WEBVTT 1 00:00:00.120 --> 00:00:03.520 Welcome curious minds to the deep dive. Have you ever 2 00:00:03.600 --> 00:00:07.799 paused to consider the silent, relentless battle unfolding every second 3 00:00:07.839 --> 00:00:08.800 in our digital world? 4 00:00:09.320 --> 00:00:12.000 It's a high stakes game. Really, How do the. 5 00:00:11.960 --> 00:00:14.519 Bad actors, the digital adversaries, how do they manage to 6 00:00:14.519 --> 00:00:18.120 slip past our defenses, breach our systems, get their hands 7 00:00:18.160 --> 00:00:21.160 on sensitive data? And just as crucially, how do the 8 00:00:21.199 --> 00:00:23.480 good guys, the digital defenders, how do they learn to 9 00:00:23.519 --> 00:00:26.920 anticipate those moves and lock down systems before it's too late. 10 00:00:27.440 --> 00:00:29.960 Today we're plunging right into the heart of that digital struggle. 11 00:00:29.960 --> 00:00:33.000 We're talking about security testing with a keen focus on 12 00:00:33.439 --> 00:00:36.240 penetration testing. Our guide for this deep dive is Robert 13 00:00:36.240 --> 00:00:40.039 Spenson's insightful book From Hacking to Report Writing, An Introduction 14 00:00:40.079 --> 00:00:41.840 to Security and Penetration testing. 15 00:00:42.159 --> 00:00:43.200 Really good stuff in here. 16 00:00:43.280 --> 00:00:45.640 Our mission, well, it's to take you on a complete 17 00:00:45.719 --> 00:00:48.560 journey right through the life cycle of a security test, 18 00:00:48.719 --> 00:00:51.840 from adopting the hacker mindset all the way to crafting 19 00:00:51.840 --> 00:00:54.640 that vital report, the one that ultimately helps organizations build 20 00:00:54.719 --> 00:00:58.240 robust digital defenses. We'll uncover the how and why behind 21 00:00:58.280 --> 00:01:02.159 finding digital weaknesses and believe the insights are pretty profound. 22 00:01:02.399 --> 00:01:04.719 Yeah. And what's truly fascinating about this field, I think 23 00:01:05.319 --> 00:01:08.760 is the delicate balance it strikes. It's really about leveraging 24 00:01:08.799 --> 00:01:13.280 offensive techniques, understanding precisely how an attacker thinks and operates, 25 00:01:13.519 --> 00:01:17.079 but crucially doing so for entirely defensive purposes. It's using 26 00:01:17.120 --> 00:01:21.280 the very tools of compromise to build stronger, more resilient 27 00:01:21.319 --> 00:01:22.040 digital walls. 28 00:01:22.079 --> 00:01:26.000 Absolutely, and to truly grasp why this proactive approach is 29 00:01:26.040 --> 00:01:28.840 so vital. Let's anchor ourselves with a real world example. 30 00:01:29.159 --> 00:01:32.480 Remember the VTech hack back in November twenty fifteen. This 31 00:01:32.599 --> 00:01:36.280 Hong Kong based company. They make electronic learning toys for kids. 32 00:01:36.359 --> 00:01:39.599 They suffered a massive breach. Millions of children's and parents data, 33 00:01:39.640 --> 00:01:43.480 user names, passwords, photos, even private messages all stolen and 34 00:01:43.519 --> 00:01:47.120 the root causes while a critical database code injection vulnerability 35 00:01:47.200 --> 00:01:51.120 and kind of astonishingly unencrypted information, it also highlighted that 36 00:01:51.159 --> 00:01:53.840 the toys themselves just weren't designed to communicate securely. 37 00:01:54.120 --> 00:01:57.000 Right. And what's profoundly alarming about a hack like VTech 38 00:01:57.519 --> 00:02:01.280 beyond the sheer volume of data stolen, is that it 39 00:02:01.319 --> 00:02:04.640 points to a fundamental flaw like right in the design. 40 00:02:05.239 --> 00:02:08.800 This wasn't some super sophisticated zero day exploit. It was 41 00:02:08.840 --> 00:02:12.520 about basic security principles just being completely missed ignored. Really, 42 00:02:12.599 --> 00:02:15.840 it properly performed security test before that breach, it would 43 00:02:15.840 --> 00:02:18.879 almost certainly have uncovered. These frankly glaring weaknesses made the 44 00:02:18.919 --> 00:02:21.599 attack far hard, maybe even prevented it altogether. It's a 45 00:02:21.639 --> 00:02:23.840 stark lesson, isn't it, in the value of security by 46 00:02:23.879 --> 00:02:27.400 design versus just, you know, security as an afterthought, and. 47 00:02:27.280 --> 00:02:31.159 That leads us to a fundamental truth. Really, vulnerabilities are well, 48 00:02:31.319 --> 00:02:35.479 they're everywhere modern complex computer systems. They're constantly interacting with 49 00:02:35.560 --> 00:02:40.080 uncontrolled external systems users. This inherent complexity means achieving one 50 00:02:40.159 --> 00:02:43.360 hundred percent security is quite frankly impossible. 