Читать книгу Hacking For Dummies - Kevin Beaver - Страница 20

To catch a thief, you must think like a thief. That adage is the basis of vulnerability and penetration testing. Knowing your enemy is critical. The law of averages works against security. With the increased number of hackers and their expanding knowledge and the growing number of system vulnerabilities and other unknowns, all computer systems and applications are likely to be hacked or compromised somehow. Protecting your systems from the bad guys —not just addressing general security best practices — is critical. When you know hacker tricks, you find out how vulnerable your systems really are and can take the necessary steps to make them secure.

Hacking preys on weak security practices and both disclosed and undisclosed vulnerabilities. More and more research, such as the annual Verizon Data Breach Investigations Report (www.verizon.com/business/resources/reports/dbir/), shows that long-standing, known vulnerabilities are continually being targeted. Firewalls, advanced endpoint security, security incident and event management (SIEM), and other fancy (and expensive) security technologies often create a false feeling of safety. Attacking your own systems to discover vulnerabilities — especially the low-hanging fruit that gets so many people into trouble — helps you go beyond security products to make them even more secure. Vulnerability and penetration testing is a proven method for greatly hardening your systems from attack. If you don’t identify weaknesses, it’s only a matter of time before the vulnerabilities are exploited.

As hackers expand their knowledge, so should you. You must think like them and work like them to protect your systems from them. As a security professional, you must know the activities that the bad guys carry out, as well as how to stop their efforts. Knowing what to look for and how to use that information helps you thwart their efforts.

You don’t have to protect your systems from everything. You can’t. The only protection against everything is unplugging your computer systems and locking them away so no one can touch them — not even you and especially not your users. But doing so is not the best approach to security, and it’s certainly not good for business! What’s important is protecting your systems from known vulnerabilities and common attacks — the 20 percent of the issues that create 80 percent of the risks, which happen to be some of the most overlooked weaknesses in most organizations. Seriously, you wouldn’t believe the basic flaws I see in my work!

Anticipating all the possible vulnerabilities you’ll have in your systems and business processes is impossible. You certainly can’t plan for all types of attacks — especially the unknown ones. But the more combinations you try and the more often you test whole systems instead of individual units, the better your chances are of discovering vulnerabilities that affect your information systems in their entirety.

Don’t take your security testing too far, though; hardening your systems from unlikely (or even less likely) attacks makes little sense and will probably get in the way of doing business.

Your overall goals for security testing are to

 Prioritize your systems so that you can focus your efforts on what matters.

 Test your systems in a nondestructive fashion.

 Enumerate vulnerabilities and, if necessary, prove to management that business risks exist.

 Apply results to address the vulnerabilities and better secure your systems.