Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,180 --> 00:00:01,140 Instructor: Most people know 2 00:00:01,140 --> 00:00:03,570 that hacking is a federal crime. 3 00:00:03,570 --> 00:00:06,120 Therefore, it's important for a penetration tester 4 00:00:06,120 --> 00:00:08,430 to be aware of the laws that deal with hacking 5 00:00:08,430 --> 00:00:11,820 because penetration testing is effectively hacking. 6 00:00:11,820 --> 00:00:14,310 There are local, state, and federal laws 7 00:00:14,310 --> 00:00:15,390 that you have to understand 8 00:00:15,390 --> 00:00:18,360 before starting your career as a penetration tester. 9 00:00:18,360 --> 00:00:20,460 Laws also vary from country to country, 10 00:00:20,460 --> 00:00:22,500 so if you're working on a penetration test 11 00:00:22,500 --> 00:00:24,270 for an international organization, 12 00:00:24,270 --> 00:00:26,070 you also have to check the local laws 13 00:00:26,070 --> 00:00:27,930 where you're conducting the attack from, 14 00:00:27,930 --> 00:00:29,430 as well as those of the country 15 00:00:29,430 --> 00:00:32,400 that the target organization is located within. 16 00:00:32,400 --> 00:00:34,560 Remember, always consult your attorney 17 00:00:34,560 --> 00:00:36,240 before you accept and attempt 18 00:00:36,240 --> 00:00:38,160 a penetration testing assignment, 19 00:00:38,160 --> 00:00:39,840 because if you do this wrong 20 00:00:39,840 --> 00:00:42,360 and you don't have the right legal framework in place, 21 00:00:42,360 --> 00:00:45,480 you could be arrested under local, state, federal, 22 00:00:45,480 --> 00:00:47,490 or even another country's laws. 23 00:00:47,490 --> 00:00:49,530 Plain and simple, talk to a lawyer 24 00:00:49,530 --> 00:00:52,620 and do everything legally within the bounds of the law. 25 00:00:52,620 --> 00:00:54,540 While penetration testing is hacking, 26 00:00:54,540 --> 00:00:57,360 it is more importantly hacking with permission. 27 00:00:57,360 --> 00:00:58,740 This is actually authorized 28 00:00:58,740 --> 00:01:01,230 under the law in most jurisdictions. 29 00:01:01,230 --> 00:01:03,990 Now, there are two main laws that affect penetration testers 30 00:01:03,990 --> 00:01:06,300 under the law inside the United States. 31 00:01:06,300 --> 00:01:10,230 Under United States Code Title 18, Chapter 47, 32 00:01:10,230 --> 00:01:15,230 Section 1029 and 1030, you're gonna find these two laws. 33 00:01:15,510 --> 00:01:17,370 Now for the PenTest+ exam, 34 00:01:17,370 --> 00:01:19,350 you don't have to memorize these laws. 35 00:01:19,350 --> 00:01:22,170 But as a penetration tester, it is incredibly important 36 00:01:22,170 --> 00:01:24,540 to understand what these two laws are. 37 00:01:24,540 --> 00:01:27,420 Now, the first law, known as Section 1029, 38 00:01:27,420 --> 00:01:28,920 is gonna be focused on fraud 39 00:01:28,920 --> 00:01:31,890 and relevant activity with access devices. 40 00:01:31,890 --> 00:01:34,590 It covers any technical or non-technical means 41 00:01:34,590 --> 00:01:37,380 of trying to bypass an authorization system. 42 00:01:37,380 --> 00:01:39,540 So as a penetration tester, 43 00:01:39,540 --> 00:01:41,730 you might be using a password-cracking tool 44 00:01:41,730 --> 00:01:43,350 in order to test the password strength 45 00:01:43,350 --> 00:01:45,780 of a company's password security policy. 46 00:01:45,780 --> 00:01:49,650 Technically, under section 1029, you are breaking the law 47 00:01:49,650 --> 00:01:51,060 because you're attempting to bypass 48 00:01:51,060 --> 00:01:52,740 an authentication system. 