51 00:02:43.360 --> 00:02:43.919 It just is. 52 00:02:44.199 --> 00:02:47.000 Think of it like this, Maybe imagine a dusty road 53 00:02:47.080 --> 00:02:51.000 connecting two villages centuries ago, good enough for simple transport, right, 54 00:02:51.439 --> 00:02:53.879 but then as traffic grew, it became a busy city 55 00:02:53.919 --> 00:02:58.439 street packed with intersections, crosswalks, strains. All these security features 56 00:02:58.439 --> 00:03:01.639 were layered on after the road's core purpose transport was established. 57 00:03:01.919 --> 00:03:05.280 In the digital world, security often becomes that afterthought, bolted 58 00:03:05.280 --> 00:03:08.039 on instead of being integral to the initial design and it's. 59 00:03:07.879 --> 00:03:11.439 Crucial to understand it's not just malicious hackers exploiting these weaknesses. 60 00:03:11.840 --> 00:03:15.319 Take the Slammer worm two thousand and three. This was 61 00:03:15.360 --> 00:03:18.080 the fastest computer worm in history. In fact, something like 62 00:03:18.159 --> 00:03:22.319 ninety percent of vulnerable servers online within ten minutes. Ten 63 00:03:22.360 --> 00:03:25.960 minutes it brought so many mission critical systems just grinding 64 00:03:26.000 --> 00:03:28.800 to a halt, and not because of some cunning new exploit. No, 65 00:03:29.280 --> 00:03:31.479 it took advantage of a vulnerability for which a patch 66 00:03:31.560 --> 00:03:34.879 had been readily available for six months. This just drives 67 00:03:34.879 --> 00:03:38.039 on the point that basic cyber hygiene like patch management, 68 00:03:38.319 --> 00:03:41.759 is incredibly important. Its absence allowed a known fixable weakness 69 00:03:41.759 --> 00:03:43.280 to cause just widespread chaos. 70 00:03:43.400 --> 00:03:43.879 So if we. 71 00:03:43.840 --> 00:03:47.680 Boil it down, what exactly is a security test? Robert 72 00:03:47.680 --> 00:03:51.719 Spenson emphasizes that it's a type of vulnerability assessment where 73 00:03:51.719 --> 00:03:53.800 a tester actively takes on the role of a hacker. 74 00:03:54.080 --> 00:03:57.360 They meticulously try to break into an organization's IT environment, 75 00:03:57.479 --> 00:04:01.879 uncover vulnerabilities, and then importantly provide concrete suggestions for fixing 76 00:04:01.919 --> 00:04:05.120 them before a real attack can occur. It's leveraging offensive 77 00:04:05.159 --> 00:04:09.199 knowledge for defensive gain, simple as that almost And who 78 00:04:09.240 --> 00:04:10.319 are these individuals? 79 00:04:10.719 --> 00:04:12.240 The ones wielding. 80 00:04:11.759 --> 00:04:15.719 Digital tools for good or sometimes for ill. The landscape 81 00:04:15.759 --> 00:04:19.439 of hackers is incredibly diverse, each with their own motivations, 82 00:04:19.480 --> 00:04:20.399 their own methods. 83 00:04:20.639 --> 00:04:21.800 Okay, so at the highest. 84 00:04:21.560 --> 00:04:24.639 Level, you've got state sponsored actors. These groups, they strive 85 00:04:24.680 --> 00:04:27.120 to operate way below the radar, backed by immense funding 86 00:04:27.199 --> 00:04:31.160 national resources, their attacks are increasingly becoming a cornerstone of 87 00:04:31.240 --> 00:04:33.680 national defense. Really, think about China's Unit sixty one three 88 00:04:33.800 --> 00:04:37.959 ninety eight, widely believed to have systematically stolen terabytes terabytes 89 00:04:38.079 --> 00:04:42.319 trade secrets from US companies, or the infamous stux networm, 90 00:04:42.439 --> 00:04:45.279 thought to be a joint US Israel effort right designed 91 00:04:45.319 --> 00:04:47.720 not just to steal data, but to physically damine Iran's 92 00:04:47.759 --> 00:04:53.040 nuclear centrifuges. That ability to translate digital action into real 93 00:04:53.079 --> 00:04:56.399 world physical destruction that really sets some of these operations 94 00:04:56.439 --> 00:04:58.120 apart exactly. 95 00:04:58.480 --> 00:05:01.439 And what's particularly challenging with state sponsored actors is their 96 00:05:01.480 --> 00:05:05.199 patients and their persistence. They often conduct these long term campaigns, 97 00:05:05.199 --> 00:05:08.600 we call them advanced persistent threads or apts. They brow 98 00:05:08.720 --> 00:05:12.319 deep into networks over months, years, sometimes to achieve their objectives. 