1
00:00:00,330 --> 00:00:06,080
Welcome to what I consider is probably one of the most important parts of this course.

2
00:00:06,090 --> 00:00:08,640
It's great to know all the technical concepts.

3
00:00:08,790 --> 00:00:14,640
But if you don't know the legal concepts and report writing, you're gonna be left behind very quick.

4
00:00:14,640 --> 00:00:16,850
So let's talk about those.

5
00:00:16,860 --> 00:00:22,020
Let's cover the common legal documents, and I'll cover what I go through in a sales process and what

6
00:00:22,020 --> 00:00:23,410
you're gonna see as a pen tester.

7
00:00:23,410 --> 00:00:26,110
We'll talk about pen test reports, et cetera.

8
00:00:26,220 --> 00:00:34,070
So looking at these common legal documents, I've broken them down into three sections: there's sales, there

9
00:00:34,080 --> 00:00:37,390
is the before you test, and the after you test.

10
00:00:37,560 --> 00:00:44,850
Now as a penetration tester, chances are you're only going to see the before you test and after you test

11
00:00:44,850 --> 00:00:51,990
documents. If you have some access to the sales side, it's possible, depending on your role and your function.

12
00:00:51,990 --> 00:00:54,360
Most likely you're not going to see a lot of that stuff.

13
00:00:54,390 --> 00:00:55,070
OK.

14
00:00:55,110 --> 00:01:02,400
You might be aware of it, but a lot of that contains sales information and legal information and things

15
00:01:02,400 --> 00:01:07,080
that, you know, kind of that separation of duties where you might not need to know how much a contract

16
00:01:07,080 --> 00:01:10,170
is worth or how a contract was written, et cetera.

17
00:01:10,440 --> 00:01:14,490
You will be privy usually to the rules of engagement and the findings report.

18
00:01:14,520 --> 00:01:16,800
So let's talk about these in order.

19
00:01:16,830 --> 00:01:24,750
So in a sales process, the first thing that we might do is we might sign what is called a nondisclosure

20
00:01:24,750 --> 00:01:25,150
agreement.
21
00:01:25,150 --> 00:01:27,590
It's usually a mutual non-disclosure agreement.

22
00:01:27,690 --> 00:01:35,580
And what that says is, "Hey, I'm not going to take anything I've learned today and disclose it to anybody

23
00:01:35,580 --> 00:01:35,970
else.

24
00:01:35,970 --> 00:01:38,060
And I want you to do the same."

25
00:01:38,070 --> 00:01:42,960
So this process usually goes something like this, and I'll talk about my process as a business owner:

26
00:01:43,530 --> 00:01:47,760
a client will reach out to you, or a potential client will reach out to you, and they'll say, "Hey, I'm interested

27
00:01:47,790 --> 00:01:49,240
in your services.

28
00:01:49,380 --> 00:01:56,370
I need a pen test," and I'll say, "OK, let's talk about that," you know, and a lot of clients will want

29
00:01:56,370 --> 00:02:00,080
you to, before you meet, sign a nondisclosure agreement.

30
00:02:00,300 --> 00:02:06,330
So if they talk about anything specific to their network, you can't just go out there and say, "Hey, X, Y,

31
00:02:06,330 --> 00:02:11,970
Z about this client, here's their network information." You're prohibited from actually doing that.

32
00:02:12,000 --> 00:02:19,710
So that will come either between the sales process or before the rules of engagement, but usually comes

33
00:02:19,770 --> 00:02:23,490
early on in the sales process, and from there,

34
00:02:23,490 --> 00:02:30,180
once you have a nondisclosure agreement, you sit down, you talk scoping, you say, "Hey, OK, what

35
00:02:30,180 --> 00:02:32,240
IP addresses do I need to test?

36
00:02:32,340 --> 00:02:34,260
What are the ranges? How many of them?

37
00:02:34,260 --> 00:02:40,470
What's your goal?" You know, you have your sales meeting, you talk about that. When you talk about that, you

38
00:02:40,470 --> 00:02:43,500
are going to put together two items.

39
00:02:43,530 --> 00:02:46,230
One is a master service agreement.

40
00:02:46,230 --> 00:02:49,290
And the other is what is called a statement of work.
41
00:02:49,320 --> 00:02:55,440
Now the master service agreement is a contractual document, and basically it's going to specify your

42
00:02:55,440 --> 00:03:00,980
performance objectives and kind of outline the responsibilities of both of the parties.

43
00:03:00,990 --> 00:03:06,560
Now if you are curious to see what a nondisclosure agreement looks like, or a master service agreement

44
00:03:06,560 --> 00:03:10,830
or statement of work, you can Google a lot of these, and here's an example.

45
00:03:10,830 --> 00:03:16,280
I just went out to Google and said "Rapid 7", which is a pen testing company, and said "master service agreement".

46
00:03:16,590 --> 00:03:21,000
And guess what, Rapid 7 actually has their master service agreement right here, so you can click

47
00:03:21,000 --> 00:03:22,620
on it, you can read through it.

48
00:03:22,710 --> 00:03:25,740
It's all legal mumbo jumbo type stuff, right?

49
00:03:26,370 --> 00:03:30,910
But you can read through this and see exactly what they specify.

50
00:03:30,960 --> 00:03:37,110
Now the master service agreement is kind of like this blanket agreement that covers multiple contracts.

51
00:03:37,140 --> 00:03:37,500
OK.

52
00:03:37,500 --> 00:03:43,020
Now the statement of work is specific to a contract itself, a single contract.

53
00:03:43,080 --> 00:03:49,330
Now in the statement of work you're talking about activities, deliverables, timelines, how much it's going

54
00:03:49,330 --> 00:03:49,770
to pay.

