1
00:00:00,180 --> 00:00:01,140
Instructor: Most people know
2
00:00:01,140 --> 00:00:03,570
that hacking is a federal crime.
3
00:00:03,570 --> 00:00:06,120
Therefore, it's important for a penetration tester
4
00:00:06,120 --> 00:00:08,430
to be aware of the laws that deal with hacking
5
00:00:08,430 --> 00:00:11,820
because penetration testing is effectively hacking.
6
00:00:11,820 --> 00:00:14,310
There are local, state, and federal laws
7
00:00:14,310 --> 00:00:15,390
that you have to understand
8
00:00:15,390 --> 00:00:18,360
before starting your career as a penetration tester.
9
00:00:18,360 --> 00:00:20,460
Laws also vary from country to country,
10
00:00:20,460 --> 00:00:22,500
so if you're working on a penetration test
11
00:00:22,500 --> 00:00:24,270
for an international organization,
12
00:00:24,270 --> 00:00:26,070
you also have to check the local laws
13
00:00:26,070 --> 00:00:27,930
where you're conducting the attack from,
14
00:00:27,930 --> 00:00:29,430
as well as those of the country
15
00:00:29,430 --> 00:00:32,400
that the target organization is located within.
16
00:00:32,400 --> 00:00:34,560
Remember, always consult your attorney
17
00:00:34,560 --> 00:00:36,240
before you accept and attempt
18
00:00:36,240 --> 00:00:38,160
a penetration testing assignment,
19
00:00:38,160 --> 00:00:39,840
because if you do this wrong
20
00:00:39,840 --> 00:00:42,360
and you don't have the right legal framework in place,
21
00:00:42,360 --> 00:00:45,480
you could be arrested under local, state, federal,
22
00:00:45,480 --> 00:00:47,490
or even another country's laws.
23
00:00:47,490 --> 00:00:49,530
Plain and simple, talk to a lawyer
24
00:00:49,530 --> 00:00:52,620
and do everything legally within the bounds of the law.
25
00:00:52,620 --> 00:00:54,540
While penetration testing is hacking,
26
00:00:54,540 --> 00:00:57,360
it is more importantly hacking with permission.
27
00:00:57,360 --> 00:00:58,740
This is actually authorized
28
00:00:58,740 --> 00:01:01,230
under the law in most jurisdictions.
29
00:01:01,230 --> 00:01:03,990
Now, there are two main laws that affect penetration testers
30
00:01:03,990 --> 00:01:06,300
under the law inside the United States.
31
00:01:06,300 --> 00:01:10,230
Under United States Code Title 18, Chapter 47,
32
00:01:10,230 --> 00:01:15,230
Section 1029 and 1030, you're gonna find these two laws.
33
00:01:15,510 --> 00:01:17,370
Now for the PenTest+ exam,
34
00:01:17,370 --> 00:01:19,350
you don't have to memorize these laws.
35
00:01:19,350 --> 00:01:22,170
But as a penetration tester, it is incredibly important
36
00:01:22,170 --> 00:01:24,540
to understand what these two laws are.
37
00:01:24,540 --> 00:01:27,420
Now, the first law, known as Section 1029,
38
00:01:27,420 --> 00:01:28,920
is gonna be focused on fraud
39
00:01:28,920 --> 00:01:31,890
and relevant activity with access devices.
40
00:01:31,890 --> 00:01:34,590
It covers any technical or non-technical means
41
00:01:34,590 --> 00:01:37,380
of trying to bypass an authorization system.
42
00:01:37,380 --> 00:01:39,540
So as a penetration tester,
43
00:01:39,540 --> 00:01:41,730
you might be using a password-cracking tool
44
00:01:41,730 --> 00:01:43,350
in order to test the password strength
45
00:01:43,350 --> 00:01:45,780
of a company's password security policy.
46
00:01:45,780 --> 00:01:49,650
Technically, under Section 1029, you are breaking the law
47
00:01:49,650 --> 00:01:51,060
because you're attempting to bypass
48
00:01:51,060 --> 00:01:52,740
an authentication system.