99 00:05:12.319 --> 00:05:16.079 They have virtually unlimited resources, unlimited time. It makes them 100 00:05:16.079 --> 00:05:18.600 exceptionally difficult to detect and defend against. 101 00:05:18.720 --> 00:05:22.199 Okay, so that's one type. Next we encounter computer criminals. 102 00:05:22.560 --> 00:05:25.279 These guys are driven primarily by financial gain. They follow 103 00:05:25.319 --> 00:05:29.279 the money, and these days that flows heavily through digital transactions. Obviously, 104 00:05:29.600 --> 00:05:34.399 think of Alexander andreevag Panin and Hamzabendoladge, the developers of the. 105 00:05:34.360 --> 00:05:35.360 Spy i botnet. 106 00:05:35.639 --> 00:05:37.920 They were sentenced to a combine twenty four years for 107 00:05:38.000 --> 00:05:41.600 selling malware, malware that stole over three million dollars from 108 00:05:41.759 --> 00:05:45.120 like one point four million computers worldwide. Their botnet toolkit 109 00:05:45.160 --> 00:05:47.600 made it disturbingly easy for others to commit fraud on 110 00:05:47.639 --> 00:05:49.560 a massive scale just by the kit. 111 00:05:49.720 --> 00:05:52.920 Point click Scary stuff and you have activists, right. 112 00:05:53.000 --> 00:05:53.600 Activists. 113 00:05:54.160 --> 00:05:57.319 These individuals are motivated more by protests a desire for 114 00:05:57.399 --> 00:06:00.800 public visibility. They use digital tools as a modern form 115 00:06:00.800 --> 00:06:03.519 of demonstration. Instead of picket signs, they might use denial 116 00:06:03.519 --> 00:06:08.720 of service attacks or website defacement. A striking, even kind 117 00:06:08.759 --> 00:06:12.160 of humorous example is a nineteen ninety six CIA website defacement. 118 00:06:12.240 --> 00:06:15.199 Remember that visitors were greeted with welcome to the Central 119 00:06:15.199 --> 00:06:18.600 Stupidity Agency. That message even made it onto CNN. 120 00:06:18.639 --> 00:06:19.279 Their goal is. 121 00:06:19.279 --> 00:06:22.600 Maximum exposure for their message. Whatever it is, getting the 122 00:06:22.600 --> 00:06:25.240 message out there is key for them. Then, perhaps the 123 00:06:25.279 --> 00:06:28.480 most insidious and maybe the most difficult threat to foresee 124 00:06:28.519 --> 00:06:33.279 and manage is the insider. These individuals already possess legitimate access, 125 00:06:33.600 --> 00:06:38.000 which often renders traditional perimeter defenses well less effective. Edward 126 00:06:38.000 --> 00:06:41.079 Snowden is arguably the most well known insider in history. 127 00:06:41.199 --> 00:06:44.160 While working as a contractor for the NSA, he gained 128 00:06:44.199 --> 00:06:48.120 access to and then released an unprecedented amount of classified data, 129 00:06:48.160 --> 00:06:51.040 including things like the daily interception of six hundred million 130 00:06:51.120 --> 00:06:55.360 communications spying on foreign leaders. Now, regardless of whether you 131 00:06:55.480 --> 00:06:58.720 view his actions as whistleblowing or treason, his impact as 132 00:06:58.759 --> 00:07:04.680 an insider was a fundamentally changed the conversation around government surveillance, and. 133 00:07:04.639 --> 00:07:07.480 The difficulty with insiders really lies in that challenge of 134 00:07:07.519 --> 00:07:10.360 building trust models. It's tricky. How do you monitor someone 135 00:07:10.360 --> 00:07:14.639 who legitimately needs access to sensitive information without creating a 136 00:07:14.680 --> 00:07:17.639 surveillance state within your own organization. It requires a different 137 00:07:17.639 --> 00:07:21.040 approach to security, one focus more on behavior analysis granular 138 00:07:21.040 --> 00:07:23.839 access control rather than just looking at external threats. 139 00:07:23.959 --> 00:07:24.480 Good point. 140 00:07:25.120 --> 00:07:27.120 Finally, at the other end of the spectrum, we have 141 00:07:27.160 --> 00:07:30.120 script kitties. These are individuals who use pre made tools 142 00:07:30.120 --> 00:07:33.360 and scripts written by others, often without a deep understanding 143 00:07:33.399 --> 00:07:35.800 of how they work or frankly, the consequences. 