Explaining Info-Sec in Layman's Terms [Part II]

Written by heydanny | Published 2022/07/25

TL;DR: Modern Information Security can be difficult to understand. Terms like “attack”, “exploit” and “vulnerability” might be self-explanatory, but what do pentest, EDR and DAST mean? Why is it important to assign testing scopes? This is a continuation of [this article](https://hackernoon.com/explaining-info-sec-in-laymans-terms-part-i).

Introduction

Modern Information Security can be difficult to understand. Terms like “attack”, “exploit” and “vulnerability” might be self-explanatory, but what do pentest, EDR and DAST mean? Why is it important to assign testing scopes?

This is a continuation of [this article](https://hackernoon.com/explaining-info-sec-in-laymans-terms-part-i).

Modern Information Security Explained Through Violence

Someone can throw a brick onto your head from the top floor. This is an attack.

To do this, he goes to the construction site, climbs to the highest floor, picks up a brick, takes aim and throws it down. This is an exploit.

Your head is not designed to withstand a brick of a given weight and acceleration. This is a vulnerability.

You remove all the bricks from the construction site, keep every person off it, and, just in case, remove the upper floors as well. This is security.

You put on a helmet to somehow reduce the consequences of being hit by a brick. This is anti-virus / EDR.

Your safety rules require everyone to wear a helmet. The staff never wore helmets, and they still don't. This is paper security.

The foreman is still alive, the attacker is throwing bricks in all directions, and the watchman is already pushing the red button. This is a security analyzer.

You hire two foremen so that if one of them dies, the work will not stop. This is formal fault tolerance.

You hire as many foremen as there are bricks on the construction site, plus one more. This is actual fault tolerance.

You buy a device that throws bricks in all directions, like a tennis ball machine. This is DAST.

Someone made his way onto the construction site, climbed to the upper floors, killed the foreman with a brick, and now joyfully demands a reward for it. This is a bug hunter.

You buy a virtual simulator that does everything DAST does, but on a model of the building instead of the real construction site. This is SAST.

You buy a feedback module that connects the throwing device to the construction simulator. This is IAST.

You got tired of buying things and turned to a third-party company for help. The company invites you to purchase the latest concrete mixer from a renowned vendor to solve the problem with bricks. You have no idea what a concrete mixer has to do with bricks, but you buy it anyway. Now not only bricks can fall from your upper floors but also a concrete mixer, which makes the brick problem look much less significant. This is the involvement of an integrator.

You hire an expert to check whether it is possible to enter the construction site, climb to the upper floors, and drop bricks on the heads of the staff. This is a pentester.

The pentester was not only able to kill the foreman with a brick in ten different ways, but he also destroyed the whole site, burned the equipment, and forced the watchmen to kill each other. This is an experienced pentester who was not assigned a testing scope in time.

You did everything conceivable and inconceivable so that a falling brick could not kill anyone, the site could not be destroyed, the equipment could not be burned, and you issued safety harnesses to the watchmen, just to be sure. The very next day, the foreman is killed by a failed brake system on the concrete mixer. This is the reality of modern information security.


Final Thoughts

Thank you, readers, I hope you all liked it. This article was first published here.

Written by heydanny | 😉Just another security guy | 🐱Hacking for fun, money, and for a social cause