1
00:00:00,240 --> 00:00:01,589
Speaker: Once the rules of engagement
2
00:00:01,589 --> 00:00:02,850
have been agreed upon,
3
00:00:02,850 --> 00:00:05,070
the type of assessment and strategy chosen
4
00:00:05,070 --> 00:00:07,440
and the scope has been defined and identified,
5
00:00:07,440 --> 00:00:08,790
it's now time to validate
6
00:00:08,790 --> 00:00:11,010
the scope of the engagement with the client.
7
00:00:11,010 --> 00:00:12,510
Validating the scope of the engagement
8
00:00:12,510 --> 00:00:14,610
involves confirming all of the requirements,
9
00:00:14,610 --> 00:00:17,100
the scope and the details of the engagement
10
00:00:17,100 --> 00:00:19,410
before you gain final approval and permission
11
00:00:19,410 --> 00:00:20,730
to move into the next phase
12
00:00:20,730 --> 00:00:22,230
and conduct information gathering
13
00:00:22,230 --> 00:00:24,180
and vulnerability scanning.
14
00:00:24,180 --> 00:00:26,820
Your penetration testing team should always ensure
15
00:00:26,820 --> 00:00:28,920
that the target organization has a good set
16
00:00:28,920 --> 00:00:31,860
of system backups and recovery procedures as well.
17
00:00:31,860 --> 00:00:33,420
This way, you can ensure that
18
00:00:33,420 --> 00:00:35,790
if something goes very wrong during the engagement,
19
00:00:35,790 --> 00:00:37,980
a partial or full recovery can be performed
20
00:00:37,980 --> 00:00:39,870
to restore operations.
21
00:00:39,870 --> 00:00:41,700
During the validation of the scope,
22
00:00:41,700 --> 00:00:44,400
your team should also verify that they know who to contact
23
00:00:44,400 --> 00:00:47,370
within the client organization if something goes wrong,
24
00:00:47,370 --> 00:00:50,310
something needs to be deconflicted, or if they discover
25
00:00:50,310 --> 00:00:53,100
an exceptionally high-risk vulnerability.
26
00:00:53,100 --> 00:00:54,960
When you're validating the scope of the engagement
27
00:00:54,960 --> 00:00:57,810
with the client, you should also review all of the key areas
28
00:00:57,810 --> 00:01:00,420
from the statement of work and the rules of engagement
29
00:01:00,420 --> 00:01:02,880
to ensure that there are no areas of confusion.
30
00:01:02,880 --> 00:01:05,580
This will include a thorough review of several items
31
00:01:05,580 --> 00:01:08,700
including the scope and the in-scope target assets,
32
00:01:08,700 --> 00:01:10,170
what is excluded from the scope
33
00:01:10,170 --> 00:01:12,300
and what's considered out of bounds,
34
00:01:12,300 --> 00:01:14,910
what strategy will be used such as an unknown,
35
00:01:14,910 --> 00:01:17,580
partially known or known environment test,
36
00:01:17,580 --> 00:01:19,680
what the timeline will be for any testing,
37
00:01:19,680 --> 00:01:22,710
as well as any constraints placed upon your working hours,
38
00:01:22,710 --> 00:01:24,450
any restrictions or applicable laws
39
00:01:24,450 --> 00:01:26,220
that will apply to this engagement
40
00:01:26,220 --> 00:01:29,190
as well as any third-party service providers, services
41
00:01:29,190 --> 00:01:31,470
or off-site locations that are being considered.
42
00:01:31,470 --> 00:01:34,200
And finally, the proper communication channels to use
43
00:01:34,200 --> 00:01:36,450
during the assessment in order to provide updates
44
00:01:36,450 --> 00:01:38,100
to key stakeholders.
45
00:01:38,100 --> 00:01:40,830
Now, once we have our discussion with the organization,
46
00:01:40,830 --> 00:01:42,840
we're going to find that certain applications,
47
00:01:42,840 --> 00:01:45,930
systems, networks and even users may be placed
48
00:01:45,930 --> 00:01:49,500
on the allowed or excluded target list for the engagement.