144 00:07:36.279 --> 00:07:38.759 But don't let their lack of technical depth fool you. 145 00:07:38.959 --> 00:07:41.120 Like someone who doesn't understand the mechanics of a car 146 00:07:41.160 --> 00:07:43.759 can still cause an accident, right, a script kitty can 147 00:07:43.759 --> 00:07:47.560 reach significant damage. Michael Kelce or Mafia Boy, he was 148 00:07:47.639 --> 00:07:51.040 just fourteen years old back in two thousand, launched devastating 149 00:07:51.079 --> 00:07:54.600 denial of service attacks against some major websites like Amazon, Fifa, 150 00:07:54.639 --> 00:07:59.000 dot Com, eBay, all using easily downloaded tools. He later 151 00:07:59.040 --> 00:08:01.480 claimed he was unaware of the dangers, but the impact 152 00:08:02.079 --> 00:08:02.680 very real. 153 00:08:02.920 --> 00:08:04.759 Yeah, underestimating them can be a mistake. 154 00:08:05.040 --> 00:08:09.600 So when we look across all these categories, state sponsored criminals, activists, insiders, 155 00:08:09.600 --> 00:08:13.480 script kds, what's the overarching takeaway? It seems clear that 156 00:08:13.519 --> 00:08:16.240 the human element remains the most probable source of intentional 157 00:08:16.240 --> 00:08:20.519 disruption in computer systems, whether it's spreading malware, activism, phishing attacks. 158 00:08:20.839 --> 00:08:23.920 Understanding these motivations is really key to building effective defenses. 159 00:08:24.160 --> 00:08:26.600 Absolutely, it's not just about the technology, it's about the 160 00:08:26.639 --> 00:08:27.480 people behind it. 161 00:08:27.560 --> 00:08:30.199 Okay, So now that we have a clearer picture of 162 00:08:30.240 --> 00:08:33.759 why security testing matters and who the players are. Let's 163 00:08:33.799 --> 00:08:36.440 shift our focus. Let's talk about the art of the 164 00:08:36.480 --> 00:08:41.039 penetration test itself. It's actually a highly structured process, from 165 00:08:41.039 --> 00:08:44.360 the initial concept right through to the final crucial report. 166 00:08:44.879 --> 00:08:48.000 It all kicks off with what Senson calls the initialization phase. 167 00:08:48.440 --> 00:08:51.399 This is when an organization first considers a security test. 168 00:08:51.840 --> 00:08:55.039 They start asking that fundamental question, how safe. 169 00:08:54.799 --> 00:08:55.519 Are we really? 170 00:08:55.879 --> 00:08:58.519 That first step is crucial acknowledging. You need to ask 171 00:08:58.559 --> 00:08:59.799 the question exactly. 172 00:09:00.120 --> 00:09:03.399 From there, a critical step is setting the scope. This 173 00:09:03.480 --> 00:09:07.200 needs to be crystal clear, thoroughly verified to prevent what's 174 00:09:07.200 --> 00:09:11.080 called scope creep. Imagine a tester hired for, say, for 175 00:09:11.279 --> 00:09:15.120 database servers. During reconnaissance, they discover a dozen more insecure 176 00:09:15.200 --> 00:09:18.600 servers belonging to other departments if they're then asked to 177 00:09:18.639 --> 00:09:21.320 test all of them without adjusting the timeline. While it 178 00:09:21.360 --> 00:09:24.159 often leads to lower quality testing overall, you just spread 179 00:09:24.159 --> 00:09:26.919 yourself too thin and linked tightly to scope. There's the 180 00:09:27.000 --> 00:09:30.519 absolute necessity of the well they call it the get 181 00:09:30.519 --> 00:09:31.639 out of jail free cards. 182 00:09:31.720 --> 00:09:33.720 Ah. Yes, the essential document it is. 183 00:09:33.799 --> 00:09:37.279 It's the written, legally binding permission required for a security 184 00:09:37.320 --> 00:09:41.679 tester to quote break into an organization systems mimicking a 185 00:09:41.720 --> 00:09:44.639 real attacker. It must be signed by someone with proper 186 00:09:44.639 --> 00:09:48.759 authority before any testing commences. No signature, no test period, 187 00:09:49.000 --> 00:09:49.440 and that. 188 00:09:49.440 --> 00:09:53.080 Legal documentation the scope that get out of jail free card. 189 00:09:53.720 --> 00:09:57.559 It's completely non negotiable. Without it, even the most ethical 190 00:09:57.559 --> 00:10:00.639 penetration test could easily be viewed as a and an act. 191 00:10:00.759 --> 00:10:04.279 It also protects the client right by clearly defining what 192 00:10:04.480 --> 00:10:09.279 is and isn't being tested, manages exteptations, prevents unintended consequences. 193 00:10:10.000 --> 00:10:11.360 It's vital for both sides. 