Penetration Testing with Kali Linux OffSec


PEN-200

CIA triad. CIA stands for Confidentiality, Integrity, and Availability. Each of these is a 
desirable property of the things we might want to secure, and each of these three properties can 
be attacked. Most (though not all) attacks against computer systems and networks will threaten 
one of these attributes. Let’s begin with a high-level overview before we dive into each one: 

Confidentiality: Can actors who should not have access to the system or information access 
the system or information? 

Integrity: Can the data or the system be modified in some way that is not intended? 

Availability: Are the data or the system accessible when and how they are intended to be? 
It is also important to note that in some cases, we may be far more concerned with one aspect of 
the CIA triad than others. For instance, if someone has a personal journal that contains their most 
secret thoughts, the confidentiality of the journal may be far more important to the owner than its 
integrity or its availability. In other words, they may not be as concerned about whether someone 
can write to the journal (as opposed to reading it) or whether or not the journal is always 
accessible. 
On the other hand, if we are securing a system that tracks medical prescriptions, the integrity of 
the data will be most critical. While it is important to prevent other people from reading what 
medications someone uses and it is important that the right people can access this list of 
medications, if someone were able to change the contents of the system, it could lead to 
life-threatening results. 
When we are securing a system and an issue is discovered, we will want to consider which of 
these three concepts, or which combination of them, the issue impacts. This helps us understand 
the problem in a more comprehensive manner and allows us to categorize the issues and 
respond accordingly. 
3.3.1 Confidentiality 
A system is Confidential if the only people that can access it are the people explicitly permitted to 
do so. A person’s social media account credentials are considered confidential as long as the 
user’s password is known only to the owner. If a hacker steals or guesses the password and they 
can access the account, this would constitute an attack against confidentiality. Common attacks 
against confidentiality include network eavesdropping[55] and credential stuffing[56]. 

[55] (Wikipedia, 2021), https://en.wikipedia.org/wiki/Network_eavesdropping 
[56] (Wikipedia, 2021), https://en.wikipedia.org/wiki/Credential_stuffing 

PWK - Copyright © 2023 OffSec Services Limited. All rights reserved. 

Let’s consider an example of an attack against confidentiality, assess its impact, and understand 
how it could have been prevented or mitigated. In August 2021, T-Mobile[57] announced that 
hackers had accessed data associated with over 50 million current, former, and prospective 
customers. While no payment information, passwords, or PINs were accessed, some of the data 
included first and last names, dates of birth, social security numbers, and ID / drivers’ license 
information. This data was subsequently offered for sale on the dark web. 
The attack impacted the confidentiality of the personal information of millions of current, former, 
and prospective customers. The confidentiality of this information was subsequently further 
compromised by being made available for purchase on the dark web. This also led to further 
reputational damage to T-Mobile as the attack was one of a number of then-recent breaches. 
There is limited information available on the exact 