Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 108

If the attackers can get to your systems, they've got a chance to be able to get into them. This starts in the physical domain, where access includes physical contact at Layer 1 network systems, at the USB ports or memory card slots on your endpoints and other devices. It includes being able to see the blinking LEDs on routers (which blink with each 1 or 0 being sent down the wire), and it includes being bold as brass and just walking into your office spaces as if they're a pizza delivery person or business visitor. And although we've not yet seen it reported, it won't be long now before we do see an attacker using hobbyist-grade UAVs to carry out intrusion attempts.

Chapter 2 will look at the concept of defense in depth, integrating a variety of deterrence, prevention, and detection capabilities to defend the points of entry into your systems. Threat modeling, done during the risk assessment and vulnerability assessment phases (which Chapter 3 examines in more detail), have given you maps of your systems architecture, which show it at the data, control, and management planes as well as in the physical dimension. Start at the outermost perimeter in those four planes and put on your penetration-tester hat to see these control concepts in action.

One major caution: What you are about to do is tantamount to penetration testing, and to keep that testing ethical, you need to first make sure that you're on the right side of law and ethics. Before you take any action that might be construed as an attempted penetration of an organization's information systems or properties under their control, gain their owners and senior managers permission in writing. Lay out a detailed plan of what you are going to attempt to do, why you propose it as worthwhile, and what you anticipate the disruptions to normal business operations might be. Work with them to specify how you'll monitor and control the penetration test activities and how you'll suspend or terminate them immediately if required. As you learn with each step, err on the side of caution and go back to that management team and ask for their written permission to take the next step.

At a minimum, this will keep you out of jail. It will enhance your chances of staying employed. It will also go a long way toward increasing the awareness of the threat and the opportunity that your management and leadership stakeholders have to do something about it.