1
00:00:00,000 --> 00:00:01,980
-: In this section of the course,
2
00:00:01,980 --> 00:00:04,019
we're gonna cover the various considerations
3
00:00:04,019 --> 00:00:06,840
that you need to think of when scoping an engagement.
4
00:00:06,840 --> 00:00:08,370
Now, when we use the term scope
5
00:00:08,370 --> 00:00:10,110
in the world of penetration testing,
6
00:00:10,110 --> 00:00:13,110
we're referring to the combined objectives and requirements
7
00:00:13,110 --> 00:00:15,030
needed to complete an engagement.
8
00:00:15,030 --> 00:00:16,470
From a business perspective,
9
00:00:16,470 --> 00:00:17,880
it's important that both the client
10
00:00:17,880 --> 00:00:20,910
and the penetration tester know what is and is not
11
00:00:20,910 --> 00:00:22,950
in the scope of a given engagement.
12
00:00:22,950 --> 00:00:25,920
For example, if I hire you to perform a penetration test
13
00:00:25,920 --> 00:00:28,440
of my website, we need to agree upfront
14
00:00:28,440 --> 00:00:29,910
what portions of the website
15
00:00:29,910 --> 00:00:31,860
you're gonna conduct your assessment against
16
00:00:31,860 --> 00:00:33,960
and what type of tools and techniques
17
00:00:33,960 --> 00:00:36,540
you're gonna be allowed to use against my website.
18
00:00:36,540 --> 00:00:39,720
For example, I might allow you to conduct an SQL injection
19
00:00:39,720 --> 00:00:41,460
against my learning management system
20
00:00:41,460 --> 00:00:42,960
but I'm not gonna allow you
21
00:00:42,960 --> 00:00:44,760
to do a distributed denial of service attack
22
00:00:44,760 --> 00:00:46,230
against my servers.
23
00:00:46,230 --> 00:00:47,700
Now, the reason isn't that I'm afraid
24
00:00:47,700 --> 00:00:50,340
of you taking my servers offline, but instead
25
00:00:50,340 --> 00:00:53,010
it's that we use an elastic cloud-based architecture,
26
00:00:53,010 --> 00:00:55,650
and if you start to run a DDoS attack against my servers
27
00:00:55,650 --> 00:00:58,410
they're gonna automatically spin up new compute instances
28
00:00:58,410 --> 00:01:00,210
to service all that new load.
29
00:01:00,210 --> 00:01:03,330
This would in turn really increase my cloud hosting costs
30
00:01:03,330 --> 00:01:04,163
for that month
31
00:01:04,163 --> 00:01:06,210
and it really doesn't give me any valuable information
32
00:01:06,210 --> 00:01:07,740
during the penetration test.
33
00:01:07,740 --> 00:01:09,960
So I'm gonna make that off limits.
34
00:01:09,960 --> 00:01:10,890
Now, on the other hand,
35
00:01:10,890 --> 00:01:12,840
if I wanted to stress test our systems
36
00:01:12,840 --> 00:01:15,840
and see just how large of a DDoS attack we could withstand
37
00:01:15,840 --> 00:01:17,250
then maybe we would agree to put that
38
00:01:17,250 --> 00:01:19,110
back into the scope of the assessment.
39
00:01:19,110 --> 00:01:21,090
But for most penetration tests,
40
00:01:21,090 --> 00:01:23,640
you're simply not gonna be allowed to do a DDoS attack
41
00:01:23,640 --> 00:01:26,010
because it could either harm the organization's business
42
00:01:26,010 --> 00:01:29,400
or it'll simply waste a lot of their time and resources.
43
00:01:29,400 --> 00:01:31,170
So in this section of the course,
44
00:01:31,170 --> 00:01:33,090
we're really gonna focus on scoping
45
00:01:33,090 --> 00:01:36,120
which is part of domain one: planning and scoping.
46
00:01:36,120 --> 00:01:36,960
This section,
47
00:01:36,960 --> 00:01:39,360
we're gonna be covering parts of objectives 1.1,
48
00:01:39,360 --> 00:01:43,170
1.2 and 1.3 that we didn't cover in the last section.
