Penetration Testing with Kali Linux OffSec


PEN-200

security[67] principles[68] we might encounter throughout our OffSec Learning Journey. Although this subject could be its own in-depth Module, for now, we'll cover a few high-level descriptions.
The Principle of Least Privilege[69] expresses the idea that each part within a system should only be granted the lowest possible privileges needed to achieve its task. Whether referring to users on a machine or lines of code in a program, correctly adhering to this discipline can greatly narrow the attack surface.
Earlier we referenced the 2019 Capital One attack. We'll recall that this attack was facilitated by leveraging a Web Application Firewall with permissions that were too high for its required functions. It's important to understand that the Principle of Least Privilege does not only apply to human individuals or groups, but to any entity (including machines, routers, and firewalls) that can read, write, or modify data.
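The lesson applies to any machine identity, not only to a WAF. As an added example (not part of the PEN-200 text), the Python below audits IAM-style policy documents for the tell-tale signs of over-privilege: an action or resource wildcard, a service-wide wildcard such as "s3:*", a partial wildcard such as "s3:Get*" that happens to cover a sensitive action, and a NotAction grant. The two policies are constructed for illustration; the account ID, bucket and log-group names are placeholders and are not taken from any real incident.

```python
"""Least privilege for a machine identity: audit IAM-style policies for over-broad grants.

Added example, not part of the PEN-200 text. The policies, account ID, bucket and
log-group names below are constructed for illustration.
"""
import fnmatch

# Constructed: a role for a WAF / reverse-proxy host that may call every S3 API on
# every resource in the account. The host only needs to read one rules file.
OVERPRIVILEGED_WAF_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:waf:*",
        },
    ],
}

# Constructed: the same role trimmed to the two things the host actually does.
LEAST_PRIVILEGE_WAF_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-waf-config/rules.json",
        },
        {
            "Effect": "Allow",
            "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
            "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:waf:*",
        },
    ],
}

# Actions that read bulk data or secrets. A wildcard pattern that happens to
# cover one of these is worth a finding even when it is narrower than "service:*".
SENSITIVE_ACTIONS = ("s3:GetObject", "s3:ListBucket", "secretsmanager:GetSecretValue")


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Return (statement_index, reason) findings for Allow statements that over-grant."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        if "NotAction" in stmt:
            findings.append((i, "NotAction allows everything except the listed actions"))
        if "*" in actions:
            findings.append((i, "Action '*' grants every API call"))
        service_wide = [a for a in actions if a != "*" and a.endswith(":*")]
        if service_wide:
            findings.append((i, f"service-wide wildcard action {service_wide}"))
        if "*" in resources:
            findings.append((i, "Resource '*' applies to every resource in the account"))

        # Partial wildcards such as "s3:Get*": IAM matches action names case-insensitively.
        for action in actions:
            if "*" in action and action != "*" and not action.endswith(":*"):
                covered = [s for s in SENSITIVE_ACTIONS
                           if fnmatch.fnmatchcase(s.lower(), action.lower())]
                if covered:
                    findings.append((i, f"wildcard {action} covers sensitive actions {covered}"))
    return findings


def report(name, policy):
    """Print a one-line verdict per statement so the two policies can be compared."""
    findings = audit_policy(policy)
    print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
    for index, reason in findings:
        print(f"  statement[{index}]: {reason}")
    return findings


if __name__ == "__main__":
    report("over-privileged WAF role", OVERPRIVILEGED_WAF_POLICY)
    report("least-privilege WAF role", LEAST_PRIVILEGE_WAF_POLICY)
```

Run as a script it prints two findings for the first policy (the service-wide "s3:*" and the "*" resource) and a clean verdict for the second. The check deliberately ignores Deny statements: they can only narrow what an Allow grants, so the over-privilege lives in the Allow side.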
The Zero Trust[70] security model takes the Principle of Least Privilege and carries it to its ultimate conclusion. This model advocates for removing all implicit trust in networks, with the goal of protecting access to resources, often through granular authorization of every resource request.
Open Security,[71] a somewhat counter-intuitive principle, states that the security of a system should not depend on its secrecy. In other words, even if an attacker knows exactly how the system's security is implemented, the attacker should still be thwarted. This isn't to say that nothing should be secret. Credentials are a clear case where the security of a password depends on its secrecy. However, we'd want our system to be secure even if the attacker knows there is a password, and even if they know the cryptographic algorithm behind it.

[67] Wheeler, 2021: https://dwheeler.com/secure-programs/Secure-Programs-HOWTO/follow-good-principles.html
[68] Patchstack, 2021: https://blog.threatpress.com/security-design-principles-owasp/
[69] Wikipedia, 2021: https://en.wikipedia.org/wiki/Principle_of_least_privilege
[70] Wikipedia, 2022: https://en.wikipedia.org/wiki/Zero_trust_security_model
[71] Wikipedia, 2021: https://en.wikipedia.org/wiki/Open_security

PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
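The password case is worth making concrete. As an added example (not the PEN-200 text's own code), the Python below stores passwords in a way that survives full disclosure of its design: the algorithm, iteration count, salt and record layout are all written into the stored record for anyone to read, and verification still holds because only the password is secret. Beside it sits the opposite design, a hidden "pepper" and no per-user salt, which collapses as soon as the source is read. The parameter values, pepper and sample passwords are constructed for the example.

```python
"""Open security applied to credential storage.

Added example, not from the PEN-200 text. Everything in this file is assumed to be
in the attacker's hands: the algorithm, the iteration count, the salt and the
stored record format. Only the password itself is meant to be secret.
"""
import hashlib
import hmac
import os
from typing import Optional

# Public parameters. Publishing them costs nothing; the scheme's strength rests on
# the password and on the work factor, not on hiding how records are produced.
ALGORITHM = "sha256"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor recommended by OWASP at time of writing
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt_hex>$<hash_hex>."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the public parameters in the record; compare in constant time."""
    try:
        scheme, iterations, salt_hex, hash_hex = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        digest = hashlib.pbkdf2_hmac(
            scheme[len("pbkdf2_"):],
            password.encode("utf-8"),
            bytes.fromhex(salt_hex),
            int(iterations),
        )
    except ValueError:  # wrong field count, bad hex, bad int, unknown hash name
        return False    # fail closed rather than explain which field was wrong
    return hmac.compare_digest(digest.hex(), hash_hex)


# The counter-example: a scheme whose only protection is that nobody has read the
# source. A fixed "pepper", no per-user salt, one fast hash. Constructed; never use.
HIDDEN_PEPPER = b"constructed-pepper-do-not-use"


def obscure_hash(password: str) -> str:
    """Security-by-obscurity variant: secure only while HIDDEN_PEPPER stays unknown."""
    return hashlib.sha256(HIDDEN_PEPPER + password.encode("utf-8")).hexdigest()


def crack_obscured(records, candidates):
    """Once the pepper is known, one table of candidate hashes breaks every record at
    once, because nothing per-user was mixed in. Returns {record: password} for hits."""
    table = {obscure_hash(c): c for c in candidates}
    return {r: table[r] for r in records if r in table}


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record (entirely public):", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    leaked = [obscure_hash("Winter2023!"), obscure_hash("Tr0ub4dor&3")]
    print("obscured records cracked from a small wordlist:",
          crack_obscured(leaked, ["password", "Winter2023!", "letmein"]))
```

Two details carry the principle: the salt and iteration count travel inside the record, so nothing about the scheme is hidden and parameters can be raised later without breaking old records, and `hmac.compare_digest` keeps the comparison time independent of how many leading bytes match. The obscured variant is not broken by any cleverness; it is broken by reading the file, which is exactly the dependency Open Security says a design must not have.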
Defense in Depth[72] advocates for adding defenses to as many layers of a system as possible, so that if one is bypassed, another may still prevent full infiltration. An example of defense in depth outside the context of cybersecurity would be a garage that requires entering an electronic code, using a key on a bolted door lock, then finally disabling a voice-activated internal alarm system to open the garage.
Many organizations do not apply adequate defenses for their systems and lean too heavily on 
external tools or providers that focus on one specific area of defense. This can lead to single 
points of failure, resulting in a very weak security posture. We must learn to apply many layers of 
controls and design our systems with defense in depth in order to resist more threats and better 
respond to incidents. 
3.4.2 Security Controls and Strategies

To meet the ideals of concepts such as least privilege, open security, and defense in depth, we need to implement Security Strategies. These can include interventions like:

• 24/7 vigilance
• Threat modelling
• Table top discussions
• Continuous training on tactics, processes, and procedures
• Continuous automated patching
• Continuous supply chain verification
• Secure coding and design
• Daily log reviews
• Multiple layers of well-implemented