1
00:00:09,810 --> 00:00:16,020
In the last lecture, we saw a few terms of hacking. Now in this lecture, we will see what is pen

2
00:00:16,020 --> 00:00:19,460
testing, vulnerability assessment and VAPT.

3
00:00:19,920 --> 00:00:21,430
So let's get started.

4
00:00:22,620 --> 00:00:27,590
What is a pen test? A penetration test is a subclass of ethical hacking.

5
00:00:28,170 --> 00:00:35,340
It comprises a set of methods and procedures that aim at testing and protecting an organization's

6
00:00:35,340 --> 00:00:36,030
security.

7
00:00:37,010 --> 00:00:44,000
The penetration tests prove helpful in finding vulnerabilities in an organization and check whether an attacker

8
00:00:44,000 --> 00:00:49,850
will be able to exploit them to gain unauthorized access to an asset. Penetration

9
00:00:49,850 --> 00:00:56,840
testing is a method of evaluating the security of an information system or network by simulating an

10
00:00:56,840 --> 00:01:00,500
attack to find out vulnerabilities that an attacker could exploit.

11
00:01:01,770 --> 00:01:07,950
It exposes the gaps in the security model of an organization and helps organizations reach a balance

12
00:01:08,220 --> 00:01:14,640
between technical prowess and business functionality from the perspective of potential security breaches.

13
00:01:15,090 --> 00:01:18,540
That can help in disaster recovery and business continuity planning.

14
00:01:19,470 --> 00:01:25,830
It simulates methods used by intruders to gain unauthorized access to an organization's network systems

15
00:01:26,160 --> 00:01:32,460
and then compromises them and involves using proprietary and open source tools to conduct the test.

16
00:01:33,570 --> 00:01:39,900
Apart from automated techniques, penetration testing involves manual techniques for conducting targeted testing

17
00:01:40,170 --> 00:01:47,220
on specific systems to ensure that there are no security flaws that previously might have gone undetected.

18
00:01:48,180 --> 00:01:50,930
So why are these tests important?

19
00:01:51,770 --> 00:01:57,720
With cyberattacks becoming the norm, it is more important than ever before to undertake regular vulnerability

20
00:01:57,720 --> 00:02:04,620
scanning and penetration testing, to identify vulnerabilities and ensure on a regular basis that cyber

21
00:02:04,620 --> 00:02:05,670
controls are working.

22
00:02:06,690 --> 00:02:11,160
Penetration testing looks at vulnerabilities and will try to exploit them.

23
00:02:11,930 --> 00:02:14,910
The testing is often stopped when the objective is achieved.

24
00:02:15,210 --> 00:02:18,300
That is, when access to a network has been gained.

25
00:02:18,960 --> 00:02:22,380
This means there can be other exploitable vulnerabilities not tested.

26
00:02:23,980 --> 00:02:29,230
Organizations need to conduct regular testing of the systems for the following key reasons.

27
00:02:30,480 --> 00:02:36,930
To determine the weakness in the infrastructure or applications and people in order to develop controls;

28
00:02:37,800 --> 00:02:44,160
to ensure controls have been implemented and are effective. This will provide assurance to information

29
00:02:44,160 --> 00:02:52,440
security and senior management. Then, to test the applications that are often the avenues of attack, that

30
00:02:52,440 --> 00:02:59,760
is, people who can make mistakes despite best practices in software development. And lastly, to evaluate

31
00:02:59,940 --> 00:03:06,750
system efficiency and to discover new bugs in existing software so that they can be patched and adapted

32
00:03:06,750 --> 00:03:07,890
to people complaints.

33
00:03:09,430 --> 00:03:16,390
The worst situation is to have an exploitable vulnerability within a company application or people that

34
00:03:16,390 --> 00:03:23,290
you are not aware of, as the attackers will be probing your assets even if you are not. Breaches, unless

35
00:03:23,290 --> 00:03:26,950
publicized by the attackers, can go undetected for months.

36
00:03:27,250 --> 00:03:32,820
And that is why carrying out frequent penetration tests is important for an organization.

37
00:03:33,700 --> 00:03:37,030
Now, the next question is: what is vulnerability assessment?

38
00:03:37,150 --> 00:03:37,930
That is VA.

39
00:03:38,590 --> 00:03:44,920
You might have a question that in the last couple of minutes we saw that penetration testing also involves

40
00:03:44,920 --> 00:03:46,210
finding out vulnerabilities.

41
00:03:46,630 --> 00:03:49,950
But vulnerability assessment is different. Here,

42
00:03:49,960 --> 00:03:57,070
the main goal is to figure out the vulnerabilities only. We do not exploit vulnerabilities in a vulnerability

43
00:03:57,070 --> 00:03:58,030
assessment test.

44
00:03:59,230 --> 00:04:07,180
VA is a process to run and identify, detect and classify the security loopholes in applications, websites,

45
00:04:07,180 --> 00:04:12,670
computers, networks, information technology systems and communication systems.

46
00:04:13,590 --> 00:04:20,580
I have used the words identify, detect and classify, and therefore this is the major difference between

47
00:04:20,580 --> 00:04:27,750
a vulnerability assessment and a penetration testing. A minor loophole in a network can put your entire

48
00:04:27,750 --> 00:04:31,280
system at risk and let all your information out.

49
00:04:31,920 --> 00:04:39,120
The loopholes allow third parties to access and illicitly steal and exploit the database and information

50
00:04:39,120 --> 00:04:40,620
of your entire network system.