194 00:10:11.480 --> 00:10:13.600 Okay, so when we talk about how much information a 195 00:10:13.639 --> 00:10:16.360 tester has at the outset, we often use these color 196 00:10:16.399 --> 00:10:19.799 codes for security tests. White box testing means the tester 197 00:10:19.919 --> 00:10:23.840 has full access to internal info, network diagrams, maybe source 198 00:10:23.879 --> 00:10:27.639 codes and configurations everything. It's very time efficient because you 199 00:10:27.679 --> 00:10:30.120 know where to look, but it's less realistic as a 200 00:10:30.159 --> 00:10:33.960 true external hacker. Simulation. On the opposite end is black 201 00:10:34.000 --> 00:10:37.480 box testing. Here the tester starts with minimal information, maybe 202 00:10:37.519 --> 00:10:41.240 just a company name, truly mimicking an external attacker. This 203 00:10:41.320 --> 00:10:44.120 is the most realistic simulation, but as fence And points out, 204 00:10:44.159 --> 00:10:47.679 it's often unnecessarily time consuming and therefore expensive. 205 00:10:47.799 --> 00:10:49.799 There's a lot of guesswork involved, and. 206 00:10:49.720 --> 00:10:52.960 That guesswork factor in black box testing you can have 207 00:10:53.039 --> 00:10:57.000 real consequences. K Spenson tells this story. It's quite something. 208 00:10:57.360 --> 00:10:59.720 A black box test where the tester was given just 209 00:10:59.720 --> 00:11:03.000 a company name and an emergency contact. That's it. They 210 00:11:03.080 --> 00:11:06.360 used old Airon database information that's the registry for IPA 211 00:11:06.360 --> 00:11:09.320 addresses to find ips, which led them to believe in 212 00:11:09.399 --> 00:11:12.039 IP address and Madrid still belonged to their client. They 213 00:11:12.039 --> 00:11:15.200 found a terribly outdated Sambo file sharing service running there, 214 00:11:15.600 --> 00:11:20.000 connected easily with administrators both username and password. Found gigabytes 215 00:11:20.039 --> 00:11:24.480 of database backups, payroll user data, even a scanned passport. 216 00:11:24.559 --> 00:11:25.320 Oh my goodness. 217 00:11:25.399 --> 00:11:27.960 Yeah, so I called the emergency contact all proud saying 218 00:11:28.000 --> 00:11:32.559 we're in and the context is, uh, it's not our servers. Hmmm. 219 00:11:33.240 --> 00:11:36.080 Turns out the IP address now belonged to some completely 220 00:11:36.120 --> 00:11:40.159 innocent Spanish company. The Airon database information was simply out 221 00:11:40.200 --> 00:11:43.519 of date. It's just a powerful reminder that even elementary 222 00:11:43.519 --> 00:11:46.799 information like IP ownership needs to be double checked, especially 223 00:11:46.879 --> 00:11:47.919 in a black box scenario. 224 00:11:48.039 --> 00:11:51.639 Well that's a nightmare scenario, seriously, and it really highlights 225 00:11:51.639 --> 00:11:54.159 why gray box testing is probably the most common approach. 226 00:11:54.200 --> 00:11:56.720 When you say, definitely, it strikes that balance. 227 00:11:56.840 --> 00:12:00.600 Yeah, it provides the tester with some insider information maybe 228 00:12:00.840 --> 00:12:05.600 user credentials, network diagrams, but still maintains a realistic simulation 229 00:12:05.720 --> 00:12:06.759 of a hacker's perspective. 230 00:12:06.840 --> 00:12:09.000 Makes it both effective and efficient. 231 00:12:08.720 --> 00:12:12.240 Exactly best of both worlds often okay. 232 00:12:12.879 --> 00:12:16.679 But regardless of the testing approach, white black, gray, the 233 00:12:16.799 --> 00:12:20.879 ultimate goal is always define vulnerabilities. So what is a 234 00:12:20.960 --> 00:12:22.399 vulnerability precisely? 235 00:12:22.559 --> 00:12:25.960 Well, there are formal definitions out there. ANISA, the European 236 00:12:26.039 --> 00:12:29.120 Union Agency for Network and Information Security, they put it 237 00:12:29.120 --> 00:12:32.679 pretty succinctly. They define it as the existence of a 238 00:12:32.720 --> 00:12:37.759 weakness compromising the security. Simple, okay, a weakness right. The 239 00:12:37.799 --> 00:12:40.919 Internet Engineering Task Force the IETF they expand on that 240 00:12:40.960 --> 00:12:43.879 a bit. They call it a flaw or weakness exploited 241 00:12:43.919 --> 00:12:45.759 to violate the system security policy. 242 00:12:45.919 --> 00:12:48.600 So, to simplify it even more, it's basically something that 243 00:12:48.639 --> 00:12:51.080 makes it possible for someone to force your computer or 244 00:12:51.159 --> 00:12:53.240 your system to do something you don't want. 245 00:12:53.120 --> 00:12:53.480 It to do. 246 00:12:53.600 --> 00:12:55.960 That's a good way to put it. And these vulnerabilities 247 00:12:56.000 --> 00:12:58.720 typically compromise one or more aspects of what we call 248 00:12:58.759 --> 00:13:04.080 the CIA triapp ah, the CIA triads, YEP, confidentiality, integrity, 249 00:13:04.120 --> 00:13:09.840 and availability. Confidentiality is about keeping information secret right, ensuring 250 00:13:09.919 --> 00:13:14.000 only authorized people can access it, pretty straightforward. Integrity ensures 251 00:13:14.000 --> 00:13:17.799 information hasn't been tampered with by unauthorized users. Think of, say, 252 00:13:18.360 --> 00:13:21.360 an e commerce system, where a vulnerability might let a 253 00:13:21.360 --> 00:13:25.360 customer change other customers order information. That's an integrity violation. 