[68] Where do you draw the line: Part Two

  • Published 3 Jul 2024
  • In this video we discuss more hypothetical scenarios: what would you do if you found yourself in these situations?

COMMENTS • 67

  • @DeviantOllam
    @DeviantOllam 3 years ago +69

    Wow... Absolutely awesome questions to ask and these are discussions that our industry should have more often.
    In fact, this is so relevant and good that I would love to see this developed out into a panel discussion type presentation in future. Happy to be part of it if you wish or happy to submit similar questions or ideas for whomever you choose, but definitely keep a lot of this in mind because these are topics that are always going to be relevant and important.

    • @alexandrezani
      @alexandrezani 3 years ago +1

      Would love to see what people have to say. These ones are a lot harder than the last ones I would say.

    • @adammorris8112
      @adammorris8112 3 years ago +1

      @@alexandrezani interesting, I thought that these were a lot clearer myself. You have strict rules, the only question in my mind would be whether to mention legal drug use in your report. As it is a breach of company policy it could be used as leverage against the employee. You don't need to mention who, just that you think that you smelled weed during a staff smoke break.

    • @CandyGramForMongo_
      @CandyGramForMongo_ 3 years ago +1

      Not really. You report everything and you say nothing to your colleagues. You tell the specialist that the server is out of scope, but note how segmentation was found to be inconsistent with prior descriptions. It’s also very unlikely that you get to have the run of the entire place yet one server is out of scope.
      That said, when you do this kind of work, you tend to piss off the people that management wants to find and correct. Since you use criminal tools and techniques, there is an association with you already being shady. If there is any action or outcome that could put your professional integrity into question, you find yourself looking for a new career. Always do the right thing.
      Always, always, always have this conversation with the client first. In fact, I would have called my client sponsor and told them about the server. If (s)he green lights it, you’re good to go.
      You are there to serve the interests of the client. Be in tune with that and act accordingly.

    • @DeviantOllam
      @DeviantOllam 3 years ago +26

      @@CandyGramForMongo_ don't take this the wrong way, but if you truly believe all of your statements -- and the flippancy with which you're delivering them -- you are not helping my industry and that makes me feel a little sorry for you and your associates. I appreciate much of what you're saying about having good conversations with the client first and about calling them if you discover that server, but other things you are saying show the need for -- forgive me -- more emotional growth in this field.
      EDIT: to clarify some details (which are much better-explored in a future conversation elsewhere, not in a little comment window)...
      You were not hired to be a hall monitor and tattle tale on someone who is violating a company's drug use policy. Your ingress via the side door would be equally actionable if a smoker of Marlboros were slipping out the side as it would if someone was vaping Sour D. And I would also argue that faulty door closer hardware is more at fault than anyone stepping outside there. Even people using that door for fully legitimate purposes can introduce a security risk if the door closer doesn't operate fully.
      The porn in the desk drawer? Again... that's not germane to what you were engaged to test and I would consider it irrelevant to what you are going to report. As for the crypto miner... do you know who installed it? Were you contracted to perform DFIR work against that computer? Or is it sufficient to report "security software policy on company workstations was observed to possibly be insufficient for the prevention of installation of unauthorized applications"?

    • @alexandrezani
      @alexandrezani 3 years ago +4

      @@adammorris8112 I think the scope question is super easy: exceeding scope is a potential CFAA violation. Don't break the CFAA. (And definitely don't break the CFAA and then write an official report explaining how you broke the CFAA!)
      The rest, I would be uncomfortable with reporting individual failures. I'm big on "if people are doing the wrong thing, you didn't set them up to do the right thing." Also, as a practical matter, it's not cost effective to keep hiring red teams to figure out if some guy is sneaking out to smoke weed. The company needs to update its policies so when they hire some guy who likes to take a weed break, that guy won't need to hide and thereby undermine security.