49
00:01:49,500 --> 00:01:52,440
Now, an allowed list contains a list of authorized targets
50
00:01:52,440 --> 00:01:54,150
while an excluded list contains a list
51
00:01:54,150 --> 00:01:56,460
of unauthorized targets that we can't go after
52
00:01:56,460 --> 00:01:58,020
during our engagement.
53
00:01:58,020 --> 00:02:00,960
Many organizations have numerous boundary defenses
54
00:02:00,960 --> 00:02:03,030
such as unified threat management systems,
55
00:02:03,030 --> 00:02:05,460
firewalls, intrusion prevention systems
56
00:02:05,460 --> 00:02:07,320
that could block your access from the internet
57
00:02:07,320 --> 00:02:09,660
when you're conducting a penetration test.
58
00:02:09,660 --> 00:02:12,240
These systems are most commonly used to allow
59
00:02:12,240 --> 00:02:14,880
or prevent outsiders from accessing the network
60
00:02:14,880 --> 00:02:17,250
and operate by listing the IP addresses
61
00:02:17,250 --> 00:02:19,440
or ports in the access control list
62
00:02:19,440 --> 00:02:22,410
as either permitted, allowed, or denied.
63
00:02:22,410 --> 00:02:24,570
Now, depending on the scope of your assessment,
64
00:02:24,570 --> 00:02:25,860
your target organization
65
00:02:25,860 --> 00:02:28,050
may allow your penetration testing system
66
00:02:28,050 --> 00:02:30,579
to be placed into an allow list to bypass some
67
00:02:30,579 --> 00:02:33,030
or all of these boundary defenses.
68
00:02:33,030 --> 00:02:35,490
For example, if the organization wants you
69
00:02:35,490 --> 00:02:37,320
to conduct an internal assessment,
70
00:02:37,320 --> 00:02:39,780
they might allow you to have a VPN connection directly
71
00:02:39,780 --> 00:02:42,720
into their network by placing you into an allow list
72
00:02:42,720 --> 00:02:44,760
in order to simulate what an insider threat
73
00:02:44,760 --> 00:02:47,220
or authorized user might be able to accomplish
74
00:02:47,220 --> 00:02:48,660
during an attack.
75
00:02:48,660 --> 00:02:51,600
On the other hand, the organization may be more interested
76
00:02:51,600 --> 00:02:54,600
in seeing if you're able to bypass their external firewalls
77
00:02:54,600 --> 00:02:56,340
and their intrusion prevention systems
78
00:02:56,340 --> 00:02:58,110
during an external assessment.
79
00:02:58,110 --> 00:03:00,330
In this case, they're not going to add our systems
80
00:03:00,330 --> 00:03:03,240
to their allow list or allow us to bypass them directly
81
00:03:03,240 --> 00:03:05,640
and instead they'll make us work for it.
82
00:03:05,640 --> 00:03:06,780
Another concern is that
83
00:03:06,780 --> 00:03:08,550
if the organization's network defenders
84
00:03:08,550 --> 00:03:11,670
catch your penetration testing team during your assessment,
85
00:03:11,670 --> 00:03:13,890
they could add your systems to their block list
86
00:03:13,890 --> 00:03:15,120
and effectively block us
87
00:03:15,120 --> 00:03:17,790
from directly accessing their systems anymore.
88
00:03:17,790 --> 00:03:19,410
This could require us to find a new way
89
00:03:19,410 --> 00:03:21,120
to bypass their boundary defenses
90
00:03:21,120 --> 00:03:23,190
in order to break into that network.
91
00:03:23,190 --> 00:03:25,560
Now, if time is running out during your assessment,
92
00:03:25,560 --> 00:03:27,390
you may need to talk with a trusted agent
93
00:03:27,390 --> 00:03:30,390
within the organization to have them unblock your systems
94
00:03:30,390 --> 00:03:33,300
or even add you to the allow list within the boundary device
95
00:03:33,300 --> 00:03:35,550
so that you can continue to meet the other objectives
96
00:03:35,550 --> 00:03:36,960
of the penetration test
97
00:03:36,960 --> 00:03:39,360
if those boundary devices are becoming too difficult
98
00:03:39,360 --> 00:03:41,310
to bypass or exploit.
