1
00:00:06,530 --> 00:00:08,400
- [Instructor] So what is ethical hacking

2
00:00:08,400 --> 00:00:10,290
and penetration testing?

3
00:00:10,290 --> 00:00:12,000
If you're watching this video course,

4
00:00:12,000 --> 00:00:15,660
you most likely already
have some understanding

5
00:00:15,660 --> 00:00:17,620
of what is pen testing.

6
00:00:17,620 --> 00:00:20,150
So I'm not gonna cover
all the basics here.

7
00:00:20,150 --> 00:00:22,580
However, I do want to cover

8
00:00:22,580 --> 00:00:24,550
and discuss a few of the differences

9
00:00:24,550 --> 00:00:28,130
between an ethical
hacker, a malicious hacker

10
00:00:28,130 --> 00:00:31,880
and also a few key
concepts like red teaming

11
00:00:31,880 --> 00:00:35,840
or red teams and offensive
security as a whole.

12
00:00:35,840 --> 00:00:38,450
An ethical hacker is a
security professional

13
00:00:38,450 --> 00:00:42,140
that will try to mimic a malicious hacker.

14
00:00:42,140 --> 00:00:46,420
The main difference is
that he or she those that,

15
00:00:46,420 --> 00:00:50,580
you know attempt of compromising a system

16
00:00:50,580 --> 00:00:54,310
or mimic a malicious
attacker with permission.

17
00:00:54,310 --> 00:00:57,140
That is the main difference,
the word permission.

18
00:00:57,140 --> 00:01:00,530
Also the scope in penetration
testing determines

19
00:01:00,530 --> 00:01:03,670
what a pen tester can do and cannot do.

20
00:01:03,670 --> 00:01:06,217
We will definitely go over scope

21
00:01:06,217 --> 00:01:09,660
and a lot of different
things that you have to do

22
00:01:09,660 --> 00:01:13,763
in the pre-engagement
activities later in the course.

23
00:01:14,640 --> 00:01:17,100
Now you also have
probably heard the concept

24
00:01:17,100 --> 00:01:19,890
of red teaming, right? Or red teams.

25
00:01:19,890 --> 00:01:21,628
Basically a red team is like a team

26
00:01:21,628 --> 00:01:24,600
of ethical hackers like you and me

27
00:01:24,600 --> 00:01:26,960
that try to mimic a true attacker.

28
00:01:26,960 --> 00:01:30,480
They tend to operate with
a little bit more freedom

29
00:01:30,480 --> 00:01:33,440
and bigger scope than a
traditional pen tester.

30
00:01:33,440 --> 00:01:36,530
However, one thing that I
want to highlight is that

31
00:01:36,530 --> 00:01:40,872
the effectiveness of a true
red team completely depends

32
00:01:40,872 --> 00:01:44,160
on the maturity level of the company

33
00:01:44,160 --> 00:01:47,320
and the culture of the company as a whole.

34
00:01:47,320 --> 00:01:50,790
Now, most people in the
computer technology field

35
00:01:50,790 --> 00:01:53,810
will consider themselves
as hackers, right?

36
00:01:53,810 --> 00:01:57,230
By the simple fact that
you actually are somebody

37
00:01:57,230 --> 00:01:59,870
that is thinking out of the
box that is actually trying

38
00:01:59,870 --> 00:02:02,850
to figure out things out of the normal

39
00:02:02,850 --> 00:02:06,610
and of course, in the offensive
security aspects of things

40
00:02:06,610 --> 00:02:09,580
that you are actually trying
to break into systems.

41
00:02:09,580 --> 00:02:12,610
This obviously is not a
malicious thing, right?

42
00:02:12,610 --> 00:02:16,310
Of course, remember the word permission.

43
00:02:16,310 --> 00:02:19,090
So if you have the permission
and you're hired to do that

44
00:02:19,090 --> 00:02:24,010
that's why, you know,
good key scope, you know

45
00:02:24,010 --> 00:02:29,010
the clear scope and also a
specific rules of engagement

46
00:02:29,450 --> 00:02:33,260
is crucial for any pen testing activity.

47
00:02:33,260 --> 00:02:36,810
So the key factor here is
actually defining ethical

48
00:02:36,810 --> 00:02:39,360
versus non-ethical hacker, right?

49
00:02:39,360 --> 00:02:43,210
So of course an unethical
hacker does all that

50
00:02:43,210 --> 00:02:45,010
for a malicious intent,

51
00:02:45,010 --> 00:02:48,330
whether it's to steal corporate secrets,

52
00:02:48,330 --> 00:02:52,080
to or intellectual property,
to steal money, right?

53
00:02:52,080 --> 00:02:55,730
Either credit card
information or true money.

54
00:02:55,730 --> 00:02:58,960
For in the case of activism,

55
00:02:58,960 --> 00:03:03,842
to protest against some political activity

56
00:03:03,842 --> 00:03:07,120
or they don't believe in a specific,

57
00:03:07,120 --> 00:03:08,220
you know political movement

58
00:03:08,220 --> 00:03:10,861
or even the company culture
of a specific company

59
00:03:10,861 --> 00:03:13,180
or they're trying to protest
against something, right?

60
00:03:13,180 --> 00:03:16,400
So there's many different levels of,

61
00:03:16,400 --> 00:03:19,440
or types of non-ethical hackers

62
00:03:19,440 --> 00:03:21,290
or malicious hackers out there.