  • @BT293HG
    @BT293HG 3 years ago +22

    1. mention how employees seem to take frequent breaks to smoke, and couldn’t determine what was being smoked. Also mention how guards are not performing duties
    2. Tell client that some systems had pornography, were detected mining cryptocurrencies, and may have a hidden malware/virus running in tandem. Report door and sticky note, and mention how a well funded team could easily use both to cause damage
    3. Tell data specialist that it’s a strict no-go and report finding to client for further instructions
    4. “I had fun, but I signed a NDA. Sorry”

  • @russellhltn1396
    @russellhltn1396 2 years ago +9

    I think the real question is how I would write the report. Your job is to help the client improve security. In the case of the guards, the problem is a lack of supervision. They could fire every one of them, but without changes, it would be the same way in a short period of time. I'd say that the guards were unsupervised and it showed in their lack of attention, getting worse in the off hours. I don't see a security issue with the magazine stash, but the browser tabs suggest the company doesn't have an effective firewall preventing users from going to harmful sites.

  • @AalbertTorsius
    @AalbertTorsius 3 years ago +10

    I'm not in the industry, but I think I would try to report on processes, not people.
    1. Ignore the weed. Report that there are no processes in place to guarantee that guards are actively monitoring.
    2. Report that the latch was not fully engaged. Report that a door sensor / alarm is missing. Report the sticky note. Ignore the pr0n unless of an illegal kind. Report that illegal software was not detected (both the crypto miner and your payload).
    3. Off-limits remains off limits, although if possible contact the client and ask if it can be included.
    4. Don't get caught off guard and have your own NDA ready, which allows discussion of anonymised findings. Don't discuss specific findings with a friend. Might be the hardest one.

  • @Beregorn88
    @Beregorn88 2 years ago +3

    Seems this round boils down to: are you professional about your job?
    In any case, my answer would be: all of the above, all of the above, no but tell your employer you could have easily done it and how, no.
    You are employed to find liabilities and report them to your employer so that he could fix them; also, if your friend is so professional that he wouldn't talk about the job with anyone else, why should you behave differently?

  • @matthewkasdorf6406
    @matthewkasdorf6406 3 years ago +10

    HOLY SHIT! I KNEW SOMEONE WAS IN MY OFFICE, I'M MISSING A HUSTLER! (please don't tell anyone)

  • @zachbrenner9959
    @zachbrenner9959 3 years ago +5

    As long as it's not child porn it's something the company should handle internally

  • @notfeedynotlazy
    @notfeedynotlazy 2 years ago +4

    _MY_ moral compass? Tell everything but tell no names. As in, "employees were found smoking weed and guards were found being inattentive", not "THIS employee was found smoking weed and THIS guard was found being inattentive". Let the client decide if he wants to ferret down specifically who each was or just enact company-wide stern warnings or whatever - not YOUR job.

  • @legion162
    @legion162 3 years ago +23

    I'd include everything in the report, weed smoker potential blackmail to gain access, slack guards definitely a weak point to be exploited, porn on PC, again potential blackmail weakness, smokers leaving door unsecured definitely access weak point.
    Not sure how NDAs work as I don't think we have them in the UK, but if you've signed something, then I guess it's like a contract, so if you disclose details you'll probably be screwed over if found out, plus probably irreparable damage to your reputation, so at most I'd probably say that the job went well.
    And the server access thing, definitely tell your IT guy to stay away, but include that access could have been made to the server, because you never know when you're being tested yourselves and it could well be a honey pot to check out your company/team.
    Lastly, you're contracted to do a job, exposing and discovering weakness in the company, so everything needs disclosing, you're not there to make friends.
    PS
    I'm not in info sec or anything like that, just find it interesting and my comments are just based on what I think is common sense.

    • @NapalmLlama
      @NapalmLlama 3 years ago +2

      We absolutely have NDAs in the UK. They are hard to enforce, but I suspect that's true everywhere.

    • @legion162
      @legion162 3 years ago

      @@NapalmLlama thanks for that, I've never been in any position where I'd be required to sign an NDA, closest to that I suppose that I've had to sign is the official secrets act, promising the souls of all my future generations to the devil if I revealed classified information.