49
00:01:52,740 --> 00:01:55,230
Now, if you don't have permission to test these passwords,
50
00:01:55,230 --> 00:01:58,560
you could be charged and sent to jail as a computer hacker.
51
00:01:58,560 --> 00:02:00,930
Again, this is why it is vitally important
52
00:02:00,930 --> 00:02:04,170
to have permission from the organization in writing
53
00:02:04,170 --> 00:02:06,600
as part of your contract, rules of engagement,
54
00:02:06,600 --> 00:02:09,030
and other planning and scoping documents.
55
00:02:09,030 --> 00:02:11,790
Once the company invites you in and gives you permission,
56
00:02:11,790 --> 00:02:14,340
then it's no longer considered breaking the law.
57
00:02:14,340 --> 00:02:18,330
It now becomes penetration testing, not illegal hacking.
58
00:02:18,330 --> 00:02:20,850
The second law is known as Section 1030,
59
00:02:20,850 --> 00:02:22,200
which is focused on fraud
60
00:02:22,200 --> 00:02:24,330
and related activity with computers.
61
00:02:24,330 --> 00:02:26,550
This is loosely defined to include any device
62
00:02:26,550 --> 00:02:28,050
connected to a network.
63
00:02:28,050 --> 00:02:30,180
So if you own a smart television
64
00:02:30,180 --> 00:02:32,610
and it has a network connection to access Netflix,
65
00:02:32,610 --> 00:02:35,670
it is considered a computer for the purposes of this law.
66
00:02:35,670 --> 00:02:37,470
The same holds true for wearable devices
67
00:02:37,470 --> 00:02:39,690
like fitness trackers, smart watches,
68
00:02:39,690 --> 00:02:42,030
and even health information devices.
69
00:02:42,030 --> 00:02:44,490
Again, if we have permission in writing,
70
00:02:44,490 --> 00:02:46,860
then we can attempt to penetrate these devices.
71
00:02:46,860 --> 00:02:49,740
Otherwise, it's considered an illegal action.
72
00:02:49,740 --> 00:02:53,070
Now, there is one really interesting part of Section 1030
73
00:02:53,070 --> 00:02:54,930
that I think you need to be aware of.
74
00:02:54,930 --> 00:02:56,880
This component has the language in the law
75
00:02:56,880 --> 00:03:00,360
that speaks to the act of exceeding one's access rights.
76
00:03:00,360 --> 00:03:02,370
Now, for example, let's say an employee
77
00:03:02,370 --> 00:03:04,620
uses their authorized username and password
78
00:03:04,620 --> 00:03:07,020
to do things that go beyond the scope of their job.
79
00:03:07,020 --> 00:03:09,240
This is technically considered computer hacking
80
00:03:09,240 --> 00:03:10,740
under this section of the law
81
00:03:10,740 --> 00:03:13,140
and would be considered a criminal act.
82
00:03:13,140 --> 00:03:16,470
So if a system administrator uses their authorized username
83
00:03:16,470 --> 00:03:19,050
and password to read other people's email,
84
00:03:19,050 --> 00:03:21,510
this is actually a violation of that law
85
00:03:21,510 --> 00:03:23,700
and that person could go to jail.
86
00:03:23,700 --> 00:03:26,700
Employees, even those with a valid username and password
87
00:03:26,700 --> 00:03:28,260
issued to them from their company,
88
00:03:28,260 --> 00:03:31,590
are not authorized to use it in whatever way they want to.
89
00:03:31,590 --> 00:03:34,560
If they do, they could be considered an insider threat,
90
00:03:34,560 --> 00:03:36,750
and technically, they are breaking the law
91
00:03:36,750 --> 00:03:38,970
and are conducting computer hacking.
92
00:03:38,970 --> 00:03:41,850
Now, with that behind us, let's resume our coverage
93
00:03:41,850 --> 00:03:45,000
of the PenTest+ exam and talk about some legal concepts
94
00:03:45,000 --> 00:03:46,770
that you need to be aware of.