49 00:01:52,740 --> 00:01:55,230 Now, if you don't have permission to test these passwords, 50 00:01:55,230 --> 00:01:58,560 you could be charged and sent to jail as a computer hacker. 51 00:01:58,560 --> 00:02:00,930 Again, this is why it is vitally important 52 00:02:00,930 --> 00:02:04,170 to have permission from the organization in writing 53 00:02:04,170 --> 00:02:06,600 as part of your contract, rules of engagement, 54 00:02:06,600 --> 00:02:09,030 and other planning and scoping documents. 55 00:02:09,030 --> 00:02:11,790 Once the company invites you in and gives you permission, 56 00:02:11,790 --> 00:02:14,340 then it's no longer considered breaking the law. 57 00:02:14,340 --> 00:02:18,330 It now becomes penetration testing, not illegal hacking. 58 00:02:18,330 --> 00:02:20,850 The second law is known as Section 1030, 59 00:02:20,850 --> 00:02:22,200 which is focused on fraud 60 00:02:22,200 --> 00:02:24,330 and related activity with computers. 61 00:02:24,330 --> 00:02:26,550 This is loosely defined to include any device 62 00:02:26,550 --> 00:02:28,050 connected to a network. 63 00:02:28,050 --> 00:02:30,180 So if you own a smart television 64 00:02:30,180 --> 00:02:32,610 and it has a network connection to access Netflix, 65 00:02:32,610 --> 00:02:35,670 it is considered a computer for the purposes of this law. 66 00:02:35,670 --> 00:02:37,470 The same holds true for wearable devices 67 00:02:37,470 --> 00:02:39,690 like fitness trackers, smart watches, 68 00:02:39,690 --> 00:02:42,030 and even health information devices. 69 00:02:42,030 --> 00:02:44,490 Again, if we have permission in writing, 70 00:02:44,490 --> 00:02:46,860 then we can attempt to penetrate these devices. 71 00:02:46,860 --> 00:02:49,740 Otherwise, it's considered an illegal action. 72 00:02:49,740 --> 00:02:53,070 Now, there is one really interesting part of Section 1030 73 00:02:53,070 --> 00:02:54,930 that I think you need to be aware of. 74 00:02:54,930 --> 00:02:56,880 This component has the language in the law 75 00:02:56,880 --> 00:03:00,360 that speaks to the act of exceeding one's access rights. 76 00:03:00,360 --> 00:03:02,370 Now, for example, let's say an employee 77 00:03:02,370 --> 00:03:04,620 uses their authorized username and password 78 00:03:04,620 --> 00:03:07,020 to do things that go beyond the scope of their job. 79 00:03:07,020 --> 00:03:09,240 This is technically considered computer hacking 80 00:03:09,240 --> 00:03:10,740 under this section of the law 81 00:03:10,740 --> 00:03:13,140 and would be considered a criminal act. 82 00:03:13,140 --> 00:03:16,470 So if a system administrator uses their authorized username 83 00:03:16,470 --> 00:03:19,050 and password to read other people's email, 84 00:03:19,050 --> 00:03:21,510 this is actually a violation of that law 85 00:03:21,510 --> 00:03:23,700 and that person could go to jail. 86 00:03:23,700 --> 00:03:26,700 Employees, even those with a valid username and password 87 00:03:26,700 --> 00:03:28,260 issued to them from their company, 88 00:03:28,260 --> 00:03:31,590 are not authorized to use it in whatever way they want to. 89 00:03:31,590 --> 00:03:34,560 If they do, they could be considered an insider threat, 90 00:03:34,560 --> 00:03:36,750 and technically, they are breaking the law 91 00:03:36,750 --> 00:03:38,970 and are conducting computer hacking. 