    • @NapalmLlama
      @NapalmLlama 3 years ago +1

      @@legion162 It's basically a promise to treat the counterparty's secrets the same way you treat your own secrets. There's plenty of scope for the data to leak accidentally without breach of contract, and even if you leak it on purpose, the onus is still on them to prove it. Probably also true of official secrets? IANAL.

    • @legion162
      @legion162 3 years ago +1

      @@NapalmLlama you don't actually have to sign anything with regards to the Official Secrets Act, as it's actually an act of law; however, I think when you are dealing with classified government information they get you to sign a document to press home the importance of not sharing the information.

    • @Kazokano
      @Kazokano 2 years ago +2

      I believe you perfectly understood the job of a red team... but I think the ethical dilemmas mentioned in the video mostly boil down to: "should you do your job even if it goes against your values"?

  • @adammorris8112
    @adammorris8112 3 years ago +4

    Personally...
    1. Report on all of it including the drug use as it could be used as a mechanism to blackmail the employee in question.
    2. Report on all of it as it all presents a potential risk to the company.
    3. The server is out of scope, it should not be touched. The fact that it appears you could should be reported in the report, but you have strict rules for your engagement. Step outside those rules and you risk your own organisation.
    4. Tell my friend nothing more than "you know, it was a typical engagement" or some equally generic comment. I am under NDA, and such a comment is unlikely to be considered in breach of the NDA.

  • @aettic
    @aettic 1 year ago +1

    I'm not sure I have any good answers for this, but here goes:
    I would document the means of entry, and what I noticed on recon, including the behaviors of employees and guards, but may word things a bit vaguely depending on the individual situation. Due to my personal feelings about things like weed, I would probably not mention the specifics, but would say that some employees inadvertently left the door unlatched while out to take smoke breaks. I probably would mention that the guard seemed to be having a hard time staying awake, but as a chronic insomniac, I empathize with this, and know how hard it can be in certain situations to stay awake, would probably recommend some solutions involving suggestions to help keep the guards active on duty (like, rather than just sitting there watching, maybe provide them tasks to do that are relevant to the security of the place, such as checking doors, or offering a standing desk (this is my trick when I'm dozing off at work, I stand up and work, it helps a lot).
    Once inside, this gets even more complicated. I would absolutely mention the sticky note with credentials being in an obvious place. I would also mention that the only thing that was locked uses a lock which is very easy to bypass, and describe how it was bypassed and what was inside. If the password were a simple one, I'd also make note of that, even though its complexity doesn't matter if it's just written on a damn sticky note, but it's still something I would consider. I would detail what kinds of vulnerabilities were exploited on the computer itself, and would report the crypto mining and the porn in the browser since whoever that was didn't have the decency to at least cover their tracks. (Side note, why the fuck do people watch porn AT WORK?) I would probably add some emphasis to the value of stopping crypto mining, such as power consumption, or the possibility of external access to that machine, or any other things that are relevant there.
    If a team member discovers that the network isn't segmented correctly and that this could provide access to the out-of-scope assets, I would thank them and reinforce that it was a good find, but firmly tell them not to access the system. In the report, I'd make notes about what kinds of issues could come up from this kind of unauthorized access, including the potential for outside compromise, insider threats, etc. and what value it might be to the company to fix these things (i.e. what damage could be done, and how much it could cost them, including considerations like legal fees, time and labor for restoring a system after something like a ransomware attack, etc.)
    At dinner with my friend, I would politely tell them that it went well, but that I can't tell them any details about the job, and hope that they understand. If they probe deeper, I would probably be more upfront and explain that I signed an NDA, and simply can't tell them.

  • @villian_von_badguy_ii145
    @villian_von_badguy_ii145 3 years ago +2

    This format is awesome ... Brings up some thought exercises that im pretty sure most ppl don’t consider

  • @SaltNBattery
    @SaltNBattery 2 years ago +1

    Aw man, I thought one of these scenarios resulted in physically incapacitating/detaining a security guard.

