It goes without saying, you have to be very aware of the different legal concepts of penetration testing. You have to be aware of local laws and, you know, different types of regulations and so on. And this is because some of the activities in the penetration test might violate some local laws depending on where geographically you are doing this test. For example, if you actually collect packet captures or obtain information from a voice over IP system or voicemails during the penetration test, that action can be considered wiretapping in some countries. In addition to local laws, you will be responsible for creating certain legal documents like contracts, statements of work or SOWs, Master Service Agreements or MSAs, Non-Disclosure Agreements or NDAs. Now, if you work for a large company and you're a consultant doing business for that company to another client, most definitely their legal department will actually take care of a lot of the things that we're gonna be highlighting here. Right?

But for the purpose of the exam you have to understand these concepts, especially the contract, the statement of work, the master service agreements and the non-disclosure agreements. So starting with the contracts. The contract is actually, of course, you know, goes without saying also, one of the most important documents in your engagement. It's actually specifying the terms of the agreement: how will you get paid, and a clear documentation of the services that will be performed. The document should be very specific. It should be easy to understand and without any ambiguities, right? Ambiguities will likely lead to customer dissatisfaction or friction between you and your customer. Legal advice by a lawyer is always recommended for a contract, right? So if you are brand new to pen testing and you're doing this on your own, I will definitely advise you to go ahead and get legal advice from a lawyer.

Now, I mentioned the statement of work earlier, and basically what that is, is a document that specifies the activities to be performed during the penetration testing engagement. It can be used to define some of the, you know, most key elements of the penetration testing engagement like, you know, the project timeline or the penetration testing timeline, including the report, a delivery schedule, the scope of the work to be performed (one of the most crucial items, of course, of the pre-engagement tasks), the location of the work, the special technical and non-technical requirements, the payment schedule and so on. Right? So we also mentioned the rules of engagement document earlier. It includes, you know, some of these elements; in some cases actually they can be combined. You may have actually a master contract that will include the, you know, basically the SOW, the main contract and the rules of engagement, but in most cases actually they are separate documents.

Now, another legal aspect of a penetration testing engagement against the concept is Export Control. You always have to become aware of any export control restriction that may be present in the country where the penetration testing will be performed, especially if you're actually working for a multinational company that may actually fly you to different places around the world. There may be tools, software, hardware that cannot be exported or imported to that country. And these include certain cryptographic software, encryption technologies. And for several years, more than 40 countries actually have been trying to negotiate this type of export controls under an arrangement called the Wassenaar Arrangement. And basically that was an arrangement that was established for export control for conventional arms and the dual use of goods and technologies. Right?

And now for many, many years, they actually have been also trying to consider security tools and software, power and specifically things that can be used for penetration testing and ethical hacking or, you know, real-life hacking to be considered as arms and could be controlled by those certain national laws in different countries. So you have to be very aware of that. Now your customer may have specific corporate policies that need to be taken into consideration whenever you perform a penetration test as well. In most cases, the customer will initially disclose any items within their corporate policy statements that may actually have a direct impact on the penetration testing engagement, but you have to always ask, right? Always be sure and clearly document if there are actually any of those policies in place. Some companies may also be under a specific regulation where they actually have to create a vulnerability and penetration testing policy within their organization.

They might specify restricted and non-restricted systems and information on how the penetration testing should be conducted according to a regulatory standard as well. So all those are a lot of different legal aspects of penetration testing that many people actually do not know exist and that you should take into consideration in your company or in your engagement.