Security testing isn’t entirely about popping boxes. In fact, you might suggest that the
majority of security testing isn’t penetration testing. There are just so many areas of
protecting systems and software that aren’t related to what would commonly be
thought of as penetration testing. Before we start talking about what we can do with
Kali Linux when it comes to network security testing, we should go over what secu‐
rity is so you can better understand what testing means in this context.
When professionals, and certainly certification organizations, talk about security,
they make reference to what is commonly known as the
triad
. Some will add ele‐
ments, but at the core of information security are three fundamentals: confidentiality,
integrity, and availability. Anything that may impact one of these aspects of systems
or software impacts the security of that software or system. Security testing will or
should take all of those aspects into consideration and not the limited view that a
penetration test may provide insight into.
As you may know, the triad is generally represented as an equilateral triangle. The tri‐
angle is equilateral because all three elements are considered to have equal weight.
Additionally, if any of the elements are lost, you no longer have a triangle. You can see
a common representation in
Figure 2-1
, where all three sides are the same length.
Every one of these elements is considered crucial for information to be considered
reliable and trustworthy. These days, because businesses and people rely so heavily on
information that is stored digitally, it’s essential that information be available, be con‐
fidential when necessary, and have integrity.
Figure 2-1. The CIA triad
Most businesses run on secrets. People also have secrets: their social security number,
passwords they use, tax information, medical information, and a variety of other
pieces of data. Businesses need to protect their intellectual property, for one thing.
They may have many trade secrets that could have negative impacts on the business if
the information were to get out of the organization. Keeping this information secret,
regardless of what it is, is
confidentiality
. Anytime that information can be removed
from the place where it is kept safe, confidentiality has been breached. This is the pri‐