55
00:03:49,770 --> 00:03:50,790
It's a quote as well.

56
00:03:50,790 --> 00:03:51,090
Right.

57
00:03:51,090 --> 00:03:56,520
So you're going to say, "Hey, I'm going to perform," let's just throw something out there, "a wireless penetration

58
00:03:56,520 --> 00:04:04,430
test, and we're going to do it by this deadline, and we're going to deliver you a report when we're done.

59
00:04:04,650 --> 00:04:06,860
And it's going to cost you this much money."
60
00:04:06,960 --> 00:04:10,280
So if the client or potential client agrees to that,

61
00:04:10,320 --> 00:04:16,150
they're going to sign that statement of work and they're going to sign that master service agreement.

62
00:04:16,200 --> 00:04:22,000
Now in the sales process you might actually need a few more documentations, or a few more documents.

63
00:04:22,230 --> 00:04:24,480
One is a sample report.

64
00:04:24,510 --> 00:04:26,850
A lot of clients like to see a sample report.

65
00:04:26,850 --> 00:04:30,980
I will show you one as well, and you might need recommendation letters.

66
00:04:31,010 --> 00:04:31,310
OK.

67
00:04:31,320 --> 00:04:35,640
If you're going on the sales side, most of this doesn't concern you, but it's things that you should

68
00:04:35,640 --> 00:04:39,440
still know about, especially if you ever want to open your own business or start with.

69
00:04:39,440 --> 00:04:43,630
But what we're going to focus on and what I'm going to show you is the findings report.

70
00:04:43,740 --> 00:04:47,670
So you're not going to have seen this, but you should Google some of these things and find out a little

71
00:04:47,670 --> 00:04:49,430
bit more about them.

72
00:04:49,470 --> 00:04:53,790
So before you test, you are going to have what's called a rules of engagement.

73
00:04:53,790 --> 00:04:59,000
So once we get the statement of work signed, the master service agreement signed, everything up until that point

74
00:04:59,000 --> 00:05:00,220
has been kind of ballpark.

75
00:05:00,540 --> 00:05:03,270
So say there is an external pen test you're doing.

76
00:05:03,270 --> 00:05:08,880
They might say, "I have one hundred IP addresses I need tested," and you say OK, you know, you talk through

77
00:05:08,880 --> 00:05:13,530
it, you give them a quote, you give them that statement of work, they sign it, everything's good, and then

78
00:05:13,530 --> 00:05:16,580
you have what is called a rules of engagement meeting.
79
00:05:16,620 --> 00:05:20,490
Now the rules of engagement meeting will cover specifics of your testing.

80
00:05:20,490 --> 00:05:23,230
So for example, you have these one hundred IP addresses.

81
00:05:23,370 --> 00:05:27,790
It'll say, "OK, here are the exact IP addresses that you're going to be testing."

82
00:05:27,920 --> 00:05:29,430
You're gonna have that in your rules of engagement.

83
00:05:29,430 --> 00:05:34,500
And I like to call the rules of engagement a CYA, which is cover your you know what.

84
00:05:34,500 --> 00:05:41,370
Cover your butt. And you need this because it's going to say what you can and can't do, what can

85
00:05:41,370 --> 00:05:43,860
you attack specifically, the IP addresses.

86
00:05:43,980 --> 00:05:46,250
What can you do, what can't you do.

87
00:05:46,290 --> 00:05:49,680
Usually what we cannot do is what's called denial of service, right?

88
00:05:49,680 --> 00:05:51,030
We cannot deny service.

89
00:05:51,030 --> 00:05:53,800
Typically what we're testing against is in production.

90
00:05:53,940 --> 00:05:59,370
We do not want to take down production for our client, and a lot of the times we will not do social engineering

91
00:05:59,460 --> 00:06:00,690
on engagements.

92
00:06:00,690 --> 00:06:05,940
A lot of assessments have social engineering set aside as its own assessment.

93
00:06:05,940 --> 00:06:07,800
So they typically leave those two out.

94
00:06:07,800 --> 00:06:11,670
Almost always denial of service, unless that's a specific thing they're wanting tested.

95
00:06:12,390 --> 00:06:18,630
So you have this rules of engagement document. You cannot start your penetration test until that rules

96
00:06:18,630 --> 00:06:20,070
of engagement is signed.

97
00:06:20,400 --> 00:06:20,630
OK.

98
00:06:20,640 --> 00:06:26,220
You absolutely cannot, because that covers you in case of anything. You say, "Here is what you told me to

99
00:06:26,220 --> 00:06:26,610
test.
100
00:06:26,620 --> 00:06:29,710
Here's what I'm testing, and here's what I am allowed to do."

101
00:06:29,910 --> 00:06:32,810
So make sure you have a rules of engagement signed.

102
00:06:32,820 --> 00:06:40,230
Now lastly, and what's most important for you as a penetration tester, is going to be the findings report.

103
00:06:40,230 --> 00:06:42,570
So we're going to talk about the findings report.

104
00:06:42,570 --> 00:06:47,370
It's going to detail what you found from a high level and a technical level.

105
00:06:47,430 --> 00:06:54,410
And I'm going to be providing you with a sample report that you are free to use, free to utilize, et cetera.

106
00:06:54,420 --> 00:07:00,570
We'll cover that in one video, and then in a second video I'm going to show you how that report can be

107
00:07:00,570 --> 00:07:06,330
taken and modified, and I will show you what it looks like to have a real pen test report. We'll review

108
00:07:06,330 --> 00:07:09,870
a real pen test report and you can see what one actually looks like.

109
00:07:10,140 --> 00:07:14,910
So let's go ahead and talk about pen test report writing in the next video. I'll catch you over there and

110
00:07:14,910 --> 00:07:15,630
we'll look at it.