92 00:03:38,970 --> 00:03:41,850 Now, with that behind us, let's resume our coverage 93 00:03:41,850 --> 00:03:45,000 of the PenTest+ exam and talk about some legal concepts 94 00:03:45,000 --> 00:03:46,770 that you need to be aware of. 95 00:03:46,770 --> 00:03:49,920 Now, before you conduct a penetration test, as I said, 96 00:03:49,920 --> 00:03:52,470 it is imperative that you receive written permission 97 00:03:52,470 --> 00:03:54,270 from the target organization. 98 00:03:54,270 --> 00:03:56,460 This is what prevents a penetration tester, 99 00:03:56,460 --> 00:03:57,900 also known as an ethical hacker 100 00:03:57,900 --> 00:04:00,870 or authorized hacker, from going to prison. 101 00:04:00,870 --> 00:04:03,000 Ethical hackers and penetration testers 102 00:04:03,000 --> 00:04:05,460 are separated from criminal unauthorized hackers 103 00:04:05,460 --> 00:04:08,400 by one simple thing, and that is permission. 104 00:04:08,400 --> 00:04:09,780 When we get this written permission 105 00:04:09,780 --> 00:04:11,850 in our contract or our scope of work, 106 00:04:11,850 --> 00:04:14,130 we call this our get outta jail free card, 107 00:04:14,130 --> 00:04:16,709 because effectively, that's really what it is. 108 00:04:16,709 --> 00:04:18,360 Let's pretend that you are contracted 109 00:04:18,360 --> 00:04:20,970 to conduct a penetration test of Sony Pictures, 110 00:04:20,970 --> 00:04:23,670 but shortly after, the FBI shows up at your front door 111 00:04:23,670 --> 00:04:25,770 claiming that you hacked Sony Pictures. 112 00:04:25,770 --> 00:04:28,050 That would be a pretty bad day, right? 113 00:04:28,050 --> 00:04:29,820 Well, if you can provide them a copy 114 00:04:29,820 --> 00:04:31,350 of your signed written permission, 115 00:04:31,350 --> 00:04:33,870 usually found in your contract, your scope of work, 116 00:04:33,870 --> 00:04:35,250 or rules of engagement, 117 00:04:35,250 --> 00:04:37,770 you're not gonna be held liable for those actions. 118 00:04:37,770 --> 00:04:40,890 However, if you hack Sony Pictures without their permission, 119 00:04:40,890 --> 00:04:44,370 this is considered a computer crime under Section 1029 120 00:04:44,370 --> 00:04:46,470 and 1030 under the US code, 121 00:04:46,470 --> 00:04:48,600 and you could be heading off to prison. 122 00:04:48,600 --> 00:04:51,360 Now, as many organizations have migrated to the cloud, 123 00:04:51,360 --> 00:04:53,370 the need for gaining third party authorization 124 00:04:53,370 --> 00:04:55,560 has also increased dramatically. 125 00:04:55,560 --> 00:04:57,750 For example, let's pretend that I'm gonna hire you 126 00:04:57,750 --> 00:05:00,510 to assess my company's file storage solutions. 127 00:05:00,510 --> 00:05:03,060 During our planning and scoping discussions, you learn 128 00:05:03,060 --> 00:05:05,670 that I have an internal network-attached storage server 129 00:05:05,670 --> 00:05:07,980 in addition to a cloud-based solution. 130 00:05:07,980 --> 00:05:10,380 Now, in our discussions, we have scoped the assessment 131 00:05:10,380 --> 00:05:13,110 to include both the onsite file server solution 132 00:05:13,110 --> 00:05:14,790 and our cloud-based one. 133 00:05:14,790 --> 00:05:17,850 So we sign a contract, you head back to your office. 134 00:05:17,850 --> 00:05:20,490 Now, can you legally begin your assessment 135 00:05:20,490 --> 00:05:22,560 of our file storage solutions? 136 00:05:22,560 --> 00:05:25,560 Well, no, you can't because I don't have the ability 137 00:05:25,560 --> 00:05:28,230 to give you authorization to conduct a penetration test 138 00:05:28,230 --> 00:05:31,740 on my cloud-based one because I don't own those servers. 