WEBVTT

00:00.000 --> 00:01.950
>> Hello. In this section,

00:01.950 --> 00:03.120
we'll talk a little bit about

00:03.120 --> 00:06.090
vulnerability assessments
and penetration tests.

00:06.090 --> 00:07.710
This is where we
find out whether

00:07.710 --> 00:10.930
our systems are configured
the way they need to be.

00:11.660 --> 00:14.805
Starting with
vulnerability assessments.

00:14.805 --> 00:16.860
These are passive activities.

00:16.860 --> 00:18.870
What that means is
the person conducting

00:18.870 --> 00:20.655
them is looking for
vulnerabilities,

00:20.655 --> 00:22.815
but is not attempting
to create an exploit.

00:22.815 --> 00:24.570
On the test, you might see

00:24.570 --> 00:27.090
references to the least
intrusive method.

00:27.090 --> 00:29.040
Well, a vulnerability scan,

00:29.040 --> 00:30.120
it's going to be much less

00:30.120 --> 00:32.400
intrusive than a
penetration test.

00:32.400 --> 00:35.430
They're pointing you
in that direction,

00:35.430 --> 00:37.920
so what we're doing here in a

00:37.920 --> 00:41.295
vulnerability scan is looking
for known vulnerabilities.

00:41.295 --> 00:44.720
These are things like weak
passwords, open ports,

00:44.720 --> 00:46.670
unpatched systems, things that

00:46.670 --> 00:48.920
shouldn't be on the
network, but are.

00:48.920 --> 00:52.900
For example, unauthorized
wireless access points.

00:52.900 --> 00:55.800
Now, an attacker would
want this information.

00:55.800 --> 00:59.255
These scans can be used
for good or for evil.

00:59.255 --> 01:01.460
Tools that we can use include

01:01.460 --> 01:04.145
sniffers and intrusion
detection systems.

01:04.145 --> 01:06.680
These things examine traffic
on the network that is

01:06.680 --> 01:09.545
going to a specific host
or network segment.

01:09.545 --> 01:12.840
They look for encrypted
traffic and so forth.

01:15.110 --> 01:17.900
Now once we gather
that information

01:17.900 --> 01:19.475
from a vulnerability scan,

01:19.475 --> 01:21.920
we can then move in
as pen testers and do

01:21.920 --> 01:22.940
the active portion of

01:22.940 --> 01:26.440
the test where we can try
to create an exploit.

01:26.440 --> 01:29.000
For example, maybe I see

01:29.000 --> 01:31.235
that port 80 is
open on a system.

01:31.235 --> 01:34.090
Can I send malware
in through port 80?

01:34.090 --> 01:36.290
Now, pen testing is often

01:36.290 --> 01:38.090
referred to as ethical hacking,

01:38.090 --> 01:40.835
but it's only ethical
if you have permission.

01:40.835 --> 01:43.235
You want permission
from senior management

01:43.235 --> 01:45.395
as high up as you can get it.

01:45.395 --> 01:48.950
Now, when you meet with
leadership to talk about this,

01:48.950 --> 01:50.510
you'll have them
complete a document

01:50.510 --> 01:52.535
called the rules of engagement.

01:52.535 --> 01:55.700
Many of us have worked off
of this statement of work,

01:55.700 --> 01:58.925
and that can be fine for
most things but a pen test,

01:58.925 --> 02:01.070
you want a separate
document that specifies

02:01.070 --> 02:03.595
what can be used and
what can't be used.

02:03.595 --> 02:05.385
What are the rules
of engagement,

02:05.385 --> 02:07.025
what servers can be scanned.

02:07.025 --> 02:08.725
What tools can be used?

02:08.725 --> 02:10.770
During what hours
can the test occur?

02:10.770 --> 02:12.180
Are there exceptions?

02:12.180 --> 02:14.060
You want to make sure
you aren't scanning the

02:14.060 --> 02:16.280
anesthesia server right
in the middle of surgery,

02:16.280 --> 02:18.320
for example. That sign-off from

02:18.320 --> 02:21.930
senior leadership will
protect you in the process.

02:22.700 --> 02:26.270
Now, the way the steps
of pen testing work,

02:26.270 --> 02:28.720
there's obviously planning
that goes into it.

02:28.720 --> 02:31.970
As a matter of fact, vulnerability
assessments are where

02:31.970 --> 02:33.469
you gather a lot of information

02:33.469 --> 02:35.095
you'll be using in the pen test.

02:35.095 --> 02:37.410
That's the discovery piece.

02:37.410 --> 02:39.135
Then the actual exploit.

02:39.135 --> 02:41.180
We're using various
tools to compromise

02:41.180 --> 02:44.060
a system or inject
malware and so forth.

02:44.060 --> 02:46.370
But a lot of times,
the system we gain

02:46.370 --> 02:48.530
access to is not
our desired target.

02:48.530 --> 02:51.020
A lot of times we gain

02:51.020 --> 02:54.215
access to one system and then
pivot to another system.

02:54.215 --> 02:57.320
For example, you gain access
to John Smith's accounts.

02:57.320 --> 02:58.640
That way you can pivot to

02:58.640 --> 03:01.220
the domain controller
or DNS server.

03:01.220 --> 03:03.350
Anytime you talk about pivoting,

03:03.350 --> 03:06.025
that means you're shifting
to the real target.

03:06.025 --> 03:08.000
Then of course, at the end of

03:08.000 --> 03:10.760
the pen test you
report on how it went.

03:10.760 --> 03:14.645
A pen tester's job is to
test, not correct.

03:14.645 --> 03:17.180
We don't fix problems
as a pen tester.

03:17.180 --> 03:19.645
We simply test and report.

03:19.645 --> 03:23.390
Now how much knowledge
will your pen tester have?

03:23.390 --> 03:25.160
Well, it depends on what type of

03:25.160 --> 03:27.700
tests you want your
pen testers to do.

03:27.700 --> 03:31.190
With the black-box test,
you don't tell your

03:31.190 --> 03:34.415
pen testing team any information
about the organization.

03:34.415 --> 03:36.860
They have to figure
out by researching

03:36.860 --> 03:40.160
your organization from
publicly available sources.

03:40.160 --> 03:43.280
This phase is referred
to as reconnaissance,

03:43.280 --> 03:44.690
It really simulates how

03:44.690 --> 03:45.890
an external attacker could

03:45.890 --> 03:48.815
operate to try to
exploit your system.

03:48.815 --> 03:51.110
A partial knowledge pen test

03:51.110 --> 03:54.110
simulates what a regular
user might be able to do.

03:54.110 --> 03:56.630
The team has some
information about the target

03:56.630 --> 03:59.135
and it's simulating an
internal user attack.

03:59.135 --> 04:00.860
But they don't have
full access to

04:00.860 --> 04:04.040
everything like a system
administrator would have.

04:04.040 --> 04:07.040
A full knowledge test is
where the pen testers are

04:07.040 --> 04:08.360
simulating what an internal

04:08.360 --> 04:10.375
system administrator could do.

04:10.375 --> 04:12.020
They have intimate knowledge of

04:12.020 --> 04:14.750
the target and they have
full access as well.

04:14.750 --> 04:16.640
You really need to test all of

04:16.640 --> 04:18.050
these scenarios because you

04:18.050 --> 04:20.910
can't predict where the
threats may come from.