254 00:13:25.559 --> 00:13:25.879 Got it. 255 00:13:26.240 --> 00:13:29.879 Availability just means information and systems are accessible when needed, 256 00:13:30.320 --> 00:13:33.159 preventing things like a power outage or maybe a distributed 257 00:13:33.200 --> 00:13:37.240 denial of service attack from bringing services down. That's an 258 00:13:37.279 --> 00:13:38.399 availability issue. 259 00:13:38.480 --> 00:13:43.919 Confidentiality, integrity, availability. Okay, So how are these vulnerabilities actually 260 00:13:44.000 --> 00:13:46.679 uncovered and how do we measure how serious they are? 261 00:13:46.799 --> 00:13:49.039 Well, it's kind of a continuous process. You can visualize 262 00:13:49.039 --> 00:13:52.519 it as a vulnerability wheel almost. It starts with flawed software. 263 00:13:52.759 --> 00:13:55.879 Hackers identify bugs in it, Then they might develop exploit 264 00:13:55.879 --> 00:13:58.799 code that prompts a vendor response, hopefully a patch, and 265 00:13:58.840 --> 00:14:01.600 finally there's the user response applying that patch. Then the 266 00:14:01.600 --> 00:14:04.720 cycle starts again with new flaws or mispatches. It's an 267 00:14:04.759 --> 00:14:06.840 ongoing cycle of discovery and defense. 268 00:14:07.200 --> 00:14:10.360 Interesting, and some vendors actually embrace this cycle, don't they 269 00:14:10.840 --> 00:14:12.080 by offering bug bounties. 270 00:14:12.320 --> 00:14:17.240 Exactly. These are slightly unorthodox maybe, but incredibly effective ways 271 00:14:17.440 --> 00:14:20.799 for companies to get security reviews from a huge pool 272 00:14:20.919 --> 00:14:25.759 of ethical experts. Microsoft, for example, famously paid one researcher 273 00:14:25.960 --> 00:14:29.480 one hundred thousand dollars back in twenty fourteen for discovering 274 00:14:29.679 --> 00:14:33.840 a pretty significant vulnerability. It incentivizes finding flaws before the 275 00:14:33.879 --> 00:14:34.679 bad guys. 276 00:14:34.440 --> 00:14:36.799 Do one hundred thousand dollars. Wow. 277 00:14:36.919 --> 00:14:40.519 Okay, Now, a crucial concept here is the zero day exploit. 278 00:14:40.559 --> 00:14:41.480 What exactly is that. 279 00:14:41.759 --> 00:14:45.279 H zero days? These are vulnerabilities that are not publicly 280 00:14:45.360 --> 00:14:49.080 known and critically for which no patch is available. This 281 00:14:49.159 --> 00:14:52.600 leads system administrators with literally zero days to patch because 282 00:14:52.639 --> 00:14:54.600 the vendor isn't even aware of the issue yet, or 283 00:14:54.639 --> 00:14:56.679 maybe they are but haven't had time to develop and 284 00:14:56.720 --> 00:14:57.080 release a. 285 00:14:57.120 --> 00:14:58.960 Fix, so it's like an open door that nobody knows 286 00:14:59.000 --> 00:14:59.960 about except the attacker. 287 00:15:00.120 --> 00:15:02.799 Pretty much, zero days are the holy grail for attackers 288 00:15:02.840 --> 00:15:05.639 because they offer that window of opportunity where defenses are 289 00:15:05.639 --> 00:15:09.840 effectively blind. They're highly prized fetch significant sums on the 290 00:15:09.840 --> 00:15:12.720 black market sometimes because they're so effective before a vendor 291 00:15:12.759 --> 00:15:13.279 can react. 292 00:15:13.440 --> 00:15:16.360 Okay, that makes sense. So this raises an important question. 293 00:15:16.840 --> 00:15:19.440 Once a vulnerability is found, whether it's a zero day 294 00:15:19.559 --> 00:15:22.679 or just a known one, how do we measure its seriousness? 295 00:15:22.720 --> 00:15:23.600 How bad is it? 296 00:15:23.759 --> 00:15:26.720 Right? The industry standard for that is the Common Vulnerability 297 00:15:26.720 --> 00:15:29.720 Scoring System or CVSS. It's basically a zero to ten scale. 298 00:15:29.960 --> 00:15:33.600 Higher number means greater severity, more urgent need for attention. 