63
00:03:21,290 --> 00:03:22,870
Now, a security researcher looking

64
00:03:22,870 --> 00:03:24,960
for vulnerabilities in
products, applications

65
00:03:24,960 --> 00:03:29,400
and web services is actually
considered an ethical hacker.

66
00:03:29,400 --> 00:03:31,340
Now their responsibilities
actually, of course

67
00:03:31,340 --> 00:03:35,130
to disclose those vulnerabilities
to the person that

68
00:03:35,130 --> 00:03:38,930
or the company that hire
them, or in the case

69
00:03:38,930 --> 00:03:40,970
that they're actually doing
vulnerability researching

70
00:03:40,970 --> 00:03:44,910
in their own, they must
disclose responsibly

71
00:03:44,910 --> 00:03:47,790
those vulnerabilities
to the vendors or owners

72
00:03:47,790 --> 00:03:49,780
of that target research.

73
00:03:49,780 --> 00:03:51,400
So why do we need pen testing though?

74
00:03:51,400 --> 00:03:54,880
First of all, as somebody
that is responsible

75
00:03:54,880 --> 00:03:57,310
for securing defending a network or system

76
00:03:57,310 --> 00:04:00,821
you actually want to find as
many potential vulnerabilities

77
00:04:00,821 --> 00:04:04,000
before the bad guys, you know, do this.

78
00:04:04,000 --> 00:04:05,670
You know, for years we
actually have developed

79
00:04:05,670 --> 00:04:08,620
and implemented many
different defensive techniques

80
00:04:08,620 --> 00:04:12,510
like antiviruses, firewalls,
nutrition prevention system,

81
00:04:12,510 --> 00:04:14,480
anti-malware.

82
00:04:14,480 --> 00:04:19,250
However, we have to find ways to make sure

83
00:04:19,250 --> 00:04:21,460
that those are effective, right?

84
00:04:21,460 --> 00:04:24,670
And that we also
continuously look for ways

85
00:04:24,670 --> 00:04:28,650
on how bad guys can
compromise our systems,

86
00:04:28,650 --> 00:04:31,740
and of course do malfeasance.

87
00:04:31,740 --> 00:04:35,820
Now in many different
scenarios, penetration testing

88
00:04:35,820 --> 00:04:38,880
is a mandatory requirement

89
00:04:38,880 --> 00:04:42,510
by many different
regulations out there, right?

90
00:04:42,510 --> 00:04:46,690
Things like PCI or HIPAA,
you know, they mention

91
00:04:46,690 --> 00:04:50,550
that you must have a
penetration testing assessment

92
00:04:50,550 --> 00:04:51,740
at least once a year.

93
00:04:51,740 --> 00:04:53,920
That's a typical guidance,
you know, out there.

94
00:04:53,920 --> 00:04:56,870
And we actually gonna be
covering a few things especially

95
00:04:56,870 --> 00:05:01,730
around compliance based pen
testing later in the course.

96
00:05:01,730 --> 00:05:06,350
As you know, systems as
networks change constantly.

97
00:05:06,350 --> 00:05:08,180
And as a matter of fact,
you know, technology

98
00:05:08,180 --> 00:05:11,730
is changing constantly
at a very rapid pace

99
00:05:11,730 --> 00:05:12,910
and it's not gonna slow down,

100
00:05:12,910 --> 00:05:14,299
it's actually gonna be worse, right?

101
00:05:14,299 --> 00:05:15,630
So that means that

102
00:05:15,630 --> 00:05:19,000
the tech surface can also
change as well, right?

103
00:05:19,000 --> 00:05:21,050
You have to consider this whenever you

104
00:05:21,050 --> 00:05:24,660
are beginning a
penetration testing career.

105
00:05:24,660 --> 00:05:28,180
And even if you are in a
intermediate or advanced phase

106
00:05:28,180 --> 00:05:32,770
you have to, you know, all
the time, reinvent yourself

107
00:05:32,770 --> 00:05:36,480
and try to actually keep
up with new technologies

108
00:05:36,480 --> 00:05:41,320
and new trends because that's,
you know, how you become

109
00:05:41,320 --> 00:05:42,343
a better pen testing.

110
00:05:42,343 --> 00:05:46,395
It's not so much about tools
is more about the methodologies

111
00:05:46,395 --> 00:05:48,920
is a lot about the techniques.

112
00:05:48,920 --> 00:05:53,580
And then you also having,
you know, a way to adapt

113
00:05:53,580 --> 00:05:56,870
to learn new technologies and
to find ways on how to attack

114
00:05:56,870 --> 00:06:00,040
and compromise those
technologies and those systems.

115
00:06:00,040 --> 00:06:02,780
So I'm gonna be highlighting
this throughout the course

116
00:06:02,780 --> 00:06:04,470
and then in the next sections,

117
00:06:04,470 --> 00:06:06,120
you're actually gonna be looking

118
00:06:06,120 --> 00:06:10,850
into how the current landscape
is actually changing related

119
00:06:10,850 --> 00:06:14,210
to security and also exploring

120
00:06:14,210 --> 00:06:16,160
the different penetration
testing methodologies.

121
00:06:16,160 --> 00:06:18,400
Again, it's not much about tools,

122
00:06:18,400 --> 00:06:21,378
it's a lot about methodologies,
how to build your own lab

123
00:06:21,378 --> 00:06:25,783
and tips on how to prepare
specifically for this exam.