15,330
because if you've been asked to test a hundred servers
59
00:02:15,330 --> 00:02:17,130
and you begin to conduct your assessment
60
00:02:17,130 --> 00:02:19,860
and then, the company asks you to test another five servers,
61
00:02:19,860 --> 00:02:21,630
this increases the scope.
62
00:02:21,630 --> 00:02:23,790
You should now require them to sign a change order
63
00:02:23,790 --> 00:02:26,850
or an addendum because those five servers were not part
64
00:02:26,850 --> 00:02:27,810
of the original statement
65
00:02:27,810 --> 00:02:30,000
of work that you were contracted to perform
66
00:02:30,000 --> 00:02:33,480
and they just increased your workload by at least 5%.
67
00:02:33,480 --> 00:02:35,520
The statement of work will usually contain a list
68
00:02:35,520 --> 00:02:38,340
of deliverables as well, such as the final report
69
00:02:38,340 --> 00:02:40,590
and the responsibilities of the penetration tester
70
00:02:40,590 --> 00:02:43,380
and the client, as well as the schedule, the timeline
71
00:02:43,380 --> 00:02:45,840
for payments and other terms that need to be agreed
72
00:02:45,840 --> 00:02:48,540
upon before the engagement begins.
73
00:02:48,540 --> 00:02:51,210
Second, we have a master service agreement.
74
00:02:51,210 --> 00:02:52,770
Now, a master service agreement,
75
00:02:52,770 --> 00:02:54,720
also known as an MSA, is
76
00:02:54,720 --> 00:02:56,910
a specialized type of contract that's used
77
00:02:56,910 --> 00:02:58,080
by those who perform a lot
78
00:02:58,080 --> 00:03:00,360
of work for the same organization.
79
00:03:00,360 --> 00:03:02,400
A master service agreement is gonna act
80
00:03:02,400 --> 00:03:05,070
as a framework agreement where most of the terms are agreed
81
00:03:05,070 --> 00:03:08,190
upon upfront so that they can quickly issue new contracts
82
00:03:08,190 --> 00:03:09,420
by using a short statement
83
00:03:09,420 --> 00:03:11,354
of work to solidify any specific details
84
00:03:11,354 --> 00:03:13,470
for a new engagement.
85
00:03:13,470 --> 00:03:15,930
A master service agreement is normally gonna be used
86
00:03:15,930 --> 00:03:17,370
to govern future transactions
87
00:03:17,370 --> 00:03:18,750
and agreements with a client,
88
00:03:18,750 --> 00:03:20,730
and it usually contains any requirements
89
00:03:20,730 --> 00:03:22,740
that would be recurring in nature.
90
00:03:22,740 --> 00:03:25,500
For example, a master service agreement might state
91
00:03:25,500 --> 00:03:27,870
that the penetration tester has to be bonded
92
00:03:27,870 --> 00:03:30,750
and insured for up to $5 million in damages,
93
00:03:30,750 --> 00:03:32,670
that they have certain permits, licenses
94
00:03:32,670 --> 00:03:35,070
or certifications, and that they accept payment
95
00:03:35,070 --> 00:03:36,930
on a net 60 term schedule
96
00:03:36,930 --> 00:03:39,330
which means that payment will be received 60 days
97
00:03:39,330 --> 00:03:41,460
after sending in an invoice.
98
00:03:41,460 --> 00:03:42,293
A good example
99
00:03:42,293 --> 00:03:44,400
of when a master service agreement will be used is
100
00:03:44,400 --> 00:03:47,070
if an organization hires a penetration testing firm
101
00:03:47,070 --> 00:03:48,480
to conduct quarterly assessments
102
00:03:48,480 --> 00:03:51,510
on their PCI DSS network infrastructure.
103
00:03:51,510 --> 00:03:54,540
This contract will specify the charge per assessment,
104
00:03:54,540 --> 00:03:56,490
the scope, and other details,
105
00:03:56,490 --> 00:03:59,820
but it's not gonna include specific permission, duration
106
00:03:59,820 --> 00:04:02,790
or timeline because that would be negotiated in a statement
107
00:04:02,790 --> 00:04:06,000
of work that's going out for each quarterly assessment.
108
00:04:06,000 --> 00:04:07,170
This drastically speeds
109
00:04:07,170 --> 00:04:09,270
up the contracting process because most
110
00:04:09,270 --> 00:04:11,730
of the details have already been agreed to upfront
111
00:04:11,730 --> 00:04:13,890
in the master service agreement.