299 00:15:33.679 --> 00:15:34.600 Okay, zero to ten. 300 00:15:34.720 --> 00:15:37.720 Yeah. For instance, there was a Microsoft silver Light vulnerability 301 00:15:38.000 --> 00:15:42.320 identified as CVE twenty sixteen zero zero zero three four. 302 00:15:42.840 --> 00:15:46.200 That CVE just tends for common vulnerabilities and exposures. It's 303 00:15:46.240 --> 00:15:49.679 like a global dictionary for known security flaws. Anyway, that 304 00:15:49.799 --> 00:15:52.600 silver Light bug scored a high nine point six on 305 00:15:52.679 --> 00:15:55.960 the CDSS scale. That signals immediate attention needed because the 306 00:15:55.960 --> 00:15:57.200 potential impact is severe. 307 00:15:57.480 --> 00:15:59.519 Nine point six Yeah, that sounds pretty urgent. 308 00:15:59.600 --> 00:16:02.519 Okay, So before any hands on hacking actually begins, a 309 00:16:02.519 --> 00:16:05.679 security tester needs to make some thorough technical preparations, right. 310 00:16:05.720 --> 00:16:06.519 What does that involve? 311 00:16:06.679 --> 00:16:11.240 Absolutely, preparation is key. One vital step is collecting network traffic. 312 00:16:12.080 --> 00:16:15.200 This is essential not just for analysis later, but also 313 00:16:15.320 --> 00:16:18.679 for legal protection tools like wire shark, which has a 314 00:16:18.759 --> 00:16:22.480 nice graphical interface, and tcpdump, which is command line based 315 00:16:22.720 --> 00:16:25.919 are indispensable. They capture every single bite of data sent 316 00:16:25.960 --> 00:16:29.559 between the tester's machine and the target system. That traffic 317 00:16:29.600 --> 00:16:32.279 can literally be the sloking gun in a legal dispute, 318 00:16:32.600 --> 00:16:35.080 or the key to understanding exactly what happened during a 319 00:16:35.120 --> 00:16:36.039 test or an attack. 320 00:16:36.159 --> 00:16:39.879 So it's like recording the whole conversation between the computers precisely. 321 00:16:40.240 --> 00:16:43.840 It provides an undeniable record of events, crucial for diagnosing 322 00:16:43.879 --> 00:16:46.840 issues and also for defending yourself if something goes wrong 323 00:16:46.960 --> 00:16:48.519 during a test and questions are asked. 324 00:16:48.840 --> 00:16:51.639 Makes sense. Note taking is also paramount, I imagine. 325 00:16:51.320 --> 00:16:56.600 Oh hugely. Yeah, but critically, any sensitive test data, client information, discovered, passwords, 326 00:16:56.679 --> 00:17:01.039 vulnerability should always be stored locally, securely. Never ever use 327 00:17:01.080 --> 00:17:03.799 cloud based note taking apps like Evernote or simple note 328 00:17:03.799 --> 00:17:06.920 for this stuff. You just can't risk processing sensitive client 329 00:17:07.000 --> 00:17:09.559 data on third party servers. It's a huge liability. 330 00:17:09.640 --> 00:17:11.359 Good point, Keep it local. 331 00:17:11.240 --> 00:17:14.680 Keep it local, keep it encrypted. And saving complex commands 332 00:17:14.680 --> 00:17:18.240 you've used, that's just a smart habit. Save time, helps 333 00:17:18.279 --> 00:17:20.640 you reproduce your steps, makes reporting easier. 334 00:17:20.680 --> 00:17:23.839 Okay, and what about the software setup? What tools are essential? 335 00:17:24.079 --> 00:17:27.759 Well? For efficiency? Pre configured virtual machines, loaded with security 336 00:17:27.759 --> 00:17:31.039 tools are really the way to go. Kali Linux, for instance, 337 00:17:31.359 --> 00:17:35.599 is basically a Linux distribution built specifically for security work. 338 00:17:36.079 --> 00:17:40.880 It comes bundled with well pretty much every imaginable security 339 00:17:40.920 --> 00:17:43.039 related tool. As Benson puts. 340 00:17:42.799 --> 00:17:45.920 It, Kyllie right, heard of that one, and then there's metasploit. 341 00:17:46.519 --> 00:17:50.279 This is widely regarded as the most impactful penetration testing 342 00:17:50.319 --> 00:17:54.720 solution on the planet. It's invaluable for verifying vulnerabilities. It 343 00:17:54.759 --> 00:17:57.119 has a huge library of pre built exploits you can 344 00:17:57.200 --> 00:17:58.960 use to demonstrate impact safely, not. 345 00:17:59.039 --> 00:17:59.880 A sploit, okay. 346 00:18:00.200 --> 00:18:02.480 And when you're dealing with data, especially if you're involved 347 00:18:02.519 --> 00:18:06.359 in incident response after a breach, remember the order of volatility. 