CompTIA PenTest+: Scoping & Engagement
CompTIA
| Intermediate
- 15 videos | 1h 23m 44s
- Includes Assessment
- Earns a Badge
Penetration testing is a coordinated and simulated cyberattack used to evaluate the security of a computer system or computer network. The initial and critical planning phase of penetration testing is key to a successful engagement process. In this course, you'll explore the fundamentals of penetration testing, including a comparison of governance, risk, and compliance concepts. You'll examine legal concepts such as service level agreements, statements of work, non-disclosure agreements, and master service agreements. You'll learn the importance of scoping and organizational and customer requirements, including common standards and methodologies, rules of engagement, environmental considerations, target list definition, and scope of the engagement validation. This course is one of a collection that helps prepare learners for the CompTIA PenTest+ (PT0-002) certification exam.
WHAT YOU WILL LEARN
- Discover the key concepts covered in this course
- Recognize compliance considerations such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR)
- List geographical location restrictions such as country limitations, tool restrictions, local laws, and local government requirements
- Describe when to use service level agreements (SLAs)
- Recognize the importance of protecting confidentiality during penetration testing exercises
- Recognize what details should be included in a penetration testing statement of work
- Recognize key components of a non-disclosure agreement
- List the benefits of defining a master service agreement prior to penetration testing
- Describe how to use approval forms to document the permission to attack
- Recognize common standards and methodologies including MITRE ATT&CK, the Open Web Application Security Project (OWASP), and the National Institute of Standards and Technology (NIST)
- Recognize how clearly defined rules of engagement can help document the expectations of penetration testing
- Recognize environmental considerations such as network, application, and cloud
- Recognize how to define target lists such as wireless networks, domains, and physical locations
- Recognize how to validate the scope of engagement using strategies such as time management and client contract review
- Summarize the key concepts covered in this course
IN THIS COURSE
- 1m 24s | In this video, you’ll learn more about your instructor and this course. In this course, you’ll learn the fundamentals of penetration testing, including how to compare and contrast governance, risk, and compliance concepts, including regulatory compliance considerations. You’ll explore legal concepts such as service level agreements, statements of work, non-disclosure agreements, and master service agreements. You’ll also learn the importance of scoping and of organizational and customer requirements.
- 8m 32s | In this video, you’ll get an overview of compliance considerations, including the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR). Penetration testing for compliance is a special case of penetration testing in that additional requirements must be met. Regulatory requirements, which are government laws passed to protect data and users, drive most compliance considerations. Compliance requirements vary by region.
- 7m 59s | In this video, you’ll learn about geographical location restrictions, such as country limitations, tool restrictions, local laws, and local government requirements. You’ll see that the requirements governing how you carry out pentesting must be checked for the country you're in, and that this can affect the tools you use as a pentester. Government regulations and restrictions based on acts of government apply in the jurisdictions in which you're operating.
- 7m 57s | In this video, you’ll learn when to use a service level agreement (SLA) and how it compares to the other agreements you'll need when pentesting. You’ll also learn the important points to include in an SLA. A service level agreement describes service commitments and expectations: what will and can be done, what cannot be done, and who is responsible for each. Governance and compliance basics must also be included.
- 4m 46s | In this video, you’ll learn the importance of protecting confidentiality during pentesting exercises. The general approach to protecting confidentiality includes providing an efficient and effective pentesting platform, communicating compliance needs to managers and system administrators, eliminating unnecessary tools and libraries that could introduce vulnerabilities, and monitoring and reporting on concerns found or raised during pentesting. One of the models used is the CIA triad.
- 5m 30s | In this video, you’ll learn the details you need to include in a penetration test statement of work. A statement of work (SOW) is one of the key documents describing the project elements to be agreed upon before pentesting starts. Key items in a statement of work are a detailed scope of work and what the penetration tests cover. It also includes the price and payment schedule for the project and the milestone payment amounts.
- 5m 8s | In this video, you’ll learn the key components of a non-disclosure agreement for pentesting. In general terms, a non-disclosure agreement (NDA) is the legal document used to enforce a confidential relationship between parties. It states that the parties to the agreement may be privy to confidential or private information and that this information can’t be disclosed or shared outside of the agreement. It also states the purpose for which confidential information is disclosed during the course of pentesting.
- 5m 1s | In this video, you’ll learn the important details and benefits of a master services agreement (MSA), which must be signed prior to penetration testing. An MSA is a governing agreement between the pentester and the client. It governs the relationship, not the service or the work performed, and provides general terms for ongoing projects. The MSA focuses on the open-ended and generic terms of the agreement between pentester and client, not on specific project terms.
- 5m 48s | In this video, you’ll learn how to obtain permission to attack before pentesting. Authorization to attack can only come from written permission to carry out pentesting; it cannot be substituted by an oral agreement or a handshake. If there's no written permission, you cannot carry out pentesting. Written authorization must come from a signing authority, typically a director or executive. If third parties are involved, you’ll also need third-party authorization.
- 5m 24s | In this video, you’ll learn about common standards and methodologies, including the MITRE ATT&CK framework, the Open Web Application Security Project (OWASP), and the National Institute of Standards and Technology (NIST). In pentesting, best practice includes applying common standards and methodologies. You'll also need to cite the standards or guidelines in your documentation to record the approaches, guidelines, or methodologies you use.
- 6m 14s | In this video, you’ll learn how clearly defined rules of engagement help with the expectations and safety of penetration testing. The rules of engagement broadly cover several high-level aspects and are considered on a test-by-test basis. Individual tests, categories of tests, or phases of testing may have different rules of engagement. Some tests must be coordinated so that advance warning is given, while others need to test the response when a test comes unexpectedly.
- 4m 42s | In this video, you’ll learn the important environmental considerations for pentesting. Environmental considerations are about looking at the operating elements: the tools, the places, and the people working together. As pentesters, you’re often focused more on technology-related factors. While you unconsciously factor elements such as network, application, and cloud into your scope, it’s important to look at the wider environment, including the computing environment.
- 5m 53s | In this video, you’ll learn about target lists such as wireless networks, domains, and physical locations. Building target lists is part of the information gathering and vulnerability identification phase of pentesting, which begins once scoping and authorization have been completed. Carrying out reconnaissance in this phase is about identifying specific tests based on the environments you're operating in. The vulnerabilities discovered inform the response needed to meet compliance and strengthen security.
- 8m 19s | In this video, you’ll learn the important details regarding the scope of engagement, using strategies such as time management, reviewing client contracts, and goal reprioritization. When validating the scope of an engagement, it’s important to understand the client’s organization and its needs, whether that is increased security, compliance-based testing, or a regulatory requirement. You need to gather requirements, know the organization's policies, needs, and goals, and determine the scope.
- 1m 8s | In this video, you’ll summarize what you’ve learned in this course. You’ve learned the steps, documents, discussions, and resources involved in successfully scoping an engagement. You explored regulatory compliance considerations and geographical location restrictions. You learned about service level agreements, the importance of protecting confidentiality, and the details included in a penetration testing SOW. You also explored NDA details and the benefits of master service agreements.
EARN A DIGITAL BADGE WHEN YOU COMPLETE THIS COURSE
Skillsoft is providing you the opportunity to earn a digital badge upon successful completion on some of our courses, which can be shared on any social network or business platform.
Digital badges are yours to keep, forever.