  • @user-bv8dc3xj7n
    @user-bv8dc3xj7n 3 years ago

    Excellent questions and very thought-provoking. Please keep this series going.

  • @CJ-by8ij
    @CJ-by8ij 3 years ago

    Your content is amazing. Thank you for doing what you do!

  • @tracyrreed
    @tracyrreed 3 years ago +3

    Never touch anything out of scope, clearly. But usually there is someone on the inside you coordinate with during the exercise. Run this by them and see if they want it added to scope and if so get the new scope in writing.
    Always stay within the rules of engagement.
    Does scope/rules of engagement include something which state or imply they would want to know about risks such as a weed smoking employee or sleeping guards? Then include it.
    Being that these issues are common they are good questions to ask about up front when crafting the scope/rules of engagement. If you are having to ask yourself these questions and put yourself into a moral quandary during the exercise or when writing your report without having addressed this sort of thing previously in the contract with the client, you've already made a mistake.
    Note that the weed smoking, porn watching, sleeping employees are also targets for blackmail. That is just as big of a risk as the fact that they aren't doing their jobs properly IMHO.
    I think there are two questions:
    If I were the client, would I want to know about these things? Most likely, yes.
    Then, if I am the pentester, is it more ethical to always give the client the best value in terms of telling them things such as the above knowing that they would want to know or to exercise discretion sticking strictly to the letter of the contract and no more?
    I expect the former to be better for business (or how could reporting on those things go sideways for the pentested? I'm no lawyer.) but the latter might weigh on your conscience. Although the fact that they are a blackmail risk weighs heavily with me personally.

  • @djturnz
    @djturnz 1 year ago

    These seem fairly easy.
    I am paid to do a job, and that engagement has parameters.
    The guards need more accountability. They apparently don't have any adequate direct supervision.
    If the server is out of scope, I simply report the problem with the network and that I could have easily breached the server. Telling the client this, vs actually completing the server breach won't be any different in their eyes, except that I also stepped over the clearly written line.
    The last one is probably the most difficult. Only because you want to talk shop with people that understand what you do. But it's still not difficult. You signed an NDA, and your buddy should understand that.

  • @alexandrezani
    @alexandrezani 3 years ago +3

    I'm big on the systems-not-people approach to making larger organizations work. So I would draw the line at identifying problematic behaviors, but not individuals.
    So for instance, I wouldn't say "Bob smokes weed and that allowed us to gain access" but instead say "The hard no-weed policy is causing some employees to attempt to hide unauthorized smoke breaks which results in them not closing doors properly. I recommend you allow employees to smoke legal drugs during designated smoke breaks in order to reduce the need for them to hide."
    Similarly, instead of "The night shift guard sleeps on the job" I might say something like "Having a single guard during the night shift makes it hard for them to focus on their jobs. I recommend you keep two guards in the booth during night shifts in order to make sure they stay engaged and alert."
    Again, instead of pointing out "this guy is mining crypto", I would say something like "There appears to be unauthorized software running on company computers. I recommend you install monitoring software to identify and block unauthorized applications."
    NDAs have a specific purpose. In this case, presumably, the company wants to avoid embarrassment and malicious actors taking advantage of vulnerabilities you discovered. As long as you keep your comments generic enough, you can achieve the purpose of the NDA and not sound like someone whose vocabulary is limited to "I cannot comment."
    Edit: Oh, and don't exceed the scope! That's not even an ethics thing. That's a CFAA violation you don't want to deal with. (If that company is as much of a hardass as you portray them, there is very real risk of them calling the Feds on you.)

    • @adammorris8112
      @adammorris8112 3 years ago +1

      This... Raise the behaviours not the individuals. You observed risky behaviours in several places. You did not observe every employee so you don't know who might have committed similar breaches you didn't see.
      If the company is any good then they will find ways to mitigate risk without firing good employees. (E.g. a designated smoking area with an alarmed exit, so they can swipe out of the building, but even if that door remains ajar it can't be easily accessed.)