139 00:05:31,740 --> 00:05:33,810 If you began your assessment right now, 140 00:05:33,810 --> 00:05:36,480 you would actually be hacking my cloud service provider, 141 00:05:36,480 --> 00:05:38,100 and if you don't get permission from them 142 00:05:38,100 --> 00:05:41,220 before you begin your penetration test, well guess what? 143 00:05:41,220 --> 00:05:43,080 You could be found guilty of criminal hacking 144 00:05:43,080 --> 00:05:44,670 and you could go to jail. 145 00:05:44,670 --> 00:05:46,950 Now, it's not just my permission that you need, 146 00:05:46,950 --> 00:05:48,600 but you also need to obtain the permission 147 00:05:48,600 --> 00:05:50,970 of my cloud service provider as well. 148 00:05:50,970 --> 00:05:53,790 But don't worry, because cloud providers all know 149 00:05:53,790 --> 00:05:55,680 that penetration tests have to happen 150 00:05:55,680 --> 00:05:57,960 for compliance and regulatory reasons. 151 00:05:57,960 --> 00:05:59,280 To obtain their permission, 152 00:05:59,280 --> 00:06:01,980 simply do an online search for the cloud provider's name 153 00:06:01,980 --> 00:06:04,890 and the phrase "penetration testing permission." 154 00:06:04,890 --> 00:06:05,880 You're gonna find quickly 155 00:06:05,880 --> 00:06:08,400 that they have the proper online form for you to fill out 156 00:06:08,400 --> 00:06:10,500 to let them know your scope, your timeline, 157 00:06:10,500 --> 00:06:12,270 and the duration of the assessment. 158 00:06:12,270 --> 00:06:13,740 This allows the cloud provider 159 00:06:13,740 --> 00:06:15,180 to capture some of your details 160 00:06:15,180 --> 00:06:17,910 and notate that there will be an ongoing penetration test 161 00:06:17,910 --> 00:06:20,430 so that their own security teams are aware of that. 162 00:06:20,430 --> 00:06:22,260 Remember, you must get permission 163 00:06:22,260 --> 00:06:23,880 from the owners of the servers. 164 00:06:23,880 --> 00:06:25,140 So if the target organization 165 00:06:25,140 --> 00:06:26,910 is using cloud-based resources, 166 00:06:26,910 --> 00:06:28,200 then you have to obtain permission 167 00:06:28,200 --> 00:06:29,910 from both the target organization 168 00:06:29,910 --> 00:06:32,040 and the cloud service provider. 169 00:06:32,040 --> 00:06:34,380 During your penetration test, you may also find 170 00:06:34,380 --> 00:06:35,850 a lot of confidential information 171 00:06:35,850 --> 00:06:37,890 about your target organization. 172 00:06:37,890 --> 00:06:39,930 It's gonna be your responsibility to safeguard 173 00:06:39,930 --> 00:06:42,420 that information, and if you're able to access an area 174 00:06:42,420 --> 00:06:44,580 of their network that you think you shouldn't be in, 175 00:06:44,580 --> 00:06:47,190 it's also important that you notify the trusted agent 176 00:06:47,190 --> 00:06:49,830 inside that organization immediately. 177 00:06:49,830 --> 00:06:51,390 You also wanna be careful not to have 178 00:06:51,390 --> 00:06:53,850 confidential information leak out onto the internet 179 00:06:53,850 --> 00:06:56,250 because that would be considered an unauthorized disclosure 180 00:06:56,250 --> 00:06:59,790 by accident, and then your company may be held liable. 181 00:06:59,790 --> 00:07:01,380 Again, make sure your lawyer 182 00:07:01,380 --> 00:07:03,240 has properly drawn up your contracts 183 00:07:03,240 --> 00:07:04,920 to ensure that your liability is limited 184 00:07:04,920 --> 00:07:08,010 in case of accidental disclosures to minimize your exposure 185 00:07:08,010 --> 00:07:10,590 to fees and fines in this area. 186 00:07:10,590 --> 00:07:12,030 Additionally, it's important 187 00:07:12,030 --> 00:07:13,710 for you to protect the information you gather 188 00:07:13,710 --> 00:07:16,650 about the vulnerabilities in that organization's network. 