95
00:03:46,770 --> 00:03:49,920
Now, before you conduct a penetration test, as I said,
96
00:03:49,920 --> 00:03:52,470
it is imperative that you receive written permission
97
00:03:52,470 --> 00:03:54,270
from the target organization.
98
00:03:54,270 --> 00:03:56,460
This is what prevents a penetration tester,
99
00:03:56,460 --> 00:03:57,900
also known as an ethical hacker
100
00:03:57,900 --> 00:04:00,870
or authorized hacker, from going to prison.
101
00:04:00,870 --> 00:04:03,000
Ethical hackers and penetration testers
102
00:04:03,000 --> 00:04:05,460
are separated from criminal unauthorized hackers
103
00:04:05,460 --> 00:04:08,400
by one simple thing, and that is permission.
104
00:04:08,400 --> 00:04:09,780
When we get this written permission
105
00:04:09,780 --> 00:04:11,850
in our contract or our scope of work,
106
00:04:11,850 --> 00:04:14,130
we call this our get outta jail free card,
107
00:04:14,130 --> 00:04:16,709
because effectively, that's really what it is.
108
00:04:16,709 --> 00:04:18,360
Let's pretend that you are contracted
109
00:04:18,360 --> 00:04:20,970
to conduct a penetration test of Sony Pictures,
110
00:04:20,970 --> 00:04:23,670
but shortly after, the FBI shows up at your front door
111
00:04:23,670 --> 00:04:25,770
claiming that you hacked Sony Pictures.
112
00:04:25,770 --> 00:04:28,050
That would be a pretty bad day, right?
113
00:04:28,050 --> 00:04:29,820
Well, if you can provide them a copy
114
00:04:29,820 --> 00:04:31,350
of your signed written permission,
115
00:04:31,350 --> 00:04:33,870
usually found in your contract, your scope of work,
116
00:04:33,870 --> 00:04:35,250
or rules of engagement,
117
00:04:35,250 --> 00:04:37,770
you're not gonna be held liable for those actions.
118
00:04:37,770 --> 00:04:40,890
However, if you hack Sony Pictures without their permission,
119
00:04:40,890 --> 00:04:44,370
this is considered a computer crime under Section 1029
120
00:04:44,370 --> 00:04:46,470
and 1030 under the US Code,
121
00:04:46,470 --> 00:04:48,600
and you could be heading off to prison.
122
00:04:48,600 --> 00:04:51,360
Now, as many organizations have migrated to the cloud,
123
00:04:51,360 --> 00:04:53,370
the need for gaining third party authorization
124
00:04:53,370 --> 00:04:55,560
has also increased dramatically.
125
00:04:55,560 --> 00:04:57,750
For example, let's pretend that I'm gonna hire you
126
00:04:57,750 --> 00:05:00,510
to assess my company's file storage solutions.
127
00:05:00,510 --> 00:05:03,060
During our planning and scoping discussions, you learn
128
00:05:03,060 --> 00:05:05,670
that I have an internal network-attached storage server
129
00:05:05,670 --> 00:05:07,980
in addition to a cloud-based solution.
130
00:05:07,980 --> 00:05:10,380
Now, in our discussions, we have scoped the assessment
131
00:05:10,380 --> 00:05:13,110
to include both the onsite file server solution
132
00:05:13,110 --> 00:05:14,790
and our cloud-based one.
133
00:05:14,790 --> 00:05:17,850
So we sign a contract, you head back to your office.
134
00:05:17,850 --> 00:05:20,490
Now, can you legally begin your assessment
135
00:05:20,490 --> 00:05:22,560
of our file storage solutions?
136
00:05:22,560 --> 00:05:25,560
Well, no, you can't because I don't have the ability
137
00:05:25,560 --> 00:05:28,230
to give you authorization to conduct a penetration test
138
00:05:28,230 --> 00:05:31,740
on my cloud-based one because I don't own those servers.