112
00:04:13,890 --> 00:04:16,718
The third type of contract we have is called an SLA
113
00:04:16,718 --> 00:04:19,050
or service level agreement.
114
00:04:19,050 --> 00:04:21,180
Now, a service level agreement is a commitment
115
00:04:21,180 --> 00:04:23,070
between a service provider, in this case
116
00:04:23,070 --> 00:04:25,560
a penetration tester, and a client.
117
00:04:25,560 --> 00:04:27,990
The SLA would include not only the description
118
00:04:27,990 --> 00:04:30,450
of the services to be provided under this contract
119
00:04:30,450 --> 00:04:33,180
and their expected service levels, but also metrics
120
00:04:33,180 --> 00:04:35,430
by which the services are gonna be measured,
121
00:04:35,430 --> 00:04:37,950
the duties and responsibilities of each party,
122
00:04:37,950 --> 00:04:40,890
the remedies or penalties for a breach of that SLA
123
00:04:40,890 --> 00:04:43,920
and a protocol for adding or removing metrics.
124
00:04:43,920 --> 00:04:45,900
A service level agreement is commonly used
125
00:04:45,900 --> 00:04:47,340
for security as a service type
126
00:04:47,340 --> 00:04:49,980
of products or penetration testing services.
127
00:04:49,980 --> 00:04:51,030
For example,
128
00:04:51,030 --> 00:04:52,770
I had a friend who owned a small penetration
129
00:04:52,770 --> 00:04:55,950
testing firm that provided both penetration testing services
130
00:04:55,950 --> 00:04:58,110
and remediation services.
131
00:04:58,110 --> 00:05:00,120
For his penetration testing services,
132
00:05:00,120 --> 00:05:02,700
he used an overarching master service agreement
133
00:05:02,700 --> 00:05:04,140
with each of his clients,
134
00:05:04,140 --> 00:05:05,580
and then, they would issue a statement
135
00:05:05,580 --> 00:05:08,250
of work for each engagement during that year.
136
00:05:08,250 --> 00:05:09,630
Now, in addition to this,
137
00:05:09,630 --> 00:05:12,750
he also had an SLA and that SLA stated that
138
00:05:12,750 --> 00:05:15,330
his firm would remediate any vulnerabilities that were found
139
00:05:15,330 --> 00:05:17,460
during the penetration test within seven days
140
00:05:17,460 --> 00:05:19,410
of their discovery if they were categorized
141
00:05:19,410 --> 00:05:22,299
as a category two vulnerability or in three days
142
00:05:22,299 --> 00:05:25,710
if it was considered a category one vulnerability.
143
00:05:25,710 --> 00:05:27,300
Now, I've also seen some outside-in
144
00:05:27,300 --> 00:05:29,880
scanning products that continually scan your website
145
00:05:29,880 --> 00:05:31,140
or network and provide you
146
00:05:31,140 --> 00:05:33,540
with a weekly report of your vulnerabilities.
147
00:05:33,540 --> 00:05:35,370
This type of service also usually comes
148
00:05:35,370 --> 00:05:37,500
with a service level agreement.
149
00:05:37,500 --> 00:05:39,600
The fourth type of contract we have is known
150
00:05:39,600 --> 00:05:42,510
as a non-disclosure agreement or NDA.
151
00:05:42,510 --> 00:05:45,330
Now, a nondisclosure agreement is a legal document
152
00:05:45,330 --> 00:05:47,610
that's gonna stipulate that the parties will not share
153
00:05:47,610 --> 00:05:49,800
confidential information, knowledge
154
00:05:49,800 --> 00:05:53,160
or materials with unauthorized third parties.
155
00:05:53,160 --> 00:05:54,720
You should expect to sign an NDA
156
00:05:54,720 --> 00:05:58,140
for every penetration test that you're ever gonna perform.
157
00:05:58,140 --> 00:06:00,240
These non-disclosure agreements are a form
158
00:06:00,240 --> 00:06:02,130
of legal contract that are gonna outline
159
00:06:02,130 --> 00:06:04,350
the confidential material or information
160
00:06:04,350 --> 00:06:06,840
that you may be exposed to during the engagement
161
00:06:06,840 --> 00:06:10,020
and what restrictions are being placed on that material.
162
00:06:10,020 --> 00:06:12,600
If, for example, we're hired to assess the security
163
00:06:12,600 --> 00:06:14,883
of Marvel Studios, we can't go and take a copy
164
00:06:14,883 --> 00:06:17,130
of the new Guardians of the Galaxy movie
165
00:06:17,130 --> 00:06:20,460
and distribute it to the internet without breaking that NDA.