189 00:07:16,650 --> 00:07:18,300 For example, you're gonna find 190 00:07:18,300 --> 00:07:19,950 major vulnerabilities sometimes, 191 00:07:19,950 --> 00:07:21,600 and if you find a major vulnerability 192 00:07:21,600 --> 00:07:23,160 in a public-facing server, 193 00:07:23,160 --> 00:07:24,840 you'll want to inform the trusted agent 194 00:07:24,840 --> 00:07:27,120 in that organization immediately. 195 00:07:27,120 --> 00:07:28,590 You should also keep that information 196 00:07:28,590 --> 00:07:31,380 close hold within your team and the trusted agent 197 00:07:31,380 --> 00:07:32,730 within that organization 198 00:07:32,730 --> 00:07:34,650 to ensure that only privileged personnel, 199 00:07:34,650 --> 00:07:36,570 such as the IT director and their staff, 200 00:07:36,570 --> 00:07:38,580 are informed of this major vulnerability, 201 00:07:38,580 --> 00:07:40,080 so it's less likely to be exploited 202 00:07:40,080 --> 00:07:41,940 before it can be remediated. 203 00:07:41,940 --> 00:07:44,160 To ensure confidentiality and professionalism 204 00:07:44,160 --> 00:07:47,130 in your penetration testing team, each of your members 205 00:07:47,130 --> 00:07:49,590 should have a background check conducted on them. 206 00:07:49,590 --> 00:07:51,060 Now, being a penetration tester 207 00:07:51,060 --> 00:07:53,250 is gonna put you into a trusted position, 208 00:07:53,250 --> 00:07:55,320 so there's gonna be organizations that hire you 209 00:07:55,320 --> 00:07:57,840 and they need to know that you are trustworthy. 210 00:07:57,840 --> 00:07:59,880 They might ask for copies of your credentials, 211 00:07:59,880 --> 00:08:02,700 your certifications, and your educational transcripts 212 00:08:02,700 --> 00:08:04,170 to ensure you have the knowledge required 213 00:08:04,170 --> 00:08:06,630 to perform the work of a penetration tester, 214 00:08:06,630 --> 00:08:09,570 but they're also gonna conduct a background check on you 215 00:08:09,570 --> 00:08:12,030 that includes criminal history, driving history, 216 00:08:12,030 --> 00:08:13,350 and a credit check. 217 00:08:13,350 --> 00:08:15,900 If you have a criminal record or a felony conviction, 218 00:08:15,900 --> 00:08:18,630 this is gonna be a disqualifier for a lot of positions 219 00:08:18,630 --> 00:08:20,640 with penetration testing organizations, 220 00:08:20,640 --> 00:08:22,860 but not necessarily all of them. 221 00:08:22,860 --> 00:08:25,170 Now, as your team conducts its penetration tests, 222 00:08:25,170 --> 00:08:28,200 sometimes you're gonna discover that the target organization 223 00:08:28,200 --> 00:08:31,530 may have already been breached by a real world threat actor. 224 00:08:31,530 --> 00:08:33,659 If you find evidence of a real attack, 225 00:08:33,659 --> 00:08:35,490 you should immediately stop what you're doing 226 00:08:35,490 --> 00:08:36,960 and report it to a trusted agent 227 00:08:36,960 --> 00:08:38,970 within the target organization. 228 00:08:38,970 --> 00:08:40,919 Alternatively, if you make a mistake 229 00:08:40,919 --> 00:08:43,200 and you scan the wrong IP range or network, 230 00:08:43,200 --> 00:08:44,370 you also need to stop 231 00:08:44,370 --> 00:08:46,590 and immediately notify your team leader 232 00:08:46,590 --> 00:08:48,180 because scanning the wrong target 233 00:08:48,180 --> 00:08:50,550 could lead to legal issues for your team. 234 00:08:50,550 --> 00:08:54,750 Finally, let's talk about fees, fines, and criminal charges. 