  • @TheTreegodfather
    @TheTreegodfather 3 years ago +2

    First off, NDA means exactly that. There's no exceptions I've ever seen in one for spouses and buddies. It's your word, and you're only as good as it.
    As far as the rest... The scope is the scope. If people aren't where they're supposed to be, doing what they're supposed to do, or incapacitated from doing it... That's a security issue.
    As for the porn employee, it might be a security issue in that he/she could be open to coercion where they get caught and compromise security to keep someone from reporting them and losing their job. Same with the weed smoker.

  • @johannesgerber5006
    @johannesgerber5006 3 years ago

    Disclaimer: Not in the business but good with writing management-compatible powerpoints:
    1. "inadequate enforcement of Draconian drug use guidelines leave employees open to blackmail."
    2. "Inadequate guarding procedures allow undetected entry due to single point of failure."
    3. "Non-Work related programs and data were found, indicating either a cultural or a supervisory failure."
    4. "Initial penetration showed more access than in scope. See attached quote if deeper probing is desired."
    Also: "Individual-person-specific issues are out of scope, consider hiring a PI. Recommendation to contact $PrivateInvestigatorFriendWhoGivesMeKickbackForNewClients"
    5. "Can't tell you anything specific about this client, other than that they paid on time. Got a general list of more esoteric and funny vulnerabilities that I got this and other client's OK to share, if you are interested."

  • @Mills141
    @Mills141 3 years ago +2

    They are paying you for your loyalty. When you service them, they are your master. If classified I only share general concepts. If the smoking or whatever behavior doesn't affect the aspect you are assigned it's not relevant. So if you're there for physical and not data the crypto is not in the scope of your application. If the smoking was in the assigned area at the assigned time, what they do is not important if you suspect it's crack... I've had people bring weapons into areas they were not authorized so it had to be called out. Ronin have rules 🤔

    • @adammorris8112
      @adammorris8112 3 years ago +2

      The presumably permitted smoking allowed easier ingress so that should be raised as it does lower security.
      The drug use, pornography and crypto-mining all increase the risk that the employees in question could be subverted (blackmailed or enticed). You don't have to mention which employees, but it is highly relevant to your client's security.

  • @abortedlord
    @abortedlord 5 months ago

    Probably wouldn't mention the weed, that's really not my job.
    Probably WOULD mention the fact that dummies taking breaks aren't closing the door properly. That's a safety issue for other people in the building.
    From there the pot thing is their game to play.

  • @thermobollocks
    @thermobollocks 2 years ago

    * Report what's relevant to security.
    * Always abide by the no touch/no effects list.
    * Don't tell your friends who your clients are, then you can tell them what happened.

  • @amtrent123
    @amtrent123 1 year ago

    Brother is trying to mine crypto on an office PC with built in graphics, he's just gonna fry the computer before he makes a penny 💀

  • @kevinkinsella7815
    @kevinkinsella7815 3 years ago

    nice.

  • @Sov92
    @Sov92 3 years ago +1

    Only thing I exclude from my report is the person smoking pot. I'd say people are leaving the door open after smoking and that's about it. I would write in great detail the security team's failures because they aren't doing their jobs. I'd tell the tech expert to leave the server alone because we aren't getting paid to mess with it but document that we could have messed with it so they patch up their network. As for the guy asking me how the job went I would give him no details on the job. If I told a client I wouldn't then that's that. I'll do what I am paid to do and I take adhering to my own word seriously.

    • @adammorris8112
      @adammorris8112 3 years ago

      I agree, except for the pot smoking. I would simply state that their hard line drug use policy increases the likelihood that employees could be coerced, and that legal drugs should be permitted with the understanding that they do not impair the employees' performance. Prescription drugs can impair performance and so employees should know it is a liability issue not a control issue.

