Let us start with the new lecture. In this lecture, we are going to cover the pen testing methodologies.

The first is the OWASP testing methodology. The OWASP Testing Guide is being developed as a part of the testing project of the Open Web Application Security Project. It is not a complete methodology covering a full pen test, but it is focused only on the testing phases of Web application security. This guide provides a detailed discussion on the security assessment of Web applications, as well as the deployment stack, including Web server configuration. It follows a black box testing approach and it is comprehensive on the "what", and then there are also some guides on the "how", mainly in the form of listing the tools which can be used in each and every step of pen testing.

The main sections of the OWASP testing guide are: information gathering, covering exposure assessment and deployment fingerprinting; configuration and deployment management testing, which is assessing the server security configuration; and application security testing, which is listing a set of steps testing for specific Web app vulnerabilities. It is much more like identity management testing, authentication testing, authorization testing, session management testing, input validation testing, testing for error handling, testing for cryptography, business logic testing and client-side testing, which looks for vulnerabilities such as JavaScript execution, HTML injection and CSS injection.

The OWASP community is very active, making this methodology one of the most comprehensive and up-to-date methodologies, with many pen testing projects nowadays including some web apps. The OWASP testing guide is definitely something you should know and you should be familiar with; the OWASP testing guide basically contains almost everything that you want to test in a Web application. The methodology is comprehensive and it's designed by some of the best researchers in the world.

Next is the Open Source Security Testing Methodology Manual, or OSSTMM, and it basically includes almost all the steps involved in a penetration test. The methodology employed for a penetration test is concise, yet it's a cumbersome process, which makes it difficult to implement in our day to day lives. Penetration tests, despite being tedious, demand a great deal of money out of companies' budgets for their completion, which often are not made by large organizations. OSSTMM has been primarily developed as a security auditing methodology assessing against regulatory and industry requirements. It is not meant to be used as a stand-alone methodology, but rather to serve as a basis for developing one which is tailored towards the required regulations and frameworks.

Next is the ISSAF methodology. ISSAF stands for Information Systems Security Assessment Framework. The ISSAF methodology is supported by the Open Information Systems Security Group, although it is no longer maintained and therefore a bit out of date. One of its strengths is that it links individual pentest steps with penetration testing tools. It aims to provide a comprehensive guide in conducting a pentest and can be a good basis for developing your own custom methodology.

ISSAF breaks the testing process into three phases: planning and preparation, assessment, reporting, clean up and destroy the artifacts. The first phase is planning and preparation. This phase is brief and only describes the steps: the exchange of initial information, and plan and prepare the test. It emphasizes the need for a formal assessment agreement to be signed before any testing begins.

The next phase is assessment. This is the more useful phase; it is relatively detailed and even describes some of the testing tools to be used. Targets are described as networks, hosts, applications and databases. To some extent it is out of date and not complete.

And the third phase is reporting. This phase discusses the communication channels and types of reports in the project. The final part of the framework is quite brief and focuses on removing any artifacts left over from the pen test. It leaves the pentester free to choose how to encrypt, sanitize and destroy data created during the pen test.

Next is the NIST methodology. The federal government developed the NIST Cybersecurity Framework in 2013 to respond to the increased threat of cyberattacks on the critical U.S. infrastructure, including energy production facilities, water supplies, communications systems and many more. The backbone of the NIST framework is five core functions, structured in a single and logical process.

First is the identify function. The identify phase is where we develop an organizational understanding of the risks that threaten your systems, assets and data. Gaining this understanding requires a careful analysis of the connections between each component, documenting how assets move through your systems and how they get accessed by the staff.

Next is protect. The protect phase is where we deploy safeguards to limit the impact of a potential cyber security event and includes both digital and physical protections.

Next is detect. As the name implies, this function includes all the processes and procedures for detecting cybersecurity anomalies and making sure that those events are properly understood. For respond, organizations must also implement processes to properly and quickly respond to a cybersecurity event after it has been detected, and the last is recover. The final function of the NIST cybersecurity methodology is recover, which refers to the ability to provide resilience after a cyber attack and recover any capabilities or services that may have been affected.

The NIST framework isn't a compliance standard; it was designed to guide the work of competent cybersecurity professionals. Unlike a compliance standard, there's no regulatory body that will verify whether your company is properly implementing the NIST. Nor is there a standard design to be followed when using the NIST methodology.

In the next video, we are going to see three categories of ethical hacking: black box, white box and gray box.