235 00:08:54,750 --> 00:08:57,540 As a penetration tester, you are in a risky business 236 00:08:57,540 --> 00:08:58,860 if you don't have all your paperwork 237 00:08:58,860 --> 00:09:01,140 and processes in the proper order. 238 00:09:01,140 --> 00:09:04,080 Remember, you always wanna get your get outta jail free card 239 00:09:04,080 --> 00:09:05,940 up front and discuss your engagements 240 00:09:05,940 --> 00:09:08,400 thoroughly with your clients before beginning. 241 00:09:08,400 --> 00:09:09,510 During your planning, 242 00:09:09,510 --> 00:09:11,850 you need to think through different scenarios as well, 243 00:09:11,850 --> 00:09:13,080 especially if you're gonna be doing 244 00:09:13,080 --> 00:09:15,000 physical penetration testing. 245 00:09:15,000 --> 00:09:16,650 For example, if I hired you 246 00:09:16,650 --> 00:09:19,080 to conduct a physical penetration test in my office 247 00:09:19,080 --> 00:09:20,940 and the security guard catches you in the act, 248 00:09:20,940 --> 00:09:22,290 what is gonna happen? 249 00:09:22,290 --> 00:09:23,670 Are they gonna call the police? 250 00:09:23,670 --> 00:09:25,740 Are they gonna try to tackle you to the ground? 251 00:09:25,740 --> 00:09:28,260 If you're gonna be doing physical penetration testing, 252 00:09:28,260 --> 00:09:31,440 I recommend you always have your way out planned in advance. 253 00:09:31,440 --> 00:09:33,450 For example, if you get caught, 254 00:09:33,450 --> 00:09:35,730 do you have the head of security on speed dial? 255 00:09:35,730 --> 00:09:37,290 Do you have a letter signed by the CEO 256 00:09:37,290 --> 00:09:39,090 stating that this was an authorized test 257 00:09:39,090 --> 00:09:40,740 or something else entirely? 258 00:09:40,740 --> 00:09:43,050 Whatever it is, you need to plan for it. 259 00:09:43,050 --> 00:09:45,480 And as you plan and then scope the assessment, 260 00:09:45,480 --> 00:09:48,000 you need to make sure the process is clearly understood 261 00:09:48,000 --> 00:09:50,220 by all of those who need to be involved. 262 00:09:50,220 --> 00:09:52,740 For example, if the statement of work states 263 00:09:52,740 --> 00:09:54,510 to conduct physical penetration testing 264 00:09:54,510 --> 00:09:57,090 of our exterior defenses using various means, 265 00:09:57,090 --> 00:09:59,310 that is probably a bit too generic. 266 00:09:59,310 --> 00:10:01,170 Instead, you might state something 267 00:10:01,170 --> 00:10:04,200 like "conduct lock picking" or "fence jumping" 268 00:10:04,200 --> 00:10:05,940 or whatever it's gonna be. 269 00:10:05,940 --> 00:10:08,310 This makes it much clearer and if you get caught, 270 00:10:08,310 --> 00:10:10,140 when you pull out that get outta jail free card, 271 00:10:10,140 --> 00:10:11,280 that permission letter, 272 00:10:11,280 --> 00:10:13,500 people are gonna understand why you're there. 273 00:10:13,500 --> 00:10:15,540 Now, remember, the thing that separates us 274 00:10:15,540 --> 00:10:17,790 from malicious actors is permission. 275 00:10:17,790 --> 00:10:20,220 Get permission throughout the entire process 276 00:10:20,220 --> 00:10:22,380 and especially before any major events, 277 00:10:22,380 --> 00:10:24,960 such as a DDoS attack or a stress testing 278 00:10:24,960 --> 00:10:26,730 or physical penetration test. 279 00:10:26,730 --> 00:10:29,430 If you don't, you could face fines, fees, 280 00:10:29,430 --> 00:10:30,843 or even criminal charges. 281 00:10:32,132 --> 00:10:34,158 (machine buzzing) 21692