139
00:05:31,740 --> 00:05:33,810
If you began your assessment right now,
140
00:05:33,810 --> 00:05:36,480
you would actually be hacking my cloud service provider,
141
00:05:36,480 --> 00:05:38,100
and if you don't get permission from them
142
00:05:38,100 --> 00:05:41,220
before you begin your penetration test, well guess what?
143
00:05:41,220 --> 00:05:43,080
You could be found guilty of criminal hacking
144
00:05:43,080 --> 00:05:44,670
and you could go to jail.
145
00:05:44,670 --> 00:05:46,950
Now, it's not just my permission that you need,
146
00:05:46,950 --> 00:05:48,600
but you also need to obtain the permission
147
00:05:48,600 --> 00:05:50,970
of my cloud service provider as well.
148
00:05:50,970 --> 00:05:53,790
But don't worry, because cloud providers all know
149
00:05:53,790 --> 00:05:55,680
that penetration tests have to happen
150
00:05:55,680 --> 00:05:57,960
for compliance and regulatory reasons.
151
00:05:57,960 --> 00:05:59,280
To obtain their permission,
152
00:05:59,280 --> 00:06:01,980
simply do an online search for the cloud provider's name
153
00:06:01,980 --> 00:06:04,890
and the phrase "penetration testing permission."
154
00:06:04,890 --> 00:06:05,880
You're gonna find quickly
155
00:06:05,880 --> 00:06:08,400
that they have the proper online form for you to fill out
156
00:06:08,400 --> 00:06:10,500
to let them know your scope, your timeline,
157
00:06:10,500 --> 00:06:12,270
and the duration of the assessment.
158
00:06:12,270 --> 00:06:13,740
This allows the cloud provider
159
00:06:13,740 --> 00:06:15,180
to capture some of your details
160
00:06:15,180 --> 00:06:17,910
and notate that there will be an ongoing penetration test
161
00:06:17,910 --> 00:06:20,430
so that their own security teams are aware of that.
162
00:06:20,430 --> 00:06:22,260
Remember, you must get permission
163
00:06:22,260 --> 00:06:23,880
from the owners of the servers.
164
00:06:23,880 --> 00:06:25,140
So if the target organization
165
00:06:25,140 --> 00:06:26,910
is using cloud-based resources,
166
00:06:26,910 --> 00:06:28,200
then you have to obtain permission
167
00:06:28,200 --> 00:06:29,910
from both the target organization
168
00:06:29,910 --> 00:06:32,040
and the cloud service provider.
169
00:06:32,040 --> 00:06:34,380
During your penetration test, you may also find
170
00:06:34,380 --> 00:06:35,850
a lot of confidential information
171
00:06:35,850 --> 00:06:37,890
about your target organization.
172
00:06:37,890 --> 00:06:39,930
It's gonna be your responsibility to safeguard
173
00:06:39,930 --> 00:06:42,420
that information, and if you're able to access an area
174
00:06:42,420 --> 00:06:44,580
of their network that you think you shouldn't be in,
175
00:06:44,580 --> 00:06:47,190
it's also important that you notify the trusted agent
176
00:06:47,190 --> 00:06:49,830
inside that organization immediately.
177
00:06:49,830 --> 00:06:51,390
You also wanna be careful not to have
178
00:06:51,390 --> 00:06:53,850
confidential information leak out onto the internet
179
00:06:53,850 --> 00:06:56,250
because that would be considered an unauthorized disclosure
180
00:06:56,250 --> 00:06:59,790
by accident, and then your company may be held liable.
181
00:06:59,790 --> 00:07:01,380
Again, make sure your lawyer
182
00:07:01,380 --> 00:07:03,240
has properly drawn up your contracts
183
00:07:03,240 --> 00:07:04,920
to ensure that your liability is limited
184
00:07:04,920 --> 00:07:08,010
in case of accidental disclosures to minimize your exposure
185
00:07:08,010 --> 00:07:10,590
to fees and fines in this area.
186
00:07:10,590 --> 00:07:12,030
Additionally, it's important
187
00:07:12,030 --> 00:07:13,710
for you to protect the information you gather
188
00:07:13,710 --> 00:07:16,650
about the vulnerabilities in that organization's network.
