mary element that has been impacted in countless thefts of data, from Target, to the
Office of Personnel Management, to Equifax and Sony. When consumer information
is stolen, the confidentiality of that information has been compromised.
Generally, we expect that when we store something, it will be the same when we go to
retrieve it. Corrupted or altered data may be caused by various factors, which may not
necessarily be malicious in nature. Just because we talk about security doesn’t always
mean we are talking about malicious behavior. Certainly, the cases I mentioned previ‐
ously were malicious. However, bad or failing memory can cause data corruption on
a disk. I say this from personal experience. Similarly, failing hard drives or other stor‐
age media can cause data corruption. Of course, in some cases malicious and deliber‐
ate actions will lead to corrupted or incorrect data. When that information has been
corrupted, no matter the cause, it’s a failure or breach of integrity.
Integrity
is entirely
about something being in a state you reasonably expect it to be in.
Finally, let’s consider
availability
. If I kick the plug to your computer out of the wall,
likely falling to the floor and maybe hitting my head in the process, your computer
will become unavailable (as long as we are talking about a desktop system and not a
system with a battery). Similarly, if you have a network cable and the clip has come
off such that the connector won’t stay in the wall jack or in the network interface card,
your system will be unavailable on the network. This may impact you, of course, and
your ability to do your job, but it may also impact others if they need anything that’s
on your computer. Anytime there is a server failure, that’s an impact to availability. If
an attacker can cause a service or entire operating system to fail, even temporarily,
that’s an impact to availability, which can have serious ramifications to the business. It
may mean consumers can’t get to advertised services. It may mean a lot of expendi‐
ture in manpower and other resources to keep the services running and available, as
in the case of the banks that were hit with enormous, sustained, and lengthy denial-
of-service attacks. While the attempt at an availability failure wasn’t successful, there
was an impact to the business in fighting it.
Testing anything related to these elements is security testing, no matter what form
that testing may take. When it comes to network security testing, we may be testing
service fragility, encryption strength, and other factors. What we will be looking at
when we talk about network testing is a set of stress-testing tools to start with. We
will also look at other tools that are sometimes known to cause network failures.
While a lot of bugs in the network stacks of operating systems were likely fixed years
ago, you may sometimes run into lighter weight, fragile devices that may be attached
to the network. These devices may be more susceptible to these sorts of attacks. These
devices may include printers, Voice over IP phones, thermostats, refrigerators, and
nearly countless other devices that are being connected, more and more, to networks
these days.