  • @zorimanar2247
    @zorimanar2247 1 month ago

    I love how everyone in this comment section assumes that each one of these questions has a clear answer, yet they are often *very* contradictory with each other. Just goes to show how varied human morality actually is :p

  • @PNCNDNOB
    @PNCNDNOB 3 years ago

    No lines here..
    Using lines would be dumb, because criminals don’t use lines either!
    They gave me permission to do the same thing criminals do. So I will go all the way!
    And I am a Messianic Hebrew so my moral compass will always win.
    And when promising not to tell ANYBODY, I don’t tell ANYBODY. Not even that one close friend that I can trust!
    That was not the deal PERIOD
    :D
    Good stuff man, love your vids.. keep em coming ;)

  • @k9sidrat662
    @k9sidrat662 3 years ago

    Shop them all

  • @pointyfox
    @pointyfox 2 years ago

    1. All the details. I don't care if bad employees I don't know get fired for being bad. 2. Same answer. 3. Tell the specialist to not touch anything out of scope. 4. Keep details of the job a secret since I'm legally required to. ezpz

    • @zorimanar2247
      @zorimanar2247 1 month ago

      Catching bad employees isn't your job though. Not your circus, not your monkey.

  • @theredonionlockpicking7179
    @theredonionlockpicking7179 3 years ago

    So is this a real job you can do? If so I need an application

  • @kevinkinsella7815
    @kevinkinsella7815 3 years ago

    Follow your ROE

  • @seanb3516
    @seanb3516 3 years ago +6

    It's important to think like a judge. So you observed someone doing what you call 'smoking'. You say you smelled weed. Can we rely on your judgement? Did you chemically sample the smoke? Are you aware of any medical exemptions permitted by the company or the law? Nope. So, report what you see only and not what you 'feel or think'. Stick to solid facts. Don't report workers by name or identify them if possible (not always possible). The files on the computer are not 'porn', they are 'non-standard' data files. Guards who are not doing their job is simply a coverage issue and should not be a personal worker review. At most you might recommend a staggered guard change schedule to cover observed lack of coverage. The door is not 'being left open by workers' but rather is a door that is not closing properly. A secured smoking area should be provided. So, report facts and keep judgements to yourself. Don't like smokers? Don't care. Report a bunch of 'snitchy' details and the hiring company might think you're too amateur to handle the job. The only crimes you need to report are in regards to a person harming or intending to harm themselves or someone else. If you find a 'booby-trap' or anything IDLH (Immediately Dangerous to Life and Health) you would report that ASAP.
    Finally, if there is an employee smoking pot at a workplace with a strict anti-drug use policy then clearly the employee is not the problem but rather it is the lack of enforcement internally of the company's Security & Safety policies. Attempting to heap security problems on a single person or worker position simply drives the larger issues underground. Let HR deal with employee behaviour. Your job is to test the corporate security structure on a much larger scale. The key skill you would need to work on is 'Compartmentalization', or the ability to separate your work from your feelings and re-connect with your feelings after work (okay, over-simplified).

    • @Kazokano
      @Kazokano 2 years ago

      I don't think you understand the job of a red team at all. It is not to discover crimes or otherwise "harmful" behaviour committed by employees, but rather to identify security vulnerabilities. See the comment by @Legion above, he got it right and actually understood why the issues mentioned in the video are ethical dilemmas. You clearly did not.

  • @markotb
    @markotb 3 years ago

    That's hard man. BUT you are on a professional engagement, therefore I'd report all security risks and misuse of company property. Maybe, but probably not, leaving out the drawer full of porn, but report everything else?
    It really depends on what is in the scope. Having said that, an employee with an obvious porn addiction who is indulging at work is open to blackmail and therefore also a security risk. I'd have to report everything, it sucks but that is the job.

  • @moneyfornothing3264
    @moneyfornothing3264 3 years ago

    I need the answers to the questions you asked.

    • @adammorris8112
      @adammorris8112 3 years ago +2

      So what answers did you come up with? There is no right or wrong answer as far as I know, just a general consensus as to where the line would be drawn.

    • @moneyfornothing3264
      @moneyfornothing3264 3 years ago

      @@adammorris8112 : thanks.

  • @MarkDavis77
    @MarkDavis77 3 years ago

    The answer is no to all of these if they're out of the scope of the job