166
00:06:20,460 --> 00:06:22,080
That means we're gonna suffer the penalties
167
00:06:22,080 --> 00:06:24,660
for doing so and breaching our NDA.
168
00:06:24,660 --> 00:06:26,754
Now, furthermore, we can't go out and tell everybody
169
00:06:26,754 --> 00:06:29,550
about an organization's vulnerabilities that we discovered
170
00:06:29,550 --> 00:06:30,930
during our assessment either
171
00:06:30,930 --> 00:06:33,360
because that would break our NDA.
172
00:06:33,360 --> 00:06:36,827
If you break an NDA, you're gonna be subject to fines, fees
173
00:06:36,827 --> 00:06:39,540
and even have your contract canceled depending
174
00:06:39,540 --> 00:06:41,430
on how the NDA is written.
175
00:06:41,430 --> 00:06:43,770
Now, just like an organization will almost always
176
00:06:43,770 --> 00:06:46,200
ask us to sign a non-disclosure agreement,
177
00:06:46,200 --> 00:06:48,750
we should also ask them to sign one too.
178
00:06:48,750 --> 00:06:50,760
Your version of an NDA should require that
179
00:06:50,760 --> 00:06:54,270
the organization not release our proprietary techniques,
180
00:06:54,270 --> 00:06:55,890
the way we conduct our assessments,
181
00:06:55,890 --> 00:06:57,990
or even copies of our reports,
182
00:06:57,990 --> 00:07:00,360
all of these are considered the intellectual property
183
00:07:00,360 --> 00:07:01,890
of the penetration tester
184
00:07:01,890 --> 00:07:04,500
and we don't want them being shared with our competitors.
185
00:07:04,500 --> 00:07:07,860
By using NDAs between the penetration tester and the client,
186
00:07:07,860 --> 00:07:09,840
both sides are basically saying,
187
00:07:09,840 --> 00:07:12,630
I'll keep your secrets and you keep mine.
188
00:07:12,630 --> 00:07:15,060
These nondisclosure agreements are put in place to help
189
00:07:15,060 --> 00:07:18,480
ensure confidentiality during our penetration tests.
190
00:07:18,480 --> 00:07:20,490
Confidentiality is the principle and practice
191
00:07:20,490 --> 00:07:23,880
of keeping sensitive information private, unless the owner
192
00:07:23,880 --> 00:07:26,378
or custodian of that data gives explicit consent
193
00:07:26,378 --> 00:07:29,310
for it to be shared with another party.
194
00:07:29,310 --> 00:07:31,290
During the planning stage of an engagement,
195
00:07:31,290 --> 00:07:33,420
your team needs to gain a clear understanding
196
00:07:33,420 --> 00:07:34,800
of what data is sensitive
197
00:07:34,800 --> 00:07:37,350
to that organization that you're gonna be testing
198
00:07:37,350 --> 00:07:39,870
and how you can best protect it.
199
00:07:39,870 --> 00:07:42,210
For example, if your engagement is scoped
200
00:07:42,210 --> 00:07:44,430
so that you must download a copy of the database
201
00:07:44,430 --> 00:07:47,100
in order to prove the data exfiltration was possible,
202
00:07:47,100 --> 00:07:48,510
then you also need to ensure
203
00:07:48,510 --> 00:07:51,540
that you exfiltrate it over a secure and encrypted channel,
204
00:07:51,540 --> 00:07:52,710
that you encrypt the database
205
00:07:52,710 --> 00:07:54,360
when it's at rest on your system
206
00:07:54,360 --> 00:07:58,050
and you protect it from being exposed to any third parties.
207
00:07:58,050 --> 00:08:00,480
A big part of confidentiality is making sure
208
00:08:00,480 --> 00:08:03,360
that all the data you collect before, during,
209
00:08:03,360 --> 00:08:05,790
and after your penetration test is properly
210
00:08:05,790 --> 00:08:07,590
secured and handled.
211
00:08:07,590 --> 00:08:09,960
This usually involves encrypting the data at rest,
212
00:08:09,960 --> 00:08:12,210
in transit and in processing.
213
00:08:12,210 --> 00:08:13,860
Once the assessment is concluded,
214
00:08:13,860 --> 00:08:16,080
you're also gonna need to securely wipe your systems
215
00:08:16,080 --> 00:08:17,910
of all the client's sensitive data
216
00:08:17,910 --> 00:08:20,260
to ensure it doesn't fall into the wrong hands.