348 00:18:06.680 --> 00:18:08.079 Order volatility, what's that. 349 00:18:08.160 --> 00:18:10.559 It's a forensics principle. It basically tells you what evidence 350 00:18:10.599 --> 00:18:14.119 disappears fastest. Data in memory RAM is far more volatile, 351 00:18:14.119 --> 00:18:16.839 meaning it's lost much quicker than data sitting on a 352 00:18:16.880 --> 00:18:19.720 hard drive. So if you're the first responder to an incident, 353 00:18:20.359 --> 00:18:23.200 understanding this tells you what evidence you need to prioritize 354 00:18:23.200 --> 00:18:26.720 capturing immediately because it might literally vanish if machine reboots 355 00:18:26.799 --> 00:18:27.640 or loses power. 356 00:18:27.880 --> 00:18:31.599 Ah okay, capture the most fleeting evidence first, got it. 357 00:18:32.039 --> 00:18:35.960 That's critical for incident response and to really keep secrets 358 00:18:36.000 --> 00:18:39.839 safe during the test itself. Security testers rely heavily on 359 00:18:40.000 --> 00:18:43.720 full disk encryption right like file vault for Max or 360 00:18:43.880 --> 00:18:45.119 BitLocker for Windows. 361 00:18:45.200 --> 00:18:48.640 Absolutely non negotiable. Full disc encryption on the testing laptop. 362 00:18:48.920 --> 00:18:52.279 Encrypted backups too. And if you absolutely must use cloud 363 00:18:52.359 --> 00:18:55.039 storage for some reason, maybe sharing a draft report, manually 364 00:18:55.160 --> 00:18:57.880 ENCRYPTO files before they even touch the cloud. Use something 365 00:18:57.920 --> 00:19:01.160 strong like PDP or AES encrypt within a ZIP file. 366 00:19:01.640 --> 00:19:04.680 Don't rely on the cloud provider's encryptional loan for highly 367 00:19:04.720 --> 00:19:05.839 sensitive stuff. 368 00:19:05.640 --> 00:19:08.720 Right, encrypt it yourself first. And finally, something that sounds 369 00:19:08.759 --> 00:19:12.079 may be less technical but is crucial liability insurance. 370 00:19:12.440 --> 00:19:17.319 Oh indispensable, especially for independent consultants. Spenson mentiones his own 371 00:19:17.519 --> 00:19:19.680 one million dollars coverage. 372 00:19:19.240 --> 00:19:20.559 A million euros. 373 00:19:20.640 --> 00:19:24.279 Yeah, and why because things can quickly go sideways during 374 00:19:24.279 --> 00:19:28.000 a test, even with the best intentions. One wrong move, 375 00:19:28.359 --> 00:19:32.400 one unintended system crash, one misconfiguration, and you can be 376 00:19:32.400 --> 00:19:35.759 facing a massive lawsuit. That insurance can be a lifesaver 377 00:19:35.880 --> 00:19:38.680 financially and professionally. Don't test without it. 378 00:19:38.759 --> 00:19:42.440 Found advice. Okay, So preparations are done. Insurance is in place. 379 00:19:42.880 --> 00:19:45.559 Let's step into the hacking phase of the security test, 380 00:19:46.000 --> 00:19:48.759 where the hands on technical work truly begins. This phase 381 00:19:48.799 --> 00:19:53.160 generally involves three key steps. Right, identify, exploit, and then report. 382 00:19:53.400 --> 00:19:54.200 That's the core loop. 383 00:19:54.480 --> 00:19:59.160 Identify exploit report Okay, First up identifying vulnerabilities. This starts 384 00:19:59.160 --> 00:20:01.440 with footprinting, you said, which is passive. 385 00:20:01.759 --> 00:20:05.680 Right. Footprinting is all about passive information gathering, no direct 386 00:20:05.680 --> 00:20:08.960 interaction with the target system. Yet you're using public resources 387 00:20:09.200 --> 00:20:12.519 things like intel techniques. May be checking public whois servers 388 00:20:12.519 --> 00:20:15.920 for domain registration info, looking at job posting, social media, 389 00:20:16.279 --> 00:20:18.720 gathering intelligence before anyone even knows you're looking. 390 00:20:18.920 --> 00:20:23.480 Okay, reconnaissance from AFAR. Then comes scanning. That's active. 391 00:20:23.680 --> 00:20:27.240 Yes, scanning is active. Now you're directly probing the target 392 00:20:27.279 --> 00:20:30.920 network to map out available hosts and services, and the 393 00:20:30.960 --> 00:20:33.960 tool for this is almost always end map. It's the 394 00:20:34.079 --> 00:20:39.400 undisputed industry standard network scanner. For very good reason. NMAP 395 00:20:39.440 --> 00:20:42.119 can tell you what IP addresses are live, what ports 396 00:20:42.119 --> 00:20:44.440 are open, closed, or may be filtered by a firewall. 397 00:20:44.920 --> 00:20:48.240 It can often identify the services running on those open ports, 398 00:20:48.480 --> 00:20:50.599 and even make a decent guess at the operating system 399 00:20:50.640 --> 00:20:52.440 it's like taking an X ray of the network perimeter. 400 00:20:52.640 --> 00:20:54.839 En MAP got it. And you mentioned an anecdote earlier 401 00:20:54.880 --> 00:20:58.079