189
00:07:16,650 --> 00:07:18,300
For example, you're gonna find
190
00:07:18,300 --> 00:07:19,950
major vulnerabilities sometimes,
191
00:07:19,950 --> 00:07:21,600
and if you find a major vulnerability
192
00:07:21,600 --> 00:07:23,160
in a public-facing server,
193
00:07:23,160 --> 00:07:24,840
you'll want to inform the trusted agent
194
00:07:24,840 --> 00:07:27,120
in that organization immediately.
195
00:07:27,120 --> 00:07:28,590
You should also keep that information
196
00:07:28,590 --> 00:07:31,380
close hold within your team and the trusted agent
197
00:07:31,380 --> 00:07:32,730
within that organization
198
00:07:32,730 --> 00:07:34,650
to ensure that only privileged personnel,
199
00:07:34,650 --> 00:07:36,570
such as the IT director and their staff,
200
00:07:36,570 --> 00:07:38,580
are informed of this major vulnerability,
201
00:07:38,580 --> 00:07:40,080
so it's less likely to be exploited
202
00:07:40,080 --> 00:07:41,940
before it can be remediated.
203
00:07:41,940 --> 00:07:44,160
To ensure confidentiality and professionalism
204
00:07:44,160 --> 00:07:47,130
in your penetration testing team, each of your members
205
00:07:47,130 --> 00:07:49,590
should have a background check conducted on them.
206
00:07:49,590 --> 00:07:51,060
Now, being a penetration tester
207
00:07:51,060 --> 00:07:53,250
is gonna put you into a trusted position,
208
00:07:53,250 --> 00:07:55,320
so there's gonna be organizations that hire you
209
00:07:55,320 --> 00:07:57,840
and they need to know that you are trustworthy.
210
00:07:57,840 --> 00:07:59,880
They might ask for copies of your credentials,
211
00:07:59,880 --> 00:08:02,700
your certifications, and your educational transcripts
212
00:08:02,700 --> 00:08:04,170
to ensure you have the knowledge required
213
00:08:04,170 --> 00:08:06,630
to perform the work of a penetration tester,
214
00:08:06,630 --> 00:08:09,570
but they're also gonna conduct a background check on you
215
00:08:09,570 --> 00:08:12,030
that includes criminal history, driving history,
216
00:08:12,030 --> 00:08:13,350
and a credit check.
217
00:08:13,350 --> 00:08:15,900
If you have a criminal record or a felony conviction,
218
00:08:15,900 --> 00:08:18,630
this is gonna be a disqualifier for a lot of positions
219
00:08:18,630 --> 00:08:20,640
with penetration testing organizations,
220
00:08:20,640 --> 00:08:22,860
but not necessarily all of them.
221
00:08:22,860 --> 00:08:25,170
Now, as your team conducts its penetration tests,
222
00:08:25,170 --> 00:08:28,200
sometimes you're gonna discover that the target organization
223
00:08:28,200 --> 00:08:31,530
may have already been breached by a real world threat actor.
224
00:08:31,530 --> 00:08:33,659
If you find evidence of a real attack,
225
00:08:33,659 --> 00:08:35,490
you should immediately stop what you're doing
226
00:08:35,490 --> 00:08:36,960
and report it to a trusted agent
227
00:08:36,960 --> 00:08:38,970
within the target organization.
228
00:08:38,970 --> 00:08:40,919
Alternatively, if you make a mistake
229
00:08:40,919 --> 00:08:43,200
and you scan the wrong IP range or network,
230
00:08:43,200 --> 00:08:44,370
you also need to stop
231
00:08:44,370 --> 00:08:46,590
and immediately notify your team leader
232
00:08:46,590 --> 00:08:48,180
because scanning the wrong target
233
00:08:48,180 --> 00:08:50,550
could lead to legal issues for your team.
234
00:08:50,550 --> 00:08:54,750
Finally, let's talk about fees, fines, and criminal charges.
