Read the book The Art of Attack - Maxie Reynolds - Page 12

AMs Is a Needed Set of Skills


Defenses against attackers generally center on building technological protections to combat ever-lurking adversaries. Businesses typically try to fortify their assets by closing off the most obscure entry points, which is commendable. But it becomes irrelevant if they leave the front door wide open rather than employing an active defense. Attackers are often relentless and dogged types (and need to be in order to succeed). Protecting against this can be difficult, because the threat is somewhat faceless and motionless until one day it's not—how can we truly protect ourselves against such a faceless, shapeless entity, you may wonder? It is something that doesn't seem like a threat at all until one day it appears, and then it is tangible, dangerous, and consequential. Looking the threat in the face leaves most companies wondering how they could have missed imagining the scenario in which they find themselves, and the truth is that there are infinite attack scenarios. Imagining and barricading against them all is futile. Learning to think like an attacker, seeing how information about you can be used against you, will not stop it from happening, but it will make halting attacks in their tracks that much easier. It's the closest thing to a security panacea I will see in my working lifetime, of that I have no doubt.

People, typically not in the cybersecurity or information security industries, wonder if it's safe or even ethical to teach people how to think like an attacker, whether that be teaching a penetration tester how to break into networks or a social engineer how to elicit information and use it against a target. My response is always this: the solution to successfully fending off attacks and staying ahead of them is to be able to think like those who would seek to attack us. I am not teaching people to be malevolent or corrupt; I am teaching them how to be ethical—testing people, companies, and security for our greater good. When a company is attacked, regardless of whether they left themselves open to it, it affects the people who work there; it affects the people who use the services. This should not be overlooked or taken lightly. Because of the stakes, we must have only trusted individuals, within our workplaces or within the information security/cybersecurity sectors, test our businesses.

Also, as I have said in the introduction and countless times before, whether it be when asked by people curious about my profession or in interview and training settings, putting the word ethical, or some variation of it, before the word attacker will not make the words that follow invisible to malicious actors. I also cannot control who buys this book. But I believe that learning to think like a malicious attacker can and will help us, as security professionals, get ahead, stay ahead, and beat them. We take their power when we can think like them, but with a purer intent.

As a society, we test everything: we test our cars to see how they'll fare on impact, we test buildings for structural safety, we even test markets before launching products. We train our emergency personnel, too, and rightly so. We wouldn't simply place a person in front of a burning building with a hose expecting them to put it out; we test our firefighters, give them experience and build their skills. The same goes for many other professions. As businesses, we can and should test everything. “Everything” includes human-based defenses. Testing people against ostensibly malicious attacks is tactical, daunting, and dynamic, but it works as a way of upping security, and it's the next great defense in security for businesses, and for us all. One of the most effective ways to uncover flaws and weaknesses in a business's security posture is to carry out planned attacks, exposing gaps in their defenses before a malicious attacker can take advantage.

Finally, while testing people is of course not teaching them the attacker mindset, it is teaching them how an attack might rear its ugly head, and that alone gives them defenses against it. So, as security professionals, it's also our duty to form attack methods that, once executed, have no long-lasting adverse effects on the population tested—a major contrast to those breached by a malicious attacker. After all, some of the most devastating attacks haven't been the most technical—they've simply been human versus human. The catch is that only one human knows about the attack as it unfolds. By offering insight into the principles of AMs, we should be able to move the needle on security in the right direction without adversely affecting the population.
