Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
When Bob first realizes Alice’s treachery, he learns that standing guard prevents Alice from
attempting to steal bananas. But Alice hypothesizes that Bob must sleep at some point. She pays
attention to when Bob goes to sleep, then quietly sneaks up to the tree to steal.
Bob then figures out how to build a tall stone wall around the tree. Alice struggles to break through it or climb over it. Eventually, she learns how to dig under the wall. Bob trains a guard dog to protect the tree. Alice learns that she can pacify the dog with treats.
Bob takes a hardware security course and installs cameras and alarms to warn him anytime Alice
is nearby. Alice learns how to disable the cameras and alarms.
This cycle can continue almost indefinitely. In a strange way, both attacker and defender depend
on each other in order to increase their skillsets and better understand their respective crafts.
We can take this analogy further to include compliance and risk management aspects of security. At some point, Bob accepts the risk that Alice may steal bananas and decides to get insurance. But his banana insurance won’t pay for stolen bananas unless he complies with their requirements for risk mitigation, which entail having a sturdy wall and guard dog.
3.2.2 Risks, Threats, Vulnerabilities, and Exploits
Like many technical fields, cybersecurity relies on a significant amount of jargon, acronyms, and
abbreviations. Throughout the OffSec Learning Library, we’ll try to introduce terms and vocabulary
as they come up organically. Before we learn about various cybersecurity theories and principles,
however, it’s important to define a few terms so we can follow what we’re learning. Let’s begin with a cursory review of some of the basic concepts that cybersecurity is about: risks, threats, vulnerabilities, and exploits.
The most fundamental of these four terms is risk,[23] since it applies to many domains outside of cybersecurity and information technology. A simple way to define risk is to consider two axes: the probability that a negative event will occur, and the impact on something we value if such an event happens. This definition allows us to conceptualize risks via four quadrants:
1. Low probability, low impact events
2. Low probability, high impact events
3. High probability, low impact events
4. High probability, high impact events
As cybersecurity professionals, we should always consider risk by examining the questions “How
likely is it that a particular attack might happen?” and “What would be the worst possible outcome
if the attack occurs?”
[23] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Risk
When we can attribute a specific risk to a particular cause, we’re describing a threat. In cybersecurity, a threat[24] is something that poses risk to an asset we care about protecting. Not all threats are human; if our network depends on the local electricity grid, a severe lightning storm could be a threat to ongoing system operations.
Nevertheless, in many cases we are focused on human threats, including malicious programs built by people. A person or group of people embodying a threat is known as a