235
00:08:54,750 --> 00:08:57,540
As a penetration tester, you are in a risky business
236
00:08:57,540 --> 00:08:58,860
if you don't have all your paperwork
237
00:08:58,860 --> 00:09:01,140
and processes in the proper order.
238
00:09:01,140 --> 00:09:04,080
Remember, you always wanna get your get outta jail free card
239
00:09:04,080 --> 00:09:05,940
up front and discuss your engagements
240
00:09:05,940 --> 00:09:08,400
thoroughly with your clients before beginning.
241
00:09:08,400 --> 00:09:09,510
During your planning,
242
00:09:09,510 --> 00:09:11,850
you need to think through different scenarios as well,
243
00:09:11,850 --> 00:09:13,080
especially if you're gonna be doing
244
00:09:13,080 --> 00:09:15,000
physical penetration testing.
245
00:09:15,000 --> 00:09:16,650
For example, if I hired you
246
00:09:16,650 --> 00:09:19,080
to conduct a physical penetration test in my office
247
00:09:19,080 --> 00:09:20,940
and the security guard catches you in the act,
248
00:09:20,940 --> 00:09:22,290
what is gonna happen?
249
00:09:22,290 --> 00:09:23,670
Are they gonna call the police?
250
00:09:23,670 --> 00:09:25,740
Are they gonna try to tackle you to the ground?
251
00:09:25,740 --> 00:09:28,260
If you're gonna be doing physical penetration testing,
252
00:09:28,260 --> 00:09:31,440
I recommend you always have your way out planned in advance.
253
00:09:31,440 --> 00:09:33,450
For example, if you get caught,
254
00:09:33,450 --> 00:09:35,730
do you have the head of security on speed dial?
255
00:09:35,730 --> 00:09:37,290
Do you have a letter signed by the CEO
256
00:09:37,290 --> 00:09:39,090
stating that this was an authorized test
257
00:09:39,090 --> 00:09:40,740
or something else entirely?
258
00:09:40,740 --> 00:09:43,050
Whatever it is, you need to plan for it.
259
00:09:43,050 --> 00:09:45,480
And as you plan and then scope the assessment,
260
00:09:45,480 --> 00:09:48,000
you need to make sure the process is clearly understood
261
00:09:48,000 --> 00:09:50,220
by all of those who need to be involved.
262
00:09:50,220 --> 00:09:52,740
For example, if the statement of work states
263
00:09:52,740 --> 00:09:54,510
to conduct physical penetration testing
264
00:09:54,510 --> 00:09:57,090
of our exterior defenses using various means,
265
00:09:57,090 --> 00:09:59,310
that is probably a bit too generic.
266
00:09:59,310 --> 00:10:01,170
Instead, you might state something
267
00:10:01,170 --> 00:10:04,200
like "conduct lock picking" or "fence jumping"
268
00:10:04,200 --> 00:10:05,940
or whatever it's gonna be.
269
00:10:05,940 --> 00:10:08,310
This makes it much clearer and if you get caught,
270
00:10:08,310 --> 00:10:10,140
when you pull out that get outta jail free card,
271
00:10:10,140 --> 00:10:11,280
that permission letter,
272
00:10:11,280 --> 00:10:13,500
people are gonna understand why you're there.
273
00:10:13,500 --> 00:10:15,540
Now, remember, the thing that separates us
274
00:10:15,540 --> 00:10:17,790
from malicious actors is permission.
275
00:10:17,790 --> 00:10:20,220
Get permission throughout the entire process
276
00:10:20,220 --> 00:10:22,380
and especially before any major events,
277
00:10:22,380 --> 00:10:24,960
such as a DDoS attack or a stress testing
278
00:10:24,960 --> 00:10:26,730
or physical penetration test.
279
00:10:26,730 --> 00:10:29,430
If you don't, you could face fines, fees,
280
00:10:29,430 --> 00:10:30,843
or even criminal charges.
281
00:10:32,132 --> 00:10:34,158
(machine buzzing)