1
00:00:00,390 --> 00:00:08,190
Before beginning a pen test, the parties should enter into a contract indicating exactly what the pen

2
00:00:08,190 --> 00:00:11,460
testers will do and will not do,

3
00:00:12,120 --> 00:00:22,080
and the range of IP addresses, subnets, computers, networks or devices that will be the subject of the

4
00:00:22,080 --> 00:00:22,770
pen test.

5
00:00:24,190 --> 00:00:30,940
The pen tester should obtain a "get out of jail free" card from the customer, specifically indicating

6
00:00:31,210 --> 00:00:38,410
not only that the pen testing is authorized, but also indicating that the customer has the legal authority

7
00:00:38,410 --> 00:00:40,120
to authorize the pen test.

8
00:00:41,620 --> 00:00:44,140
Big distinction and very important.

9
00:00:45,480 --> 00:00:51,780
If a cloud customer authorizes a pen tester to test their network in the cloud, this does not mean

10
00:00:51,780 --> 00:00:54,750
that the cloud provider has authorized the test.

11
00:00:55,410 --> 00:00:59,940
The cloud provider could go after the pen tester for unauthorized access.

12
00:01:01,460 --> 00:01:03,600
A non-disclosure agreement, NDA.

13
00:01:04,960 --> 00:01:07,480
It's also known as a confidentiality agreement.

14
00:01:08,360 --> 00:01:14,660
It's a legal contract between the pen tester and the system owner that outlines confidential material,

15
00:01:14,900 --> 00:01:21,590
knowledge or information that the parties wish to share with one another for certain purposes, but

16
00:01:21,590 --> 00:01:25,070
wish to restrict access to or by third parties.

17
00:01:25,850 --> 00:01:31,970
As I mentioned before, you will probably access the most critical and confidential data of the system

18
00:01:31,970 --> 00:01:32,240
owner.

19
00:01:32,600 --> 00:01:36,500
So this agreement is very important, especially for the system owner.
20
00:01:37,750 --> 00:01:43,120
Now, since penetration tests are very important for cybersecurity, it would be very good to have some

21
00:01:43,120 --> 00:01:50,920
standards while performing the test steps, and thankfully we have several organizations and consortiums

22
00:01:50,920 --> 00:01:52,360
to identify the standards.

23
00:01:53,260 --> 00:01:56,260
The best known ones are:

24
00:01:57,160 --> 00:02:06,100
PCI DSS, that is, the Payment Card Industry Data Security Standard. PCI DSS is the worldwide payment

25
00:02:06,100 --> 00:02:13,150
card industry data security standard that was set up to help businesses process card payments securely

26
00:02:13,330 --> 00:02:14,740
and reduce card fraud.

27
00:02:15,490 --> 00:02:20,320
Sad but true fact here that money seems to be the most important thing for human beings.

28
00:02:20,740 --> 00:02:24,610
So these guys identify the standards of cyber security.

29
00:02:26,080 --> 00:02:30,400
OWASP is the Open Web Application Security Project.

30
00:02:31,290 --> 00:02:37,770
It's a worldwide, not-for-profit charitable organization focused on improving the security of software,

31
00:02:38,280 --> 00:02:42,500
so you can find standards of application security right here.

32
00:02:44,490 --> 00:02:51,420
PTES, the Penetration Testing Execution Standard, was started as the brainchild of six information

33
00:02:51,420 --> 00:02:58,350
security consultants attempting to address deficiencies in the penetration testing community in 2009.

34
00:02:59,330 --> 00:03:04,700
PTES helps penetration testers adhere to best practices, so check them out.

35
00:03:06,610 --> 00:03:12,550
OSSTMM, the Open Source Security Testing Methodology Manual,
36
00:03:13,550 --> 00:03:21,440
is a methodology to test the operational security of physical locations, workflow, human security testing,

37
00:03:21,950 --> 00:03:27,590
physical security testing, wireless security testing, telecommunications security testing, data

38
00:03:27,590 --> 00:03:31,670
network security testing and compliance.

39
00:03:33,030 --> 00:03:41,340
NIST, the National Institute of Standards and Technology, is a physical sciences laboratory and

40
00:03:41,340 --> 00:03:44,880
a non-regulatory agency of the United States Department of Commerce.

41
00:03:45,420 --> 00:03:50,010
Its mission is to promote innovation and industrial competitiveness.

42
00:03:50,640 --> 00:03:52,770
They're very good at defining standards, so:

43
00:03:54,280 --> 00:04:01,210
SP 800-115 is a technical guide to information security testing and assessment.

44
00:04:02,270 --> 00:04:09,080
The purpose of this document is to assist organizations in planning and conducting technical information

45
00:04:09,080 --> 00:04:17,180
security tests and examinations, analyzing findings and developing mitigation strategies.