49
00:01:43,170 --> 00:01:44,850
And this will also complete our coverage
50
00:01:44,850 --> 00:01:46,710
of all of the domain one objectives
51
00:01:46,710 --> 00:01:49,350
that will be covered on your PenTest+ exam.
52
00:01:49,350 --> 00:01:51,360
This includes objective 1.1,
53
00:01:51,360 --> 00:01:52,950
which states that you must be able to compare
54
00:01:52,950 --> 00:01:56,100
and contrast governance, risk and compliance concepts.
55
00:01:56,100 --> 00:01:59,250
Objective 1.2, which states you must be able to explain
56
00:01:59,250 --> 00:02:00,450
the importance of scoping
57
00:02:00,450 --> 00:02:02,940
and organizational or customer requirements.
58
00:02:02,940 --> 00:02:06,090
And objective 1.3, which states that, given a scenario,
59
00:02:06,090 --> 00:02:08,520
you must demonstrate an ethical hacking mindset
60
00:02:08,520 --> 00:02:11,250
by maintaining professionalism and integrity.
61
00:02:11,250 --> 00:02:13,890
As we begin this section, we're gonna first talk about
62
00:02:13,890 --> 00:02:15,900
how you can define the scope of an engagement
63
00:02:15,900 --> 00:02:18,150
by working with your client to determine what will
64
00:02:18,150 --> 00:02:20,730
and won't be covered during a penetration test.
65
00:02:20,730 --> 00:02:22,680
It is always important that you have defined
66
00:02:22,680 --> 00:02:25,680
and agreed to the proper scope before any technical portions
67
00:02:25,680 --> 00:02:28,140
of your penetration test have begun.
68
00:02:28,140 --> 00:02:31,230
Then we're gonna move into the types of devices, systems
69
00:02:31,230 --> 00:02:33,720
and programs that may be added to your target list
70
00:02:33,720 --> 00:02:35,430
when you're scoping your engagement.
71
00:02:35,430 --> 00:02:38,670
This includes things like wireless networks, IP ranges,
72
00:02:38,670 --> 00:02:41,820
domains, APIs, physical locations,
73
00:02:41,820 --> 00:02:43,950
internal targets, external targets
74
00:02:43,950 --> 00:02:46,170
and targets that are either first party hosted
75
00:02:46,170 --> 00:02:48,210
or third party hosted.
76
00:02:48,210 --> 00:02:50,820
Next, we're gonna move into identifying the restrictions
77
00:02:50,820 --> 00:02:53,340
that may be placed upon you during an engagement,
78
00:02:53,340 --> 00:02:55,230
things like geographic restrictions,
79
00:02:55,230 --> 00:02:57,330
the types of tools you can and cannot use,
80
00:02:57,330 --> 00:02:58,530
and the different laws
81
00:02:58,530 --> 00:03:00,750
that may affect your penetration tests.
82
00:03:00,750 --> 00:03:03,510
After that, we're gonna discuss the rules of engagement
83
00:03:03,510 --> 00:03:05,910
that you're gonna need to follow along with a discussion
84
00:03:05,910 --> 00:03:07,350
of the different types of assessments
85
00:03:07,350 --> 00:03:09,330
that you and your client may agree to use
86
00:03:09,330 --> 00:03:10,830
during this engagement.
87
00:03:10,830 --> 00:03:12,780
We're also gonna discuss the methods that you can use
88
00:03:12,780 --> 00:03:15,030
to validate the scope of the engagement.
89
00:03:15,030 --> 00:03:17,400
Finally, we're gonna discuss the different limitations
90
00:03:17,400 --> 00:03:19,590
that could be placed on the penetration tester
91
00:03:19,590 --> 00:03:22,740
for this engagement and the necessity of gaining permission
92
00:03:22,740 --> 00:03:24,840
from the client before and during
93
00:03:24,840 --> 00:03:27,930
different parts of the engagement to avoid fees, fines
94
00:03:27,930 --> 00:03:29,850
or possible criminal charges.
95
00:03:29,850 --> 00:03:32,580
So let's continue our coverage of domain one
96
00:03:32,580 --> 00:03:35,480
with scoping an engagement in this section of the course.