Structured Penetration
Like many human activities, the process of running a penetration test can be broken down into a series of steps that generally describe the whole action in smaller chunks. While, from far enough back, the penetration test might look merely like throwing a bunch of bits at a complicated system and collecting the results, breaking the activity down the way Weidman does in the text makes it a process far more approachable to those from non-technical backgrounds. Too, it helps bring understanding to other technical practitioners that may not have been privy to serious security discussions before. In many ways, breaking activities down into steps is at the root of all education -- trying to bring sense to historical events, history is broken down into events that feed into and flow from one another; trying to bring sense to mathematics or chemistry, calculations and reactions are broken into steps.
Breaking down a penetration test into a series of easily explained steps as Weidman does is thus the first step in teaching new initiates how to go about such a test. As the book is subtitled "A Hands-On Introduction to Hacking," it could hardly be more appropriate that she begins her book with an outline of the steps required for a successful pentest. Introductory materials in a wide variety of subjects are based around lists of steps; breaking down processes into constituent elements makes vast amounts of information easier to make sense of for new and experienced students alike. Whether it's the list of ages of earth that geologists and evolutionary biologists proudly print in their textbooks or the simple "Stop, Drop and Roll" that elementary students are drilled on, organizing complex data by breaking it into simpler constituents is a widespread human activity.
Lists and steps are as common throughout information technology and other computer subjects as they are in other human endeavors. It's not just a penetration test that is acted out in steps -- whether it's the initial set-up of a router or building a single-page website application, technicians and developers alike break their own processes down into steps, just as Weidman did in her book for penetration testing. And certainly, it is not merely to save brain cells some work that processes are broken down into steps. There are a wide variety of benefits -- setting up every router with the same steps makes an organization's network much easier to maintain and increases the likelihood of security best practices being enacted, for example.
In many ways, computers themselves are simply very complex boxes we've built that can follow sets of instructions. CPUs chomp through registers filled with actions to take; set-up for devices and their drivers proceeds in steps; an internet application goes through a number of steps to make connectivity happen and to return what it gets to the end-user. As human as list-making is, we may have created devices that are better at it than we are!
-
Structured Penetration
Discussing an excerpt from Penetration Testing.19 May -
Moore's Law, Broadly
Discussing an excerpt from Semantic Information Processing.12 April -
Logging in Practice
Discussing an excerpt from Hadoop in Practice.31 March -
Code polished like Gems
Discussing an excerpt from Eloquent Ruby.3 March -
Complexity
Discussing an excerpt from Cryptography Engineering.25 September -
Surefire Questions
Discussing an essay by Gerald Weinberg.13 September