51
00:04:41,660 --> 00:04:48,140
Vulnerability management is the process of prioritizing, identifying, classifying and then mitigating

52
00:04:48,140 --> 00:04:49,280
software vulnerabilities.

53
00:04:50,150 --> 00:04:57,080
Penetration testing, however, is an active process and requires ethical hackers with profound knowledge

54
00:04:57,080 --> 00:04:58,640
of networking and hacking.

55
00:04:59,660 --> 00:05:01,160
Now you may get confused.

56
00:05:01,550 --> 00:05:04,400
Is there any difference between VA and PT?

57
00:05:04,760 --> 00:05:08,660
Because the two terminologies are often used as VAPT.

58
00:05:09,110 --> 00:05:10,620
But yes, there is a difference.

59
00:05:11,290 --> 00:05:18,260
Oftentimes, vulnerability assessment is confused with penetration testing. However, those terms have

60
00:05:18,260 --> 00:05:21,950
completely different meanings. In a vulnerability assessment,

61
00:05:22,310 --> 00:05:29,450
our goal is to figure out all the vulnerabilities in an asset and then document them accordingly. In a penetration

62
00:05:29,450 --> 00:05:29,830
test,

63
00:05:30,020 --> 00:05:36,820
however, we need to simulate as an attacker to see if we are actually able to exploit that vulnerability

64
00:05:37,130 --> 00:05:43,220
and then document the findings that were exploited and the ones that turned out to be false positives.

65
00:05:44,230 --> 00:05:50,710
Another difference is a vulnerability assessment is aimed at identifying known vulnerabilities in the

66
00:05:50,710 --> 00:05:57,040
organization's infrastructure, whereas a penetration test, on the other hand, evaluates the security

67
00:05:57,040 --> 00:06:00,430
of an asset by running a series of planned attacks

68
00:06:00,640 --> 00:06:07,810
with the goal of finding and exploiting vulnerabilities. A vulnerability assessment does not actually exploit

69
00:06:07,810 --> 00:06:13,630
the vulnerabilities, but it identifies and considers the overall security management processes.

70
00:06:14,200 --> 00:06:19,090
But in a penetration test, these vulnerabilities are exploited to see the results.

71
00:06:20,350 --> 00:06:25,990
In other words, the vulnerability assessment is a part of the penetration testing process, but the

72
00:06:25,990 --> 00:06:33,430
actual exploitation is the next phase of the penetration testing cycle. Penetration testing is a more

73
00:06:33,430 --> 00:06:40,750
complete process and goes as follows: information gathering, footprinting, vulnerability assessment,

74
00:06:41,260 --> 00:06:43,110
exploitation and then reporting.

75
00:06:43,540 --> 00:06:48,400
So you can find that VA is actually a subset of penetration testing.

76
00:06:49,030 --> 00:06:52,380
And then we'll see the different rules of engagement.

77
00:06:53,050 --> 00:06:59,710
Every penetration test you do would comprise rules of engagement, which basically define how

78
00:06:59,710 --> 00:07:06,730
a pen test would be laid out, what methodology would be used, the start and end date, the milestones,

79
00:07:07,090 --> 00:07:11,320
the goals of the penetration test, the liabilities and responsibilities.

80
00:07:12,340 --> 00:07:18,880
All of them have to be mutually agreed upon by both the customer and the representative before the penetration

81
00:07:18,880 --> 00:07:19,730
test is started.

82
00:07:20,530 --> 00:07:24,610
So after this course, you can do a proper penetration test.

83
00:07:24,610 --> 00:07:28,510
And before doing that, you must apply these rules of engagement.

84
00:07:28,780 --> 00:07:32,890
So make sure you listen to these points very carefully.

85
00:07:33,550 --> 00:07:40,180
The first one is the agreements: a proper permission to hack, that is, authorization,

86
00:07:40,630 --> 00:07:44,230
and the nondisclosure agreement should be signed by both the parties.

87
00:07:45,100 --> 00:07:51,250
No, you cannot directly go and hack a random website before taking prior permission. In ethical hacking,

88
00:07:51,520 --> 00:07:57,640
it is a common practice to take the permission first before testing any organization or website.

89
00:07:58,820 --> 00:08:06,500
Scope: the scope of the engagement and what part of the organization must be tested. Then the project

90
00:08:06,500 --> 00:08:10,100
duration, including both the start and the end date.

91
00:08:11,070 --> 00:08:17,670
The methodology to be used for conducting a penetration test, then the goals of penetration test.

92
00:08:18,800 --> 00:08:24,650
Then the allowed and disallowed techniques, whether denial of service testing should be performed or not,

93
00:08:24,890 --> 00:08:28,160
whether the large scale injection should be performed or not, and much more.

94
00:08:29,360 --> 00:08:36,110
Finally, the liabilities and responsibilities, which are decided ahead of time. As an intrusion tester,

95
00:08:36,340 --> 00:08:43,100
you might break into something that should not be accessible, causing a denial of service, and then

96
00:08:43,100 --> 00:08:46,610
you might access sensitive information such as credit cards.

97
00:08:47,050 --> 00:08:51,380
Therefore, liabilities should be defined prior to the engagement.

98
00:08:52,100 --> 00:08:57,260
So make sure you follow all these points before starting a penetration test.

99
00:08:58,520 --> 00:09:04,520
In the next lecture, we will see the different types of testing methodologies that are used to carry

100
00:09:04,520 --> 00:09:06,670
out penetration tests in today's world.