particular, each will become more skilled and sophisticated because of the efforts (or imagined efforts) of their counterpart.
The attacker-defender relationship dynamic helps to fundamentally explain why cybersecurity becomes more and more complicated over time. To understand this dynamic better, let's introduce the fictional characters Alice and Bob. We'll make use of them often throughout the OffSec Learning Library, and they appear in the cryptography[22] literature in various contexts to demonstrate examples and thought experiments.
For this particular story, let's imagine that Bob has an asset that he wants to defend: a great banana tree! Bob wants to make sure that only he can pick its bananas. Meanwhile, attacker Alice would love nothing more than to steal Bob's bananas.
At first, Bob doesn't pay any special attention to the security of his tree, so it's relatively easy for Alice to just walk up to it and steal a banana. As Alice gets better and better at stealing, however, Bob will also get better at protecting his tree.
22. (Wikipedia, 2022), https://en.wikipedia.org/wiki/Cryptography
Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
When Bob first realizes Alice’s treachery, he learns that standing guard prevents Alice from
attempting to steal bananas. But Alice hypothesizes that Bob must sleep at some point. She pays
attention to when Bob goes to sleep, then quietly sneaks up to the tree to steal.
Bob then figures out how to build a tall stone wall around the tree. Alice struggles to break
through it or climb over it. Eventually, she learns how to dig under the wall. Bob trains a guard
dog to protect the tree. Alice learns that she can pacify the dog with treats.
Bob takes a hardware security course and installs cameras and alarms to warn him anytime Alice
is nearby. Alice learns how to disable the cameras and alarms.
This cycle can continue almost indefinitely. In a strange way, both attacker and defender depend
on each other in order to increase their skillsets and better understand their respective crafts.
We can take this analogy further to include the compliance and risk management aspects of security. At some point, Bob accepts the risk that Alice may steal bananas and decides to get insurance. But his banana insurance won't pay for stolen bananas unless he complies with its requirements for risk mitigation, which entail having a sturdy wall and a guard dog.
3.2.2 Risks, Threats, Vulnerabilities, and Exploits
Like many technical fields, cybersecurity relies on a significant amount of jargon, acronyms, and abbreviations. Throughout the OffSec Learning Library, we'll try to introduce terms and vocabulary as they come up organically. Before we learn about various cybersecurity theories and principles, however, it's important to define a few terms so we can follow what we're learning. Let's begin with a cursory review of some of the basic concepts that cybersecurity is about: risks, threats, vulnerabilities, and exploits.
The most fundamental of these four terms is risk,[23] since it applies to many domains outside of cybersecurity and information technology. A simple way to define risk is to consider two axes: the probability that a negative event will occur, and the impact on something we value if such an event happens. This definition allows us to conceptualize risks via four quadrants:

1. Low probability, low impact events
2. Low probability, high impact events
3. High probability, low impact events
4. High probability, high impact events
As cybersecurity professionals, we should always consider risk by examining the questions “How
likely is it that a particular attack might happen?” and “What would be the worst possible outcome
if the attack occurs?”
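The two-axis view above is easy to lose when a risk register collapses probability and impact into a single score. The following is an added example (not part of the PWK text) that models a handful of scenarios from the banana-tree story, scores each one both ways, and shows why the quadrant matters: two risks with identical expected loss can sit in different quadrants and so deserve different treatment. The thresholds and numeric values are assumptions chosen for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List

# Thresholds that split each axis into "low" and "high". These are assumptions
# for the example; a real risk register would calibrate them per asset.
PROBABILITY_THRESHOLD = 0.5   # chance the event happens in the review period
IMPACT_THRESHOLD = 50.0       # loss if it happens, in arbitrary units (here: bananas)


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # 0.0 to 1.0
    impact: float       # same units for every entry so they can be compared

    def expected_loss(self) -> float:
        """Single-number view: probability multiplied by impact."""
        return self.probability * self.impact

    def quadrant(self) -> int:
        """Two-axis view, numbered as in the text:
        1 = low probability / low impact,  2 = low probability / high impact,
        3 = high probability / low impact, 4 = high probability / high impact."""
        high_p = self.probability >= PROBABILITY_THRESHOLD
        high_i = self.impact >= IMPACT_THRESHOLD
        if high_p and high_i:
            return 4
        if high_p:
            return 3
        if high_i:
            return 2
        return 1


# Constructed scenarios drawn from the story in the text. The numbers are made
# up for illustration; only the scenarios themselves come from the page.
SCENARIOS: List[Risk] = [
    Risk("Alice sneaks up at night and takes a few bananas", 0.9, 10.0),
    Risk("Lightning storm knocks out the local power grid", 0.1, 90.0),
    Risk("Alice pacifies the guard dog and strips the whole tree", 0.6, 80.0),
    Risk("A bird pecks at one banana", 0.3, 1.0),
]


def rank_by_expected_loss(risks: List[Risk]) -> List[str]:
    """Order by the scalar score, highest first. Ties keep input order, which
    is exactly where the scalar view stops being informative."""
    return [r.name for r in sorted(risks, key=lambda r: r.expected_loss(), reverse=True)]


def group_by_quadrant(risks: List[Risk]) -> Dict[int, List[str]]:
    """Bucket risks by quadrant so the 'worst possible outcome' question
    (impact) is never hidden behind a low probability."""
    groups: Dict[int, List[str]] = {1: [], 2: [], 3: [], 4: []}
    for r in risks:
        groups[r.quadrant()].append(r.name)
    return groups


if __name__ == "__main__":
    print("By expected loss:")
    for name in rank_by_expected_loss(SCENARIOS):
        print("  ", name)
    print("By quadrant:")
    for q, names in sorted(group_by_quadrant(SCENARIOS).items(), reverse=True):
        print("  ", q, names)
```

With these numbers, the nightly theft (quadrant 3) and the lightning strike (quadrant 2) both score an expected loss of 9 bananas, so a list sorted only by that score cannot tell them apart. The quadrant grouping keeps the low-probability, high-impact event visible, which is the "worst possible outcome" question the text asks us to keep alongside "how likely is it".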
23. (Wikipedia, 2022), https://en.wikipedia.org/wiki/Risk
When we can attribute a specific risk to a particular cause, we're describing a threat. In cybersecurity, a threat[24] is something that poses risk to an asset we care about protecting. Not all threats are human; if our network depends on the local electricity grid, a severe lightning storm could be a threat to ongoing system operations.
Nevertheless, in many cases we are focused on human threats, including malicious programs built by people. A person or group of people embodying a threat is known as a