99
00:03:41,310 --> 00:03:42,420
This should be accounted for
100
00:03:42,420 --> 00:03:44,070
during your planning for the engagement
101
00:03:44,070 --> 00:03:46,320
by thinking about possible security exceptions
102
00:03:46,320 --> 00:03:49,260
that you may need to ask for as a contingency.
103
00:03:49,260 --> 00:03:51,990
Many organizations have a lot of different security devices
104
00:03:51,990 --> 00:03:54,930
on their networks, including intrusion prevention systems,
105
00:03:54,930 --> 00:03:58,500
web application firewalls, network access control systems,
106
00:03:58,500 --> 00:04:01,140
certificate pinning, and company policies.
107
00:04:01,140 --> 00:04:04,080
Depending on which policies and systems are being utilized,
108
00:04:04,080 --> 00:04:06,720
the penetration tester may need to ask for an exception
109
00:04:06,720 --> 00:04:08,550
to be allowed into one of those systems
110
00:04:08,550 --> 00:04:10,650
to be able to conduct their penetration test
111
00:04:10,650 --> 00:04:13,110
and be able to connect fully to that network.
112
00:04:13,110 --> 00:04:15,390
For example, maybe the penetration tester
113
00:04:15,390 --> 00:04:17,160
was hired to test the application
114
00:04:17,160 --> 00:04:19,079
behind the web application firewall
115
00:04:19,079 --> 00:04:20,910
and not the firewall itself.
116
00:04:20,910 --> 00:04:22,710
In this case, adding an exception
117
00:04:22,710 --> 00:04:25,830
to the web application firewall to allow them to bypass it
118
00:04:25,830 --> 00:04:28,350
would become a reasonable request.
119
00:04:28,350 --> 00:04:30,690
Finally, you need to realize that some networks,
120
00:04:30,690 --> 00:04:33,420
as part of their network access control or NAC,
121
00:04:33,420 --> 00:04:35,790
do require a digital certificate to be installed
122
00:04:35,790 --> 00:04:37,500
on the network device prior to it
123
00:04:37,500 --> 00:04:39,210
being able to connect to the network.
124
00:04:39,210 --> 00:04:41,430
We call this certificate pinning.
125
00:04:41,430 --> 00:04:44,250
Now, if they do, you may need to ask the organization
126
00:04:44,250 --> 00:04:45,420
to provide you with an exception
127
00:04:45,420 --> 00:04:47,280
to their certificate pinning policy.
128
00:04:47,280 --> 00:04:49,710
In which case, the organization could provide you,
129
00:04:49,710 --> 00:04:52,260
as the PenTester, an authorized digital certificate
130
00:04:52,260 --> 00:04:54,180
for your workstation in order for you
131
00:04:54,180 --> 00:04:55,410
to connect to their network
132
00:04:55,410 --> 00:04:57,480
without tripping their NAC sensors.
133
00:04:57,480 --> 00:05:00,060
Again, it depends on what they're trying to focus on
134
00:05:00,060 --> 00:05:01,290
during this engagement.
135
00:05:01,290 --> 00:05:03,270
If they're not trying to test the NAC sensor,
136
00:05:03,270 --> 00:05:05,310
it'll be okay to bypass it.
137
00:05:05,310 --> 00:05:06,480
Now, as with a lot of things
138
00:05:06,480 --> 00:05:08,130
in the planning and scoping stages,
139
00:05:08,130 --> 00:05:10,800
there really is no right or wrong answer here,
140
00:05:10,800 --> 00:05:13,200
other than what you have negotiated and agreed upon
141
00:05:13,200 --> 00:05:14,940
between your penetration testing team
142
00:05:14,940 --> 00:05:16,473
and your client organization.